I have been asked to implement an authentication and authorization mechanism for an existing legacy application built using Software AG Apama.
The best option in this case would be to implement a custom Login Module for Apama, but this was not possible for a number of non-technical reasons.
Apama generates a .war file during the build process, and it runs under Apache Tomcat.
So I decided to use Tomcat to provide this security mechanism.
To do so I changed my server.xml and included the following config.
JNDIRealm performs the authentication and loads the user's roles from LDAP. The application itself is expected to enforce access based on the roles granted to the authenticated user.
Since changing the legacy application was not an option, we validate group membership in the user search itself: a user who is not in the required group is simply never found, so the bind never happens.
In Active Directory a group can itself be a member of another group (nested groups), which simplifies directory management.
A plain memberOf comparison only sees direct membership, so to validate membership through nested groups the search must use the LDAP_MATCHING_RULE_IN_CHAIN extensible matching rule (OID 1.2.840.113556.1.4.1941), as described here.
To do so we have to change our membership filter from
(memberOf=CN=DEV_CRYPTO_DASHBOARD,OU=Crypto,OU=Example Applications Group,DC=example,DC=net) to
(memberOf:1.2.840.113556.1.4.1941:=CN=DEV_CRYPTO_DASHBOARD,OU=Crypto,OU=Example Applications Group,DC=example,DC=net).
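For reference, here is an illustrative JNDIRealm element that applies this filter in the user search. It is an added example, not the post's own server.xml; the connection URL, service account DN and base DNs are assumed placeholders, while the group DN is the one used above.

```xml
<!-- Hypothetical server.xml excerpt (added illustration, not the original post's config).
     Host, service account and base DNs are placeholders to be replaced. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ad.example.net:636"
       connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=net"
       connectionPassword="REPLACE_ME"
       referrals="follow"
       userBase="DC=example,DC=net"
       userSubtree="true"
       userSearch="(&amp;(objectClass=user)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=DEV_CRYPTO_DASHBOARD,OU=Crypto,OU=Example Applications Group,DC=example,DC=net))"
       roleBase="OU=Example Applications Group,DC=example,DC=net"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
<!-- Direct-membership-only variant of the last clause, which misses users in nested groups:
     (memberOf=CN=DEV_CRYPTO_DASHBOARD,OU=Crypto,OU=Example Applications Group,DC=example,DC=net)
     Note that inside an XML attribute the leading "&" of the AND filter must be written as "&amp;". -->
```

Tomcat substitutes the submitted username for {0} in userSearch (and the found user's DN for {0} in roleSearch), so a user outside the group, directly or through nesting, is never located and the password bind is never attempted.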