[Security & JAAS/JBoss] - LDAP authentication and role-based permission question (x-po
by ndrw_cheung
Hi. I'm trying to use LdapLoginModule for authenticating into the portal that runs on JBOSS AS 4.0.5GA. The authentication part is ok (the trace logs return loginOK=true) when I put in the user's username and password and hit enter. However, in the browser it gives me a 403 error. Error message as follows:
HTTP Status 403 - Access to the requested resource has been denied
--------------------------------------------------------------------------------
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
--------------------------------------------------------------------------------
Here are the details:
1. LDAP server (we use eDirectory):
Sample user:
cn=abc,ou=users,ou=MyDivision,o=MyCompany
Sample Role:
cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany
The member attribute will contain the users that are assigned to this role.
For example:
member=cn=abc,ou=users,ou=MyDivision,o=MyCompany
2. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF\web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Authenticated</web-resource-name>
        <url-pattern>/auth/*</url-pattern>
    </web-resource-collection>
    <!--<auth-constraint>
        <role-name>Authenticated</role-name>
    </auth-constraint>-->
    <auth-constraint>
        <role-name>finance</role-name>
    </auth-constraint>
</security-constraint>
also:
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JBoss Portal</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<!--<security-role>
    <role-name>Authenticated</role-name>
</security-role>-->
<security-role>
    <role-name>finance</role-name>
</security-role>
3. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\conf\login-config.xml:
<application-policy name="portal">
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.factory.initial"> com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://myLDAPserverIP:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">cn=</module-option>
        <module-option name="principalDNSuffix">,ou=users,ou=MyDivision,o=MyCompany </module-option>
        <module-option name="rolesCtxDN">ou=DistributionLists,ou=MyDivision,o=MyCompany</module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
    </login-module>
</application-policy>
4. database table "jbp_users" in the portal database:
The user abc is added to the jbp_users table. The jbp_uid is 11.
Note: I did not synchronize the password here from the LDAP server because I thought the password here is not used anymore since we authenticate using the LDAP server.
5. database table "jbp_roles" in the portal database:
The role "finance" is added to the jbp_roles table. jbp_name and jbp_displayName are both set to "finance". The jbp_rid value is 7.
6. database table "jbp_role_membership" in the portal database:
The entry with values jbp_uid = 11 and jbp_rid = 7 is added to the jbp_role_membership table.
Are there any other configurations I need to do in order to make it work?
Also, is there a way to do more detailed logging so that I can see what's happening after the authentication? Right now the log doesn't show what went wrong regarding the role permissions.
Any help is appreciated.
-Andrew
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026343#4026343
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4026343
19 years, 1 month
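An added example, not JBoss code and not from the post above: it replays the role lookup that the module options in that login-config.xml describe (principalDNPrefix/principalDNSuffix to build the user DN, a search under rolesCtxDN for uidAttributeID matching the user DN, role names taken from roleAttributeID) against a constructed in-memory directory, so you can check which role names a configuration should hand to the web container before digging into the portal tables. The whitespace and case handling in norm_dn, the one-level search scope, and the roleNameAttributeID value are assumptions.

```python
from typing import Dict, List

# Constructed in-memory directory (DN -> attributes): the post's user and role
# entries plus one extra group so the lookup has something to reject.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=abc,ou=users,ou=MyDivision,o=MyCompany": {"cn": ["abc"]},
    "cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany":
        {"cn": ["finance"], "member": ["cn=abc,ou=users,ou=MyDivision,o=MyCompany"]},
    "cn=hr,ou=DistributionLists,ou=MyDivision,o=MyCompany":
        {"cn": ["hr"], "member": ["cn=xyz,ou=users,ou=MyDivision,o=MyCompany"]},
}

# module-option values from the post's login-config.xml; roleNameAttributeID is
# only consulted when roleAttributeIsDN is true (assumed "cn" here).
OPTIONS = {
    "principalDNPrefix": "cn=", "principalDNSuffix": ",ou=users,ou=MyDivision,o=MyCompany",
    "rolesCtxDN": "ou=DistributionLists,ou=MyDivision,o=MyCompany",
    "uidAttributeID": "member", "matchOnUserDN": True,
    "roleAttributeID": "cn", "roleAttributeIsDN": False, "roleNameAttributeID": "cn",
}

def norm_dn(dn: str) -> str:
    # Assumption: DN matching is case-insensitive and ignores space around RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))

def resolve_roles(username: str, opts=OPTIONS, directory=DIRECTORY) -> List[str]:
    """Role names the configured options would yield for `username`."""
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    wanted = norm_dn(user_dn) if opts["matchOnUserDN"] else username
    ctx = norm_dn(opts["rolesCtxDN"])
    roles: List[str] = []
    for dn, attrs in directory.items():
        # One-level search: only direct children of rolesCtxDN are candidates.
        if "," not in dn or norm_dn(dn).split(",", 1)[1] != ctx:
            continue
        # Filter (uidAttributeID=<userDN or username>) against each candidate.
        values = attrs.get(opts["uidAttributeID"], [])
        if not any((norm_dn(v) if opts["matchOnUserDN"] else v) == wanted for v in values):
            continue
        for value in attrs.get(opts["roleAttributeID"], []):
            if opts["roleAttributeIsDN"]:  # value is the DN of a role object
                roles.extend(directory.get(value, {}).get(opts["roleNameAttributeID"], []))
            else:                          # value is the role name itself
                roles.append(value)
    return roles

def access_allowed(username: str, required_roles: List[str]) -> bool:
    """Mirror of the web.xml <auth-constraint>: any one required role grants access."""
    return bool(set(resolve_roles(username)) & set(required_roles))
```

With the posted options, user abc resolves to the single role "finance", which is what the auth-constraint asks for; flipping matchOnUserDN to false makes the same lookup return nothing, since the member values are full DNs rather than bare usernames.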
[JBoss Seam] - Re: Inject messages into JavaBean
by monkeyden
How do you instantiate DefaultPaginator?
By way of a constructor. Do I need to inject it instead, to make use of some Seam recursive injection facility?
Ensure that your messages.properties is in the appropriate location (usually WEB-INF/classes)
Yep, i18n works with EL in session beans and facelets.
...make sure your Log type is of org.jboss.seam.log.Log (not the commons version)
Yep, it's a Seam Log.
Here is the signature:
public DefaultPaginator(String name, PageProvider owner, List keySet, int rowsPerPage)
owner - the owner of the paginator. Implements callbacks for the paginator to use to load, as objects, subsets of keySet.
name - the unique identifier of the paginator, in case there is more than 1 in a single Action. Used when the paginator calls:
owner.loadPage(String name, List keys)
List - complete list of primary keys
I'll check out injection of it and call mutators for everything.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026342#4026342
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4026342
19 years, 1 month
[JBoss Seam] - Why does Seam check for LoginRedirection after ApplyRequest
by dsmith＠nesmi.com
Seam will apply page parameters before it does the checks to see if login redirection is required.
This is problematic for applications that rely on session scope information created in the authenticator being present,
e.g. using @In(scope=SESSION) currentUser;
| <page view-id="/secure/browseUsers.xhtml">
| <param name="firstResult" value="#{userBrowseQueryFactory.firstResult}" converterId="javax.faces.Integer" />
| </page>
|
| 12:16:53,383 ERROR [DebugPageHandler] redirecting to debug page
| org.jboss.seam.RequiredException: In attribute requires non-null value: userBrowseQueryFactory.currentUser
| at org.jboss.seam.Component.getValueToInject(Component.java:1887)
| at org.jboss.seam.Component.injectAttributes(Component.java:1336)
| at org.jboss.seam.Component.inject(Component.java:1163)
| at org.jboss.seam.interceptors.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:46)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
| at org.jboss.seam.interceptors.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:27)
| at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
| at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:103)
| at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:154)
| at org.jboss.seam.intercept.JavaBeanInterceptor.intercept(JavaBeanInterceptor.java:89)
| at edu.uga.ais.piac.pva.action.user.UserBrowseQueryFactory$$EnhancerByCGLIB$$5ef43164.setFirstResult(<generated>)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.apache.myfaces.el.PropertyResolverImpl.setProperty(PropertyResolverImpl.java:406)
| at org.apache.myfaces.el.PropertyResolverImpl.setValue(PropertyResolverImpl.java:173)
| at org.apache.myfaces.el.ValueBindingImpl.setValue(ValueBindingImpl.java:275)
| at org.jboss.seam.core.Expressions$1.setValue(Expressions.java:67)
| at org.jboss.seam.core.Pages.applyRequestParameterValues(Pages.java:608)
| at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:176)
| at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:57)
| at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:70)
| at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:373)
| at javax.faces.webapp.FacesServlet.service(FacesServlet.java:138)
|
You could workaround the problem with @In(request=false,scope=SESSION) currentUser or call Contexts.getSessionContext().get("currentUser");
My question is why would Seam need to apply request parameters if it is going to redirect to the login page?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026339#4026339
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4026339
19 years, 1 month
[JBoss AOP] - Re: Interception on field inherited through generic superclas
by dunks80
I've been running my application in jboss-4.2.0.CR1 and I've been seeing some really odd behavior with the aop system. Sometimes my pointcuts won't get picked up. I change nothing, I touch nothing, I just restart the server and bam! It works the next time.
Anyway, trying to test this stuff to figure out what the problem is, I noticed something in my test case. From my previous post I was getting this output, which is wrong...
| ...
| cInstance.toString()=null
| cInstance.getMyField()=Invoked testcase.MyMethodInterceptor on testcase.C method getMyField
| cInstance.myField=Invoked testcase.MyFieldInterceptor on testcase.C field myField
| cInstance.cInstance.getClass().getMethod("getMyField",new Class[0]).getName()=getMyField
| dInstance.toString()=Invoked testcase.MyFieldInterceptor on testcase.D field myField
| dInstance.getMyField()=Invoked testcase.MyMethodInterceptor on testcase.D method getMyField
| dInstance.myField=Invoked testcase.MyFieldInterceptor on testcase.D field myField
| dInstance.cInstance.getClass().getMethod("getMyField",new Class[0]).getName()=getMyField
| ...
|
As I said, cInstance.toString() should not result in null because my interceptor should return a value, but it doesn't. OK, so I added another protected annotated field to the C class called myOtherField. Now check out the output of cInstance.toString()...
| cInstance.toString()=Invoked testcase.MyFieldInterceptor on testcase.C field myField
| cInstance.getMyField()=Invoked testcase.MyMethodInterceptor on testcase.C method getMyField
| cInstance.myField=Invoked testcase.MyFieldInterceptor on testcase.C field myField
| cInstance.myOtherField=Invoked testcase.MyFieldInterceptor on testcase.C field myOtherField
| cInstance.cInstance.getClass().getMethod("getMyField",new Class[0]).getName()=getMyField
| dInstance.toString()=Invoked testcase.MyFieldInterceptor on testcase.D field myField
| dInstance.getMyField()=Invoked testcase.MyMethodInterceptor on testcase.D method getMyField
| dInstance.myField=Invoked testcase.MyFieldInterceptor on testcase.D field myField
| dInstance.myOtherField=Invoked testcase.MyFieldInterceptor on testcase.D field myOtherField
| dInstance.cInstance.getClass().getMethod("getMyField",new Class[0]).getName()=getMyField
|
Suddenly the interceptor is run on the inherited myField attribute for C. It's almost like the aop system doesn't see any direct annotations in the C class so it doesn't bother applying any aspects, but if there is an annotation in C then it will also take the time to look for any inherited fields that may be annotated.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026336#4026336
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4026336
19 years, 1 month