TOM KEMP'S CENTRIFY BLOG
Saturday, March 15, 2008
Recently we have seen a lot of interest in our Java and J2EE integration capabilities with Active Directory. I wanted to use this blog entry to give some thoughts on why we do it and how we do it.
For many enterprises it makes sense to use the Active Directory infrastructure they already have in place to control access to their Java and J2EE web applications, just as they do for other Windows-integrated systems and applications. This is traditionally done with the LDAP authentication plug-ins that J2EE application servers ship with, which authenticate users by binding to Active Directory over LDAP. These plug-ins work well enough for username/password authentication in simple environments with a single Active Directory domain.
However, most enterprises have a more complex Active Directory infrastructure with more than one domain, and having to enter a username and password for every application is not acceptable. Enterprises want a silent authentication experience for Java and J2EE applications that is secure and works like other Windows-integrated systems and applications. DirectControl for web applications leverages the technology developed for DirectControl for systems to provide secure, silent integrated Windows authentication and authorization for Java and J2EE web applications in the most complex Active Directory environments. It also provides secure LDAP communication with Active Directory domain controllers and fails over between them without any complicated configuration.
Because it reuses the technology developed for DirectControl for non-Microsoft operating systems, once the system running the web application server is joined to an Active Directory domain, no further configuration is needed for secure LDAP communication with, and fail-over between, the Active Directory domain controllers. J2EE application server administrators simply configure the application server and the application to authenticate through DirectControl, using the standard J2EE and application server tools and consoles. Administrators control which authentication methods each application uses and falls back to, for example Kerberos, then NTLM, then username/password (each step in that chain is weaker than the one before it, so the chain should be no longer than an application's clients require), as well as the Active Directory groups and users that may access each application. They can also control which user attributes from Active Directory are passed to each application should the application need more fine-grained access control.
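The fallback chain described above is, on the wire, an HTTP authentication negotiation: the server advertises the methods an application allows in its 401 response, the client picks the strongest one it can use, and a Windows client that cannot obtain a Kerberos ticket quietly sends NTLM instead, either as a raw NTLMSSP message or wrapped inside a SPNEGO token. The following Python example is added here and is not Centrify's or DirectControl's code; it shows the server side of that chain generically: the WWW-Authenticate challenges a 401 carries for a configured method order, and how to tell from the Authorization header whether a client actually authenticated with Kerberos, fell back to NTLM, or sent a password. The method names, the realm, and the sample tokens (whose Kerberos mechToken is a placeholder rather than a real AP-REQ) are constructed for the example; the OIDs are the standard SPNEGO, Kerberos and NTLMSSP ones.

```python
"""Server-side view of the Kerberos -> NTLM -> password fallback chain over HTTP.
Illustrative code, not Centrify's: it advertises the configured methods on a 401 and
classifies what a client actually sent, including NTLM carried inside a SPNEGO token."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}  # RFC 1964 OID and the MS variant
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def challenge_headers(methods, realm="app"):
    """WWW-Authenticate values for a 401, in the per-application fallback order.
    An application whose policy is Kerberos only simply never advertises NTLM or Basic."""
    scheme = {"kerberos": "Negotiate", "ntlm": "NTLM", "password": f'Basic realm="{realm}"'}
    return [scheme[m] for m in methods]


# Minimal DER helpers, enough to build and read a SPNEGO NegTokenInit (RFC 4178).
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos (definite lengths only)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def decode_oid(raw):
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def build_negtokeninit(mech_oids, mech_token=b""):
    """GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit, as a client sends it."""
    fields = der(0xA0, der(0x30, b"".join(encode_oid(o) for o in mech_oids)))  # [0] mechTypes
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))  # [2] mechToken for the first mechanism
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))


def spnego_mech_types(token):
    """Mechanism OIDs a NegTokenInit offers, in the client's order of preference."""
    if token[:1] != b"\x60":
        raise ValueError("not a GSS-API InitialContextToken")
    _, body, _ = der_read(token)
    tag, this_mech, pos = der_read(body)
    if tag != 0x06 or decode_oid(this_mech) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, choice, _ = der_read(body, pos)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, init_seq, _ = der_read(choice)
    tag, mech_types, _ = der_read(init_seq)
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, oid_seq, _ = der_read(mech_types)
    oids, pos = [], 0
    while pos < len(oid_seq):
        _, raw, pos = der_read(oid_seq, pos)
        oids.append(decode_oid(raw))
    return oids


def classify_authorization(header):
    """Map an Authorization header to (method, detail). Kerberos is credited only when the
    client's first offered mechanism is Kerberos; NTLM inside SPNEGO means the client could
    not obtain a service ticket and silently fell back, which is worth logging."""
    scheme, _, b64 = header.partition(" ")
    data = base64.b64decode(b64)
    scheme = scheme.lower()
    if scheme == "basic":
        user, _, _password = data.decode("utf-8", "replace").partition(":")
        return "password", user
    if scheme == "ntlm" or data.startswith(b"NTLMSSP\x00"):
        return "ntlm", "raw"  # NTLMSSP message in an NTLM or a Negotiate header
    if scheme == "negotiate":
        mechs = spnego_mech_types(data)
        if mechs and mechs[0] in KERBEROS_OIDS:
            return "kerberos", mechs[0]
        if NTLMSSP_OID in mechs:
            return "ntlm", "spnego"
        return "unknown", ",".join(mechs)
    return "unknown", scheme


# Constructed sample tokens; the Kerberos mechToken is a placeholder, not a real AP-REQ.
KERBEROS_FIRST = build_negtokeninit(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", NTLMSSP_OID], b"ap-req")
NTLM_ONLY = build_negtokeninit([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")


def sample_headers():
    """Authorization headers as four different clients would send them (constructed)."""
    return {
        "kerberos": "Negotiate " + base64.b64encode(KERBEROS_FIRST).decode(),
        "ntlm_in_spnego": "Negotiate " + base64.b64encode(NTLM_ONLY).decode(),
        "ntlm_raw": "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
        "basic": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    }
```

The point of `classify_authorization` is that "Negotiate" in the header does not mean Kerberos was used: the mechTypes list inside the SPNEGO token shows what the client was able to offer, and a first entry of NTLMSSP is a downgrade the server should record. Note also that `challenge_headers` implements the fallback policy simply by what it advertises; a 401 that never lists `Basic` cannot be talked down to a password.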
For enterprises that want to provide access to external users or partners, application server administrators can configure the Java and J2EE application server and application for ADFS (Active Directory Federation Services) authentication using DirectControl for web applications. With ADFS, users are first authenticated by any integrated Windows authentication method in their own domain; a signed token (a SAML assertion) generated by an ADFS server in the user's domain is then sent to the J2EE application server. DirectControl for web applications authenticates the user by validating the signed token; a valid token is one whose signature checks against the partner's ADFS signing certificate and whose conditions (the audience it was issued for and its validity period) are met. As with internal users, administrators control which user or group assertions found in the token may access an application, and which attributes found in the token are passed to the application should it need more fine-grained access control.
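As an added example (not DirectControl's code, and written in Python rather than for any particular J2EE server), here are the checks a relying party must make on the ADFS token once its XML signature has been verified against the partner's ADFS signing certificate: that the issuer and audience are the expected ones, that the assertion is inside its validity window, that one of its group claims is permitted for the application, and which claims are forwarded to the application. The signature verification itself needs an XML-Signature library and is assumed to have been done before this code runs, because a token that passes every check below but was not signed by the partner proves nothing. The assertion, the issuer and audience URIs, the user and group names, and the ADFS 1.x claim names under `http://schemas.xmlsoap.org/claims` are constructed for the example.

```python
"""Relying-party checks on an ADFS (SAML 1.1) assertion after its signature has been verified:
issuer, validity window, audience, group-based admission, and the claims handed to the app.
Illustrative code, not Centrify's."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"  # ADFS 1.x organization-claim namespace (assumed)
UPN_CLAIM = CLAIMS_NS + "/UPN"
GROUP_CLAIM = CLAIMS_NS + "/Group"

# Constructed sample values: the partner's federation server and this application.
PARTNER_ISSUER = "urn:federation:partner.example"
APP_AUDIENCE = "urn:federation:myapp.example"
SAMPLE_NOW = dt.datetime(2008, 3, 15, 12, 30, tzinfo=dt.timezone.utc)
SAMPLE_LATE = dt.datetime(2008, 3, 15, 13, 30, tzinfo=dt.timezone.utc)

# Constructed assertion (the ds:Signature element has been omitted; see the lead-in).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_example" Issuer="{PARTNER_ISSUER}" IssueInstant="2008-03-15T12:00:00Z">
  <saml:Conditions NotBefore="2008-03-15T12:00:00Z" NotOnOrAfter="2008-03-15T13:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{APP_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice@partner.example</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@partner.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Group" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Partners</saml:AttributeValue>
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(s):
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(s, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML timestamp: {s!r}")


def claims_from_assertion(xml_text, *, expected_issuer, expected_audience, now):
    """Check Issuer and Conditions (time window, audience); return {claim_type: [values]}.
    Raises ValueError on any failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion")
    if root.get("Issuer") != expected_issuer:
        raise ValueError(f"unexpected Issuer {root.get('Issuer')!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Conditions element missing")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this application")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims.setdefault(key, []).extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    return claims


def authorize(claims, *, allowed_groups, attrs_to_pass):
    """Admit if any Group claim is in the application's allowed set; forward only the
    configured claim types so the application never sees the rest of the token."""
    allowed = bool(set(claims.get(GROUP_CLAIM, [])) & set(allowed_groups))
    passed = {k: claims[k] for k in attrs_to_pass if k in claims}
    return allowed, passed


def evaluate(xml_text, *, expected_issuer, expected_audience, now, allowed_groups, attrs_to_pass):
    """Whole decision as one record; a failed token check is a denial with its reason."""
    try:
        claims = claims_from_assertion(xml_text, expected_issuer=expected_issuer,
                                       expected_audience=expected_audience, now=now)
    except (ValueError, ET.ParseError) as e:
        return {"allowed": False, "reason": str(e), "principal": None, "attributes": {}}
    allowed, passed = authorize(claims, allowed_groups=allowed_groups, attrs_to_pass=attrs_to_pass)
    principal = (claims.get(UPN_CLAIM) or [None])[0]
    reason = "group claim matched" if allowed else "no permitted group claim in token"
    return {"allowed": allowed, "reason": reason, "principal": principal, "attributes": passed}
```

Two design points worth keeping when wiring this into a real application server: the audience check is what stops a token issued to one partner application from being replayed at another, and the validity window must be evaluated against the server's own clock, so the federation servers and the J2EE host need to be time-synchronised or legitimate tokens will be rejected at the edges of the window.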
For more information, check out the following links:

[Many thanks to one of our top developers, Lily Hsiao, for helping me with this blog entry.]