How to get user credentials from LDAP using Apache Tomcat JNDIRealm

ganesh boil
Greenhorn

Joined: Sep 17, 2009
Posts: 14
Hi,
Recently I have started to make a POC on Apache Tomcat JNDIRealm.
For this I have followed the tutorials available at

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm and

http://viralpatel.net/blogs/2008/12/implement-ldap-authentication-in-tomcat-jboss-server-for-java-app.html

I have created a couple of users and groups in OpenLDAP, and configured server.xml in Tomcat as suggested in the above link.
I also configured web.xml in my J2EE application as suggested in the second URL.

Now my question is how to get the user credentials in the .java file where I have the login() method.
Can anyone suggest how to get the user name and password from LDAP using this Tomcat JNDIRealm?

Any sample code would be helpful.

Thanks in advance.

regards,
Ganesh
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641

When you use web.xml to define security, you're offloading security to your web application container. Which is as it should be if you intend to authenticate and authorize via a Tomcat Security Realm.

However, container-managed security means exactly that. You don't write your own login code, the container manages the login. The user ID and password are never directly accessible by the application. Which is also good, since if someone hacks the application, they cannot plunder it for login information.

The closest thing you'll have is the User Principal object, which is constructed by the Realm when the user is logged in. You can obtain a reference to this by invoking getUserPrincipal() on your request object. Usually the userID will be the ID in the principal, although I suppose a Realm could supply any unique identifier it wanted to.

In accordance with good security measures, the password isn't visible at all, and in fact, isn't sent back to Tomcat in most cases. The SQL equivalent is:

In a case like this, if the correct password was supplied, the return count will be nonzero (hopefully it will be 1!). An invalid user ID or password would return back zero, without giving any hints to hackers as to what a valid user ID or password might be.


Customer surveys are for companies who didn't pay proper attention to begin with.
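
Added example, not part of the original thread or either poster's code: a servlet that reads the identity the Realm established, as the reply above describes, using getUserPrincipal() and isUserInRole(). The class name WhoAmIServlet and the role name "admin" are assumptions; the servlet must be mapped to a URL protected by a security-constraint in web.xml.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: relies on container-managed security, contains no login code.
public class WhoAmIServlet extends HttpServlet {

    // Assumed role name; use a role your JNDIRealm maps from an LDAP group.
    private static final String ADMIN_ROLE = "admin";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Built by the Realm after a successful login; it exposes no password.
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            // No authenticated user on this request, for example because the
            // URL is not covered by a security-constraint in web.xml.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
            return;
        }

        String userId = principal.getName();            // usually the login ID
        boolean isAdmin = req.isUserInRole(ADMIN_ROLE); // role resolved by the Realm

        // Plain text output, so the user ID needs no HTML escaping.
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("user: " + userId);
        out.println("auth method: " + req.getAuthType()); // e.g. BASIC or FORM
        out.println("admin role: " + isAdmin);
    }
}
```

Authorization decisions in the application should be based on isUserInRole() or the principal name; the LDAP password never reaches this code.
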
ganesh boil
Greenhorn

Joined: Sep 17, 2009
Posts: 14
Hi Holloway,

Thanks for your response. Can you have a look at my full post at http://www.coderanch.com/t/463042/Security/redirect-success-page-tomcat-using

Regards,
Ganesh
 