Building a JAAS Active Directory Realm for Glassfish

By Anthony Mattas

At my company, we use Java for all our internal applications, and we’ve recently started new projects with Java EE. However, the LDAP module in Sun Java System Application Server (GlassFish) often struggles to work with Microsoft Active Directory. In most cases, it just doesn’t work.

Since the default setup failed, I created my own JAAS realm to authenticate users with Active Directory. I tested it on a large AD tree with multiple domains and thousands of users before sharing it.

The Problem

When I first used the default LDAP realm, logging in with usernames and passwords worked, but the realm couldn’t find the user’s groups afterward. After looking into it, I found two main problems with the default setup.

Issue 1: Escaped Commas in Distinguished Names

Microsoft, by default, stores user names as “Last, First.” This results in Distinguished Names that look like this:

CN=Last\, First,OU=Group,OU=People,DC=Domain,DC=com

The backslash escapes the comma so it isn’t treated as a separator, since LDAP uses commas to separate fields in a Distinguished Name. However, Java sees the backslash as an escape character in the string, which causes the group lookup to fail. Because of this, the realm can’t find the Distinguished Name as a group member.

Issue 2: Nested Groups

Active Directory often uses nested groups, but the default LDAP realm doesn’t check for them. It only shows direct group membership and misses any groups a user is part of through nesting. This is a major issue in enterprise environments where nested groups are common.

The Solution

I developed my own Active Directory realm to solve both of these problems:

  • Escaped comma handling: It properly processes Distinguished Names that include escaped commas.
  • Nested group traversal: It checks group membership recursively to provide complete role assignments.
  • Enterprise tested: I tested it on a large Active Directory forest with multiple domains and thousands of users.

I documented the code using JavaDoc annotations and generated HTML documentation, which I included in the repository.
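As an added illustration (not code from the ADRealm project), here are the two behaviours the realm has to get right: splitting a Distinguished Name only on unescaped commas, and walking memberOf relationships transitively with a visited set so that a nesting cycle in AD cannot loop forever. The memberOf map is constructed sample data standing in for what the realm would read from Active Directory over JNDI, and all names in it are hypothetical.

```java
import java.util.*;

public class AdGroupResolver {

    // Split a DN into its RDNs on unescaped commas, keeping "\," inside a value intact.
    static List<String> splitDn(String dn) {
        List<String> rdns = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (c == '\\' && i + 1 < dn.length()) {
                cur.append(c).append(dn.charAt(++i)); // copy the escape pair as one unit
            } else if (c == ',') {
                rdns.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        rdns.add(cur.toString());
        return rdns;
    }

    // Resolve every group a DN belongs to, directly or through nesting.
    // The visited set both de-duplicates and guarantees termination on cyclic nesting.
    static Set<String> resolveGroups(String dn, Map<String, List<String>> memberOf) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> work = new ArrayDeque<>(memberOf.getOrDefault(dn, List.of()));
        while (!work.isEmpty()) {
            String group = work.pop();
            if (seen.add(group)) {
                work.addAll(memberOf.getOrDefault(group, List.of()));
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample data: a "Last, First" user nested two groups deep, with a cycle.
        String user = "CN=Last\\, First,OU=People,DC=example,DC=com";
        String devs = "CN=Developers,OU=Groups,DC=example,DC=com";
        String staff = "CN=Staff,OU=Groups,DC=example,DC=com";
        Map<String, List<String>> memberOf = new HashMap<>();
        memberOf.put(user, List.of(devs));
        memberOf.put(devs, List.of(staff));
        memberOf.put(staff, List.of(devs)); // nesting cycle: Staff is a member of Developers

        System.out.println("naive split:   " + Arrays.asList(user.split(",")));
        System.out.println("escape-aware:  " + splitDn(user));
        System.out.println("all groups:    " + resolveGroups(user, memberOf));
    }
}
```

The naive split yields five fragments and breaks the CN in two, which is why a group membership comparison against the user's DN fails; the escape-aware split yields the four real RDNs, and the traversal returns both Developers and Staff exactly once despite the cycle.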

Bug Fix: DirectoryContext Copy Issue

Shortly after the first release, I found a bug that stopped users from signing in if they entered the wrong password. The issue was that copying a DirectoryContext is not a shallow copy. When someone entered incorrect credentials, the code accidentally updated the service account with the wrong username and password, which caused later login attempts to fail.

Lessons Learned

  1. Test failure cases, not just success cases. This bug only appeared after a failed login attempt.
  2. Understand your object references. In Java, reference semantics mean that what looks like a copy might actually be a shared reference.
  3. Enterprise LDAP is complicated. What works for standard LDAP directories often doesn’t work with Active Directory’s quirks.

Note

The source code was originally hosted at https://www.mattas.net/svn/ADRealm/, but that repository is no longer available because the code is now obsolete.

Category: Development

