Okay, so I have most of the pieces, but I can't seem to put them together properly. I'm basically trying to protect database data with a simple authentication process (maybe with a GUI) to ensure that the correct people are viewing the data. Right now I'm using UnboundID to handle the actual authentication, although I am open to other methods such as JAAS. Here is the method that I wrote for that (the bypass is for testing purposes):
import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;

public static boolean authenticate(String username, String password) {
    if (username == null || password == null) {
        return false;
    }
    // Test-only bypass (see above); remove before deployment.
    if (username.equals("bypass") && password.equals("bypass")) {
        return true;
    }
    // AUTH_URL / AUTH_PORT are the directory host and port defined elsewhere in this class.
    // try-with-resources closes the connection whether or not the bind succeeds.
    try (LDAPConnection conn = new LDAPConnection(AUTH_URL, AUTH_PORT)) {
        // SimpleBindRequest expects a bind DN (e.g. "uid=jdoe,ou=people,dc=example,dc=com"),
        // not a bare login name.
        BindRequest request = new SimpleBindRequest(username, password);
        // conn.bind() throws LDAPException for any non-SUCCESS result, e.g. invalid credentials.
        BindResult result = conn.bind(request);
        return result.getResultCode().equals(ResultCode.SUCCESS);
    } catch (LDAPException ex) {
        ex.printStackTrace();
        return false;
    }
}
This code is obviously dangerous due to the fact that the password is being inputted as plaintext. I did some digging and discovered that I should be using something like SSL for the actual request to protect the password. This raised another question: if I'm sending the request via SSL, don't I still need to somehow supply the password in plaintext form before I send the request? Isn't this dangerous? I'm surprised something like password authentication isn't done by a simple API since so many applications need to be secure. I'm very new to this stuff and would appreciate some guidance. Thanks!
Use TLS everywhere including your LDAP connection. As long as you follow good TLS connection practices your connection is safe. -jim
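The following is an added example of what the answer above recommends, written for the UnboundID SDK used in the question; it is not code from the asker or from jim. It shows the two ways to get TLS on an LDAP bind: LDAPS (TLS from the first byte on port 636) and StartTLS (plain TCP on 389, upgraded to TLS before the bind is sent). In both cases the server certificate is checked against a trust store and the hostname is verified, so the password only ever travels inside the TLS session. The host name, ports, trust store path, base DN and the class and method names are assumptions for illustration. The password is taken as a char[] and the UTF-8 copy is zeroed after the bind, which is the usual answer to "it has to be plaintext in memory before I send it": it does, but only briefly and only on the client.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RDN;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public final class TlsLdapAuth {
    // Assumed values for illustration: replace with your directory server and trust store.
    private static final String LDAP_HOST = "ldap.example.com";
    private static final int LDAPS_PORT = 636;
    private static final int LDAP_PORT = 389;
    private static final String TRUST_STORE_PATH = "/etc/app/ldap-truststore.jks";
    private static final String BASE_DN = "ou=people,dc=example,dc=com";

    private TlsLdapAuth() {}

    /** Trust only the CA certificates in our own trust store (never a trust-all manager). */
    private static SSLUtil sslUtil() {
        return new SSLUtil(new TrustStoreTrustManager(TRUST_STORE_PATH));
    }

    /** Connection options that reject a server certificate not matching LDAP_HOST. */
    private static LDAPConnectionOptions options() {
        LDAPConnectionOptions opts = new LDAPConnectionOptions();
        opts.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true));
        return opts;
    }

    /** LDAPS: the socket is TLS before any LDAP message, including the bind, is sent. */
    public static boolean authenticateOverLdaps(String uid, char[] password) {
        try {
            SSLSocketFactory sf = sslUtil().createSSLSocketFactory();
            try (LDAPConnection conn = new LDAPConnection(sf, options(), LDAP_HOST, LDAPS_PORT)) {
                return bind(conn, uid, password);
            }
        } catch (GeneralSecurityException | LDAPException e) {
            return false; // TLS setup or connection failure: treat as not authenticated
        }
    }

    /** StartTLS: connect in the clear, upgrade to TLS, and bind only if the upgrade succeeded. */
    public static boolean authenticateWithStartTls(String uid, char[] password) {
        try (LDAPConnection conn = new LDAPConnection(options(), LDAP_HOST, LDAP_PORT)) {
            SSLContext ctx = sslUtil().createSSLContext();
            ExtendedResult tls = conn.processExtendedOperation(new StartTLSExtendedRequest(ctx));
            if (tls.getResultCode() != ResultCode.SUCCESS) {
                return false; // never send the password over a cleartext connection
            }
            return bind(conn, uid, password);
        } catch (GeneralSecurityException | LDAPException e) {
            return false;
        }
    }

    /** Simple bind as uid=<uid>,BASE_DN; the password bytes are wiped after use. */
    private static boolean bind(LDAPConnection conn, String uid, char[] password) {
        if (uid == null || uid.isEmpty() || password == null || password.length == 0) {
            // An empty password is an anonymous/unauthenticated bind (RFC 4513 5.1.2),
            // which many servers accept: it must never count as a successful login.
            return false;
        }
        byte[] pw = new String(password).getBytes(StandardCharsets.UTF_8);
        try {
            // Build the DN via RDN/DN so special characters in uid are escaped, not interpreted.
            DN bindDn = new DN(new RDN("uid", uid), new DN(BASE_DN));
            BindResult result = conn.bind(new SimpleBindRequest(bindDn.toString(), pw));
            return result.getResultCode() == ResultCode.SUCCESS;
        } catch (LDAPException e) {
            return false; // includes INVALID_CREDENTIALS, which bind() raises as an exception
        } finally {
            Arrays.fill(pw, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }
}
```

Either method can replace the authenticate() above once the trust store holds the directory's CA certificate; LDAPS is the simpler choice when port 636 is available, while StartTLS keeps a single port but requires the explicit SUCCESS check before binding so that a downgraded connection never carries the password.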