
  • Read/write/set authorizations on user/rename folders - possible with Spring LDAP ?

    Hello,

    I am doing at the moment a practical:

    I wanna make a Java app where an IT teacher is logging into the Java app (he can only log in to the app when he belongs to the "spec" group in the AD of the Windows 2000 domain). This teacher must be able to set authorizations to a class folder or school folder. He should be able to delete directories, rename them and fill all the read data into a database which is located on the IT teacher's client PC where he runs the Java app.


    I have browsed the WWW and used Google and found many solutions, but as a Java network stuff n00b I can't filter which solution is best for me, but I already have a little idea of what fits best for me:

    1.) JNDI: OLD stuff where I have to do everything manually, and it's not so easy to use.

    http://java.sun.com/products/jndi/tu.../trailmap.html

    2.) Spring LDAP: Cares for most encoding/coding stuff etc. and can read the AD, but can it also write permissions of a certain user? I haven't found a proper method in the respective classes.

    http://www.springframework.org/ldap

    3.) OpenLDAP: This site seems outdated to me but I do not really know.

    http://www.openldap.org/jldap/

    4.) J-Integra: this one costs money, at least after 30 days...

    http://j-integra.intrinsyc.com/suppo..._from_Java.htm

    So much about what is possible maybe.

    Can someone help me and give me proper advice!?

  • #2
    You should look at Acegi Security, which is the security framework of choice in the Java world. It has LDAP support if you need that, but also supports JDBC storage or any other storage you may come up with.

    Acegi Security will let you control who logs in, what URLs she can access, what service methods she can call, and even control which domain objects she can retrieve on an instance level, if you need that kind of security. It provides support for anonymous users, RunAs a different user, RememberMe functionality, and Captcha checks. It supports the standard HTTP authentication algorithms, which enables security for Web Services and all other kinds of remoting. It works together with single sign-on solutions like CAS. It provides a tag library for accessing security information from your web pages.


    • #3
      Originally posted by ulsa:
      You should look at Acegi Security, which is the security framework of choice in the Java world. It has LDAP support if you need that, but also supports JDBC storage or any other storage you may come up with.

      Acegi Security will let you control who logs in, what URLs she can access, what service methods she can call, and even control which domain objects she can retrieve on an instance level, if you need that kind of security. It provides support for anonymous users, RunAs a different user, RememberMe functionality, and Captcha checks. It supports the standard HTTP authentication algorithms, which enables security for Web Services and all other kinds of remoting. It works together with single sign-on solutions like CAS. It provides a tag library for accessing security information from your web pages.
      Hey Ulsa, thank you very much for helping me out of my misery and confusion.

      What you say above sounds heavy; all I wanna do is this:

      I wanna make a Java app where an IT teacher is logging into the Java app (he can only log in to the app when he belongs to the "spec" group in the AD of the Windows 2000 domain). This teacher must be able to set authorizations to a class folder or school folder. He should be able to delete directories, rename them and fill all the read data into a database which is located on the IT teacher's client PC where he runs the Java app.
      I have just thought about buying a book about LDAP and Java and how to set up an OpenLDAP server.

      So you are of the opinion that I need only Acegi Security and then I can access a W2K domain from a client in the network and manipulate the Active Directory and write the AD data into a SQL database on the client PC?

      The problem is I also write my questions on other forums, as I receive nearly no answers and those who answer always advise something totally different, which is very frustrating for me!


      • #4
        I listed everything Acegi Security can do just to make it clear that when it comes to security, Acegi is the way to go, regardless of whether you're building a web app, a web service or a stand-alone app. You can pick and choose the parts you want, and you can incrementally use more security features as your requirements change.

        It is possible to use Spring LDAP to authenticate users, but Spring LDAP is really a framework aimed at those that frequently manipulate and read stuff from an LDAP database. An application that uses Spring LDAP to authenticate users will be stuck with (relatively) low level, LDAP-specific authentication code. By contrast, an application that uses Acegi Security can switch to another storage mechanism by simply changing a configuration file.

        Back to your problem:

        1. You want to restrict authentication to users that belong to a certain group in Active Directory.

        Perfect fit for Acegi Security.

        2. The (admin) user should be able to set authorizations, possibly in a relational database or in the same LDAP as the groups.

        I'm not sure whether Acegi can mix and match between LDAP and JDBC at the same time; you'd better check with the lads in the Acegi forum. However, if you choose to place all security stuff in LDAP (AD), then you could let Spring LDAP do the CRUD (Create, Read, Update, Delete) of the security data, while Acegi uses the data for authentication and authorization.


        • #5
          It is possible to use Spring LDAP to authenticate users, but Spring LDAP is really a framework aimed at those that frequently manipulate and read stuff from an LDAP database. An application that uses Spring LDAP to authenticate users will be stuck with (relatively) low level, LDAP-specific authentication code. By contrast, an application that uses Acegi Security can switch to another storage mechanism by simply changing a configuration file.
          So you wanna say that Spring LDAP for authenticating users is rather unsecure instead of using Acegi Security? Well, that's not so important for me, as it is not sure at all that this program will be used at all in real life ;-)

          Back to your problem:

          1. You want to restrict authentication to users that belong to a certain group in Active Directory.

          Perfect fit for Acegi Security.
          Does this not work in Spring LDAP?

          All I wanna avoid is to learn and use too much different stuff coz it's hard to handle and my time is limited...

          2. The (admin) user should be able to set authorizations, possibly in a relational database or in the same LDAP as the groups.

          I'm not sure whether Acegi can mix and match between LDAP and JDBC at the same time; you'd better check with the lads in the Acegi forum. However, if you choose to place all security stuff in LDAP (AD), then you could let Spring LDAP do the CRUD (Create, Read, Update, Delete) of the security data, while Acegi uses the data for authentication and authorization.
          To correct it: the IT teacher (every school has 1 IT teacher) who is in the "spec" folder of the Active Directory will be able to log in and then he should be able to remove the password of a pupil or of another teacher, and set a new password for the teacher/pupil!

          The 2nd thing is to delete the authorizations of pupils, then write the new authorizations in a SQL database on the client PC and after this write the same authorizations also in the Active Directory of the W2K server. These new authorizations can be set by the IT teacher via the client PC for a certain class in the school.

          So you really still think I need Acegi Security for this stuff?


          • #6
            So you wanna say that Spring LDAP for authenticating users is rather unsecure instead of using Acegi Security?
            No, I'm saying that it's better to use a security framework for security rather than using an LDAP framework for security.

            Does this not work in Spring LDAP?
            Sure it does. As long as it concerns reading and writing to LDAP, Spring LDAP works fine. You just have to do more hand-coding yourself.

            All I wanna avoid is to learn and use too much different stuff coz it's hard to handle and my time is limited...
            I respect that. You're free to select the solution that best fits your needs.

            So you really still think I need Acegi Security for this stuff?
            Well, my view is that the login part, which I refer to as both authentication and authorization, should be handled by Acegi Security, unless a) it's a Mickey Mouse application, b) you foresee that you never ever will change or grow your authorization needs, or c) another framework dependency for some reason is out of the question.

            Any other data access towards LDAP is probably best handled by Spring LDAP, while I would use Spring JDBC for any JDBC access.


            • #7
              No, I'm saying that it's better to use a security framework for security rather than using an LDAP framework for security.
              Aha, so what does this security framework offer me that is better than the LDAP framework?

              SSL protocol/transfer of pass and user data?

              Sure it does. As long as it concerns reading and writing to LDAP, Spring LDAP works fine. You just have to do more hand-coding yourself.
              So Acegi offers me already coded methods to do stuff I need to hand-code using Spring LDAP?


              Well, my view is that the login part, which I refer to as both authentication and authorization, should be handled by Acegi Security, unless a) it's a Mickey Mouse application, b) you foresee that you never ever will change or grow your authorization needs, or c) another framework dependency for some reason is out of the question.
              Well, I have 5 months' time from now on. In the afternoon I have about 3 hours in the office to code the stuff, and at home in the evening I have 3 hours' time to write on my practical work, which must be at the end minimum 30 pages.

              You think I can achieve this all in that time? I have been doing Java for 9 months and my biggest app was 1500 lines of code, not much I know hehe

              Any other data access towards LDAP is probably best handled by Spring LDAP, while I would use Spring JDBC for any JDBC access.
              All I find is this:

              Access official Spring subprojects

              * Acegi Security System for Spring
              * Spring Web Services
              * Spring LDAP
              * Spring Rich Client
              * Spring IDE for Eclipse Update Site
              * Spring BeanDoc

              There is no Spring JDBC?


              OK, when I do this Acegi thing you must know I will ask much here and hope you help me out sometimes coz it's your fault I do Acegi now :P. I just found a book in the German language as I am from Germany. Damn, it's the only Acegi book in the German language and it's out in May 2007. I pray to god there will be no delay...

              http://www.amazon.de/Security-Securi...5625913&sr=8-1

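Added example, not part of any post in this thread and not Acegi or Spring LDAP code: the "only members of the spec group may log in" check discussed above, hand-coded with plain JNDI (option 1 in the first post). The host, domain and group DN are assumed placeholders, and LDAPS is assumed to be enabled on the domain controller so that the password is not sent in clear text.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class SpecGroupLogin {
    // Assumed placeholders, not values from the thread.
    static final String URL = "ldaps://dc.school.example:636";
    static final String DOMAIN = "school.example", BASE = "DC=school,DC=example";
    static final String GROUP_DN = "CN=spec,CN=Users," + BASE;

    // RFC 4515 escaping so a login name cannot change the search filter.
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if ("\\*()\0".indexOf(c) >= 0) sb.append(String.format("\\%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    // True only if the bind succeeds and memberOf lists GROUP_DN directly
    // (nested groups and the primary group do not appear in memberOf).
    static boolean login(String user, String password) throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind
        // that the server may accept, so reject it before contacting the DC.
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) return false;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user + "@" + DOMAIN);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx;
        try { ctx = new InitialDirContext(env); }           // bind as the user
        catch (AuthenticationException e) { return false; } // wrong credentials
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(user) + "))";
            NamingEnumeration<SearchResult> res = ctx.search(BASE, filter, sc);
            Attribute groups = res.hasMore() ? res.next().getAttributes().get("memberOf") : null;
            for (int i = 0; groups != null && i < groups.size(); i++)
                if (GROUP_DN.equalsIgnoreCase(String.valueOf(groups.get(i)))) return true;
            return false;
        } finally { ctx.close(); }
    }
    public static void main(String[] args) throws NamingException {
        System.out.println(escapeFilter("a*)(uid=*")); // constructed hostile login name
        System.out.println(login("teacher", ""));      // rejected without any network call
    }
}
```

Other directory errors (server unreachable, certificate not trusted) surface as a `NamingException`, so the caller should treat any exception as a failed login.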