Posted to users@directory.apache.org by Greg Allen <Gr...@SierraAtlantic.com> on 2009/04/23 17:28:40 UTC

[ApacheDS] Using ApacheDS for web authentication

I'm new to ApacheDS, so forgive me if these questions are simple...

I would like to use ApacheDS as the authentication module for a web
application, probably bundled in somehow with Tomcat (or maybe embedded)?

First, is this something that ApacheDS would/could be used for?

Second, I'd like users who come to the site to have the ability to create
their own accounts. Could this be done with ApacheDS?  You see these types
of login pages all over the web, where you can create an account if you
don't already have one.

Lastly, assuming the answers are yes to the first two questions, is there a
sample application somewhere out there that I could look at that does this
type of thing?

Thanks in advance,

-- Greg

__________________________________________________________________________________________________________________
DISCLAIMER:"The information contained in this message and the attachments (if any) may be privileged and confidential and protected from disclosure. You are hereby notified that any unauthorized use, dissemination, distribution or copying of this communication, review, retransmission, or taking of any action based upon this information, by persons or entities other than the intended recipient, is strictly prohibited. If you are not the intended recipient or an employee or agent responsible for delivering this message, and have received this communication in error, please notify us immediately by replying to the message and kindly delete the original message, attachments, if any, and all its copies from your computer system. Thank you for your cooperation." 
________________________________________________________________________________________________________________

Re: [ApacheDS] Using ApacheDS for web authentication

Posted by Stefan Zoerner <st...@labeo.de>.
Greg Allen wrote:
> This sounds like the right solution to me too.
> 
> My next question is when?  How much work is this?
> 
> I would be happy to help, either by attempting the implementation or
> testing out something that the ApacheDS people create.
> 
> If you want to contact me off the list, feel free.


Basically it is only implementing this interface.

http://tomcat.apache.org/tomcat-6.0-doc/api/index.html

In the first run, it is probably sufficient to provide only a subset of 
the methods, primarily a version of authenticate and hasRole.

I will try to create a first version at weekend, and keep you informed.
Greetings from Hamburg,
     Stefan



ApacheDS embedded as a Tomcat Realm (was Re: [ApacheDS] Using ApacheDS for web authentication)

Posted by Stefan Zoerner <st...@labeo.de>.
Hi Greg!

Greg Allen wrote:
> This sounds like the right solution to me too.
> 
> My next question is when?  How much work is this?
> 
> I would be happy to help, either by attempting the implementation or
> testing out something that the ApacheDS people create.


I have started a Realm implementation. A first version (proof of 
concept) already works quite well. I have committed the sources here as 
a Maven2 project:

https://svn.apache.org/repos/asf/directory/sandbox/szoerner/apacheds-tomcatrealm

It builds a jar file which contains the Realm class. In order to use it, 
one has to copy it to the Tomcat server lib directory, along with the 
required ApacheDS and dependency jars.

Activation in Tomcat server.xml is simply

<Realm className="org.apache.directory.tomcatrealm.EmbeddedApacheDsRealm" />

You can use Studio to edit your users and groups after Tomcat startup; 
the embedded ApacheDS opens an LDAP port at 10389.

I will continue testing and will provide some documentation on the wiki 
later on. Some features like configuration (LDAP port, filter 
expressions for searches, ...) are still missing, but I think it looks 
quite promising.

Feel free to check it out and provide feedback. Further discussions 
about whether we provide this as official artifact will be on the 
dev-list, which you hopefully scan as well.

Greetings from Hamburg,
     Stefan



RE: [ApacheDS] Using ApacheDS for web authentication

Posted by Greg Allen <Gr...@SierraAtlantic.com>.
Stefan,

> The better solution would be to embed ApacheDS as a Tomcat Realm anyway.
> In order to do so you (we?) have to write a realm which embeds ApacheDS
> instead of a web application which embeds ApacheDS.
>
> In this case, the start order would be no problem, and it would be much
> clever to do this, because the realm implementation can talk directly to
> ApacheDS instead of using the network layer.
>
> I think we (Apache Directory Project) should implement this and provide
> it to our users, It would make a perfect example for embedding ApacheDS
> + It would help people like you.

This sounds like the right solution to me too.

My next question is when?  How much work is this?

I would be happy to help, either by attempting the implementation or
testing out something that the ApacheDS people create.

If you want to contact me off the list, feel free.

Thanks,

-- Greg


RE: [ApacheDS] Using ApacheDS for web authentication

Posted by Greg Allen <Gr...@SierraAtlantic.com>.
Hi Stefan,

I'm not sure this would help me. 

I believe I still want to embed ApacheDS in my application - that way I
can provide self-registration.  I think what you are suggesting to provide
would fix my authentication problem but not help with self-registration.

I assumed I could fix my problem by simply moving my <Realm> to the
context.xml of my web application. I assumed then it would start after the
embedded ApacheDS instance. But it doesn't seem to be working.  I added
this to my web app's context.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" 
 debug="99" 
 connectionName="uid=admin,ou=system" 
 connectionPassword="secret" 
 connectionURL="ldap://localhost:10389" 
 digest="SHA" 
 allRolesMode="authOnly" 
 userPassword="userPassword" 
 userPattern="uid={0},ou=accounts,dc=test,dc=org" 
 roleBase="ou=groups,dc=test,dc=org" 
 roleName="cn" 
 roleSearch="(uniqueMember={0})" 
/>

I then start my web application and see the ApacheDS instance started. I
navigate to my login page and then hit submit.  This appears in the log:

     [java] May 13, 2009 10:01:15 PM org.apache.catalina.realm.JAASRealm authenticate
     [java] SEVERE: Unexpected error
     [java] java.lang.SecurityException: Unable to locate a login configuration
     [java]     at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:93)
     [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(NativeMethod)
     [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
     [java]     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
     [java]     at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
     [java]     at java.lang.Class.newInstance0(Class.java:355)
     [java]     at java.lang.Class.newInstance(Class.java:308)
     [java]     at javax.security.auth.login.Configuration$3.run(Configuration.java:246)
     [java]     at java.security.AccessController.doPrivileged(Native Method)
     [java]     at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:241)
     [java]     at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
     [java]     at java.security.AccessController.doPrivileged(Native Method)
     [java]     at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
     [java]     at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
     [java]     at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:347)

It seems to be using JAAS rather than JNDI.  Why is that? I would assume
it would use the Realm from the application-specific context.

Shouldn't what I am trying to do work?

Any help appreciated.

Thanks,

-- Greg


Re: [ApacheDS] Using ApacheDS for web authentication

Posted by Stefan Zoerner <st...@labeo.de>.
Hi Greg!

Greg Allen wrote:
> I've now gotten ApacheDS embedded in my application.  I can see from the
> log file that it starts up when my webapp starts.
> 
> Now my question is this - can I use the forms authentication
> (j_securitycheck) with the embedded ApacheDS instance?  If I leave the
> <Realm> defined in the Tomcat server.xml, I get connection problems as the
> embedded ApacheDS hasn't started yet (and Tomcat just seems to stop there).
> 
> This may be a Tomcat configuration issue, I'm not sure.
> 
> Can anyone help?

I assume, that the startup order is a problem here. The embedded 
ApacheDS is a web application, which starts after the realm.

I am not sure, whether it is possible to configure Tomcat differently here.

The better solution would be to embed ApacheDS as a Tomcat Realm anyway. 
In order to do so you (we?) have to write a realm which embeds ApacheDS 
instead of a web application which embeds ApacheDS.

In this case, the start order would be no problem, and it would be much 
clever to do this, because the realm implementation can talk directly to 
ApacheDS instead of using the network layer.

I think we (Apache Directory Project) should implement this and provide 
it to our users, It would make a perfect example for embedding ApacheDS 
+ It would help people like you.

Greetings from Hamburg,
     Stefan


RE: [ApacheDS] Using ApacheDS for web authentication

Posted by Greg Allen <Gr...@SierraAtlantic.com>.
Thanks, Alex. This has been very helpful. 

I first set up my application to use Tomcat and ApacheDS standalone.
That's working with a <Realm> set up in the Tomcat server.xml file to talk
to ApacheDS to do the authentication - my login page is using forms
authentication.

I've now gotten ApacheDS embedded in my application.  I can see from the
log file that it starts up when my webapp starts.

Now my question is this - can I use the forms authentication
(j_securitycheck) with the embedded ApacheDS instance?  If I leave the
<Realm> defined in the Tomcat server.xml, I get connection problems as the
embedded ApacheDS hasn't started yet (and Tomcat just seems to stop there).

This may be a Tomcat configuration issue, I'm not sure.

Can anyone help?

Thanks,

-- Greg




Re: [ApacheDS] Using ApacheDS for web authentication

Posted by Alex Karasulu <ak...@gmail.com>.
On Thu, Apr 23, 2009 at 11:28 AM, Greg Allen <
Gregory.Allen@sierraatlantic.com> wrote:

> I'm new to ApacheDS, so forgive me if these questions are simple...
>
> I would like to use ApacheDS as the authentication module for a web
> application, probably
> bundled in somehow with Tomcat (or maybe embedded)?
>

Sure you can totally do that.  Also you're incredibly lucky :-D. Our very own
Stefan Zoerner wrote an excellent tutorial in our user's guide to step
users through doing just that.  Here's a link to doing this with 1.0 plus
another article:


http://directory.apache.org/apacheds/1.0/embedding-apacheds-as-a-web-application.html
    http://www.screaming-penguin.com/node/5677

I'd stick to using ADS 1.5 though and so here's the same tutorial for the
latest and greatest:


http://directory.apache.org/apacheds/1.5/embedding-apacheds-as-a-web-application.html



>
> First, is this something that ApacheDS would/could be used for?
>

Absolutely.  This is a classic use case.


>
> Second, I'd like users who come to the site to have the ability to create
> their own accounts. Could
> this be done with ApacheDS?  You see these types of login pages all over
> the web, where you
> can create an account if you don't already have one.
>

Right like they register then get some email etc etc for confirmation.
However you slice this thing you would build it into your application.
Basically your application determines how to verify the user and then
creates a single user entry for them.

We thought about building web interfaces for ADS to supply some self service
apps too like when you forget your password but this is just icing that
users can do themselves and integrate into their own applications.


>
> Lastly, assuming the answers are yes to first two questions, is there a
> sample application
> somewhere out there that I could look at that does this type of thing?
>

Those tutorials are your ticket.  Read, test, and have fun.

HTH

-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org

Re: [ApacheDS] Using ApacheDS for web authentication

Posted by Stefan Zoerner <st...@labeo.de>.
Greg Allen wrote:
> I'm new to ApacheDS, so forgive me if these questions are simple...
> 
> I would like to use ApacheDS as the authentication module for a web
> application, probably
> bundled in somehow with Tomcat (or maybe embedded)?


Just a small addition. Besides embedding ApacheDS (as described by Alex 
in his mail), it is also possible to run ApacheDS and Tomcat independently, 
and use ApacheDS as a backend store for users, groups, passwords. Like 
described here:

http://directory.apache.org/apacheds/1.0/42-apache-tomcat.html

The page describes it for ApacheDS 1.0, but it mainly deals with 
configuration of Tomcat, which has not been changed.

This uses Java EE standard stuff, and will therefore not solve your 
requirement of self registration. But it is an easy first step, because 
it is configuration only.

Greetings from Hamburg,
     Stefan



Re: [ApacheDS] Using ApacheDS for web authentication

Posted by Pierre-Arnaud Marcelot <pa...@marcelot.net>.
Hi Greg,
On Thu, Apr 23, 2009 at 5:28 PM, Greg Allen <
Gregory.Allen@sierraatlantic.com> wrote:

> I'm new to ApacheDS, so forgive me if these questions are simple...
>
> I would like to use ApacheDS as the authentication module for a web
> application, probably
> bundled in somehow with Tomcat (or maybe embedded)?
>
> First, is this something that ApacheDS would/could be used for?


Yes, ApacheDS is very easy to embed.

We even have an example of Embedding Apache DS as a Web Application within
Tomcat.
See this page:

http://directory.apache.org/apacheds/1.5/43-embedding-apacheds-as-a-web-application.html

> Second, I'd like users who come to the site to have the ability to create
> their own accounts. Could
> this be done with ApacheDS?  You see these types of login pages all over
> the web, where you
> can create an account if you don't already have one.
>
> Lastly, assuming the answers are yes to first two questions, is there a
> sample application
> somewhere out there that I could look at that does this type of thing?
>

Yes, you'll be able to do that in your application.
You'll just have to create your users or retrieve them, as well as
authenticate them (bind() operation) using JNDI.

If you're not familiar with JNDI, you should consider reading this first:
  http://java.sun.com/products/jndi/tutorial/

Regards,
Pierre-Arnaud
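
The approach described in the message above (create the user entry, then authenticate with a bind() over JNDI), as an added example that is not part of the thread or of ApacheDS's own code. It assumes the server from the thread listens on ldap://localhost:10389 and that ou=accounts,dc=test,dc=org (the subtree from the Realm configuration earlier in the thread) already exists; the class name, the ADS_ADMIN_PW variable and the sample user are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.Rdn;

public class SelfRegistration {  // hypothetical class name
    static final String URL = "ldap://localhost:10389";          // port named in the thread
    static final String ACCOUNTS = "ou=accounts,dc=test,dc=org"; // subtree from the Realm config

    static DirContext connect(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);  // performs the LDAP bind
    }

    // Whitelist the uid, then escape it, so user input cannot alter the DN structure.
    static String userDn(String uid) {
        if (uid == null || !uid.matches("[A-Za-z0-9._-]{1,64}"))
            throw new IllegalArgumentException("invalid uid");
        return "uid=" + Rdn.escapeValue(uid) + "," + ACCOUNTS;
    }

    // Creates one entry; a NameAlreadyBoundException means the uid is already taken.
    static void register(DirContext admin, String uid, String cn, String sn, String password)
            throws NamingException {
        Attribute oc = new BasicAttribute("objectClass");
        for (String c : new String[] {"top", "person", "organizationalPerson", "inetOrgPerson"})
            oc.add(c);
        Attributes attrs = new BasicAttributes(true);
        attrs.put(oc);
        attrs.put("uid", uid);
        attrs.put("cn", cn);
        attrs.put("sn", sn);
        attrs.put("userPassword", password);  // sent as supplied; prefer storing a salted hash
        admin.createSubcontext(userDn(uid), attrs).close();
    }

    static boolean authenticate(String uid, String password) {
        // An empty password makes a simple bind "unauthenticated" (RFC 4513); a server may accept it.
        if (password == null || password.isEmpty()) return false;
        try {
            connect(userDn(uid), password).close();
            return true;
        } catch (AuthenticationException | IllegalArgumentException e) {
            return false;  // bind rejected by the server, or malformed uid
        } catch (NamingException e) {
            throw new IllegalStateException("directory unavailable", e);
        }
    }

    public static void main(String[] args) throws NamingException {
        String adminPw = System.getenv("ADS_ADMIN_PW");  // hypothetical variable name
        if (adminPw == null) throw new IllegalStateException("set ADS_ADMIN_PW");
        DirContext admin = connect("uid=admin,ou=system", adminPw);  // admin DN from the thread
        try {
            register(admin, "jdoe", "Jane Doe", "Doe", "constructed-sample-pw");  // constructed user
        } finally {
            admin.close();
        }
        System.out.println(authenticate("jdoe", "constructed-sample-pw") + " " + authenticate("jdoe", ""));
    }
}
```

Because the connection URL is plain ldap://, the bind password crosses the wire in clear text unless the application and the directory share a host or the connection is moved to LDAPS.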