I've been having trouble getting my LDAP security set up in JBoss
3.0.1. I've added an <application-policy> into my login-config.xml,
per the Quick Start guide's instructions. We use Domino 5.0.10 for our
LDAP, and the users I'm trying to log in as are rejected with an error
saying their roles don't match. I have declared the roles in my web.xml,
and the LDAP security domain in JBoss is configured to use the
attribute "org" as the role attribute.
Attached are the config files for the JBoss security domain, my web
descriptor, and an ldif export of the user that I'm trying to log in
as.
Any help on why this isn't working would be appreciated! :-)
=====
Thanks!
Jon Brisbin
[EMAIL PROTECTED]
417.682.6157 (h/w)
417.825.3995 (c)
<?xml version="1.0"?>
<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.
The outline of the application-policy is:
<application-policy name="security-domain-name">
<authentication>
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>
<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</authentication>
</application-policy>
$Revision: 1.1.2.4 $
-->
<policy>
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
NOTE(review): as its name suggests, ClientLoginModule does not verify
anything itself; it only attaches the caller's principal and credentials to
the call so that the target component's own security domain can check them.
Confirm against the JBoss documentation before relying on it for access control.
-->
<application-policy name="client-login">
<authentication>
<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
</authentication>
</application-policy>
<!-- Security domain for JBossMQ.
NOTE(review): unauthenticatedIdentity=guest means a client that presents no
username and password is not rejected but logged in as "guest" (the option is
described under the "other" policy below). Users and roles presumably come
from the StateManager named in sm.objectname, so whatever it grants to
"guest" is reachable without credentials. -->
<application-policy name="jbossmq">
<authentication>
<login-module code="org.jboss.mq.sm.file.DynamicLoginModule" flag="required">
<module-option name="unauthenticatedIdentity">guest</module-option>
<module-option name="sm.objectname">jboss.mq:service=StateManager</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Security domains for testing new jca framework.
As its name suggests, ConfiguredIdentityLoginModule supplies the connection
factory named in managedConnectionFactoryName with one fixed
userName/password, so the values below are the credentials every pooled
connection is opened with, whoever the caller is.
NOTE(review): "sa" with an empty password (<module-option name="password"/>)
is the HSQLDB out-of-the-box administrator account. Acceptable for the
embedded test database only; a database reachable over the network must get
a real password, on the server and here. -->
<application-policy name="HsqlDbRealm">
<authentication>
<login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
<module-option name="principal">sa</module-option>
<module-option name="userName">sa</module-option>
<module-option name="password"/>
<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=hsqldbDS</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Fixed identity for the Firebird XA datasource.
NOTE(review): sysdba / masterkey is Firebird's well-known default SYSDBA
password. A server still using it is open to anyone who can reach its port;
change it on the server and here before this datasource is used for
anything real, and keep login-config.xml readable only by the JBoss user,
since the password is stored in clear. -->
<application-policy name="FirebirdDBRealm">
<authentication>
<login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
<module-option name="principal">sysdba</module-option>
<module-option name="userName">sysdba</module-option>
<module-option name="password">masterkey</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Fixed identity for the JMS resource adapter's XA connections.
NOTE(review): guest / guest is the same name the jbossmq domain above hands
to unauthenticated clients; whatever the "guest" user may do in JBossMQ is
what these pooled connections can do. Change both together if the broker is
ever exposed beyond the local host. -->
<application-policy name="JmsXARealm">
<authentication>
<login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
<module-option name="principal">guest</module-option>
<module-option name="userName">guest</module-option>
<module-option name="password">guest</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=jmsra</module-option>
</login-module>
</authentication>
</application-policy>
<!-- A template configuration for the jmx-console web application. This
defaults to the UsersRolesLoginModule, the same as "other" below, i.e. the
users.properties / roles.properties pair found on the classpath.
NOTE(review): the jmx-console gives administrative control over the
server's MBeans, so before this host is reachable from an untrusted network
replace the sample property files with real accounts or point this domain
at a stronger module (for example the LDAP one below). An entry here
protects nothing by itself: the jmx-console web application must also be
bound to this domain in its own deployment descriptor. -->
<application-policy name="jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
</authentication>
</application-policy>
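<!-- Domino LDAP security domain used by the "EFCO JBoss test" web application.
Authentication: the module binds to the directory as
principalDNPrefix + login name + principalDNSuffix, here "cn=<login name>"
with no suffix, so Domino itself has to resolve that bare cn (the sample
user's cn is "jasher^efcocorp.com", which is what must be typed at the prompt).
Roles: after the bind the module looks below rolesCtxDN for the entry whose
uidAttributeID ("cn") equals the login name (matchOnUserDN=false) and turns
every value of roleAttributeID ("org") into a role; the sample user carries
org=emp, which must match a role-name in the web.xml auth-constraint.
NOTE(review): the sample user lives at cn=...,ou=emp,o=efcoweb, two levels
below the original rolesCtxDN of o=efcoweb. The 3.0.x LdapLoginModule role
lookup examines only the immediate children of rolesCtxDN (confirm against
the LdapLoginModule source of the installed release), which would explain the
"roles don't match" error: the entry is simply never found. rolesCtxDN below
therefore names the container that directly holds the user entries. Users
kept under other OUs (cust, rep, ...) need either their own domain or a
module release that supports a subtree search scope.
NOTE(review): ldap:// on port 389 with "simple" authentication sends every
user's password to Domino in cleartext; use ldaps:// with the matching port,
or keep the JBoss-to-Domino path on a trusted network segment.
NOTE(review): with a simple bind, an empty password is treated as an
anonymous bind by many directories and the bind succeeds; check that either
Domino or this JBoss release rejects empty credentials before trusting this
domain for anything beyond testing.
-->
<application-policy name="testLdap">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://172.16.1.3:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="principalDNPrefix">cn=</module-option>
<module-option name="principalDNSuffix"></module-option>
<module-option name="uidAttributeID">cn</module-option>
<module-option name="roleAttributeID">org</module-option>
<module-option name="matchOnUserDN">false</module-option>
<module-option name="rolesCtxDN">ou=emp,o=efcoweb</module-option>
</login-module>
</authentication>
</application-policy>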
<!-- The default login configuration used by any security domain that
does not have an application-policy entry with a matching name.
NOTE(review): because this is the fallback, a deployment whose
security-domain name is misspelled silently authenticates against
users.properties instead of the intended domain (for example testLdap above)
and no error is raised; check the server log for the domain actually used
whenever a domain appears to be ignored.
-->
<application-policy name="other">
<!-- A simple server login module, which can be used when the number
of users is relatively small. It uses two properties files:
users.properties, which holds users (key) and their password (value).
roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
The unauthenticatedIdentity property defines the name of the principal
that will be used when a null username and password are presented, as is
the case for an unauthenticated web client or MDB. If you want to
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
NOTE(review): users.properties stores passwords in clear; keep it readable
only by the JBoss user.
-->
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
</authentication>
</application-policy>
</policy>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app id="WebApp">
<display-name>test</display-name>
<!-- The only servlet in this application. -->
<servlet>
<servlet-name>TestServlet</servlet-name>
<display-name>TestServlet</display-name>
<servlet-class>com.efcocorp.TestServlet</servlet-class>
</servlet>
<!-- "/" makes TestServlet the default servlet: it receives every request
that no other mapping claims.
NOTE(review): the security-constraint below covers only *.shtml URLs, so any
other URL reaches this servlet without authentication. -->
<servlet-mapping>
<servlet-name>TestServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Welcome files tried, in this order, for a request to a directory.
Only the .shtml entries fall under the *.shtml constraint below. -->
<welcome-file-list>
<welcome-file>default.shtml</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>index.shtml</welcome-file>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
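<!-- Define a Security Constraint on this Application.
Only URLs ending in .shtml are protected; every other path, including the
TestServlet mapped at "/" above, is reachable without logging in.
A caller must hold at least one of the listed roles. With the testLdap
security domain those role names come from the user's "org" attribute
(the sample user carries org=emp). -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Test Application</web-resource-name>
<url-pattern>*.shtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>webusers</role-name>
<role-name>emp</role-name>
<role-name>cust</role-name>
<role-name>rep</role-name>
</auth-constraint>
<!-- NOTE(review): BASIC authentication puts the password on the wire
base64-encoded, not encrypted. As soon as the server has an HTTPS connector,
require it for these URLs by enabling:
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
-->
</security-constraint>
<!-- Define the Login Configuration for this Application.
BASIC: the browser sends "username:password" base64-encoded with every
request to a protected URL. realm-name is only the prompt shown to the user;
in JBoss the security domain that actually checks the credentials is chosen
by the deployment descriptor (jboss-web.xml), not here, so confirm that it
names the testLdap domain from login-config.xml. -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>EFCO JBoss test</realm-name>
</login-config>
<!-- Every role referenced by an auth-constraint must also be declared as a
security-role (web-app_2_2.dtd). These declarations were commented out in
the original descriptor; a container may treat an undeclared role as unknown
and never grant it, so they are enabled here. -->
<security-role>
<role-name>webusers</role-name>
</security-role>
<security-role>
<role-name>emp</role-name>
</security-role>
<security-role>
<role-name>cust</role-name>
</security-role>
<security-role>
<role-name>rep</role-name>
</security-role>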
<!--
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login-error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>EFCO Web Users</description>
<role-name>webusers</role-name>
</security-role>
-->
</web-app>
CN=jasher^efcocorp.com,OU=emp,O=efcoweb
cn=jasher^efcocorp.com
shortname=jasher^efcocorp.com
uid=jasher^efcocorp.com
[EMAIL PROTECTED]
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=inetOrgPerson
objectclass=dominoPerson
objectclass=PersonSub
active=A
wholename=JAMES ASHER
mailsystem=1
messagestorage=1
encryptincomingmail=0
idsub=1
empid=35
textpw=XXXXX
org=emp
secword=XXXXX
added=Yes
checkpassword=0
availablefordirsync=1
passwordchangeinterval=0
passwordgraceperiod=0
sn=Asher
givenname=James
keyfield=E35
userpassword=(XXXXX)