Every client we have seems to have a different method for achieving single sign-on, so we have written various custom security realms when the standard realms offered in various J2EE application servers are not adequate. This is both tedious and a potential security risk: any defects in this code could allow unauthorized access.
What advice do you have for J2EE developers who want to integrate their applications into the wide range of LDAP, Microsoft and other SSO systems?
In J2EE security, configuring realms is a vendor-specific practice. The key reason is that the J2EE specification does not dictate how a realm is required to be implemented and configured; all it is supposed to do is store the users, groups and roles. It also doesn't matter whether you use LDAP, Active Directory, an RDBMS or even a flat file; each realm has its good and bad characteristics. The key advantage of using LDAP in J2EE is that it has JNDI support.
To ensure the security of your realm, it is very important to secure the realm information and also the communication with the realm. For example, in an LDAP-based realm you would choose to use SSL for the communication and use encryption to secure critical LDAP-based information.
From a J2EE security and single sign-on (SSO) standpoint, you may choose to adopt the "Authentication Enforcer" and "Authorization Enforcer" patterns to support multiple authentication realms and provide a consistent user SSO experience. In both patterns, we recommend the use of JAAS-based authentication and authorization strategies.
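The following is an added example, not code from the interview or from any vendor product it mentions, of the Authentication Enforcer pattern built on plain JAAS: applications call one authenticate() method, and the realm behind it is chosen by configuration rather than by custom code in the application. It shows one constructed in-memory realm (the user table and its salt are made up for the demo and stand in for an RDBMS or flat-file realm) and one LDAP realm that binds over SSL through JNDI; the realm names "demo" and "corp-ldap", the host ldap.example.com and the base DN are assumptions, and the LDAP module needs a reachable server, so main() exercises only the in-memory realm.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Authentication Enforcer on top of JAAS: applications call one method; realms are swapped in configuration. */
public class AuthenticationEnforcerDemo {

    public static class AuthenticationEnforcer {
        private final Configuration config;
        AuthenticationEnforcer(Configuration config) { this.config = config; }

        /** Returns the authenticated Subject or throws LoginException; callers never branch on realm type. */
        public Subject authenticate(String realm, String user, char[] password) throws LoginException {
            CallbackHandler handler = callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            };
            LoginContext ctx = new LoginContext(realm, new Subject(), handler, config); // unknown realm -> LoginException
            ctx.login();
            return ctx.getSubject();
        }
    }

    /** Programmatic JAAS Configuration: realm name -> login-module stack (in production this is the jaas.conf file). */
    public static class RealmConfiguration extends Configuration {
        private final Map<String, AppConfigurationEntry[]> realms = new HashMap<>();
        RealmConfiguration addRealm(String name, Class<? extends LoginModule> module, Map<String, ?> options) {
            realms.put(name, new AppConfigurationEntry[] { new AppConfigurationEntry(
                module.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) });
            return this;
        }
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return realms.get(name); }
    }

    /** Shared LoginModule skeleton: gather credentials through callbacks, delegate the realm-specific check. */
    public abstract static class BaseLoginModule implements LoginModule {
        protected Subject subject; protected CallbackHandler handler; protected Map<String, ?> options;
        private String user; private boolean ok;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h; options = opts;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user"); PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException("callback failed"); }
            user = nc.getName() == null ? "" : nc.getName();
            char[] pw = pc.getPassword(); if (pw == null) pw = new char[0];
            try { ok = check(user, pw); } finally { Arrays.fill(pw, '\0'); pc.clearPassword(); } // scrub the secret
            if (!ok) throw new FailedLoginException("authentication failed"); // same message for unknown user and bad password
            return true;
        }
        protected abstract boolean check(String user, char[] password) throws LoginException;
        @Override public boolean commit() { if (ok) subject.getPrincipals().add(() -> user); return ok; }
        @Override public boolean abort() { ok = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Constructed demo realm (stand-in for an RDBMS or flat-file realm): stores PBKDF2 hashes, never cleartext. */
    public static class InMemoryLoginModule extends BaseLoginModule {
        static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8); // real stores: random salt per user
        static final Map<String, byte[]> USERS = Map.of("alice", pbkdf2("correct horse".toCharArray(), SALT));
        @Override protected boolean check(String user, char[] password) {
            byte[] actual = pbkdf2(password, SALT);          // hash even for unknown users so timing does not leak names
            byte[] expected = USERS.get(user);
            return expected != null && MessageDigest.isEqual(expected, actual); // constant-time compare
        }
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** LDAP realm over SSL: bind as the user's own DN (needs a reachable ldaps:// server, so main() skips it). */
    public static class LdapBindLoginModule extends BaseLoginModule {
        @Override protected boolean check(String user, char[] password) throws LoginException {
            if (password.length == 0) return false;                  // empty password = anonymous bind, which "succeeds"
            if (!user.matches("[A-Za-z0-9._-]{1,64}")) return false;  // keep DN metacharacters out of the bind DN
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, options.get("url"));        // ldaps:// URL from the realm options
            env.put(Context.SECURITY_PROTOCOL, "ssl");                // encrypt the wire; server cert checked against the JVM truststore
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "uid=" + user + "," + options.get("baseDn"));
            env.put(Context.SECURITY_CREDENTIALS, new String(password));
            try { new InitialDirContext(env).close(); return true; }
            catch (javax.naming.AuthenticationException e) { return false; }
            catch (NamingException e) { throw new LoginException("realm unavailable: " + e.getMessage()); }
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = new RealmConfiguration()
            .addRealm("demo", InMemoryLoginModule.class, Map.of())
            .addRealm("corp-ldap", LdapBindLoginModule.class,                 // assumed host and base DN
                Map.of("url", "ldaps://ldap.example.com:636", "baseDn", "ou=people,dc=example,dc=com"));
        AuthenticationEnforcer enforcer = new AuthenticationEnforcer(cfg);
        Subject s = enforcer.authenticate("demo", "alice", "correct horse".toCharArray());
        System.out.println("accepted: " + s.getPrincipals().iterator().next().getName());
        for (String[] a : new String[][] { {"demo", "alice", "wrong"}, {"nosuch-realm", "alice", "correct horse"} }) {
            try { enforcer.authenticate(a[0], a[1], a[2].toCharArray()); }
            catch (LoginException e) { System.out.println("rejected (" + a[0] + "): " + e.getMessage()); }
        }
    }
}
```

The point of the pattern is visible in main(): the application code is identical for the in-memory and the LDAP realm, and switching a client from one to the other is a change to the Configuration, not to application code. The realm-specific checks that a custom realm tends to get wrong are confined to the two check() methods: refusing an empty password before an LDAP simple bind (an empty password turns it into an anonymous bind that succeeds), restricting the username before it is spliced into a DN, hashing with PBKDF2 and comparing with MessageDigest.isEqual so that neither the hash nor the compare is a timing oracle, and returning one generic failure message whether the user is unknown or the password is wrong. The SECURITY_PROTOCOL "ssl" setting gives the encrypted LDAP channel the answer calls for; it only helps if the JVM truststore actually validates the directory server's certificate.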