update/fix:
I've added a new role "person", via userRoleName="objectClass" in my
server.xml realm configuration (as well as appropriate adds in web.xml).
I also had to add a connectionName and connectionPassword since we
don't allow anonymous searches of the directory.
I now get assigned the "person" role by the container, in addition to
"Authenticated":
2009-07-16 10:53:01,701 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD
[source=com.ecyrd.jspwiki.auth.authenticationmana...@ee3aa7,
princpal=com.ecyrd.jspwiki.auth.authorize.Role person,
target=com.ecyrd.jspwiki.wikisess...@6d06b0]
2009-07-16 10:53:01,701 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD
[source=com.ecyrd.jspwiki.auth.authenticationmana...@ee3aa7,
princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated,
target=com.ecyrd.jspwiki.wikisess...@6d06b0]
I no longer get "Forbidden". I'm unsure why this manually configured
role works differently than the default "Authenticated", but this is a
workable solution.
curious point: with jspwiki.cookieAssertions=true in
jspwiki.properties, I'm forced to login twice (at which point everything
works). With it false, I get properly authenticated the first time.
strange.
jonathan.
jonathan wrote:
heya too!
The wiki page on container auth has been very, very helpful, yes. Upon
further investigation, I think my issues are currently more role-related
than UserDatabase related.
Container has been set up to authenticate to ldap, no roles have been
configured, web.xml is default container-managed config. As soon as I
log in, I end up getting a forbidden page (on Login.jsp?redirect=Main).
If I click "Better luck next time", I end up back on the main page,
"authenticated" (much like this problem:
http://www.mail-archive.com/[email protected]/msg01892.html
- except I'm using Tomcat 5.5.15).
If I look at my security log, I get the following entries only *after* I
click the "Better luck..." link on the Forbidden page:
2009-07-15 17:11:07,547 INFO - WikiSecurityEvent.LOGIN_AUTHENTICATED
[source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245,
princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,
target=com.ecyrd.jspwiki.wikisess...@1f55105]
2009-07-15 17:11:07,547 DEBUG - WikiSecurityEvent.LOGIN_AUTHENTICATED
[source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245,
princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,
target=com.ecyrd.jspwiki.wikisess...@1f55105]
2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD
[source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245,
princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,
target=com.ecyrd.jspwiki.wikisess...@1f55105]
2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD
[source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245,
princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated,
target=com.ecyrd.jspwiki.wikisess...@1f55105]
It looks like I now should have the "Authenticated" role from the
container (though I don't seem to have it (according to the log, anyway)
immediately after clicking "login" which is strange). However, I still
get "Forbidden" if I try and go to Edit.jsp or similar (the
"Authenticated area" in web.xml).
After the initial "Forbidden", my wiki acls seem to work properly, but
the container-given Role ("Authenticated") doesn't seem to be working,
even though the logs appear to indicate that the role has been assigned.
Thoughts on where to go from here?
as always, many thanks,
jonathan.
Janne Jalkanen wrote:
Heya!
Does this help?
http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
/Janne
On 14 Jul 2009, at 21:37, jonathan wrote:
Has anyone successfully done this?
In 2.4 I'm using Kaukolu LDAPUserDatabase implementation to get user
data, so I have no local userdatabse.xml file to fall back on. The
existing LDAPUserDatabase doesn't work with 2.8, of course.
If you've done this, how are you handling the userdatabase portion
under 2.8? We have a very large ldap database, but a relatively
small number of JSPWiki users, so migrating the ldap info into an xml
(or even mysql) userdatabase seems a bit like overkill (though this
may be the simplest route to take given my relative inability to
recode the LDAPUserDatabase stuff).
Any thoughts appreciated.
