Using Tomcat Realm to perform Active Directory Authentication/Authorization

Introduction

I have been asked to implement an authentication and authorization mechanism to an existing legacy application built using Software AG Apama.

The best option in this case would be to implement a custom Login Module for Apama but this was not an option due to many non-tech reasons.

Workaround

Apama generates a .war file during build process and it is executed under Apache Tomcat.

So I have decided to use Tomcat to provide this security mechanism.

Implementation

To do so I have changed my server.xml and included the following config.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.CombinedRealm">

<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>

<Realm className="org.apache.catalina.realm.JNDIRealm"
adCompat="true"
connectionName="CN=Application Service User,OU=Crypto,OU=Example Applications Group,DC=example,DC=net"
connectionPassword="service_user_password"
connectionURL="ldap://example.net:389"
userBase="DC=example,DC=net"
userSearch="(&amp;(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=DEV_CRYPTO_DASHBOARD,OU=Crypto,OU=Example Applications Group,DC=example,DC=net))"
userSubtree="true"
roleBase="DC=example,DC=net"
roleName="cn"
roleNested="true"
roleSearch="(&amp;(member={0})(cn=DEV_CRYPTO_DASHBOARD))"
roleSubtree="true"
/>
</Realm>
</Realm>

Caveats

Role validation

JNDIRealm expects to do the authentication process and load roles from LDAP. The application itself should validate access based on roles granted for the authenticated user.

Since changing legacy application was not an option we are validating user membership at user search.

Nested groups

In Active Directory it is possible to add another group as a member of a group to improve directory management.

To validate user membership in this case we must use LDAP_MATCHING_RULE_IN_CHAIN custom matching rule during the search process as described here.

To do so we have to change or membership (memberOf=CN=DEV_CRYPTO_DASHBOARD,OU=Crypto,OU=Example Applications Group,DC=example,DC=net) to (memberOf:1.2.840.113556.1.4.1941:=CN=DEV_CRYPTO_DASHBOARD,OU=Crypto,OU=Example Applications Group,DC=example,DC=net).