my dog learned polymorphism*
The moose likes Security and the fly likes Apache Authentication / LDAP Authorization Question Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "Apache Authentication / LDAP Authorization Question" Watch "Apache Authentication / LDAP Authorization Question" New topic
Author

Apache Authentication / LDAP Authorization Question

Darryl A. J. Staflund
Ranch Hand

Joined: Oct 06, 2002
Posts: 303
Hi all,
I am currently installing an LDAP server at our site. One of the constraints that I have to work with is that LDAP authentication requests have to be proxied through an Apache HTTP Server although authorization requests can be performed directly against the LDAP database.
Our software / hardware environment is as follows:
1. Solaris 8 Server.
2. Java SDK 1.4 / J2EE 1.3
3. JBoss 3
4. Apache 1.3.x.
5. OpenLDAP (LDAP v3 I believe) - Berkeley DB.
6. JNDI
7. JAAS
Apache acts as a gateway or proxy to JBoss and is to perform all authentication requests for security reasons.
I am still green when it comes to J2EE application development, so I hope my question isn't too basic. But I am having trouble understanding how to send authentication requests to Apache from within a J2EE application.
I think one of my biggest problems is that I don't understand security enough to see why authentication should be performed by Apache instead of the J2EE server. To me it seems redundant -- why ask Apache to authenticate a user against an LDAP database on my behalf when I can send the authentication request to LDAP directly. This, i think is my biggest hurdle. It seems neither efficient nor needed.
On a more technical note, though, I am not sure how to send an authentication request to Apache from within a Java application. Three ideas come to mind:
1. I can send an HTTP authentication request to Apache using the javax.servlet.http package.
2. I can write a custom JAAS login module to handle the authentication request.
3. JBoss 3 supports JAAS so perhaps it can be configured to send authentication requests to Apache.
Thanks for your tips, input, and help.
Darryl
[ October 17, 2002: Message edited by: Darryl A. J. Staflund ]
Brian Buege
Author
Ranch Hand

Joined: Oct 16, 2002
Posts: 42
To answer your immediate question: If you upgrade to Apache 2.0, there's a module "mod_auth_ldap" that comes with it that will do what you're looking for.
If you stick with 1.3, check out this link:
http://nona.net/software/ldap/
However, using an authorization/authentication module in apache will only allow you to provide declarative authorization at the URL level (you can make decisions about access only by the URL someone is requesting). This is probably OK if you are only going to serve static content. But, since I see you're using JBoss, you may want to do your authentication and authorization at the app server (web container) level instead of through the Apache web server. If that's the case, you can use a LDAP JAAS LoginModule to allow you to allow the app server (JBoss or Tomcat/JBoss) to authenticate via LDAP. This will give you the advantage of managing your authorization at the application level and also will allow you make decisions based on the caller's identity within your J2EE code.
[ October 20, 2002: Message edited by: Brian Buege ]

Brian Buege<br />Author of <a href="http://www.amazon.com/exec/obidos/ASIN/0072225653/brivacom-20" target="_blank" rel="nofollow">Hacking Exposed J2EE & Java: Developing Secure Web Applications with Java Technology</a><br />Visit the <a href="http://www.hackingexposedjava.com" target="_blank" rel="nofollow">Companion Website</a>
Darryl A. J. Staflund
Ranch Hand

Joined: Oct 06, 2002
Posts: 303
Hi Brian,
Thanks for your reply. I wish I had held off until Friday before posting my question because a lot of different discussions have taken place at work about the nature of J2EE security within a Solaris environment. I think, at bottom, the security model our sysadmin wants to put into place is at odds with the security model that Java has in place.
The following is a letter I posted for our sysadmin on our internal discussion forum:
=======> Letter Starts Here <========
Hi <SysAdmin>,
I kind of look at the security features of web containers this way: Java security is based on the premise that everything running within a JVM is 'safe' while everything coming in and out of the JVM is considered 'unsafe' and needs to be handled by the default Security Manager run by the JVM at the time of execution.
Looking at it this way, JBoss serves a number of roles - EJB Container and Servlet Container among others. Because Java's security mechanism still applies, however, everything coming in and going out of JBoss HAS to be handled by the default Security Manager in place -- otherwise Java's fundamental security policy is compromised. In the case of J2EE development, the Manager is a little more complex and involves XML configuration files among other things.
I think it's because of the premise that everything outside the JVM is unsafe and has to be handled by a Java Security Manager, that authentication has been given to the web container to perform. Why? Apache runs outside the Java JVM and is considered unsafe. I think it is partly because of this that JBoss has evolved to take on the role of HTTP server -- to keep things within the Java VM as it were. This is not just a problem with JBoss, but a problem with other EJB Containers as well -- Orion is a prime example as is iPlanet and the other big players.
What I find really interesting about this explanation is that your desire to keep security in the hands of the the physical server (the embodied VM we're running on), is the same desire that Java has to keep security in the hands of the JVM. The problem is, the JVM is itself a server that runs on another server and issues of policy and ownership are coming into conflict.
My two cents worth.
Darryl
========> Letter stops here <========
One of the driving concerns of our Sysadmin as I found out after posting my letter on JavaRanch was to link authentication to a single HTTP gateway (namely Apache) in order to maximize control and security over incoming and outgoing traffic. Since JBoss doesn't implement security in this way, I (as a developer) was left wondering why I needed to proxy authentication requests through Apache, and the Sysadmin was left wondering how to implement security JBoss seemed to circumvent Apache authentication.
Our Sysadmin has just posted a letter on our discussion thread that I will post here:
========> Letter starts here <========
OK, I have done my research and you can just assume that Apache will have nothing to do with the authentication or authorization of requests for JBoss webapps. Even if Apache is involve it will be little more than passing the HTTP request straight to Jetty. This simplifies our discussions on "auth" substantially.
Technically its true that the method I suggested previously will work. Using an AJP connector, Apache could pass Jetty/JBoss the authenticated name of the user making the HTTP request. So, technically Apache could do all the authentication (via mod_auth_ldap) however I see little advantage in it unless we have non-JBoss webapps that need to be accessed by the same users as our JBoss webapps. If we do have both JBoss and non-JBoss webapps that need to be used by the same group of authenticating users, then we have to let Apache do the auth, or make the user login twice (once to JBoss and once to non-JBoss apps).
Further reading shows that JBoss started with the goal of being an EJB container but no longer holds that as a goal. JBoss claims to be a Web-based Operating System. Being an EJB container is just one small part of that. I will not be so bold as to criticise this products ability to be a WebOS. It still frustrates me that this product is choosen by many because it is an open-source EJB container but that we are forced to take Jetty with it.
What does this mean in to us? It means there is no point in pursuing Apache/JBoss integration. JBoss' is wedded to Jetty. There are configurations that are usable that use JBoss/Tomcat/Apache (via mod_jk) but there are not substantially different than a configuration that uses JBoss/Jetty/Apache (via mod_jk).
========> Letter stops here <========
Anyway, I will stop here. I just wanted to share the fruits of our internal discussion regard Apache / JBoss / LDAP authentication. Since I am now free to authenticate against LDAP directly, I will be using JBoss' JAAS/LDAP features.
Thanks everyone,
Darryl
[ October 20, 2002: Message edited by: Darryl A. J. Staflund ]
 
wood burning stoves
 
subject: Apache Authentication / LDAP Authorization Question