Hi, 

I have a J2EE WebApp which expects the user to have a specific role for 
authorization (Authentication and Authorization will be against Active 
Directory). 

Environment details given below:
App Server : JBoss-4.0.5.GA
Directory Services : Microsoft Active Directory.

Steps - 1: 
Created a Group in Active Directory with exactly the same name required by the 
WebApp, assuming that JAAS will populate the group name(s) into role(s) after 
successful authentication. 

Step - 2: 
Assigned all the users to the group apart from their pre-assigned groups in 
Active Directory (AD). 

Step - 3: 

Below are the various config XMLs in JBoss. 

<!-- ------------------------- login-config.xml - START  
--------------------------------------------- -->

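<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">


    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->

    <!--
        The two application-policy elements below originally carried the SAME
        name ("HMActiveDirecotry"). With duplicate names it cannot be determined
        from this file which login module actually runs for the security domain,
        so the second attempt now has a distinct name (a constructed name; rename
        as needed). jboss-web.xml selects the active policy via
        java:/jaas/POLICY-NAME and must use the name exactly as spelled here.

        Notes that apply to both policies:
          * java.naming.provider.url is plain ldap:// on port 389 combined with
            "simple" authentication, so each user's password (and the bind
            account's) crosses the network unencrypted. Prefer ldaps:// (636)
            or TLS once the directory offers it.
          * bindCredential is a stored service-account secret. Use a dedicated
            read-only lookup account with no rights beyond searching users and
            groups, and never paste the real value into a public post.
          * defaultRole=AuthUserRole is the same role that web.xml protects
            with its auth-constraint, so every authenticated user receives it
            regardless of AD group membership; the group created in Step 1 does
            not gate access while this option is set.
    -->

    <!-- Attempt 1: LdapExtLoginModule -->
    <application-policy name="HMActiveDirecotry">
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <!--
                Some AD configurations may require searching against
                the Global Catalog on port 3268 instead of the usual
                port 389.  This is most likely when the AD forest
                includes multiple domains.
            -->
            <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <!-- Service account used only for the user and role searches; see notes above. -->
            <module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
            <module-option name="bindCredential">password</module-option>
            <module-option name="baseCtxDN">DC=company,DC=com</module-option>
            <!-- {0} is the login name as typed; with this filter users must log in with their full userPrincipalName. -->
            <module-option name="baseFilter">(userPrincipalName={0})</module-option>
            <module-option name="rolesCtxDN">DC=company,DC=com</module-option>
            <!--
                NOTE(review): roleFilter "(member={1})" matches GROUP entries whose
                member attribute contains the user DN ({1}), but roleAttributeID=memberOf
                with roleAttributeIsDN=true then reads the memberOf attribute OF THOSE
                GROUPS (their parent groups) instead of the matched group itself. For a
                "(member={1})" filter the role name is normally taken from the matched
                group entry (roleAttributeID=cn or name, roleAttributeIsDN=false); the
                memberOf plus roleAttributeIsDN=true pairing belongs with a filter that
                matches the USER entry. Verify against the LdapExtLoginModule
                documentation for this JBoss version.
            -->
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">name</module-option>
            <!-- NOTE(review): -1 is not an obviously valid recursion depth; confirm the documented default (0 meaning no nested-group recursion). -->
            <module-option name="roleRecursion">-1</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <!-- NOTE(review): attempt 2 sets allowEmptyPasswords=false; if this version's LdapExtLoginModule supports the same option, set it here too. -->
            <!-- Granted to EVERY successfully authenticated user regardless of group membership. -->
            <module-option name="defaultRole">AuthUserRole</module-option>
        </login-module>
    </application-policy>

    <!-- Attempt 2 from Wiki as it is from example and few more additions -->
    <application-policy name="HMActiveDirecotry-attempt2">
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
            <module-option name="matchOnUserDN">false</module-option>
            <!--
                NOTE(review): the bind principal becomes USER@ldaphost.company.com. A UPN
                suffix is normally the domain (the DC=company,DC=com base above suggests
                @company.com), not the LDAP host name. Confirm before relying on it.
            -->
            <module-option name="principalDNSuffix">@ldaphost.company.com</module-option>
            <module-option name="uidAttributeID">sAMAccountName</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">name</module-option>
            <!-- Keep this: many LDAP servers treat a bind with an empty password as an anonymous bind, which would otherwise look like a successful login. -->
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="searchTimeLimit">5000</module-option>
            <!-- Granted to EVERY successfully authenticated user regardless of group membership. -->
            <module-option name="defaultRole">AuthUserRole</module-option>
            <!-- module-option name="additionalRole">AuthUserRole</module-option -->
        </login-module>
    </application-policy>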


<!-- ------------------------- login-config.xml - END  
--------------------------------------------- -->

<!-- ------------------------- web.xml - START  
--------------------------------------------- -->

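<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<!--
    Elements are ordered as the 2.3 DTD requires (servlet, servlet-mapping,
    welcome-file-list, security-constraint, login-config, security-role);
    welcome-file-list was previously declared before the servlet.
-->
<web-app>
        <display-name>LDAP-Test</display-name>

        <!-- The enclosing servlet element was missing around this declaration. -->
        <servlet>
                <servlet-name>ldapTest</servlet-name>
                <display-name>LDAPTest</display-name>
                <jsp-file>/ldaptest.jsp</jsp-file>
        </servlet>

        <servlet-mapping>
                <servlet-name>ldapTest</servlet-name>
                <url-pattern>/ldapTest</url-pattern>
        </servlet-mapping>

        <welcome-file-list>
                <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>

        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>LDAPTestJSP</web-resource-name>
                        <url-pattern>/ldaptest</url-pattern>
                        <url-pattern>/ldaptest.jsp</url-pattern>
                        <url-pattern>/ldapTest</url-pattern>
                        <!--
                            No http-method elements on purpose: listing only POST and GET
                            constrains just those two methods and leaves HEAD, OPTIONS, PUT
                            and the rest unprotected on the same URLs. With none listed the
                            constraint applies to every method.
                        -->
                </web-resource-collection>
                <auth-constraint>
                        <!--
                            Must match a security-role below AND a role the login module
                            grants. Both login-config.xml policies set
                            defaultRole=AuthUserRole, so every authenticated user holds this
                            role whether or not they belong to the AD group.
                        -->
                        <role-name>AuthUserRole</role-name>
                </auth-constraint>
        </security-constraint>

        <!-- login-config>
                <auth-method>BASIC</auth-method>
        </login-config -->

        <login-config>
                <auth-method>FORM</auth-method>
                <form-login-config>
                        <!-- These two pages are outside the constraint above, as FORM login requires. -->
                        <form-login-page>/login.jsp</form-login-page>
                        <form-error-page>/login_error.jsp</form-error-page>
                </form-login-config>
        </login-config>

        <security-role>
          <role-name>AuthUserRole</role-name>
        </security-role>
</web-app>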

<!-- ------------------------- web.xml - END  
--------------------------------------------- -->


<!-- ------------------------- jboss-web.xml - START  
------------------------------------- -->

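<jboss-web>
 <!--
     The name after java:/jaas/ must be the name of an application-policy in
     login-config.xml. The policies shown for this deployment are named
     "HMActiveDirecotry" (spelling included, it must match exactly); the
     previous value "test" matched none of them, which likely explains why the
     AD login module never granted the role the webapp checks. If a "test"
     policy exists elsewhere in login-config.xml, keep that name instead.
 -->
 <security-domain>java:/jaas/HMActiveDirecotry</security-domain>
</jboss-web>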

<!-- ------------------------- jboss-web.xml - END  
-------------------------------------- -->

Actual Result: 

The J2EE WebApp is not authorizing the user to view the ldapTest Servlet (JSP) 
after successful authentication. 

I have tried with both LdapExtLoginModule & LdapLoginModule and could not get 
through.

Is there any specific way of defining groups in Active Directory so that they 
will be populated into roles by JAAS after successful authentication? Please 
respond ASAP. 

Can anyone help me please? This is very urgent.
