[EJB 3.0] - Simple LDAP Authentication for EJB3
by Daniel Cullender
Daniel Cullender [http://community.jboss.org/people/cullendw] modified the document:
"Simple LDAP Authentication for EJB3"
To view the document, visit: http://community.jboss.org/docs/DOC-15790
--------------------------------------------------------------
There are plenty of articles available describing how to set up parts of LDAP authentication for EJB3, but I battled to find an article which pulls everything together (if I have missed one, please provide a link). I will break the process we went through into four easy steps.
h4. Step 1 : Login and browse your LDAP server
This is an important step since you need to verify that your LDAP connection and logon details are correct. You also need to make sure that your Distinguished Name (DN) is correct. We used an excellent LDAP Eclipse plugin by Apache (http://directory.apache.org/studio/ldap-browser-plugin.html) to do this. After logging on (remember that your username needs a @domain attached to it) we could browse our LDAP server and confirm that all our LDAP configuration was correct.
Make sure that your LDAP group (example : *YourGroupName*) has been configured properly and that all the members have been set up. This group is the security role you will configure on your ejb.
h4. Step 2 : Set up your JBoss Security Domain (login-config.xml)
Configuring a JBoss LDAP Security Domain is really simple. There is an LDAP module available:
org.jboss.security.auth.spi.LdapLoginModule
Please refer to this comprehensive article (http://community.jboss.org/docs/DOC-11253) for all the ways to configure the module. Our configuration looks as follows:
> <application-policy name="your-configured-security-domain">
>   <authentication>
>     <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
>       <module-option name="java.naming.provider.url">ldap://ldap-server-name:1389/</module-option>
>       <module-option name="rolesCtxDN">OU=Current,OU=User Accounts,OU=bar,DC=foo,DC=co,DC=za</module-option>
>       <module-option name="matchOnUserDN">false</module-option>
>       <module-option name="principalDNSuffix">@foo.co.za</module-option>
>       <module-option name="uidAttributeID">sAMAccountName</module-option>
>       <module-option name="roleAttributeID">memberOf</module-option>
>       <module-option name="roleAttributeIsDN">true</module-option>
>       <module-option name="roleNameAttributeID">name</module-option>
>     </login-module>
>   </authentication>
> </application-policy>
h4. Step 3 : EJB3 setup
Now that we have our Security Domain configured, all we need to do is configure our EJB. Using the following standard class-level annotation:
@SecurityDomain("your-configured-security-domain")
you tell your EJB which security domain to use. The next annotation tells your EJB which roles to allow (this is your LDAP group which your user should be a member of):
@RolesAllowed("YourGroupName")
This annotation can be put at class or method level depending on the granularity required. There are plenty of other annotations to configure the granularity (example : @PermitAll), but our requirement was to lock down all our EJB's remote interface calls with a single role.
h4. Step 4 : EJB Client
When you get your initial context as a client, make sure that you use the Login Initial Context Factory:
> import java.util.Properties;
> import javax.naming.Context;
> import javax.naming.InitialContext;
> import javax.naming.NamingException;
>
> Properties prop = new Properties();
> prop.put(Context.URL_PKG_PREFIXES, "jboss.naming:org.jnp.interfaces");
> prop.put(Context.PROVIDER_URL, "jnp://localhost:1099");
> // These credentials are passed to the security domain's login module
> // by the JndiLoginInitialContextFactory before any EJB call is made
> prop.put(Context.SECURITY_PRINCIPAL, "username");
> prop.put(Context.SECURITY_CREDENTIALS, "password");
> // Use the JBoss login factory rather than the plain NamingContextFactory
> prop.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
>
> Context ctx = new InitialContext(prop);
> // ctx.lookup("YourBean/remote") now runs as the authenticated principal
And you are done.
--------------------------------------------------------------
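Because Steps 1 and 2 both depend on the LDAP lookup resolving to the group name the EJB expects, it helps to replay that lookup outside JBoss before deploying. The following class is an added example, not code from the original document or from JBoss: it mirrors what the LdapLoginModule options above do (bind as user@principalDNSuffix, search rolesCtxDN for uidAttributeID=user, read memberOf, and, because roleAttributeIsDN is true, resolve each group DN to its roleNameAttributeID) using only the standard JNDI LDAP provider. The class name LdapRoleCheck and its command-line shape are assumptions; the server URL, rolesCtxDN and suffix are the placeholder values from the configuration above and must be replaced with your own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical diagnostic: binds as a user and lists the role names JBoss would derive. */
public class LdapRoleCheck {

    // Placeholder values copied from the login-config.xml above; replace with your own.
    private static final String PROVIDER_URL = "ldap://ldap-server-name:1389/";
    private static final String ROLES_CTX_DN = "OU=Current,OU=User Accounts,OU=bar,DC=foo,DC=co,DC=za";
    private static final String PRINCIPAL_DN_SUFFIX = "@foo.co.za";
    private static final String UID_ATTRIBUTE_ID = "sAMAccountName";
    private static final String ROLE_ATTRIBUTE_ID = "memberOf";
    private static final String ROLE_NAME_ATTRIBUTE_ID = "name";

    public static void main(String[] args) throws NamingException {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from an interactive terminal): java LdapRoleCheck <username>");
            System.exit(2);
        }
        String user = args[0];
        char[] password = System.console().readPassword("Password for %s%s: ", user, PRINCIPAL_DN_SUFFIX);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // ldap:// sends the simple-bind password in clear; prefer ldaps:// where the server offers it.
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // principalDNSuffix: the bind name is the UPN form, as noted in Step 1.
        env.put(Context.SECURITY_PRINCIPAL, user + PRINCIPAL_DN_SUFFIX);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        Arrays.fill(password, '\0');

        // A wrong password surfaces here as javax.naming.AuthenticationException.
        DirContext ctx = new InitialDirContext(env);
        try {
            System.out.println("Bind OK as " + user + PRINCIPAL_DN_SUFFIX);
            List<String> roles = resolveRoles(ctx, user);
            if (roles.isEmpty()) {
                System.out.println("No roles found: check rolesCtxDN, uidAttributeID and the user's group membership.");
            }
            for (String role : roles) {
                // Each printed value is a candidate for @RolesAllowed("...") on the EJB.
                System.out.println("role: " + role);
            }
        } finally {
            ctx.close();
        }
    }

    /** Searches rolesCtxDN for uidAttributeID=user and resolves every memberOf DN to its name attribute. */
    static List<String> resolveRoles(DirContext ctx, String user) throws NamingException {
        List<String> roles = new ArrayList<>();
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { ROLE_ATTRIBUTE_ID });

        // {0} is substituted and escaped by JNDI, so the username cannot alter the filter.
        NamingEnumeration<SearchResult> results = ctx.search(
                ROLES_CTX_DN, "(" + UID_ATTRIBUTE_ID + "={0})", new Object[] { user }, controls);
        while (results.hasMore()) {
            Attribute memberOf = results.next().getAttributes().get(ROLE_ATTRIBUTE_ID);
            if (memberOf == null) {
                continue;
            }
            NamingEnumeration<?> groupDns = memberOf.getAll();
            while (groupDns.hasMore()) {
                String groupDn = groupDns.next().toString();
                // roleAttributeIsDN=true: look the group entry up and take its roleNameAttributeID.
                Attributes groupAttrs = ctx.getAttributes(groupDn, new String[] { ROLE_NAME_ATTRIBUTE_ID });
                Attribute name = groupAttrs.get(ROLE_NAME_ATTRIBUTE_ID);
                roles.add(name != null ? name.get().toString() : groupDn);
            }
        }
        return roles;
    }
}
```

Run it as the same account the client in Step 4 will use: if the bind fails, the problem is the URL, suffix or credentials (Step 1); if the bind succeeds but YourGroupName is not among the printed roles, the problem is rolesCtxDN, the attribute options, or the group membership (Step 2), not the EJB annotations.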
HttpOnly and jboss
by pat
Hello,
I'm new to this list. I want to set up HttpOnly for cookies for an
enterprise application, but without luck.
I've searched and found these:
1) JBoss 4.3 - add useHttpOnly="true" attribute to Context element in the web
application's context.xml
2) JBoss 5.x - add new element as subelement of the Context element in the web
application's context.xml; the element is <SessionCookie httpOnly="true"/>
(I've also tried <SessionCookie path="/" httpOnly="true"/>)
None of these works for me.
The application is an enterprise application with web application packed in the
WAR archive. I've changed the context.xml which is in the WEB-INF directory of
the web application.
To check if the HttpOnly flag is present I'm using the "Live HTTP headers" Firefox plug-in.
I'm sure I've missed something, but I cannot find what.
Thanks for help
Pat
[EJB 3.0] - Re: NamedQuery problem: TABLE is not mapped
by Daniel Winz
Daniel Winz [http://community.jboss.org/people/danwin] created the discussion
"Re: NamedQuery problem: TABLE is not mapped"
To view the discussion, visit: http://community.jboss.org/message/560238#560238
--------------------------------------------------------------
I have installed J2EE SDK 6 and switched JAVA_HOME variable to it.
Still I get the Table is not mapped message.
But maybe I forgot to tell something important. Before the message gets logged, a select statement on the said table is executed successfully?!
> 2010-09-02 14:25:13,463 DEBUG [org.hibernate.hql.ast.QueryTranslatorImpl] (http-127.0.0.1-8080-1) parse() - HQL: select e from EmployeeEntity e
> 2010-09-02 14:25:13,463 DEBUG [org.hibernate.hql.ast.AST] (http-127.0.0.1-8080-1) --- HQL AST ---
> \-[QUERY] 'query'
> \-[SELECT_FROM] 'SELECT_FROM'
> +-[FROM] 'from'
> | \-[RANGE] 'RANGE'
> | +-[IDENT] 'EmployeeEntity'
> | \-[ALIAS] 'e'
> \-[SELECT] 'select'
> \-[IDENT] 'e'
>
> 2010-09-02 14:25:13,463 DEBUG [org.hibernate.hql.ast.ErrorCounter] (http-127.0.0.1-8080-1) throwQueryException() : no errors
> 2010-09-02 14:25:13,463 DEBUG [org.hibernate.hql.antlr.HqlSqlBaseWalker] (http-127.0.0.1-8080-1) select << begin [level=1, statement=select]
> 2010-09-02 14:25:13,463 INFO [STDOUT] (http-127.0.0.1-8080-1) org.hibernate.hql.ast.QuerySyntaxException: EmployeeEntity is not mapped [select e from EmployeeEntity e]
Thx,
Daniel
--------------------------------------------------------------