Using LDAP Login Module to authenticate users with LDAP server in hybrid applications
improve this page | report issueOverview
You can use the LdapLoginModule
class to authenticate users with LDAP servers such as OpenLDAP or Active Directory.
The LdapLoginModule
class implements the UserNamePasswordLoginModule
interface. Therefore, you must use it in conjunction with an authenticator that implements the UsernamePasswordAuthenticator
interface. For example: FormBasedAuthenticator
.
For more information about how to implement the UsernamePasswordAuthenticator
interface, see Custom Authentication.
In this tutorial, you learn how to configure and use the LdapLoginModule
class to protect various IBM MobileFirst Platform Foundation entities.
- Configuring the authenticationConfig.xml file
- Protecting a JavaScript adapter
- Protecting a Java adapter
- Creating the client-side authentication components
- Sample application
Configuring the authenticationConfig.xml file
Realm
- Add an authentication realm to the
realms
section of theauthenticationConfig.xml
file and call itLDAPRealm
. - Use
FormBasedAuthenticator
in theclassName
element because it implements the requiredUsernamePasswordAuthenticator
interface.
This realm uses LDAPLoginModule
as a login module, which you define in the Login module section.
Login module
- Add a login module to the
loginModules
section and call itLDAPLoginModule
. - Use
com.worklight.core.auth.ext.LdapLoginModule
in theclassName
element.- The
ldapProviderUrl
parameter is mandatory. It defines the URL of your LDAP server. - The
ldapTimeoutMs
parameter is mandatory. It defines the timeout for LDAP server requests (in milliseconds). - The
ldapSecurityAuthentication
parameter is mandatory. It defines the type of authentication that is required by LDAP server. The usual value issimple
, but you might need to contact LDAP administrator for a more appropriate value. - The
validationType
parameter is mandatory. It defines the type of validation that is performed.
LdapLoginModule
supports three types of validation:exists
: The login module tries to establish the LDAP binding by using the supplied credentials. The validation of the credentials is considered successful when binding is successfully established.searchPattern
: The login module first tries to run theexists
validation. After such validation is successful, the login module issues a search query to the LDAP server context according to theldapSearchFilterPattern
andldapSearchBase
parameters. Credential validation is considered successful if a search query returns one or more entries.custom
: Use this value to enable a custom validation logic. The login module tries to run theexists
validation. After such validation is successful, the login module calls thepublic boolean doCustomValidation(LdapContext ldapCtx, String username)
method. You can override this method by creating a custom Java class in your project and extending thecom.worklight.core.auth.ext.UserNamePasswordLoginModule
class.
For more information about custom LDAP validation types, see the user documentation.
- The
ldapSecurityPrincipalPattern
parameter is mandatory. It defines the pattern in which LDAP security principal is sent to the LDAP server. You can use a{username}
placeholder to inject the user name from the authenticator. - The
ldapSearchFilterPattern
andldapSearchBase
parameters are optional. They apply only to thesearchPattern
validation type.
- The
Security test
Add a security test to the securityTests
section of the authenticationConfig.xml
file.
You use this security test to protect the adapter procedure. Therefore, use the customSecurityTest
element.
Remember the security test name because you will reuse it to protect adapters.
Protecting a JavaScript adapter
- Create an adapter and name it DummyAdapter.
- Add a
getSecretData
procedure and protect it with the security test that you created previously.
In this module, the getSecretData
procedure returns some hardcoded value:
Protecting a Java adapter
- Create a Java adapter.
- Add a
getSecretData
method and protect it with the realm that you created previously.
In this module, thegetSecretData
procedure returns some hardcoded value: - To set the new realm as the default user identity for the application, in the application descriptor, add this option:
Creating the client-side authentication components
The application consists of two main div
elements:
- The
AppDiv
element displays the application content. - The
AuthDiv
element is used for authentication forms.
When authentication is required, the application hides the AppDiv
element and shows the AuthDiv
element.
When authentication is complete, it does the opposite.
The buttons are used to call the getSecretData
procedure and to log out.
The AuthDiv
element is styled as display:none
because it must not be displayed before authentication is requested by server.
Challenge handler
Use the WL.Client.createChallengeHandler
method to create a challenge handler object. Supply a realm name as a parameter.
isCustomResponse
The isCustomResponse
function of the challenge handler is called each time a response is received from the server. That function is used to detect whether the response contains data that are related to this challenge handler. It must return true
or false
.
The default login form that is returned from the MobileFirst server contains the j_security_check
string. If the challenge handler detects it in the response, it returns true
.
handleChallenge
If the isCustomResponse
method returns true
, the framework calls the handleChallenge
function. This function is used to perform required actions, such as hide the application screen or show the login screen.
After the client application detects that the server sent a login form, which means that the server is requesting authentication, the application hides the AppDiv
, shows the AuthDiv
, and cleans up the passwordInputField
element.
Other methods
In addition to the methods that the developer must implement, the challenge handler contains functionality that the developer might want to use:
- The
submitLoginForm
function sends collected credentials to a specific URL. The developer can also specify request parameters, headers, and callbacks. - The
submitSuccess
function notifies the framework that the authentication process completed successfully. The framework then automatically issues the original request that triggered authentication. - The
submitFailure
function notifies the framework that the authentication process completed with failure. The framework then disposes of the original request that triggered authentication.
Important: You must attach each function to its object. For example: myChallengeHandler.submitSuccess()
Login button
A click on a Login button triggers a function that collects the user name and password from the HTML input fields and submits them to the server.
It is possible to set request headers here, and to specify callbacks.
The form-based authenticator uses the hardcoded j_security_check
URL component. You cannot have more than one instance of it.
Cancel button
A click on a Cancel button hides AuthDiv
, shows AppDiv
, and notifies the framework that authentication failed.
submitLoginFormCallback
The callback function checks the response for the containing server challenge again. If a challenge is found, the handleChallenge
function is called again.
No challenge in the server response means that authentication completed successfully. In this case, AppDiv
is shown, AuthDiv
is hidden, and the framework is notified about authentication success.
Sample application
Click to download the MobileFirst project.
▲Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.