LDAP fastbind + non-anonymous principal lookup - again

ann.campbell at shawinc.com ann.campbell at shawinc.com
Fri Aug 1 09:54:59 EDT 2008 

I suspect I know, but could you lay out for me why "That would be very 
bad(tm)"? :-)


Thanks,
Ann

------
G. Ann Campbell
Systems Engineer
Shaw Industries





"Scott Battaglia" <scott.battaglia at gmail.com> 
Sent by: cas-bounces at tp.its.yale.edu
08/01/2008 09:31 AM
Please respond to
Yale CAS mailing list <cas at tp.its.yale.edu>


To
"Yale CAS mailing list" <cas at tp.its.yale.edu>
cc

Subject
Re: LDAP fastbind + non-anonymous principal lookup - again






You shouldn't be setting the username and password on the ContextSource! 
That would be very bad!(tm)

You should use the ContextSource to get a DirContext.  It might be 
something like getContextSource().getDirContext(username, password) or 
something similar.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


On Fri, Aug 1, 2008 at 9:16 AM, <ann.campbell at shawinc.com> wrote:

Believe I may have mis-framed what I'm doing, which is this: 

            AuthenticatedLdapContextSource ctxSrc = 
this.getContextSource(); 
        ... 
        ctxSrc.setUserDn(fullUserName); 
        ctxSrc.setPassword(credentials.getPassword()); 

So I suppose my question at this point is whether there's one instance of 
this ContextSource in the JVM or one per thread. 

Thanks for your help & input, 


Ann

------
G. Ann Campbell
Systems Engineer
Shaw Industries




"Scott Battaglia" <scott.battaglia at gmail.com> 
Sent by: cas-bounces at tp.its.yale.edu 
07/31/2008 03:55 PM 

Please respond to

Yale CAS mailing list <cas at tp.its.yale.edu>


To
"Yale CAS mailing list" <cas at tp.its.yale.edu> 
cc

Subject
Re: LDAP fastbind + non-anonymous principal lookup - again








The validation of credentials and the eventual resolution to a principal 
are two separate actions.

Nothing precludes you from binding to a Context and retrieving attributes 
you just don't do it in the AuthenticationHandler, which is used to 
authenticate that the provided credentials are valid.

If you try and do stuff in the wrong section of course its going to feel 
like a hack.  Take a look at the CredentialsToPrincipalResolver which 
you'll notice actually returns a Principal whereas the 
AuthenticationHandler merely returns true or false.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


On Thu, Jul 31, 2008 at 3:48 PM, <ann.campbell at shawinc.com> wrote: 

I have to pose a question that my colleagues and I have been asking each 
other for a few days now: 

If you have user-provided credentials that authenticate against a 
directory, why _wouldn't_ you use them for principal lookup and attribute 
retrieval? Just by default? I'm not trying to be smarmy here. I'd really 
like to understand this from an architectural standpoint. 

Also, it _looks_ like an easy way out in FastBindLdapAuthenticationHandler 
(or some variation thereof)  to set the user's credentials into the 
Context's UserDn and Password. It works like a champ, but it _feels_ like 
a bad idea. 

I'm only setting the credentials into the Context after successful login 
and I'm resetting them to empty string at the top of the 
authenticateUsernamePasswordInternal routine to minimize the chance that 
userB could ride userA's coattails into the system. But I have a lingering 
sense of doubt. 

Thoughts? Please? I'm looking for an elegant way to handle this, but what 
I've come up with feels like a hack. 


Thanks,
Ann

------
G. Ann Campbell
Systems Engineer
Shaw Industries

**********************************************************
Privileged and/or confidential information may be contained in this 
message. If you are not the addressee indicated in this message (or are 
not responsible for delivery of this message to that person) , you may not 
copy or deliver this message to anyone. In such case, you should destroy 
this message and notify the sender by reply e-mail.
If you or your employer do not consent to Internet e-mail for messages of 
this kind, please advise the sender.
Shaw Industries does not provide or endorse any opinions, conclusions or 
other information in this message that do not relate to the official 
business of the company  or its subsidiaries.
**********************************************************


_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

**********************************************************
Privileged and/or confidential information may be contained in this 
message. If you are not the addressee indicated in this message (or are 
not responsible for delivery of this message to that person) , you may not 
copy or deliver this message to anyone. In such case, you should destroy 
this message and notify the sender by reply e-mail.
If you or your employer do not consent to Internet e-mail for messages of 
this kind, please advise the sender.
Shaw Industries does not provide or endorse any opinions, conclusions or 
other information in this message that do not relate to the official 
business of the company  or its subsidiaries.
**********************************************************


_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas


**********************************************************
Privileged and/or confidential information may be contained in this message. If you are not the addressee indicated in this message (or are not responsible for delivery of this message to that person) , you may not copy or deliver this message to anyone. In such case, you should destroy this message and notify the sender by reply e-mail.
If you or your employer do not consent to Internet e-mail for messages of this kind, please advise the sender.
Shaw Industries does not provide or endorse any opinions, conclusions or other information in this message that do not relate to the official business of the company  or its subsidiaries.
**********************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080801/e48f5319/attachment.html

More information about the cas mailing list