  1. #1
    bvilten (Member)

    LDAP - Active Directory Login with JNDI

    Hello All,

    I have been working my way through HFJ and decided to branch out a bit on a personal project. I have a working login GUI interface Class and a working LDAP authentication Class. The authentication Class is using JNDI to authenticate against an Active Directory Server. I am interested in how you think it could be improved, particularly in regards to security, as I seem to be a bit foggy as to what (class, methods, and vars) should be set for private access and what should not. I am also fairly sure that my use of the JPasswordField.getPassword() method is not exactly what it should be.

    Thank You for your time.

    Java Code:
    // Login GUI Class
    
    import javax.swing.*;
    import java.awt.*;
    import java.awt.event.*;
    
    public class ldapLoginPost implements ActionListener {
    
        JFrame frame;
        JPanel panel;
        JButton button;
        JTextField username;
        JPasswordField password;
        JLabel usernameLbl;
        JLabel passwordLbl;
        JLabel resultLbl;
        int result;
    
        public static void main (String[] args) {
            ldapLoginPost gui = new ldapLoginPost();
    
            gui.go();
        }
        public void go() {
            frame = new JFrame();
            frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
    
            button = new JButton("Login");
            button.addActionListener(this);
            username = new JTextField(20);
            username.setText("");
            password = new JPasswordField(20);
            password.setText("");
            resultLbl = new JLabel(" ");
            usernameLbl = new JLabel("Enter Username");
            passwordLbl = new JLabel("Enter Password");
            panel = new JPanel();
            frame.getContentPane().add(BorderLayout.CENTER, panel);
            panel.add(usernameLbl);
            panel.add(username);
            username.requestFocusInWindow();
            panel.add(passwordLbl);
            panel.add(password);
            panel.add(resultLbl);
            panel.add(button);
            frame.setSize(300,600);
            frame.setVisible(true);
        }
    
    
        public void actionPerformed(ActionEvent event) {
            char[] passwordVar = password.getPassword();
            String passString = new String(passwordVar);
            String currentUser = (username.getText());
            if (currentUser.isEmpty() || passString.isEmpty()) {
                result = 2;
            } else {
                String[] inputLine;
                inputLine = new String[2];
                inputLine[0] = currentUser;
                inputLine[1] = passString;
                ldapConnPost connect = new ldapConnPost();
                result = connect.setUpConnection(inputLine);
            }
            if (result == 1) {
                username.setText("");
                password.setText("");
                resultLbl.setText("");
            }
            if (result == 2) {
                resultLbl.setText("Blank fields are not allowed");
                System.out.println("Connection Class not called");
            }
    
            if (result == 0) {
                resultLbl.setText("Login Failed");
                password.setText("");
            }
        }
    }

    Authentication Class

    Java Code:
    // Authentication Class
    
    import javax.naming.*;
    import javax.naming.ldap.*;
    import java.util.Hashtable;
    import javax.naming.directory.*;
    
    public class ldapConnPost {
        int result = 0;
    
        // args[0] is the login DN, args[1] the password; returns 1 on success, 0 on failure
        public int setUpConnection(String[] args) {
            // make sure args array contains both elements before reading them
            if (args.length != 2) {
                System.exit(1);
            }
    
            // set up to authenticate against Active Directory
            String ldapHost   = "ldap://LDAP.SERVER.NET:389/DC=domain,DC=net";
            String loginDN    = args[0];
            String password   = args[1];
    
            // Set up the environment for creating the initial context
            Hashtable<String, Object> env = new Hashtable<String, Object>(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, loginDN);
            env.put(Context.SECURITY_CREDENTIALS, password);
            env.put(Context.PROVIDER_URL, ldapHost);
    
            result = simpleBind1(env);
    
            return result;
        }
    
        private int simpleBind1(Hashtable<String, Object> env) {
            try {
                DirContext ctx = new InitialDirContext(env);
                // successful bind indicates successful authentication
                System.out.println("Bind Successful");
                result = 1;
                try {
                    ctx.close(); // release the LDAP connection once the bind has been checked
                } catch (NamingException ignored) {
                    // a failed close does not change the authentication result
                }
            } catch (NamingException e) {
                System.out.println("Bind Failed");
                result = 0;
            }
    
            return result;
        }
    }
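
Added example, not part of the original thread or any poster's code: one way the authentication class could take the `char[]` from `JPasswordField.getPassword()` directly, reject an empty password before binding (JNDI downgrades a simple bind with an empty password to an anonymous bind, which succeeds without proving anything), bind over LDAPS instead of cleartext port 389, and wipe the array afterwards. The class name `LdapAuthenticator`, the `Result` enum, the `ldaps://` URL on port 636 and the 5-second timeout are assumptions.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example, not the poster's class. Assumes the directory server
// offers LDAPS on port 636 with a certificate the JVM trusts.
public final class LdapAuthenticator {
    public enum Result { OK, BAD_CREDENTIALS, BLANK_INPUT, SERVER_ERROR }

    private static final String LDAP_URL =
        "ldaps://LDAP.SERVER.NET:636/DC=domain,DC=net";

    // The caller passes JPasswordField.getPassword() directly; the array is wiped here.
    public Result authenticate(String principal, char[] password) {
        try {
            // An empty password makes JNDI fall back to an anonymous bind,
            // so it must be rejected before any bind is attempted.
            if (principal == null || principal.trim().isEmpty()
                    || password == null || password.length == 0) {
                return Result.BLANK_INPUT;
            }
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, password); // char[] is accepted
            env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // milliseconds

            DirContext ctx = new InitialDirContext(env);
            ctx.close(); // the bind was the check; release the connection
            return Result.OK;
        } catch (AuthenticationException e) {
            return Result.BAD_CREDENTIALS; // server rejected the principal/password
        } catch (NamingException e) {
            return Result.SERVER_ERROR; // unreachable host, TLS failure, etc.
        } finally {
            if (password != null) {
                Arrays.fill(password, '\0'); // do not leave the secret in memory
            }
        }
    }
}
```

Separating `BAD_CREDENTIALS` from `SERVER_ERROR` lets the GUI show "Login Failed" only when the server actually rejected the bind.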

  2. #2
    monkeyjr97 (Senior Member)

    Re: LDAP - Active Directory Login with JNDI

    Your use of getPassword() seems fine to me.

    Also you should make your instance variables private and use encapsulation, otherwise other Classes can directly access those variables and change/retrieve the values, which is obviously a security risk in this application.

    Encapsulation is the technique of making the fields in a class private and providing access to the fields via public methods (often called getters and setters). If a field is declared private, it cannot be accessed by anyone outside the class, thereby hiding the fields within the class.

    That is what I would go about doing first.

    Just from an efficiency point of view, I would reset the password field after every action event; I would move it to the very end of the action performed method. This removes duplicate code. So I would place it between lines 78/79 on the above code.

    If you are doing this:

    Java Code:
     public static void main (String[] args) {
              ldapLoginPost gui = new ldapLoginPost();           
     
                gui.go();
            }

    You might as well put your main method in a separate Class. I never run my main from inside part of a functioning Class like that; I use my main as an exe. But this is my personal preference, I think it makes the code look a lot nicer :)

    Is there a specific area you are having problems with? Or is it a general question of "How can I improve the security"?
    Last edited by monkeyjr97; 05-10-2013 at 09:44 PM.

  3. #3
    bvilten (Member)

    Re: LDAP - Active Directory Login with JNDI

    Thank You very much for the reply. I am not understanding the correct way to implement encapsulation. Would you tell me a line number that represents a field that should be marked private and perhaps where the setter method would then be placed? In the meantime I will get back to RTJM (read the Java manual :-) and see what I can figure out.

    Thanks Again

  4. #4
    monkeyjr97 (Senior Member)

    Re: LDAP - Active Directory Login with JNDI

    JFrame frame;
    JPanel panel;
    JButton button;
    JTextField username;
    JPasswordField password;
    JLabel usernameLbl;
    JLabel passwordLbl;
    JLabel resultLbl;
    int result;

    I'd make all these private, and you should know how to write getters and setters, but you don't need to really for this example since everything is done in the Class with these variables in. I would still declare all of them as private though, I rarely use public instance variables.
