Central Authentication and Authorization

Hi,

I'm researching a central authentication and authorization solution for my client.

The requirements are as follows:

1. Single sign-on for all products.
2. Client libs for Java and C++.
3. Be able to sync with other installed LDAPs.
4. Good integration with Seam (I saw JOSSO provides this).
5. Open source.

Currently I'm checking these:

• JOSSO
• CAS
• JAAS
• OpenLDAP

Has anyone used any of these (or any other solution) and can recommend one?

Thanks!

Comments

The client I have been working for (for almost two years ... ) has a similar architecture (OpenLDAP, OpenSSL, open source, Java, Seam etc etc) so I might be able to provide some tips.

The other person you can consult with is Shalom who is also working in a similar environment.

:)

In one of my previous projects we were searching for a directory service for over 3000 accounts which were spread across over 10 different services.
The solution we went with was OpenLDAP, for it was very easy to expand and it supported over 90% of the services we wanted to cover; in addition, we found it pretty easy to cover the remaining 10% by adding additional schemas to OpenLDAP.

We also took a look at Fedora Directory Services, although we found it pretty unstable at the time.
I am sure OpenLDAP has matured since then and should / can answer most of your needs, if not all of them.

Many thanks for the references and advice.

Hi,

First of all, you need to keep in mind that authentication and authorization are two separate processes.
Still, you may combine them in Java with JAAS, doing it step by step (enable the authentication module, and then authorization).

1) SSO: Kerberos.

2) API: Kerberos libs for auth, LDAP standard API libs for authz against LDAP (both part of Java since 1.5).

3) Multiple authz repos: step-by-step configuration of all the repos with JAAS.

4) Seam Integration: Seam trusts JAAS.

In addition, most app servers already support Kerberos authentication OOB:

WebsFear has a SPNEGO module.

JBoss has "negotiation" within the "JBoss Security project".