[jboss-user] [Security & JAAS/JBoss] - LDAP authentication and role-based permission question (x-po

ndrw_cheung do-not-reply at jboss.com
Thu Mar 8 12:42:45 EST 2007


Hi. I'm trying to use LdapLoginModule for authenticating into the portal that runs on JBoss AS 4.0.5GA. The authentication part is OK (the trace logs return loginOK=true) when I put in the user's username and password and hit enter. However, in the browser it gives me a 403 error. Error message as follows:

HTTP Status 403 - Access to the requested resource has been denied

--------------------------------------------------------------------------------

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

--------------------------------------------------------------------------------

Here are the details: 

1. LDAP server (we use eDirectory) : 

Sample user : 

cn=abc,ou=users,ou=MyDivision,o=MyCompany 

Sample Role : 

cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany 

The member attribute will contain the users that are assigned to this role. 
For example : 

member=cn=abc,ou=users,ou=MyDivision,o=MyCompany 

2. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF\web.xml : 


<security-constraint>
    <web-resource-collection>
        <web-resource-name>Authenticated</web-resource-name>
        <url-pattern>/auth/*</url-pattern>
    </web-resource-collection>
    <!--<auth-constraint>
        <role-name>Authenticated</role-name>
    </auth-constraint>-->
    <auth-constraint>
        <role-name>finance</role-name>
    </auth-constraint>
</security-constraint>


Also:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JBoss Portal</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<!--<security-role>
    <role-name>Authenticated</role-name>
</security-role>-->
<security-role>
    <role-name>finance</role-name>
</security-role>


3. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\conf\login-config.xml : 


<application-policy name="portal">
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <!-- option values carry no leading/trailing whitespace: a stray space inside
             a class name or DN suffix would be passed through to JNDI as-is -->
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://myLDAPserverIP:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">cn=</module-option>
        <module-option name="principalDNSuffix">,ou=users,ou=MyDivision,o=MyCompany</module-option>
        <module-option name="rolesCtxDN">ou=DistributionLists,ou=MyDivision,o=MyCompany</module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
    </login-module>
</application-policy>


4. database table "jbp_users" in the portal database : 

The user abc is added to the jbp_users table. The jbp_uid is 11. 

Note: I did not synchronize the password here from the LDAP server because I thought the password here is not used anymore since we authenticate using the LDAP server.


5. database table "jbp_roles" in the portal database :

The role "finance" is added to the jbp_roles table. jbp_name and jbp_displayName are both set to "finance". The jbp_rid value is 7. 

6. database table "jbp_role_membership" in the portal database : 

The entry with values jbp_uid = 11 and jbp_rid = 7 is added to the jbp_role_membership table. 


Are there any other configurations I need to do in order to make it work?

Also, is there a way to do more detailed logging so that I can see what's happening after the authentication? Right now the log doesn't show what went wrong regarding the role permissions.

Any help is appreciated. 

-Andrew 


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026343#4026343
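An added example, not part of the original post and not JBoss code: it reproduces offline the bind DN, the role-search filter and the role extraction that the posted login-config.xml options imply, so the expected directory lookup can be checked by hand (for instance against an ldapsearch) before looking further at the portal side. The exact internals of LdapLoginModule are not claimed; in particular the DN and filter escaping is added here as a precaution and the search entries are constructed sample data.

```python
"""Offline check of the LDAP role lookup implied by the login-config.xml
options above.  Added example, not JBoss code: the real LdapLoginModule may
differ in detail (escaping is added here as a precaution)."""
# Option values copied from the posted login-config.xml
OPTIONS = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=users,ou=MyDivision,o=MyCompany",
    "rolesCtxDN": "ou=DistributionLists,ou=MyDivision,o=MyCompany",
    "uidAttributeID": "member",
    "matchOnUserDN": "true",
    "roleAttributeID": "cn",
    "roleAttributeIsDN": "false",
}

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value used inside a DN."""
    last = len(value) - 1
    return "".join("\\" + ch if ch in ',+"\\<>;' or (ch == "#" and i == 0)
                   or (ch == " " and i in (0, last)) else ch
                   for i, ch in enumerate(value))

def escape_filter_value(value):
    """RFC 4515 escaping for a value used inside a search filter."""
    for raw, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29")):
        value = value.replace(raw, esc)
    return value

def bind_dn(username, opts=OPTIONS):
    """DN the module binds as: principalDNPrefix + username + principalDNSuffix."""
    return opts["principalDNPrefix"] + escape_dn_value(username) + opts["principalDNSuffix"]

def role_filter(username, opts=OPTIONS):
    """Filter searched under rolesCtxDN.  With matchOnUserDN=true the
    uidAttributeID (here 'member') must hold the full user DN, not just 'abc'."""
    match = bind_dn(username, opts) if opts["matchOnUserDN"].lower() == "true" else username
    return "(%s=%s)" % (opts["uidAttributeID"], escape_filter_value(match))

def roles_from_entries(entries, opts=OPTIONS):
    """Role names from search results given as (dn, {attr: [values]}) pairs."""
    roles = []
    for _dn, attrs in entries:
        for raw in attrs.get(opts["roleAttributeID"], []):
            if opts["roleAttributeIsDN"].lower() == "true":
                raw = raw.split(",", 1)[0].split("=", 1)[1]  # 'cn=finance,...' -> 'finance'
            roles.append(raw)
    return roles

# Constructed stand-in for what the directory would return for user 'abc'
SAMPLE_ENTRIES = [("cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany",
                   {"cn": ["finance"], "member": ["cn=abc,ou=users,ou=MyDivision,o=MyCompany"]})]
```

Running `role_filter("abc")` gives the filter to try by hand under rolesCtxDN; if that search returns the finance entry, the directory side matches the configuration and the problem lies elsewhere.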
