[jboss-user] [Security & JAAS/JBoss] - Re: Complete set of example snippets of JAAS + LDAP code and

illipilla do-not-reply at jboss.com
Wed May 30 10:55:54 EDT 2007


1.  Add the following snippet to the conf/login-config.xml.  You may want to modify the baseFilter and roleFilter as per your needs.

    <!-- LDAP Integration Details -->
    <application-policy name="testLDAP">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://LDAPSERVER:389</module-option>
            <module-option name="bindDN">uid=adminuser,ou=admin,ou=corporate,dc=company,dc=com</module-option>
            <module-option name="bindCredential">xxxxxxxx</module-option>
            <module-option name="baseCtxDN">dc=company,dc=com</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>

            <module-option name="rolesCtxDN">dc=company,dc=com</module-option>
            <module-option name="roleFilter">(uniquemember={1})</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <!-- need to understand the impact of enabling roleRecursion -->
            <module-option name="roleRecursion">0</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
          </login-module>
        </authentication>
    </application-policy>
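
As an added illustration (not from the original post), the following Python models how the options above combine: {0} and {1} are filled with escaped arguments the way JNDI filter arguments are, baseFilter locates the user entry, roleFilter finds the groups naming that DN, and roleRecursion follows nested groups, which is the effect the comment above asks about. The directory contents are constructed sample data, not a real server.

```python
import re

# Options copied from the post's login-config.xml (the DNs are the post's placeholders)
BASE_CTX_DN = ROLES_CTX_DN = "dc=company,dc=com"
BASE_FILTER, ROLE_FILTER, ROLE_ATTRIBUTE_ID = "(uid={0})", "(uniquemember={1})", "cn"

# Constructed sample directory: one user, a group holding her, and a group nesting that group
DIRECTORY = {
    "uid=alice,ou=people,dc=company,dc=com": {"uid": ["alice"]},
    "cn=WebAccessRole,ou=groups,dc=company,dc=com": {
        "cn": ["WebAccessRole"], "uniquemember": ["uid=alice,ou=people,dc=company,dc=com"]},
    "cn=Admins,ou=groups,dc=company,dc=com": {
        "cn": ["Admins"], "uniquemember": ["cn=WebAccessRole,ou=groups,dc=company,dc=com"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping, as JNDI applies to filterArgs, so a username cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def substitute(template, args):
    """Fill {0} (username) and {1} (a DN) the way the login module passes its filter arguments."""
    return re.sub(r"\{(\d)\}", lambda m: escape_filter_value(args[int(m.group(1))]), template)

def search(base_dn, ldap_filter):
    """SUBTREE_SCOPE search under base_dn for the single equality filter shape the post uses."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr = m.group(1).lower()
    value = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2)).lower()
    return [dn for dn, entry in DIRECTORY.items() if dn.lower().endswith("," + base_dn.lower())
            and value in (v.lower() for v in entry.get(attr, []))]

def resolve_roles(username, role_recursion=0):
    """Role names the module would put in the 'Roles' group, or None when no unique user entry
    matches. roleRecursion=N also follows N levels of groups containing the groups already found."""
    users = search(BASE_CTX_DN, substitute(BASE_FILTER, [username]))
    if len(users) != 1:
        return None
    roles, frontier = [], users
    for _ in range(role_recursion + 1):
        found = [g for dn in frontier for g in search(ROLES_CTX_DN, substitute(ROLE_FILTER, [username, dn]))]
        frontier = [g for g in found if g not in roles]
        if not frontier:
            break
        roles.extend(frontier)
    return [DIRECTORY[g][ROLE_ATTRIBUTE_ID][0] for g in roles]
```

With roleRecursion left at 0, alice only receives WebAccessRole; raising it to 1 also grants Admins through the nested group, so groups that merely contain other groups become roles too.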

2.  A sample web.xml snippet that secures some webpages with roles

    <security-constraint>
        <!-- all the pages in this webapp are secured -->
        <web-resource-collection>
            <web-resource-name>SecuredPages</web-resource-name>
            <url-pattern>/index.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>WebAccessRole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>WebAccessRole</role-name>
    </security-role>


3.  Edit the jboss-specific web descriptor jboss-web.xml to configure the jboss application to use the configured IPlanet LDAP as the security domain for authentication purposes.  Please add the lines below.

    <security-domain>java:/jaas/testLDAP</security-domain>
    <security-role>
        <role-name>WebAccessRole</role-name>
        <principal-name>yourLDAPGroup</principal-name>
    </security-role>

4.  To retrieve the roles gathered by the container as part of authentication, use the code snippet below.

import java.security.Principal;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import org.jboss.security.SimpleGroup;

// Returns the role names the container gathered for the current caller.
// Must run inside the authenticated request (servlet, JSP or EJB call),
// since the JACC policy context is only populated there.
public static Set<String> getContainerRoles() throws PolicyContextException {
    Set<String> roles = new LinkedHashSet<String>();

    // Get the authenticated Subject from the JACC policy context
    Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
    if (subject == null) {
        return roles; // no authenticated caller
    }

    // JBoss puts the roles assigned by the login module into a SimpleGroup
    // principal named "Roles"; the other principals identify the caller
    for (Principal p : subject.getPrincipals(Principal.class)) {
        System.out.println("Principal: " + p);
        if (p instanceof SimpleGroup) {
            SimpleGroup sg = (SimpleGroup) p;
            if ("Roles".equals(sg.getName())) {
                Enumeration<? extends Principal> members = sg.members();
                while (members.hasMoreElements()) {
                    Principal role = members.nextElement();
                    roles.add(role.getName());
                    // Do anything with role here
                }
            }
        }
    }
    return roles;
}

5.  Restart the jboss process

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4049757#4049757
