Siteminder as AuthenticationSource for SpringFramework LDAP

    Several of our web sites are protected by CA SiteMinder and share single sign-on. We have a SunOne Directory LDAP server and want to use the SiteMinder SSO cookie (or token, or whatever it is) to authenticate the user to perform some operations (update/bind) in LDAP via the Spring LDAP API.

    I see that the Spring LDAP API has an Acegi AuthenticationSource. I guess my questions are:

    1. Can I write a custom SiteMinder AuthenticationSource? Is it possible?
    2. Can I integrate Acegi with SiteMinder and then use the Acegi AuthenticationSource to authenticate users for LDAP operations?

    Anyway, the bottom line is that the user is authenticated by SiteMinder, which in turn uses LDAP as its realm, and LDAP somehow should recognize that this is the same user who was authenticated a few milliseconds ago and not challenge the poor guy any more.
    Last edited by Glennn; Aug 31st, 2007, 08:45 PM.

  • #2
    It would be theoretically possible to create a custom AuthenticationSource for use with SiteMinder. I don't know any details of the product as such, but presumably the cookie won't contain the full authentication information; it would just be a token to verify that the user is logged in. You'll need to get the actual authentication information (user DN and password) and use that in your AuthenticationSource to return in the callbacks. I'm not all that optimistic about the possibilities for doing this, but if the information were available, the actual AuthenticationSource implementation would be rather trivial (very similar to the AcegiAuthenticationSource).

    What you could do is use a default user when authenticating with Spring LDAP (i.e. configure the ContextSource with userName/password). After all, SiteMinder has made sure that the user does indeed have the appropriate rights to access the application. This is very similar to the usual case when working against relational databases. Then again, that might not be a suitable solution, depending on a number of things (e.g. individual access rights, etc.).
    Last edited by rasky; Sep 1st, 2007, 07:17 AM.
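    A sketch of the two options rasky describes, added here as illustration; it is not code from the thread and not Spring LDAP's own code. The AuthenticationSource callbacks are the real Spring LDAP interface; the package name, the EndUserBindExample class, the ThreadLocal holder, the server URL and the DNs are assumptions, and, as the post says, the per-user path only works if the application can actually obtain the user's DN and password from somewhere. The service-account path is the "default user" alternative from the same post.

```java
package example.ldap; // hypothetical package name, not from the thread

import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.springframework.ldap.core.AuthenticationSource;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

public class EndUserBindExample {

    /** Per-thread holder for the authenticated user's bind DN and password. Assumed to be
     *  filled by a servlet filter before the request reaches LdapTemplate. */
    static final class CurrentUser {
        private static final ThreadLocal<String[]> HOLDER = new ThreadLocal<String[]>();
        static void set(String dn, String password) { HOLDER.set(new String[] { dn, password }); }
        static void clear() { HOLDER.remove(); } // always clear: the container reuses the thread
        static String[] get() { return HOLDER.get(); }
    }

    /**
     * Spring LDAP calls getPrincipal()/getCredentials() every time it opens a DirContext,
     * so each operation binds as the current end user and the directory's ACIs decide
     * what that user may read or modify. AcegiAuthenticationSource does the same thing
     * with the DN and credentials it reads from Acegi's SecurityContextHolder.
     */
    public static class CurrentUserAuthenticationSource implements AuthenticationSource {
        public String getPrincipal() { return require()[0]; }
        public String getCredentials() { return require()[1]; }

        private static String[] require() {
            String[] creds = CurrentUser.get();
            if (creds == null || creds[0] == null || creds[1] == null || creds[1].length() == 0) {
                // Fail closed: an empty password would ask the directory for an
                // unauthenticated simple bind instead of the user's own bind.
                throw new IllegalStateException("no end-user credentials bound to this thread");
            }
            return creds;
        }
    }

    /** ContextSource that binds as the end user via the AuthenticationSource above. */
    public static LdapContextSource perUserContextSource(String url, String base) {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(url);
        cs.setBase(base);
        cs.setAuthenticationSource(new CurrentUserAuthenticationSource());
        init(cs);
        return cs;
    }

    /** The alternative from the post: one service account for every operation. The
     *  directory then only ever sees that account, so per-user ACIs no longer apply. */
    public static LdapContextSource serviceAccountContextSource(String url, String base,
                                                                String serviceDn, String servicePassword) {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(url);
        cs.setBase(base);
        cs.setUserDn(serviceDn);
        cs.setPassword(servicePassword);
        init(cs);
        return cs;
    }

    private static void init(LdapContextSource cs) {
        try {
            cs.afterPropertiesSet(); // declared to throw Exception in Spring LDAP 1.x
        } catch (Exception e) {
            throw new IllegalStateException("ContextSource initialisation failed", e);
        }
    }

    /** An update that succeeds or fails according to the bound user's rights.
     *  Names are relative to the base configured on the ContextSource. */
    public static void updateMail(LdapTemplate ldap, String relativeDn, String newMail) {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("mail", newMail))
        };
        ldap.modifyAttributes(relativeDn, mods);
    }

    public static void main(String[] args) {
        // Assumed server, base and user DN. The password has to come from wherever the
        // application can get it (the thread's open question); here, the command line.
        LdapTemplate ldap = new LdapTemplate(
            perUserContextSource("ldap://ldap.example.com:389", "dc=example,dc=com"));
        CurrentUser.set("uid=jdoe,ou=people,dc=example,dc=com", args.length > 0 ? args[0] : "");
        try {
            updateMail(ldap, "uid=jdoe,ou=people", "jdoe@example.com");
        } finally {
            CurrentUser.clear();
        }
    }
}
```

    The fail-closed check in require() is the part worth keeping whatever the credential source turns out to be: a null or empty credential returned from an AuthenticationSource silently changes which bind the directory performs, and the operation then runs with whatever rights that bind has rather than failing.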



    • #3
      My guess is that you can hook SiteMinder into Acegi and then just use the regular AcegiAuthenticationSource.



      • #4
        Originally posted by rasky
        You'll need to get the actual authentication information (user DN and password) and use that in your AuthenticationSource to return in the callbacks.
        There is no way you can get the password from SiteMinder or LDAP. Yes, the guy comes authenticated, but it's not possible to create a ContextSource for him because you cannot get his password.

        Originally posted by rasky
        What you could do is use a default user when authenticating with Spring LDAP (i.e. configure the ContextSource with userName/password). After all, SiteMinder has made sure that the user does indeed have the appropriate rights to access the application. This is very similar to the usual case when working against relational databases. Then again, that might not be a suitable solution, depending on a number of things (e.g. individual access rights, etc.).
        We have very sophisticated access rights and want to delegate the "who can do what on which users and with which attributes" logic to LDAP, with tens of ACIs on each branch. The default user is usually a superuser who can do everything. No piggybacking behind somebody who has access is allowed.



        • #5
          Originally posted by ulsa
          My guess is that you can hook SiteMinder into Acegi and then just use the regular AcegiAuthenticationSource.
          Can you please elaborate on this?



          • #6
            Originally posted by Glennn
            There is no way you can get the password from SiteMinder or LDAP. Yes, the guy comes authenticated, but it's not possible to create a ContextSource for him because you cannot get his password.
            That's as I suspected then. Well, if you can't get hold of the password, Spring LDAP can't get an authenticated context for that user; it's as simple as that. Seems very unlikely that Acegi would be able to help you here.



            • #7
              Originally posted by rasky
              That's as I suspected then. Well, if you can't get hold of the password, Spring LDAP can't get an authenticated context for that user; it's as simple as that.
              ...unless you can supply the actual token instead of the user DN and password when creating the DirContext instance. An AuthenticationSource implementation won't help you there; that's all based on user DN and credentials. You'd need to override the setupAuthenticatedEnvironment method of AbstractContextSource to specify the token somehow. It might be possible, but I wouldn't know the actual details. You might be able to get information here, then again maybe not...

              If you do find a solution I'd be very interested to know about it.
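              The hook rasky names, as an added illustration rather than code from the thread or from Spring LDAP itself: a ContextSource subclass overriding setupAuthenticatedEnvironment, which is where AbstractContextSource fills in the JNDI bind properties for every authenticated DirContext. The TokenBindContextSource class and package name are assumptions; the mechanism parameter is whatever JNDI's java.naming.security.authentication property accepts, and the comments record the check that decides whether a token can be used at all, namely that the directory must implement that mechanism.

```java
package example.ldap; // hypothetical package name, not from the thread

import java.util.Hashtable;
import javax.naming.Context;
import org.springframework.ldap.core.support.LdapContextSource;

/**
 * AbstractContextSource builds the JNDI environment for every authenticated DirContext
 * in setupAuthenticatedEnvironment(). The stock version sets only SECURITY_PRINCIPAL and
 * SECURITY_CREDENTIALS, which the JNDI LDAP provider turns into a simple bind (DN plus
 * password). Overriding it is the one place a different bind mechanism can be substituted.
 */
public class TokenBindContextSource extends LdapContextSource {

    private final String mechanism;

    /**
     * @param mechanism value for java.naming.security.authentication: "simple", or the name
     *                  of a SASL mechanism that both the JVM's SASL client and the directory
     *                  support (for example DIGEST-MD5 or GSSAPI). A SiteMinder session token
     *                  is not a SASL mechanism, so no value here makes the directory accept
     *                  one; an unsupported name fails at bind time with
     *                  AuthenticationNotSupportedException.
     */
    public TokenBindContextSource(String mechanism) {
        this.mechanism = mechanism;
    }

    /** Raw Hashtable so the override compiles against both Spring LDAP 1.x and 2.x. */
    @SuppressWarnings({ "rawtypes", "unchecked" })
    @Override
    protected void setupAuthenticatedEnvironment(Hashtable env, String principal, String credentials) {
        // The principal and credentials still arrive from the configured AuthenticationSource;
        // for a SASL mechanism the credentials are whatever that mechanism expects, not a DN
        // password, and the principal is the mechanism's notion of a user name.
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
    }
}
```

              Wiring is the same as for any LdapContextSource: construct it, call setUrl()/setBase(), set an AuthenticationSource that returns the mechanism's principal and credential, then afterPropertiesSet(). The override changes only how the directory is asked to authenticate, which is exactly why it cannot manufacture a bind the directory does not implement.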



              • #8
                Originally posted by Glennn
                Can you please elaborate on this?
                Sorry, I was under the impression that the Acegi/SiteMinder integration filled in the SecurityContextHolder with credentials as well. I had seen one discussion where they did fill in the credentials, but upon closer look I found that they had just used the contents of SM_USER as the password.

