How do I provide password authentication for an LDAP server in Java?

Ok, so I have most of the shapes, but I can't put them together correctly. I'm basically trying to secure database data with a simple authentication process (using a GUI perhaps) to make sure the right people are viewing the data. I am currently using UnboundID to handle true authentication, although I am open to other methods like JAAS. Here is the method I wrote to do this (the workaround is for testing purposes):

import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;

public static boolean authenticate(String username, String password) {
    // An empty password must be rejected here: an LDAP server may treat a bind with a
    // DN and an empty password as an anonymous (unauthenticated) bind and report SUCCESS.
    if (username == null || password == null || password.isEmpty()) {
        return false;
    }

    // test-only workaround, as noted in the question
    if (username.equals("bypass") && password.equals("bypass")) {
        return true;
    }

    LDAPConnection conn = null;
    try {
        conn = new LDAPConnection(AUTH_URL, AUTH_PORT);
        // SimpleBindRequest expects the user's full DN, not a bare login name
        BindRequest request = new SimpleBindRequest(username, password);
        BindResult result = conn.bind(request);
        return result.getResultCode().equals(ResultCode.SUCCESS);
    } catch (LDAPException ex) {
        // a failed bind surfaces as an exception; the trace contains the result code, not the password
        ex.printStackTrace();
        return false;
    } finally {
        if (conn != null) {
            conn.close(); // release the connection on every path
        }
    }
}


This code is clearly dangerous due to the fact that the password is entered as clear text. I did a little bit of tinkering and found that I have to use something like SSL to actually ask for password protection. This raised another question: If I am submitting a request over SSL, shouldn't I somehow need to provide the password in cleartext form before submitting the request? Isn't it dangerous? I'm surprised that password authentication is not done with a simple API, as many applications need to be secure. I am very new to this business and would appreciate some guidance. Thanks!

+3




2 answers


Use TLS everywhere, including your LDAP connection. As long as you follow good TLS connection rules, your connection is secure. -Jim



+1


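To make Jim's advice concrete, here is an added example (not code from the question or from either answer) of the same UnboundID bind carried over LDAPS, so the password is only ever exposed inside the TLS session. The host, port, base DN and truststore path are assumed values, and the login name is mapped directly onto a uid= entry under the base DN.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;
import java.security.GeneralSecurityException;
import javax.net.SocketFactory;

public final class LdapsAuthenticator {
    // Assumed deployment values for this example; replace with your own.
    private static final String HOST = "ldap.example.com";
    private static final int LDAPS_PORT = 636;
    private static final String BASE_DN = "ou=people,dc=example,dc=com";
    private static final String TRUST_STORE = "/etc/app/ldap-truststore.jks";

    public static boolean authenticate(String username, String password) {
        // Reject empty passwords: a DN plus empty password may be accepted by the
        // server as an unauthenticated bind and still come back as SUCCESS.
        if (username == null || password == null || password.isEmpty()) {
            return false;
        }
        // Restrict the login name to characters that need no DN/filter escaping.
        if (!username.matches("[A-Za-z0-9._-]{1,64}")) {
            return false;
        }
        try {
            // Trust only the CAs in our own truststore; a trust-all manager would
            // let anyone on the path terminate the TLS session and read the password.
            SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
            SocketFactory sf = sslUtil.createSSLSocketFactory();
            LDAPConnection conn = new LDAPConnection(sf, HOST, LDAPS_PORT);
            try {
                String dn = "uid=" + username + "," + BASE_DN;
                // The server still receives the password in clear, but it is
                // encrypted on the wire; that is exactly what TLS buys you here.
                BindResult result = conn.bind(new SimpleBindRequest(dn, password));
                return result.getResultCode() == ResultCode.SUCCESS;
            } finally {
                conn.close(); // never leak the connection, success or failure
            }
        } catch (LDAPException e) {
            // Wrong credentials arrive as an exception; log the code, never the password.
            System.err.println("LDAP bind failed: " + e.getResultCode());
            return false;
        } catch (GeneralSecurityException e) {
            System.err.println("TLS setup failed: " + e.getMessage());
            return false;
        }
    }
}
```

If the server only offers StartTLS on port 389, the same SSLUtil context can be used to upgrade the plain connection before the bind; the bind itself must never be sent before the TLS layer is in place.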


You can use the Stormpath Servlet Plugin to authenticate your users. You just need to follow these very simple steps to create a ready-to-use web application.

You can also use the Servlet App sample (completely open source) as the basis for your web application.

You'll get:
  • From the full window of the web application
  • Complete user management: user authentication, user management, user storage, workflows, etc.
  • API Management
  • Hassle-free world-class security
  • Frequent free updates

So the workflow will be like this. You will redirect your users to the Login page (or Registration for them to register first). Once your user is properly authenticated (via login), you can get your own code executed via the Following URI or SuccessfulAuthenticationRequestEvent .

Disclaimer, I am an active member of Stormpath.

0

