Hi Team,

I have been trying JBoss authentication and authorization against 
Active Directory and am having a problem. My working steps are as below. Can anybody 
help me with this?


Step 1: in "login-config.xml" the entry is as below
-------------------------
<application-policy name="JawJaasDbRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://151.111.195.26:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.principal">ldapbrowse</module-option>
      <module-option name="java.naming.security.credentials">ldapbrowse</module-option>
      <!-- bGRhcGJyb3dzZQ== -->
      <module-option name="bindDN">CN=LDAPBrowse,OU=Enterprise Administration,DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
      <module-option name="bindCredential">ldapbrowse</module-option>
      <module-option name="baseCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">OU=Groups,OU=Freight and Commercial Vehicle Operations,OU=Program Management Division,DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <!-- <module-option name="roleAttributeIsDN">true</module-option> -->
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="defaultRole">OFCVO_RGCIP_Inventory</module-option>
      <!-- <module-option name="roleRecursion">-1</module-option> -->
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>
--------------------------
Step 2: in the "jboss.xml" file the entry is as below

------------------
<jboss-web>
  <context-root>jaw</context-root>
  <security-domain>java:/jaas/JawJaasDbRealm</security-domain>
</jboss-web>

------------------ 

Step 3: web-security.xml file
--------------

<security-constraint>
  <web-resource-collection>
    <web-resource-name>JAW Application protected Admin pages and actions.</web-resource-name>
    <description>Require users to authenticate.</description>
    <url-pattern>/test/index.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Allow Manager role to access Admin pages and actions.</description>
    <role-name>OFCVO_RGCIP_Inventory</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>JAW Guest User (unsecured)</description>
  <role-name>OFCVO_RGCIP_Inventory</role-name>
</security-role>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>JawJaasDbRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
---------------------------


index.jsp
----------------
<%@ page contentType="text/html; charset=ISO-8859-1" %>

Welcome to the application, <%= request.getRemoteUser() %>!
MnDOT Chg Access Role :<%= request.isUserInRole("MnDOT Chg Access") %>
OFCVO_RGCIP_Inventory Role :<%= request.isUserInRole("OFCVO_RGCIP_Inventory") %>
OFCVO_RGCIP_Admin Role :<%= request.isUserInRole("OFCVO_RGCIP_Admin") %>
OFCVO_RGCIP_ProjMgr Role :<%= request.isUserInRole("OFCVO_RGCIP_ProjMgr") %>
OFCVO_RGCIP_DataMaint Role :<%= request.isUserInRole("OFCVO_RGCIP_DataMaint") %>
OFCVO_RGCIP_Auditor Role :<%= request.isUserInRole("OFCVO_RGCIP_Auditor") %>
OFCVO_RGCIP_Finance Role :<%= request.isUserInRole("OFCVO_RGCIP_Finance") %>
----------------

If I enter the credentials (userid/password) of a user who doesn't have the role 
"OFCVO_RGCIP_Inventory", it's authenticating and getting the index.jsp page, 
and <%= request.isUserInRole("OFCVO_RGCIP_Inventory") %> displays "true". 
I think that once authentication is over, the defaultRole 
(<module-option name="defaultRole">OFCVO_RGCIP_Inventory</module-option>) 
is associated with the logged-in user even if he doesn't belong to that role 
in AD.


Can you help me with what's going wrong and why it's behaving like this?


Thanks,
Sreeni
914 439 3469
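The behaviour described in this post comes down to how a role list is built after the LDAP bind succeeds. As an added example (not code from the original post and not JBoss's own implementation), the Python model below performs the two steps that matter for the question: it turns the memberOf DNs that sit directly under rolesCtxDN into role names via their cn RDN (the roleNameAttributeID="cn" / ONELEVEL_SCOPE settings), and it then unions in defaultRole, which the JBoss option defines as a role included for every authenticated user. The real module's search mechanics (roleFilter, roleAttributeIsDN, roleRecursion) are deliberately not modelled. SAMPLE_DIRECTORY and its users are constructed; the function names role_sources, resolve_roles and is_user_in_role are mine.

```python
import re

# Constructed sample data (not a real directory). The OU layout mirrors the
# rolesCtxDN from the post, but the users and their group memberships are made up.
ROLES_CTX_DN = ("OU=Groups,OU=Freight and Commercial Vehicle Operations,"
                "OU=Program Management Division,DC=ad,DC=dot,DC=state,DC=mn,DC=us")

SAMPLE_DIRECTORY = {
    # sAMAccountName -> memberOf values that the user search would return
    "alice": [
        "CN=OFCVO_RGCIP_Inventory," + ROLES_CTX_DN,
        "CN=OFCVO_RGCIP_Admin," + ROLES_CTX_DN,
    ],
    "bob": [
        # member of nothing under rolesCtxDN, only a generic container group
        "CN=Domain Users,CN=Users,DC=ad,DC=dot,DC=state,DC=mn,DC=us",
    ],
}

# Split a DN on commas that are not escaped with a backslash.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def rdn_value(dn, attr="cn"):
    """Value of the leading RDN of `dn`, provided its type is `attr`
    (this is what roleNameAttributeID=cn selects from a group DN)."""
    leading = _UNESCAPED_COMMA.split(dn, maxsplit=1)[0]
    typ, sep, val = leading.partition("=")
    if not sep or typ.strip().lower() != attr.lower():
        raise ValueError(f"leading RDN of {dn!r} is not {attr}")
    return val.strip().replace("\\,", ",")


def _directly_under(dn, base_dn):
    """True when `dn` is exactly one level below `base_dn` (ONELEVEL_SCOPE)."""
    parts = _UNESCAPED_COMMA.split(dn, maxsplit=1)
    return len(parts) == 2 and parts[1].strip().lower() == base_dn.lower()


def role_sources(username, directory, roles_ctx_dn, default_role=None):
    """Map each granted role name to where it came from: "memberOf" (earned
    through AD group membership) or "defaultRole" (granted by configuration)."""
    groups = directory.get(username)
    if groups is None:
        # The bind step would already have rejected an unknown user.
        raise KeyError(f"{username}: not an authenticated user")
    sources = {}
    for dn in groups:
        if _directly_under(dn, roles_ctx_dn):
            sources[rdn_value(dn, "cn")] = "memberOf"
    if default_role:
        # Every authenticated principal receives defaultRole, whether or not AD
        # lists them in a matching group. Record it as the source only when the
        # role was not already earned through membership.
        sources.setdefault(default_role, "defaultRole")
    return sources


def resolve_roles(username, directory, roles_ctx_dn, default_role=None):
    """The final role set a servlet container would consult."""
    return set(role_sources(username, directory, roles_ctx_dn, default_role))


def is_user_in_role(username, role, directory, roles_ctx_dn, default_role=None):
    """Stand-in for request.isUserInRole() as used on index.jsp."""
    return role in resolve_roles(username, directory, roles_ctx_dn, default_role)


if __name__ == "__main__":
    for user in SAMPLE_DIRECTORY:
        print(user, role_sources(user, SAMPLE_DIRECTORY, ROLES_CTX_DN,
                                 "OFCVO_RGCIP_Inventory"))
```

Running it shows "bob" holding OFCVO_RGCIP_Inventory with source "defaultRole" although he is in no group under rolesCtxDN, which is exactly the symptom on index.jsp. When a role is meant to gate access, any "defaultRole" source in this output is a finding: the role is handed to every bound user, so the auth-constraint in web.xml is only checking that the LDAP bind succeeded, not group membership. The check a reviewer wants is that every role named in an auth-constraint resolves from "memberOf" only.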




View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3968158#3968158

_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
