Timothy, you rock!

Eelco

On 5/18/06, Timothy Bennett <[EMAIL PROTECTED]> wrote:
On 5/18/06, Michiel Trimpe <[EMAIL PROTECTED]> wrote:

> Has anyone already tried to implement LDAP-authentication with Wicket?

Yup, and in earnest. Check out what we are doing with Triplesec over at http://docs.safehaus.org/display/TRIPLESEC/Home . Triplesec is a strong authentication identity management platform built on top of Apache Directory (http://directory.apache.org), and offers 2-factor authentication and authorization services using standards like LDAP, Kerberos, and HOTP.

We are using Wicket for the Triplesec server's web-based configuration wizard, admin application, account registration wizard, and demo apps, all of which require LDAP integration. In fact, if you are at JavaOne this week, you'll see the Triplesec-Wicket apps as part of the Triplesec presentation.

One of the cool things about Triplesec is that we also have some very nice APIs for dealing with both authentication and authorization, and we've integrated these APIs with Wicket. There is the Guardian API, which is a read-only API for performing Kerberos (and LDAP) authentication and subsequent authorization by providing access to your application's security policy in the Triplesec LDAP store -- which gives you nice APIs to access a user's security profile for your application, accessing his roles, permissions, and denials (http://docs.safehaus.org/display/TRIPLESEC/Guardian+API+User%27s+Guide). There is also a read-write Admin API, which provides some nice APIs for managing users, password changes, application policies, security profiles, roles, and permissions. Javadocs for the APIs are at http://triplesec.safehaus.org/maven/apidocs/index.html.

At my day job... we are using Triplesec for Identity Management and my Wicket apps authenticate against Triplesec via Guardian. Integration with Wicket and Guardian's authorization APIs provides my apps with role-based (and/or permission-based) access control at the deepest fine-grained component-level in Wicket.

> If so, do you have some examples??

Working on some docs at Safehaus now. When they are ready, I'll post here and update the Wicket wiki to point to them. I'm still putting the finishing touches on integration with Wicket's 1.2 role-based authorization interfaces.

> If not, could someone give me quick step-by-step pointers of what is needed to implement it?

Now that my shameless plug of Triplesec is over... if you can't use Triplesec for an Identity Management platform, or your application use case involves a "vanilla" LDAP integration, I might suggest you check out something like: http://ldaptemplate.sourceforge.net/

LdapTemplate is a project that seeks to provide a Spring Dao pattern for LDAP integration much like Spring's own JdbcTemplate and HibernateTemplate APIs. It's on my TODO list, but I suspect you could take LdapTemplate and the Wicket-Spring integration extensions and have a nice Dao pattern for LDAP integration. But you'll have to do all the work to set up your LDAP as an authN and authZ store....

...which is what makes Triplesec and Guardian especially nice is that it is already set up as a specialized LDAP store for authN and authZ, including out-of-the-box support for optional one-time passwords generated by a midlet app you download to your cell phone instead of some keychain fob.

-- timothy

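For the "vanilla" LDAP case mentioned in the thread, here is a search-then-bind check using plain JNDI, the kind of method a Wicket sign-in form could call. It is an added example, not code from the thread, Triplesec or LdapTemplate; the server URL, search base, `uid` login attribute and anonymous search are assumptions.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapBindAuthenticator {
    // Assumed values: replace with your directory's URL, search base and login attribute.
    static final String URL = "ldaps://ldap.example.test:636";
    static final String BASE = "ou=users,dc=example,dc=test";

    // RFC 4515 escaping, so a username cannot change the structure of the search filter.
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            boolean special = c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0';
            sb.append(special ? String.format("\\%02x", (int) c) : String.valueOf(c));
        }
        return sb.toString();
    }

    // A null dn opens an anonymous connection; otherwise a simple bind as that DN.
    static DirContext connect(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        if (dn != null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return new InitialDirContext(env);
    }

    static boolean authenticate(String username, String password) {
        // A simple bind with an empty password is an "unauthenticated" bind that servers may accept.
        if (username == null || password == null || password.isEmpty()) return false;
        try {
            DirContext search = connect(null, null); // assumed: anonymous search is permitted
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> hits =
                search.search(BASE, "(uid=" + escapeFilter(username) + ")", sc);
            String dn = hits.hasMore() ? hits.next().getNameInNamespace() : null;
            boolean unique = dn != null && !hits.hasMore(); // ambiguous match: refuse
            search.close();
            if (!unique) return false;
            connect(dn, password).close(); // succeeds only if the directory accepts the password
            return true;
        } catch (NamingException e) {
            return false; // fail closed on bad credentials or directory errors
        }
    }

    public static void main(String[] args) {
        System.out.println(escapeFilter("j*(doe)"));   // constructed input with filter metacharacters
        System.out.println(authenticate("alice", "")); // rejected before any network traffic
    }
}
```

Authorization (roles and permissions) is a separate lookup after a successful bind, which is the part the thread says you have to design yourself with a plain directory.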
_______________________________________________
Wicket-user mailing list
https://lists.sourceforge.net/lists/listinfo/wicket-user
