[jboss-user] [Security & JAAS/JBoss] - Re: Active Directory and LdapExtLoginModule?

ksiva_rajesh do-not-reply at jboss.com
Wed Mar 7 15:48:52 EST 2007


Hi, 

I have a J2EE WebApp which expects the user to have a specific role for authorization (Authentication and Authorization will be against Active Directory). 

Environment details given below:
App Server : JBoss-4.0.5.GA
Directory Services : Microsoft Active Directory.

Step - 1: 

Created a Group in Active Directory with exactly the same name required by the WebApp, assuming that JAAS will populate the group name(s) into role(s) after successful authentication. 

Step - 2: 
Assigned all the users to the group apart from their pre-assigned groups in Active Directory (AD). 

Step - 3: 

Below are the various config XMLs in JBoss. 

<!-- ------------------------- login-config.xml - START  --------------------------------------------- -->

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC 
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>

    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <!-- Attempt with LdapExtLoginModule -->
    <application-policy name="HMActiveDirecotry">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                <!--
                    Some AD configurations may require searching against
                    the Global Catalog on port 3268 instead of the usual
                    port 389.  This is most likely when the AD forest
                    includes multiple domains.
                -->
                <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="bindDN">cn=user,cn=Users,DC=company,DC=com</module-option>
                <module-option name="bindCredential">password</module-option>
                <module-option name="baseCtxDN">DC=company,DC=com</module-option>
                <module-option name="baseFilter">(userPrincipalName={0})</module-option>
                <module-option name="rolesCtxDN">DC=company,DC=com</module-option>
                <module-option name="roleFilter">(member={1})</module-option>
                <module-option name="roleAttributeID">memberOf</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="roleNameAttributeID">name</module-option>
                <module-option name="roleRecursion">-1</module-option>
                <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                <module-option name="defaultRole">AuthUserRole</module-option>
            </login-module>
        </authentication>
    </application-policy>

    <!-- Attempt 2: taken as-is from the Wiki example, with a few more additions -->
    <application-policy name="HMActiveDirecotry">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="java.naming.provider.url">ldap://ldaphost.company.com:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
                <module-option name="matchOnUserDN">false</module-option>
                <module-option name="principalDNSuffix">@ldaphost.company.com</module-option>
                <module-option name="uidAttributeID">sAMAccountName</module-option>
                <module-option name="roleAttributeID">memberOf</module-option>
                <module-option name="roleAttributeIsDN">true</module-option>
                <module-option name="roleNameAttributeID">name</module-option>
                <module-option name="allowEmptyPasswords">false</module-option>
                <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                <module-option name="searchTimeLimit">5000</module-option>
                <module-option name="defaultRole">AuthUserRole</module-option>
                <!-- module-option name="additionalRole">AuthUserRole</module-option -->
            </login-module>
        </authentication>
    </application-policy>

</policy>

<!-- ------------------------- login-config.xml - END  --------------------------------------------- -->

<!-- ------------------------- web.xml - START  --------------------------------------------- -->

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
	<display-name>LDAP-Test</display-name>

	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>

	<servlet>
		<servlet-name>ldapTest</servlet-name>
		<display-name>LDAPTest</display-name>
		<jsp-file>/ldaptest.jsp</jsp-file>
	</servlet>

	<servlet-mapping>
		<servlet-name>ldapTest</servlet-name>
		<url-pattern>/ldapTest</url-pattern>
	</servlet-mapping>

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>LDAPTestJSP</web-resource-name>
			<url-pattern>/ldaptest</url-pattern>
			<url-pattern>/ldaptest.jsp</url-pattern>
			<url-pattern>/ldapTest</url-pattern>
			<http-method>POST</http-method>
			<http-method>GET</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>AuthUserRole</role-name>
		</auth-constraint>
	</security-constraint>

	<!-- login-config>
		<auth-method>BASIC</auth-method>
	</login-config -->

	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/login_error.jsp</form-error-page>
		</form-login-config>
	</login-config>

	<security-role>
	  <role-name>AuthUserRole</role-name>
	</security-role>
</web-app>

<!-- ------------------------- web.xml - END  --------------------------------------------- -->


<!-- ------------------------- jboss-web.xml - START  ------------------------------------- -->

<jboss-web>
 <security-domain>java:/jaas/test</security-domain>
</jboss-web>

<!-- ------------------------- jboss-web.xml - END  -------------------------------------- -->

Actual Result: 

The J2EE WebApp is not authorizing the user to view the ldapTest Servlet (JSP) after successful authentication. 

I have tried with both LdapExtLoginModule & LdapLoginModule and could not get through.

Is there any specific way of defining groups in Active Directory so that they will be populated into roles by JAAS after successful authentication? Please respond ASAP. 

Can anyone help me please? This is very urgent.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4025948#4025948
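A corrected pair of fragments, added here as an illustration and not taken from the original post (the policy name `ActiveDirectoryDomain`, the service-account `jboss-ldap-reader` and the `ldaps://` endpoint are assumed). It shows the two things that have to line up for an AD group to arrive as a J2EE role: the name after `java:/jaas/` in jboss-web.xml must equal the `application-policy` name, and the role options must describe one consistent lookup (here the user's own `memberOf` DNs, each resolved to the group's `cn`, which must equal the `<role-name>` in web.xml).

```xml
<!-- login-config.xml: one application-policy per name, login-module wrapped in <authentication> -->
<policy>
  <application-policy name="ActiveDirectoryDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <!-- ldaps:// (636) so neither the bind password nor the user's password crosses the
             wire in cleartext; the JVM truststore must contain the AD server certificate -->
        <module-option name="java.naming.provider.url">ldaps://ldaphost.company.com:636/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <!-- read-only service account (assumed name) used only to find the user and groups -->
        <module-option name="bindDN">cn=jboss-ldap-reader,cn=Users,DC=company,DC=com</module-option>
        <module-option name="bindCredential">password</module-option>
        <!-- user lookup: {0} is the login name typed into the form -->
        <module-option name="baseCtxDN">cn=Users,DC=company,DC=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <!-- role lookup: find the same user entry again and read its memberOf values,
             each of which is a group DN (roleAttributeIsDN=true) -->
        <module-option name="rolesCtxDN">cn=Users,DC=company,DC=com</module-option>
        <module-option name="roleFilter">(sAMAccountName={0})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <!-- the group's cn becomes the role name; it must equal AuthUserRole in web.xml -->
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        <!-- AD accepts an empty password as an anonymous bind; never treat that as a login -->
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

<!-- jboss-web.xml: the name after java:/jaas/ must equal the application-policy name above -->
<jboss-web>
  <security-domain>java:/jaas/ActiveDirectoryDomain</security-domain>
</jboss-web>
```

A quick check that the mapping works is to enable DEBUG logging for `org.jboss.security` and confirm that the role names logged for the authenticated principal include the AD group name exactly as written in web.xml.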