Can The GlassFish Server LDAP Realm Be Configured To Disable Static And Dynamic Group Queries? (Doc ID 1439832.1)

Last updated on OCTOBER 19, 2023

Applies to:

Goal

With GlassFish Server, the LDAP realm always executes LDAP queries to find static and dynamic groups.  This is because the Java EE authentication and authorization model has the concepts of users and roles and that its possible to configure the security such that a user both has to authenticate and be a member of the correct role to invoke an operation.  When using LDAP the Java EE role concept is mapped to membership of an LDAP group.

There are two principle operations that trigger group searches:

1. The GlassFish Server will, in addition to authenticating a user by attempting a BIND to the LDAP Directory Server, will also issue a number of queries to find the static and dynamic groups the user belongs to and caches this information.
2. When access needs role authorization a check is made to find the groups a user belongs to, which can occur before the user has been authenticated.

The second check is made to ensure that the LDAP Realm picks up any changes made in the backend LDAP system that would be missed if the realm relied completely on the information it cached the first time it authenticated a used. 

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.