JBoss Team -- 
I am trying to convert an application using JAAS on WebSphere to be using JAAS 
on JBoss. 
I have been reviewing the documentation about JBossSX and the JBoss Security 
Integration Guide and countless other documentation.

However, I feel like I am still missing some things.

1.  The implementation in WebSphere contained a file named ibm-application-bnd.xmi 
    that was located in the applicationEAR\META-INF folder. An excerpt from that 
    file follows. My first question is: is there some file that I need to define 
    like this for the JBoss configuration?
    
        <?xml version="1.0" encoding="UTF-8"?> 
        <applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi" xmi:id="ApplicationBinding_1103565947194"> 
        <authorizationTable xmi:id="AuthorizationTable_1103565947194"> 
        <authorizations xmi:id="RoleAssignment_1108662566127"> 

        <groups xmi:id="Group_1159457809140" name="App.Prod.~~~.BranchManager"/> 
        <groups xmi:id="Group_1159457809141" name="App.Prod.~~~.BranchManager"/> 
        <groups xmi:id="Group_1159457809142" name="App.Prod.~~~.BranchManager"/> 
        ... 


2.  I have the JAAS connecting to the LDAP but I am having some problems with 
    the LDAP properties. Also, I still feel like I am missing something that 
    tells the server how to match the LDAP groups to the role names specified 
    in the web.xml.
   
    So, with those questions asked, here is my current setup:
   
   
        the application's web.xml (located in the War's WEB-INF folder):
        ...
              <security-constraint id="SecurityConstraint_1159792191999">
                 <display-name>Region Managers Resources</display-name>
                 <web-resource-collection id="WebResourceCollection_1159792191999">
                    <web-resource-name>Region Managers Resources</web-resource-name>
                    <url-pattern>/admin/regionMan/*</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
                 </web-resource-collection>
                 <auth-constraint id="AuthConstraint_1159792191999">
                    <role-name>BranchManager</role-name>
                    <role-name>Admin</role-name>
                 </auth-constraint>
              </security-constraint>
              <security-constraint id="SecurityConstraint_1159792192015">
                 <web-resource-collection id="WebResourceCollection_1159792192015">
                    <web-resource-name>Assign Assistants</web-resource-name>
                    <url-pattern>/admin/assistants/*</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>PUT</http-method>
                 </web-resource-collection>
                 <auth-constraint id="AuthConstraint_1159792192031">
                    <role-name>BranchManager</role-name>
                    <role-name>Admin</role-name>
                 </auth-constraint>
              </security-constraint>
              <security-constraint id="SecurityConstraint_1159792192031">
                 <web-resource-collection id="WebResourceCollection_1159792192031">
                    <web-resource-name>Admin Resources</web-resource-name>
                    <url-pattern>/admin/reports/*</url-pattern>
                    <url-pattern>/admin/regionAdmin/*</url-pattern>
                    <url-pattern>/admin/siteAdmin/*</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
                 </web-resource-collection>
                 <auth-constraint id="AuthConstraint_1159792192032">
                    <role-name>Admin</role-name>
                 </auth-constraint>
              </security-constraint>
              <login-config id="LoginConfig_1159792192046">
                 <auth-method>FORM</auth-method>
                 <form-login-config id="FormLoginConfig_1159792192046">
                    <form-login-page>/redirectToLogin.jsp</form-login-page>
                    <form-error-page>/redirectToErrorLogin.jsp</form-error-page>
                 </form-login-config>
              </login-config>
              <security-role id="SecurityRole_1112738942726">
                 <role-name>BranchManager</role-name>
              </security-role>
              <security-role id="SecurityRole_1112644368717">
                 <role-name>Admin</role-name>
              </security-role>
              ...
      
      
        the application's jboss-web.xml (located in the War's WEB-INF folder) = 
                <?xml version="1.0"?> 
                <jboss-web> 
                <!-- All secured web content uses this security manager --> 
                <security-domain>java:/jaas/myAppAdmin</security-domain> 
                </jboss-web> 



        the server's login-config.xml = 
                    <application-policy name="myAppAdmin">
                        <!-- application-policy requires an authentication wrapper around its login-modules -->
                        <authentication>
                            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                                <module-option name="java.naming.provider.url">ldap://server:389</module-option>
                                <module-option name="java.naming.security.authentication">simple</module-option>
                                <module-option name="java.naming.security.principal">username</module-option>
                                <module-option name="java.naming.security.credentials">password</module-option>
                                <module-option name="matchOnUserDN">true</module-option>
                                <module-option name="roleAttributeIsDN">false</module-option>
                                <module-option name="uidAttributeID">sAMAccountName</module-option>
                                <module-option name="roleAttributeID">memberOf</module-option>
                            </login-module>
                        </authentication>
                    </application-policy>





When I run the application, I am currently getting the following LDAP error:

Where I feel like I am still missing something is the fact that in WebSphere, 
we had to define an ibm-application-bnd.xmi file which looks like the below 
snippet. However, I am not sure where I would be putting this equivalent for 
the JBoss configuration. 



2008-02-07 10:47:44,407 DEBUG 
[org.apache.catalina.authenticator.AuthenticatorBase] Security checking request 
POST /contextRoot/j_security_check
2008-02-07 10:47:44,423 DEBUG 
[org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 
'pcable'
2008-02-07 10:47:44,423 TRACE 
[org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Begin authenticate, 
username=pcable
2008-02-07 10:47:44,423 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(org.jboss.naming.java.javaURLContextFactory, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]    
 findClass(org.jboss.naming.java.javaURLContextFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Delegating to parent classloader at end: [EMAIL PROTECTED]
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(org.jboss.naming.ENCFactory, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]    
 findClass(org.jboss.naming.ENCFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Delegating to parent classloader at end: [EMAIL PROTECTED]
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory,
 false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Searching local repositories
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]    
 
findClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Delegating to parent classloader at end: [EMAIL PROTECTED]
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Loading class from parent
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(java.lang.reflect.Proxy, false)
2008-02-07 10:47:44,438 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(java.lang.reflect.UndeclaredThrowableException, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(java.lang.NoSuchMethodError, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(java.lang.reflect.InvocationHandler, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(javax.naming.Name, false)
2008-02-07 10:47:44,454 TRACE [org.jboss.security.plugins.JaasSecurityManager] 
Constructing
2008-02-07 10:47:44,454 DEBUG 
[org.jboss.security.plugins.JaasSecurityManager.contextRoot] CallbackHandler: 
[EMAIL PROTECTED]
2008-02-07 10:47:44,454 DEBUG 
[org.jboss.security.plugins.JaasSecurityManagerService] Created [EMAIL 
PROTECTED]
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory,
 false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Searching local repositories
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader]    
 
findClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Delegating to parent classloader at end: [EMAIL PROTECTED]
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Loading class from parent
2008-02-07 10:47:44,454 DEBUG 
[org.jboss.security.plugins.JaasSecurityManager.contextRoot] CachePolicy set 
to: [EMAIL PROTECTED]
2008-02-07 10:47:44,454 DEBUG 
[org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, [EMAIL 
PROTECTED]
2008-02-07 10:47:44,454 DEBUG 
[org.jboss.security.plugins.JaasSecurityManagerService] Added contextRoot, 
[EMAIL PROTECTED] to map
2008-02-07 10:47:44,454 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.contextRoot] Begin isValid, 
principal:pcable, cache info: null
2008-02-07 10:47:44,454 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.contextRoot] defaultLogin, 
principal=pcable
2008-02-07 10:47:44,454 TRACE 
[org.jboss.security.auth.login.XMLLoginConfigImpl] Begin 
getAppConfigurationEntry(contextRoot), size=9
2008-02-07 10:47:44,454 TRACE 
[org.jboss.security.auth.login.XMLLoginConfigImpl] End 
getAppConfigurationEntry(contextRoot), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=uidAttributeID, value=sAMAccountName
name=java.naming.security.authentication, value=simple
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.security.credentials, value=password
name=matchOnUserDN, value=true
name=java.naming.provider.url, value=ldap://server:389
name=java.naming.security.principal, value=username
name=roleAttributeIsDN, value=false
name=roleAttributeID, value=memberOf

2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(org.jboss.security.auth.spi.LdapLoginModule, false)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Searching local repositories
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader]    
 findClass(org.jboss.security.auth.spi.LdapLoginModule)
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Delegating to parent classloader at end: [EMAIL PROTECTED]
2008-02-07 10:47:44,454 DEBUG [org.apache.catalina.loader.WebappClassLoader]   
Loading class from parent
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] 
initialize, [EMAIL PROTECTED]
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] 
Security domain: contextRoot
2008-02-07 10:47:44,469 TRACE [org.jboss.security.auth.spi.LdapLoginModule] 
login
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start 
expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End 
expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start 
expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End 
expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start 
expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End 
expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] Start 
expire sessions StandardManager at 1202402880701 sessioncount 0
2008-02-07 10:48:00,701 DEBUG [org.apache.catalina.session.ManagerBase] End 
expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:10,709 DEBUG [org.apache.catalina.session.ManagerBase] Start 
expire sessions StandardManager at 1202402890709 sessioncount 0
2008-02-07 10:48:10,709 DEBUG [org.apache.catalina.session.ManagerBase] End 
expire sessions StandardManager processingTime 0 expired sessions: 0
2008-02-07 10:48:13,148 TRACE [org.jboss.security.auth.spi.LdapLoginModule] 
Logging into LDAP server, 
env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
java.naming.security.principal=pcable, roleAttributeID=memberOf, 
matchOnUserDN=true, jboss.security.security_domain=contextRoot, 
java.naming.provider.url=ldap://server:389, roleAttributeIsDN=false, 
uidAttributeID=sAMAccountName, java.naming.security.authentication=simple, 
java.naming.security.credentials=***}
2008-02-07 10:48:13,148 DEBUG [org.apache.catalina.loader.WebappClassLoader] 
loadClass(com.sun.jndi.ldap.LdapCtxFactory, false)
2008-02-07 10:48:13,164 DEBUG [org.jboss.security.auth.spi.LdapLoginModule] Bad 
password for username=pcable
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: 
DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
...




Yes, I do realize that LDAP error code 49 means that the username and/or 
password is incorrect.

I guess I am just wanting to validate my migration path so far and determine 
how the ibm-application-bnd.xmi information fits into the JBoss Security Setup.
Also, regarding login-config.xml: the JBoss Security FAQ shows 
<application-policy name="mydomain">. Does "mydomain" have to be the LDAP 
domain, or is it just some name that I make up that has to be the same text 
put in the jboss-web.xml so that they match up?


Any ideas? 



Thanks

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127558#4127558

_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
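The two things the post is trying to line up can be checked mechanically: whether the `<security-domain>` in jboss-web.xml actually names an `<application-policy>` in login-config.xml (it is just a label that has to match, not the LDAP domain), whether every role used in an `<auth-constraint>` is declared, and what the Active Directory sub-code after LDAP error 49 means. The script below is an added example, not code from the original post or from the JBoss project. Its XML strings are constructed from the post's excerpts; the AD sub-code table is the one Microsoft documents; `@corp.example` in the hardened variant is a placeholder suffix.

```python
"""Added example, not code from the original post or the JBoss project.
audit() checks the posted jboss-web.xml / login-config.xml / web.xml for a
domain-to-policy mismatch, roles used but not declared, weak LDAP settings and
partial http-method lists; classify_bind_error() decodes the Active Directory
sub-code after LDAP error code 49.  All inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed from the posted jboss-web.xml.
JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/myAppAdmin</security-domain>
</jboss-web>"""

# Constructed from the posted login-config.xml (same option values).
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="myAppAdmin">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://server:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="java.naming.security.principal">username</module-option>
        <module-option name="java.naming.security.credentials">password</module-option>
        <module-option name="uidAttributeID">sAMAccountName</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

# Hardened variant: LDAPS, a UPN suffix so the bind name is one AD can resolve
# ("@corp.example" is a placeholder) and no service credentials stored inline
# (LdapLoginModule binds as the authenticating user anyway).
HARDENED_LOGIN_CONFIG_XML = (LOGIN_CONFIG_XML
    .replace("ldap://server:389", "ldaps://server:636")
    .replace('name="java.naming.security.principal">username', 'name="principalDNSuffix">@corp.example')
    .replace('<module-option name="java.naming.security.credentials">password</module-option>', ""))

# First security-constraint and both security-roles from the posted web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Region Managers Resources</web-resource-name>
      <url-pattern>/admin/regionMan/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>BranchManager</role-name>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>BranchManager</role-name></security-role>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""

# Sub-codes Active Directory returns with LDAP error 49 on a failed simple bind.
AD_BIND_SUBCODES = {"525": "user not found (bind name is not a DN/UPN the server resolves)",
                    "52e": "invalid credentials", "530": "logon time restriction",
                    "532": "password expired", "533": "account disabled",
                    "701": "account expired", "773": "must reset password",
                    "775": "account locked out"}
AD_ERR_RE = re.compile(r"error code 49 .*?data ([0-9a-fA-F]{3})")

def classify_bind_error(log_line):
    """Return (sub-code, meaning) for an AD error-49 log line, else None."""
    m = AD_ERR_RE.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

def module_options(login_config_xml, policy_name):
    # module-option name -> value for the named application-policy, or None if absent
    for policy in ET.fromstring(login_config_xml).iter("application-policy"):
        if policy.get("name") == policy_name:
            return {o.get("name"): (o.text or "").strip() for o in policy.iter("module-option")}
    return None

def audit(jboss_web_xml, login_config_xml, web_xml):
    """Return a list of findings; an empty list means nothing to report."""
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain", "").strip()
    policy_name = domain.rsplit("/", 1)[-1]          # java:/jaas/myAppAdmin -> myAppAdmin
    opts = module_options(login_config_xml, policy_name)
    if opts is None:
        return [f'{domain} matches no <application-policy name="{policy_name}">']
    findings = []
    if (opts.get("java.naming.provider.url", "").startswith("ldap://")
            and opts.get("java.naming.security.authentication") == "simple"):
        findings.append("simple bind over ldap:// sends each user's password in cleartext; use ldaps://")
    if "java.naming.security.credentials" in opts:
        findings.append("service bind credentials are stored inline in login-config.xml")
    if not any(k in opts for k in ("principalDNPrefix", "principalDNSuffix")):
        findings.append("no principalDNPrefix/principalDNSuffix: the bare username is sent as the bind DN")
    web = ET.fromstring(web_xml)
    declared = {sr.findtext("role-name", "").strip() for sr in web.iter("security-role")}
    for sc in web.iter("security-constraint"):
        for role in sorted({rn.text.strip() for rn in sc.iter("role-name")} - declared):
            findings.append(f"role {role} is used in an auth-constraint but not declared as a security-role")
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.iter("http-method")]
            if methods:  # listing methods constrains only those; every other method stays open
                findings.append(f"'{wrc.findtext('web-resource-name')}' constrains only "
                                f"{','.join(methods)}; other HTTP methods are unprotected")
    return findings

if __name__ == "__main__":
    for f in audit(JBOSS_WEB_XML, LOGIN_CONFIG_XML, WEB_XML):
        print("FINDING:", f)
    print(classify_bind_error("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                              "comment: AcceptSecurityContext error, data 525, vece]"))
```

On the posted configuration the audit reports four findings: the cleartext simple bind, the inline service credentials, the missing principalDNPrefix/principalDNSuffix, and the partial http-method list (a `<security-constraint>` that names GET and POST protects only those two methods). The log triage is the more immediately useful part for the error in the post: `data 525` is AD's "user not found", not a wrong password (that would be `52e`), and it is consistent with the trace line showing `java.naming.security.principal=pcable`, because LdapLoginModule binds with principalDNPrefix + username + principalDNSuffix and with neither option set the bare account name is what reaches the server. The hardened variant adds a UPN suffix so the bind name becomes `pcable@corp.example` and moves the connection to LDAPS.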
