[jboss-user] [JBoss Portal] - LdapExtLoginModule + Active Directory Help

sreeni.gali do-not-reply at jboss.com
Tue Aug 29 13:14:34 EDT 2006 

Hi Team,

I have been trying JBOSS authentication and Authorization against ActiveDirectory and having the problem. My working steps as below. Can anybody help me on this?


Step1: in "login-config.xml" the entry as below 
------------------------- 
<application-policy name="JawJaasDbRealm">
      
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient" >
     <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> 
			<module-option name="java.naming.provider.url">ldap://151.111.195.26:389/</module-option>
			<module-option name="java.naming.security.authentication">simple</module-option> 
     <module-option name="java.naming.security.principal">ldapbrowse</module-option>
     <module-option name="java.naming.security.credentials">ldapbrowse</module-option>  
     <!-- bGRhcGJyb3dzZQ== -->
			<module-option name="bindDN">CN=LDAPBrowse,OU=Enterprise Administration,DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option> 
			<module-option name="bindCredential">ldapbrowse</module-option> 
			<module-option name="baseCtxDN">DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
			<module-option name="baseFilter">(sAMAccountName={0})</module-option>
			<module-option name="rolesCtxDN">OU=Groups,OU=Freight and Commercial Vehicle Operations,OU=Program Management Division,DC=ad,DC=dot,DC=state,DC=mn,DC=us</module-option>
			<module-option name="roleFilter">(sAMAccountName={0})</module-option>
			<module-option name="roleAttributeID">memberOf</module-option>
<!--			<module-option name="roleAttributeIsDN">true</module-option>  -->
			<module-option name="roleNameAttributeID">cn</module-option>
		<module-option name="defaultRole">OFCVO_RGCIP_Inventory</module-option>
		<!--	<module-option name="roleRecursion">-1</module-option> -->
           		<module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>
      
    </application-policy>
-------------------------- 
Step2: in "jboss.xml" file the entry as below 

------------------ 
<jboss-web> 
<context-root>jaw</context-root> 
<security-domain>java:/jaas/JawJaasDbRealm</security-domain> 
</jboss-web> 

------------------ 

Step3: web-security.xml file
--------------

  <security-constraint> 

    <web-resource-collection> 
      <web-resource-name>
        JAW Application protected Admin pages and actions.
      </web-resource-name> 
      Require users to authenticate. 
      <url-pattern>/test/index.jsp</url-pattern>
    </web-resource-collection>

<auth-constraint> 
      
        Allow Manager role to access Admin pages and actions.
       
  <role-name>OFCVO_RGCIP_Inventory</role-name>
</auth-constraint>

  </security-constraint> 

   <security-role>
      JAW Guest User (unsecured)
  <role-name>OFCVO_RGCIP_Inventory</role-name>
  </security-role>
   
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JawJaasDbRealm</realm-name>
    <form-login-config>
	  <form-login-page>/login.jsp</form-login-page>
	  <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
---------------------------


index.jsp
----------------
<%@ page contentType="text/html; charset=ISO-8859-1" %>


Welcome to the application, <%= request.getRemoteUser() %>! 
MnDOT Chg Access Role :<%=request.isUserInRole("MnDOT Chg Access") %> 
OFCVO_RGCIP_Inventory Role :<%=request.isUserInRole("OFCVO_RGCIP_Inventory") %>
OFCVO_RGCIP_Admin Role :<%=request.isUserInRole("OFCVO_RGCIP_Admin") %>
OFCVO_RGCIP_ProjMgr Role :<%=request.isUserInRole("OFCVO_RGCIP_ProjMgr") %>
OFCVO_RGCIP_DataMaint Role :<%=request.isUserInRole("OFCVO_RGCIP_DataMaint") %>
OFCVO_RGCIP_Auditor Role :<%=request.isUserInRole("OFCVO_RGCIP_Auditor") %>
OFCVO_RGCIP_Finance Role :<%=request.isUserInRole("OFCVO_RGCIP_Finance") %>






----------------

If i enter user credentials(userid/password) who don't have role "OFCVO_RGCIP_Inventory" , it's authenticating and getting the index.jsp page and <%=request.isUserInRole("OFCVO_RGCIP_Inventory") %> displaying "true" value. I think once it's authentication is over then the defaultRole(<module-option name="defaultRole">OFCVO_RGCIP_Inventory</module-option>
) is associating with the logged in user even if he don't belongs to that role in AD.


Can you help me what's going wrong and why it's behaving like this?


Thanks,
Sreeni
914 439 3469




View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3968158#3968158

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3968158

More information about the jboss-user mailing list