[jboss-user] [JBoss Portal] - LDAP authentication and Role-based permissions question

ndrw_cheung do-not-reply at jboss.com
Thu Mar 8 11:53:10 EST 2007

Hi. I'm trying to use LdapLoginModule for authenticating into the portal that runs on JBoss AS 4.0.5.GA. The authentication part is OK (the trace log returns loginOK=true) when I enter the user's username and password and hit enter. However, in the browser it gives me a 403 error. The error message is as follows:

HTTP Status 403 - Access to the requested resource has been denied


type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.


Here are the details:

1. LDAP server (we use eDirectory):

Sample user:


Sample Role:


The member attribute will contain the users that are assigned to this role.
For example:


2. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF\web.xml:


also:

		<realm-name>JBoss Portal</realm-name>

3. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\conf\login-config.xml:

	<application-policy name="portal">
		<authentication>
			<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
				<module-option name="java.naming.factory.initial"> com.sun.jndi.ldap.LdapCtxFactory</module-option>
				<module-option name="java.naming.provider.url">ldap://myLDAPserverIP:389/</module-option>
				<module-option name="java.naming.security.authentication">simple</module-option>
				<module-option name="principalDNPrefix">cn=</module-option>
				<module-option name="principalDNSuffix">,ou=users,ou=MyDivision,o=MyCompany </module-option>
				<module-option name="rolesCtxDN">ou=DistributionLists,ou=MyDivision,o=MyCompany</module-option>
				<module-option name="uidAttributeID">member</module-option>
				<module-option name="matchOnUserDN">true</module-option>
				<module-option name="roleAttributeID">cn</module-option>
				<module-option name="roleAttributeIsDN">false</module-option>
			</login-module>
		</authentication>
	</application-policy>

4. database table "jbp_users" in the portal database:

The user abc is added to the jbp_users table. The jbp_uid is 11.

Note: I did not synchronize the password here from the LDAP server because I thought the password here is not used anymore since we authenticate using the LDAP server.

5. database table "jbp_roles" in the portal database:

The role "finance" is added to the jbp_roles table. jbp_name and jbp_displayName are both set to "finance". The jbp_rid value is 7.

6. database table "jbp_role_membership" in the portal database:

The entry with values jbp_uid = 11 and jbp_rid = 7 is added to the jbp_role_membership table.

Are there any other configurations I need to do in order to make it work?

Also, is there a way to do more detailed logging so that I can see what's happening after the authentication? Right now the log doesn't show what went wrong regarding the role permissions.

Any help is appreciated.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026315#4026315

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4026315
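As an added example (not from the original post or from the JBoss code base), a small Python model of how the posted LdapLoginModule options turn into a role lookup: the bind DN is built from principalDNPrefix + username + principalDNSuffix, rolesCtxDN is searched for entries whose uidAttributeID (member) holds that DN because matchOnUserDN=true, and roleAttributeID (cn) supplies the role name since roleAttributeIsDN=false. The directory entries are constructed stand-ins for the eDirectory tree, and the roleAttributeIsDN=true path is not modelled.

```python
"""Simplified model of the legacy JBoss LdapLoginModule role lookup (added example)."""
from typing import Dict, List, Set

# Module options as posted, with surrounding whitespace stripped.
OPTIONS = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=users,ou=MyDivision,o=MyCompany",
    "rolesCtxDN": "ou=DistributionLists,ou=MyDivision,o=MyCompany",
    "uidAttributeID": "member",
    "matchOnUserDN": "true",
    "roleAttributeID": "cn",
    "roleAttributeIsDN": "false",
}

# Constructed stand-in for the directory: DN -> multi-valued attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=abc,ou=users,ou=MyDivision,o=MyCompany": {"cn": ["abc"]},
    "cn=xyz,ou=users,ou=MyDivision,o=MyCompany": {"cn": ["xyz"]},
    "cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany": {
        "cn": ["finance"],
        "member": ["cn=abc,ou=users,ou=MyDivision,o=MyCompany"],
    },
    "cn=hr,ou=DistributionLists,ou=MyDivision,o=MyCompany": {
        "cn": ["hr"],
        "member": ["cn=xyz,ou=users,ou=MyDivision,o=MyCompany"],
    },
}

def user_dn(username: str, opts=OPTIONS) -> str:
    """The DN the module binds as: principalDNPrefix + username + principalDNSuffix."""
    return opts["principalDNPrefix"] + username + opts["principalDNSuffix"]

def _under(dn: str, base: str) -> bool:
    """True when dn lies beneath the search base (DN comparison is case-insensitive)."""
    return dn.lower().endswith("," + base.lower())

def lookup_roles(username: str, directory=DIRECTORY, opts=OPTIONS) -> Set[str]:
    """Search rolesCtxDN for entries whose uidAttributeID equals the user DN
    (matchOnUserDN=true) or the bare username (matchOnUserDN=false) and collect
    roleAttributeID values; with roleAttributeIsDN=false the value is the role name."""
    match_value = user_dn(username, opts) if opts["matchOnUserDN"] == "true" else username
    uid_attr, role_attr = opts["uidAttributeID"], opts["roleAttributeID"]
    roles: Set[str] = set()
    for dn, attrs in directory.items():
        if not _under(dn, opts["rolesCtxDN"]):
            continue  # outside the roles context, never searched
        if any(v.lower() == match_value.lower() for v in attrs.get(uid_attr, [])):
            roles.update(attrs.get(role_attr, []))
    return roles
```

Running lookup_roles("abc") against the constructed tree yields {'finance'}, the role name the module would hand to the container for that user; switching matchOnUserDN to "false" yields no roles, because the member attribute holds DNs rather than bare usernames.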
