[jboss-jira] [JBoss JIRA] Commented: (SECURITY-476) Allow return of user name without realm part for legacy applications

Vladimir Ze'ev Bunich (JIRA) jira-events at lists.jboss.org
Tue Mar 23 10:18:28 EDT 2010


    [ https://jira.jboss.org/jira/browse/SECURITY-476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12521384#action_12521384 ] 

Vladimir Ze'ev Bunich commented on SECURITY-476:
------------------------------------------------

Hi, we ran into a similar problem with domain-qualified principals and AdvancedLdapLoginModule while working with JBOSS EAP 4.3: queries to AD failed since sAMAccountName doesn't include the domain part.
We had to add the following code (denoted FIXME in the code snippet below) to findUserDN in org.jboss.security.negotiation.AdvancedLdapLoginModule to strip the DQN from the principals when required.

The behavior is similar to "Use domain-qualified user names" available in Websphere global security.

protected String findUserDN(LdapContext ctx) throws LoginException {
    if (baseCtxDN == null) {
        return getIdentity().getName();
    }

    try {
        NamingEnumeration results = null;

        String filterPrincipalNameArg = getIdentity().getName();

        // FIXME DOMAIN CUTOFF FIX - START
        // Declared before the if/else so it is still in scope for ctx.search() below.
        Object[] filterArgs;
        // isUseDomainQualifiedPrincipal is a property exposed as a module option; default is false
        if (isUseDomainQualifiedPrincipal) {
            filterArgs = new Object[] { getIdentity().getName() };
        } else {
            // Cut off the "@DOMAIN" part so the filter matches sAMAccountName
            if (filterPrincipalNameArg != null
                    && filterPrincipalNameArg.trim().length() > 0
                    && filterPrincipalNameArg.contains("@")) {
                filterPrincipalNameArg = filterPrincipalNameArg.substring(0,
                        filterPrincipalNameArg.indexOf("@"));
            }
            filterArgs = new Object[] { filterPrincipalNameArg };
        }
        // FIXME DOMAIN CUTOFF - END
        // FIXME original: Object[] filterArgs = {getIdentity().getName()};

        results = ctx.search(baseCtxDN, baseFilter, filterArgs,
                userSearchControls);
        if (results.hasMore() == false) {
            results.close();
            throw new LoginException("Search of baseDN(" + baseCtxDN
                    + ") found no matches");
        }

        SearchResult sr = (SearchResult) results.next();
        String name = sr.getName();
        String userDN = null;
        if (sr.isRelative() == true)
            userDN = name + "," + baseCtxDN;
        else
            throw new LoginException(
                    "Can't follow referal for authentication: " + name);

        results.close();
        results = null;

        if (log.isTraceEnabled()) {
            log.trace("findUserDN - " + userDN);
        }

        return userDN;
    } catch (NamingException e) {
        LoginException le = new LoginException("Unable to find user DN");
        le.initCause(e);
        throw le;
    }
}


Since the Negotiation component was not a part of EAP in version 4.3 we had to implement this code. Currently we are migrating to EAP v5, which has Negotiation 2.0.3 SP2/SP3 integrated, thus we would like to have this FIX applied in the enterprise version for EAP 5.

Thank you.

> Allow return of user name without realm part for legacy applications
> --------------------------------------------------------------------
>
>                 Key: SECURITY-476
>                 URL: https://jira.jboss.org/jira/browse/SECURITY-476
>             Project: PicketBox (JBoss Security and Identity Management)
>          Issue Type: Patch
>      Security Level: Public(Everyone can see) 
>          Components: Negotiation
>            Reporter: Matthias Kopczynski
>            Assignee: Darran Lofthouse
>             Fix For: Negotiation_2.0.3.SP3, Negotiation_2.0.4.GA
>
>         Attachments: cutOffDomainPatch.patch
>
>
> We have a legacy application which already uses authentication but cannot handle the realm part of the principal name. To enable single sign on we have made the changes in provided patch which allows to configure the module-option cutOffDomain for SPNEGOLoginModule. If the username ends with the realm name configured in this option the realm name is removed from the user name. This way the application gets the simpler name in the HttpServletRequest. Principals not ending with this realm are left untouched.
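The two stripping behaviours discussed in this issue, side by side, as an added example (this is not the attached cutOffDomainPatch.patch nor PicketBox code; the realm and principal values are constructed samples, and the realm is compared as an exact, case-sensitive suffix):

```java
// Added example: suffix-checked realm cut-off (SECURITY-476 semantics) versus
// cutting at the first "@" (the AdvancedLdapLoginModule workaround from the comment).
public final class RealmStrip {

    /** Remove "@" + realm only when the name ends with exactly that suffix;
     *  any principal from another realm, or with no realm, is returned untouched. */
    static String cutOffRealm(String principal, String realm) {
        if (principal == null || realm == null || realm.isEmpty()) {
            return principal;
        }
        String suffix = "@" + realm;
        if (principal.endsWith(suffix)) {
            return principal.substring(0, principal.length() - suffix.length());
        }
        return principal;
    }

    /** Cut at the first "@" regardless of which realm follows it. */
    static String cutAtFirstAt(String principal) {
        if (principal == null || principal.trim().isEmpty()) {
            return principal;
        }
        int at = principal.indexOf('@');
        return at < 0 ? principal : principal.substring(0, at);
    }

    public static void main(String[] args) {
        String realm = "EXAMPLE.ORG";            // constructed: what a module option would supply
        String[] samples = {                     // constructed sample principals
            "alice@EXAMPLE.ORG",
            "alice@PARTNER.ORG",
            "bob"
        };
        for (String p : samples) {
            System.out.printf("%-20s cutOffRealm=%-20s cutAtFirstAt=%s%n",
                    p, cutOffRealm(p, realm), cutAtFirstAt(p));
        }
        // Only the suffix-checked form keeps alice@EXAMPLE.ORG and alice@PARTNER.ORG
        // distinct; cutting at the first "@" maps both to "alice", so a legacy
        // application would see two different principals as one account.
    }
}
```

When the shortened name is used for authorization or as an LDAP search argument, the suffix-checked form is the one that preserves the distinction between realms.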
