Hi. I'm trying to use LdapLoginModule for authenticating into the portal that 
runs on JBOSS AS 4.0.5GA. The authentication part is ok (the trace log returns 
loginOK=true) when I put in the user's username and password and hit enter. 
However, in the browser it gives me a 403 error. Error message as follows:

HTTP Status 403 - Access to the requested resource has been denied

--------------------------------------------------------------------------------

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource 
has been denied) has been forbidden.


--------------------------------------------------------------------------------

Here are the details:

1. LDAP server (we use eDirectory) :

Sample user :

cn=abc,ou=users,ou=MyDivision,o=MyCompany

Sample Role :

cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany

The member attribute will contain the users that are assigned to this role.
For example : 

member=cn=abc,ou=users,ou=MyDivision,o=MyCompany

2. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF\web.xml :


        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Authenticated</web-resource-name>
                        <url-pattern>/auth/*</url-pattern>
                </web-resource-collection>
                <!--<auth-constraint>
                        <role-name>Authenticated</role-name>
                </auth-constraint>-->
                <auth-constraint>
                        <role-name>finance</role-name>
                </auth-constraint>
        </security-constraint>


also :

        <login-config>
                <auth-method>FORM</auth-method>
                <realm-name>JBoss Portal</realm-name>
                <form-login-config>
                        <form-login-page>/login.jsp</form-login-page>
                        <form-error-page>/error.jsp</form-error-page>
                </form-login-config>
        </login-config>
        <!--<security-role>
                <role-name>Authenticated</role-name>
        </security-role>-->
        <security-role>
                <role-name>finance</role-name>
        </security-role>


3. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\conf\login-config.xml :


        <application-policy name="portal">
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                        <module-option name="java.naming.provider.url">ldap://myLDAPserverIP:389/</module-option>
                        <module-option name="java.naming.security.authentication">simple</module-option>
                        <module-option name="principalDNPrefix">cn=</module-option>
                        <module-option name="principalDNSuffix">,ou=users,ou=MyDivision,o=MyCompany </module-option>
                        <module-option name="rolesCtxDN">ou=DistributionLists,ou=MyDivision,o=MyCompany</module-option>
                        <module-option name="uidAttributeID">member</module-option>
                        <module-option name="matchOnUserDN">true</module-option>
                        <module-option name="roleAttributeID">cn</module-option>
                        <module-option name="roleAttributeIsDN">false</module-option>
                </login-module>
        </application-policy>


4. database table "jbp_users" in the portal database :

The user abc is added to the jbp_users table. The jbp_uid is 11.

Note: I did not synchronize the password here from the LDAP server because I 
thought the password here is not used anymore since we authenticate using the 
LDAP server.


5. database table "jbp_roles" in the portal database :

The role "finance" is added to the jbp_roles table. jbp_name and 
jbp_displayName are both set to "finance". The jbp_rid value is 7.

6. database table "jbp_role_membership" in the portal database :

The entry with values jbp_uid = 11 and jbp_rid = 7 is added to the 
jbp_role_membership table.


Are there any other configurations I need to do in order to make it work?

Also, is there a way to do more detailed logging so that I can see what's 
happening after the authentication? Right now the log doesn't show what went 
wrong regarding the role permissions.

Any help is appreciated.

  -Andrew
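Added example (my own code, not Andrew's and not part of JBoss): a pure-Python model of the role search that the LdapLoginModule options in the post describe, run against a constructed set of eDirectory-style entries, so the role set the module should hand back for user abc can be checked against the web.xml auth-constraint before looking at the portal's own role tables. The one-level search scope and the exact filter form are assumptions about the module; the directory entries and the trailing-space-free principalDNSuffix are constructed.

```python
# Added example, not from the post or from JBoss. Models the role lookup that
# LdapLoginModule performs with the options shown in the post (assumed: a
# one-level search under rolesCtxDN using (uidAttributeID=<userDN>) when
# matchOnUserDN=true, reading roleAttributeID as a plain name because
# roleAttributeIsDN=false). The directory below is constructed.

# Constructed directory: DN -> attributes, each multi-valued as LDAP returns them
DIRECTORY = {
    "cn=abc,ou=users,ou=MyDivision,o=MyCompany": {"cn": ["abc"]},
    "cn=xyz,ou=users,ou=MyDivision,o=MyCompany": {"cn": ["xyz"]},
    "cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany": {
        "cn": ["finance"],
        "member": ["cn=abc,ou=users,ou=MyDivision,o=MyCompany"],
    },
    "cn=hr,ou=DistributionLists,ou=MyDivision,o=MyCompany": {
        "cn": ["hr"],
        "member": ["cn=xyz,ou=users,ou=MyDivision,o=MyCompany"],
    },
}

# Module options as in the post's login-config.xml (trailing space removed)
OPTIONS = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=users,ou=MyDivision,o=MyCompany",
    "rolesCtxDN": "ou=DistributionLists,ou=MyDivision,o=MyCompany",
    "uidAttributeID": "member",
    "matchOnUserDN": "true",
    "roleAttributeID": "cn",
}

def user_dn(username, opts):
    """principalDNPrefix + username + principalDNSuffix: the DN the module binds as."""
    return opts["principalDNPrefix"] + username + opts["principalDNSuffix"]

def match_value(username, opts):
    """What the filter compares against: full user DN, or the bare username."""
    return user_dn(username, opts) if opts["matchOnUserDN"] == "true" else username

def role_filter(username, opts):
    """The LDAP search filter the module sends under rolesCtxDN."""
    return "(%s=%s)" % (opts["uidAttributeID"], match_value(username, opts))

def search_roles(username, opts, directory=DIRECTORY):
    """One-level search under rolesCtxDN; return the set of role names found."""
    wanted = match_value(username, opts).lower()
    roles = set()
    for dn, attrs in directory.items():
        parent = dn.split(",", 1)[1]  # one-level scope: direct children only
        if parent.lower() != opts["rolesCtxDN"].lower():
            continue
        members = [v.lower() for v in attrs.get(opts["uidAttributeID"], [])]
        if wanted in members:
            roles.update(attrs.get(opts["roleAttributeID"], []))
    return roles

def authorized(roles, required=("finance",)):
    """The web.xml auth-constraint: any one of the listed role names grants access."""
    return any(r in roles for r in required)
```

Running it with matchOnUserDN set to "false" returns no roles for abc, because the member attribute holds full DNs rather than bare usernames; that is the kind of mismatch that leaves the Subject without the finance role and the container answering 403.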


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026315#4026315

_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
