[jboss-user] [Security & JAAS/JBoss] - Re: Complete set of example snippets of JAAS + LDAP code and
illipilla
do-not-reply at jboss.com
Wed May 30 10:55:54 EDT 2007
1. Add the following snippet to conf/login-config.xml. You may want to modify the baseFilter and roleFilter as per your needs.
<!-- LDAP Integration Details-->
<application-policy name = "testLDAP">
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="java.naming.provider.url">ldap://LDAPSERVER:389</module-option>
    <module-option name="bindDN">uid=adminuser,ou=admin,ou=corporate,dc=company,dc=com</module-option>
    <module-option name="bindCredential">xxxxxxxx</module-option>
    <module-option name="baseCtxDN">dc=company,dc=com</module-option>
    <module-option name="baseFilter">(uid={0})</module-option>
    <module-option name="rolesCtxDN">dc=company,dc=com</module-option>
    <module-option name="roleFilter">(uniquemember={1})</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="roleAttributeID">cn</module-option>
    <!-- need to understand the impact of enabling roleRecursion -->
    <module-option name="roleRecursion">0</module-option>
    <module-option name="searchScope">SUBTREE_SCOPE</module-option>
  </login-module>
</application-policy>
2. A sample web.xml snippet that secures some webpages with roles
<security-constraint>
  <!-- all the pages in this webapp are secured -->
  <web-resource-collection>
    <web-resource-name>SecuredPages</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>WebAccessRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>WebAccessRole</role-name>
</security-role>
3. Edit the JBoss-specific web descriptor jboss-web.xml to configure the JBoss application to use the configured iPlanet LDAP as the security domain for authentication purposes. Please add the lines below.
<security-domain>java:/jaas/testLDAP</security-domain>
<security-role>
  <role-name>WebAccessRole</role-name>
  <principal-name>yourLDAPGroup</principal-name>
</security-role>
4. To retrieve the roles gathered by the container as part of authentication, use the code snippet below.
// Imports needed by this snippet (in a JSP, put them in a <%@ page import="..." %> directive)
import java.security.Principal;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import org.jboss.security.SimpleGroup;

//Get the Authenticated Subject (the container publishes it under this JACC handler key)
Subject subject = null;
try {
    subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
} catch (PolicyContextException e) {
    throw new RuntimeException("Could not obtain the authenticated Subject", e);
}
//out.println(subject+"");
//Now look for a Group called Roles (a null Subject means the request was not authenticated)
Set principals = (subject == null) ? java.util.Collections.EMPTY_SET : subject.getPrincipals(Principal.class);
Iterator iter = principals.iterator();
while(iter.hasNext())
{
    Principal p = (Principal)iter.next();
    out.println("Principals: "+p+"");
    if(p instanceof SimpleGroup)
    {
        SimpleGroup sg = (SimpleGroup)p;
        if("Roles".equals(sg.getName())) {
            System.out.println(sg.toString()+"");
            //Each member of the "Roles" group is one role name granted to the user
            Enumeration members = sg.members();
            while(members.hasMoreElements()) {
                Principal role = (Principal)members.nextElement();
                out.println("Role: "+role.getName());
            }
        }
    }
}
5. Restart the JBoss process.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4049757#4049757
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4049757
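The following is an added illustration, not code from the post or from JBoss: a small Python model of how LdapExtLoginModule uses the module-options in step 1 to turn a username into the "Roles" group that step 4 reads back. The directory entries, the DN values and the function names (search, find_user_dn, roles_search, resolve_roles) are constructed for the example. It models the module as running baseFilter with {0} = username to find the user's DN, then roleFilter with {1} = that DN and taking roleAttributeID (cn) of every hit as a role name, and, while the nesting level is below roleRecursion, repeating roleFilter with each hit's own DN. That last part is what the "need to understand the impact of enabling roleRecursion" comment in the config is about: with roleRecursion left at 0 a user only gets the groups that list the user directly, with 1 they also get groups that contain those groups. The toy also fills the {n} placeholders in after parsing the filter, the way JNDI's filterArgs form does for the real module, so a username is compared as a literal and cannot change the shape of the search.

```python
import re

# Constructed in-memory directory: DN -> attributes (all values are lists).
# One user, one group holding the user, and one group that nests the first group.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=company,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "uid": ["jdoe"],
        "cn": ["John Doe"],
    },
    "cn=WebAccessRole,ou=groups,dc=company,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "cn": ["WebAccessRole"],
        "uniquemember": ["uid=jdoe,ou=people,dc=company,dc=com"],
    },
    "cn=AdminRole,ou=groups,dc=company,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "cn": ["AdminRole"],
        # Nested membership: the WebAccessRole group itself is a member here.
        "uniquemember": ["cn=WebAccessRole,ou=groups,dc=company,dc=com"],
    },
}

# The module-options from the login-config.xml snippet that drive the searches
# (roleAttributeIsDN=false in the post, so the cn of each matching group is the role name;
# the roleAttributeIsDN=true variant is not modelled here).
MODULE_OPTIONS = {
    "baseCtxDN": "dc=company,dc=com",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "dc=company,dc=com",
    "roleFilter": "(uniquemember={1})",
    "roleAttributeID": "cn",
    "roleRecursion": 0,
}


def _parse_filter(template):
    """Accept a single equality filter whose value is a {n} placeholder, e.g.
    "(uid={0})". Returns (attribute name, argument index)."""
    match = re.fullmatch(r"\((\w+)=\{(\d)\}\)", template)
    if not match:
        raise ValueError("unsupported filter: %s" % template)
    return match.group(1).lower(), int(match.group(2))


def search(base_dn, filter_template, args):
    """SUBTREE_SCOPE search for entries under base_dn matching the filter.
    The placeholder is filled in after the filter is parsed, so the argument
    is compared as a literal attribute value rather than spliced into the filter text."""
    attr, index = _parse_filter(filter_template)
    value = args[index].lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if any(v.lower() == value for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits


def find_user_dn(username, opts):
    """Step one of the module: baseFilter with {0} = username; the first hit is used."""
    hits = search(opts["baseCtxDN"], opts["baseFilter"], [username])
    return hits[0] if hits else None


def roles_search(username, dn, opts, nesting=0, roles=None):
    """Step two: roleFilter with {0} = username and {1} = the entry's DN.
    Each hit contributes its roleAttributeID value as a role; while nesting is
    below roleRecursion the search is repeated with the hit's own DN as {1},
    which is how groups that contain groups are picked up."""
    if roles is None:
        roles = []
    for group_dn in search(opts["rolesCtxDN"], opts["roleFilter"], [username, dn]):
        for role in DIRECTORY[group_dn].get(opts["roleAttributeID"], []):
            if role not in roles:
                roles.append(role)
        if nesting < opts["roleRecursion"]:
            roles_search(username, group_dn, opts, nesting + 1, roles)
    return roles


def resolve_roles(username, role_recursion=0):
    """Role names the module would place in the "Roles" group for this user,
    or None when the user search finds nothing (login fails at that point)."""
    opts = dict(MODULE_OPTIONS, roleRecursion=role_recursion)
    user_dn = find_user_dn(username, opts)
    if user_dn is None:
        return None
    return roles_search(username, user_dn, opts)


if __name__ == "__main__":
    print(resolve_roles("jdoe"))                    # ['WebAccessRole']
    print(resolve_roles("jdoe", role_recursion=1))  # ['WebAccessRole', 'AdminRole']
    print(resolve_roles("jdoe)(uid=*"))             # None: compared as a literal uid, no match
```

Run it as a script to see the three cases: the post's configuration (roleRecursion 0) yields only WebAccessRole, roleRecursion 1 also pulls in AdminRole through the nested group, and a username containing filter syntax simply matches nothing because it never becomes part of the filter.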