[jboss-user] [Security & JAAS/JBoss] - Getting started with LDAP

mata98 do-not-reply at jboss.com
Fri Jun 22 07:38:47 EDT 2007


Hi all,

I'm a newbie in AS development, so excuse my ignorance (and my jumbled English).

Actually I'm challenged with the implementation of the security layer of my application (called tms).
My configuration:
I put the client application as a jar file with all further needed libraries into one war file, and then, together with the server EJB and further service archives, into one (huge) ear file. Deployment without any security works fine.

I have to meet the requirement to verify the login against LDAP,
so I set up my application policy in server/tms/conf/login.config.xml:

  |         <application-policy name = "tms">
  |           <authentication>
  |             <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
  |                           flag="required">
  |                 <module-option name="java.naming.factory.initial"> 
  |                     com.sun.jndi.ldap.LdapCtxFactory
  |                 </module-option>
  |                 <module-option name="java.naming.provider.url">
  |                     ldap://ldapserver:389/
  |                 </module-option>
  |                 <module-option name="java.naming.security.authentication">
  |                     simple
  |                 </module-option>
  | 
  |                 <module-option name="password-stacking">useFirstPass</module-option>
  | 
  | ....
  | 
  |             </login-module>
  |             <login-module code="org.jboss.security.ClientLoginModule"
  |                           flag="required">
  |                 <module-option name="password-stacking">useFirstPass</module-option>
  |             </login-module>
  |         </authentication>
  |     </application-policy>
  | 

I configured my web-application in war/web-inf/web.xml:

  |     <security-constraint> 
  |       <web-resource-collection> 
  |         <web-resource-name>restricted</web-resource-name> 
  |         <url-pattern>/*</url-pattern> 
  |       </web-resource-collection> 
  |       <auth-constraint> 
  |         <role-name>tms.user</role-name> 
  |       </auth-constraint> 
  |       <transport-guarantee>NONE</transport-guarantee>
  |     </security-constraint> 
  |    
  |     <login-config>
  |       <auth-method>BASIC</auth-method>
  |       <realm-name>TMS</realm-name>
  |     </login-config>
  | 
  |     <security-role> 
  |       <role-name>tms.user</role-name> 
  |     </security-role> 
  | 

As a result, when requesting my application from within a web browser (localhost:8080/tms) I see a standard web login dialog; the login works fine, it even refuses wrong user/passwords ;).
But the first try to request an EJB fails with
  | [LdapLoginModule] Bad password for username=null

So what's missing, how do I propagate the principal/credential from the initial login to the EJB request?

One further challenge: I have to modify the login dialog to insert a further 'mandatory' field; where can I configure and introduce my own dialog?

Thanks in advance, 
Matz

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4056823#4056823
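Added example, not the poster's code and not JBoss's implementation: a plain-JAAS stack of two LoginModules that shows what the password-stacking=useFirstPass option in the application-policy above means. The LoginContext hands every module in a stack the same shared-state map; a module configured for useFirstPass does not prompt, it takes the name and password that an earlier module published under the two standard JAAS keys. The classes PromptingModule and VerifyingModule, the user alice/s3cret and the in-memory user table (standing in for the directory an LdapLoginModule would query) are constructed for this demo. The second case in main() runs the verifying module with nothing published ahead of it, so it rejects with username=null; whether that is what happens in the poster's EJB call is not settled by the post.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Demo of password-stacking=useFirstPass with plain JAAS (constructed example, not JBoss code). */
public class PasswordStackingDemo {
    // Standard JAAS shared-state keys used by modules that support password stacking.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASS_KEY = "javax.security.auth.login.password";

    /** First module: collects name/password via the CallbackHandler and publishes them. */
    public static class PromptingModule implements LoginModule {
        private CallbackHandler handler;
        private Map<String, Object> shared;

        @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            handler = h;
            shared = (Map<String, Object>) sharedState; // same map instance for every module in the stack
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback handling failed: " + e.getMessage());
            }
            // No verification here: the module only makes the credential available to
            // the modules stacked behind it, which is what useFirstPass relies on.
            shared.put(NAME_KEY, nc.getName());
            shared.put(PASS_KEY, pc.getPassword()); // getPassword() returns a copy
            pc.clearPassword();
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    /** Second module: with password-stacking=useFirstPass it never prompts; it trusts shared state. */
    public static class VerifyingModule implements LoginModule {
        // Constructed stand-in for the directory a real LdapLoginModule would query.
        private static final Map<String, String> USERS = Map.of("alice", "s3cret");
        private Map<String, ?> shared;
        private Map<String, ?> options;

        public void initialize(Subject subject, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            shared = sharedState;
            options = opts;
        }

        public boolean login() throws LoginException {
            String name = null;
            char[] password = null;
            if ("useFirstPass".equals(options.get("password-stacking"))) {
                name = (String) shared.get(NAME_KEY);
                Object p = shared.get(PASS_KEY);
                if (p instanceof char[]) password = (char[]) p;
            }
            String expected = name == null ? null : USERS.get(name);
            if (expected == null || password == null || !expected.equals(new String(password))) {
                // With nothing published ahead of this module, name is null at this point.
                throw new FailedLoginException("Bad password for username=" + name);
            }
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    /** Stack of "required" entries, mirroring the shape of the application-policy in the post. */
    static Configuration stack(boolean withPromptingModule) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                AppConfigurationEntry verify = new AppConfigurationEntry(VerifyingModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, Map.of("password-stacking", "useFirstPass"));
                if (!withPromptingModule) return new AppConfigurationEntry[] { verify };
                AppConfigurationEntry prompt = new AppConfigurationEntry(PromptingModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, Map.of());
                return new AppConfigurationEntry[] { prompt, verify };
            }
        };
    }

    /** CallbackHandler answering with fixed, constructed credentials instead of an interactive dialog. */
    static CallbackHandler fixed(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    public static void main(String[] args) {
        // 1) Full stack: PromptingModule publishes alice/s3cret, VerifyingModule finds it in shared state.
        try {
            new LoginContext("demo", new Subject(), fixed("alice", "s3cret"), stack(true)).login();
            System.out.println("stacked login: ok");
        } catch (LoginException e) {
            System.out.println("stacked login failed: " + e.getMessage());
        }
        // 2) VerifyingModule alone: nobody published a credential, so it rejects with username=null.
        try {
            new LoginContext("demo", new Subject(), fixed("alice", "s3cret"), stack(false)).login();
            System.out.println("standalone login: ok");
        } catch (LoginException e) {
            System.out.println("standalone login failed: " + e.getMessage());
        }
    }
}
```

The design point worth keeping in mind when reviewing such a policy: a module flagged useFirstPass performs no prompting of its own, so it only ever authenticates whatever credential a module earlier in the same stack placed in the shared state. If a caller reaches that module through a different path, with no earlier module having run, the name it sees is null.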