<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Simple LDAP Authentication for EJB3
</h3>
<span style="margin-bottom: 10px;">
modified by <a href="http://community.jboss.org/people/cullendw">Daniel Cullender</a> in <i>EJB 3.0</i> - <a href="http://community.jboss.org/docs/DOC-15790">View the full document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>There are plenty articles available describing how to set up parts of LDAP authentication for EJB3, but I battled to find an article which pulls everthing together (If I have missed one, please provide a link).  I will break the process we went through into four easy steps.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h4>Step 1 : Login and browse your LDAP server</h4><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>This is an important step since you need to verify that your LDAP connection and logon details are correct. You also need to make sure that your Distinguished Name (DN) is correct. We used an excellent <a class="jive-link-external-small" href="http://directory.apache.org/studio/ldap-browser-plugin.html">LDAP Eclipse plugin by Apache</a> to do this. After logging on (remember that your username needs a @ domain attached to it) we could browse our LDAP server and confirm that all our LDAP configuration was correct.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Make sure that your LDAP group (example : <strong style="font-weight: bold;"> YourGroupName</strong>) has been configured properly and that all the members have been set up. This group is the security role you will configure on your ejb.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h4>Step 2 : Setup you JBoss Security Domain (<span style="font-family: 'courier new', courier;">login-config.xml</span>)</h4><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Configuring a JBoss LDAP Security Domain is really simple. The is a LDAP module available :</p><pre class="jive-pre"><code class="jive-code" style="PADDING-BOTTOM: 0px; BORDER-RIGHT-WIDTH: 0px; BACKGROUND-COLOR: transparent; LIST-STYLE-TYPE: none; MARGIN: 0px; PADDING-LEFT: 0px; OUTLINE-WIDTH: 0px; PADDING-RIGHT: 0px; BORDER-COLLAPSE: collapse; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; FONT-SIZE: 1em; BORDER-LEFT-WIDTH: 0px; PADDING-TOP: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; background-origin: initial; background-clip: initial">org.jboss.security.auth.spi.LdapLoginModule</code></pre><p>Please <a class="jive-link-wiki-small" href="http://community.jboss.org/docs/DOC-11253">refer to this comprehensive article</a> for all the ways to configure the module. Our configuration looks as follows:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><blockquote class="jive-quote"><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">     <application-policy name="</span><strong style="font-size: 8pt; font-weight: bold; ">your-configured-security-domain</strong><span style="font-size: 8pt;">"></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">        <authentication></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" ></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">                <module-option name="java.naming.provider.url">ldap://ldap-server-name:1389/</module-option></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">                <module-option name="rolesCtxDN">OU=Current,OU=User Accounts,OU=bar,DC=foo,DC=co,DC=za</module-option></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">                <module-option name="matchOnUserDN">false</module-option></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">                <module-option name="principalDNSuffix">@foo.co.za</module-option></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">                <module-option name="uidAttributeID">sAMAccountName</module-option></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">                <module-option name="roleAttributeID">memberOf</module-option></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">                <module-option name="roleAttributeIsDN">true</module-option></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">                <module-option name="roleNameAttributeID">name</module-option></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">            </login-module></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">        </authentication></span></p><p style="padding: 0pt; margin: 0pt;"><span style="font-size: 8pt;">    </application-policy></span></p></blockquote><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h4>Step 3 : EJB3 setup</h4><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Now that we have our Security Domain configured, all we need to do now is to configure our EJB. Using the following standard Class Level annotation :</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><span style="font-family: 'courier new', courier;">@SecurityDomain("</span><strong style="font-family: 'courier new', courier; font-weight: bold; ">your-configured-security-domain</strong><span style="font-family: 'courier new', courier;">")</span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>you tell your EJB which security domain to use. The next annotations tells your EJB which roles to allow (This is your LDAP group which your user should be a member of):</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><span style="font-family: 'courier new', courier;">@RolesAllowed("</span><strong style="font-family: 'courier new', courier; font-weight: bold; ">YourGroupName</strong><span style="font-family: 'courier new', courier;">")</span></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>This annotation can be put on a Class or method level depending on the granularity required. There are plenty of other annotations to configured the granularity (example : <span style="font-family: 'courier new', courier;">@PermitAll</span>) but our requirement was to lock down all our EJB's remote interface calls with a single role.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h4>Step 4 : EJB Client</h4><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>When you get your initial context as a client, make sure that you use Login Initial Context Factory : </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><div id="_mcePaste" style="position: absolute; left: -10000px; top: 509px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Properties prop = new Properties();</div><div id="_mcePaste" style="position: absolute; left: -10000px; top: 509px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");</div><div id="_mcePaste" style="position: absolute; left: -10000px; top: 509px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">prop.put(Context.URL_PKG_PREFIXES, "jboss.naming:org.jnp.interfaces");</div><div id="_mcePaste" style="position: absolute; left: -10000px; top: 509px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">prop.put(Context.PROVIDER_URL, "jnp://dev-qut6:1099");</div><div id="_mcePaste" style="position: absolute; left: -10000px; top: 509px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">prop.put(Context.SECURITY_PRINCIPAL, "dcu");</div><div id="_mcePaste" style="position: absolute; left: -10000px; top: 509px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">prop.put(Context.SECURITY_CREDENTIALS, "Gua2010");</div><div id="_mcePaste" style="position: absolute; left: -10000px; top: 509px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">prop.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");</div><blockquote class="jive-quote"><p><span style="font-size: 8pt;">Properties prop = new Properties();<br/></span></p><p><span style="font-size: 8pt;">prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");<br/></span></p><p><span style="font-size: 8pt;">prop.put(Context.URL_PKG_PREFIXES, "jboss.naming:org.jnp.interfaces");<br/></span></p><p><span style="font-size: 8pt;">prop.put(Context.PROVIDER_URL, "jnp://localhost:1099");<br/></span></p><p><span style="font-size: 8pt;">prop.put(Context.SECURITY_PRINCIPAL, "username");<br/></span></p><p><span style="font-size: 8pt;">prop.put(Context.SECURITY_CREDENTIALS, "password");<br/></span></p><p><span style="font-size: 8pt;">prop.setProperty(Context.INITIAL_CONTEXT_FACTORY, "</span><strong style="font-size: 8pt; ">org.jboss.security.jndi.JndiLoginInitialContextFactory</strong><span style="font-size: 8pt;">");</span></p></blockquote><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>And you are done.</p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Comment by <a href="http://community.jboss.org/docs/DOC-15790">going to Community</a></p>
<p style="margin: 0;">Create a new document in EJB 3.0 at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=102&containerType=14&container=2029">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>