[jboss-user] [Security & JAAS/JBoss] - LDAP with Domino -- No roles found/Access Denied

tjpfister do-not-reply at jboss.com
Wed Sep 10 17:25:04 EDT 2008

I'm having an issue integrating JBOSS's security in my application.  When logging into my application, the LDAP server is correctly verifying the user name and password, but it cannot find the roles on the LDAP server.  Since it cannot find the roles, the user is redirected to a 403 error page: "Access to the requested resource has been denied".

I'm running this on JBOSS 4.2.0.GA

My login-config.xml security policy:
       <application-policy name="mySecurityPolicy">
  |            <authentication>
  |                <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
  |                              flag="required">
  |                    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
  |                    <module-option name="java.naming.provider.url">ldap://myserver.host.com:389/</module-option>                               
  |                    <module-option name="java.naming.security.authentication">simple</module-option>
  |                    <module-option name="principalDNPrefix">cn=</module-option>
  |                    <!-- for principalDNSuffix no entry is needed for domino (e.g. o=MYDOMIAN) -->                 
  |                    <module-option name="principalDNSuffix"></module-option>
  |                    <module-option name="rolesCtxDN"></module-option>
  |                   <module-option name="uidAttributeID">member</module-option>
  |                    <module-option name="matchOnUserDN">true</module-option>
  |                    <module-option name="roleAttributeID">cn</module-option>
  |                    <module-option name="roleAttributeIsDN">false</module-option>
  |                    <module-option name="searchTimeLimit">5000</module-option>
  |                    <!-- searchScope ONELEVEL_SCOPE is neccesary for Domino -->
  |                 <module-option name="searchScope">ONELEVEL_SCOPE</module-option> 
  | 		<!-- Principal und Credentials for ldap lookups -->
  | 		<module-option name="java.naming.security.principal">cn=admin</module-option>
  | 		<module-option name="java.naming.security.credentials">admin</module-option> 
  |                </login-module>
  |            </authentication>
  |        </application-policy>

My jboss-web.xml:

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-web>
  | 	<security-domain>java:/jaas/mySecurityPolicy</security-domain>
  | </jboss-web>

The security section of my web.xml:

  |         <web-resource-collection>
  |             <web-resource-name>General</web-resource-name>
  |             <url-pattern>/app/*</url-pattern>
  |         	<http-method>PUT</http-method>
  |         	<http-method>DELETE</http-method>
  |         	<http-method>GET</http-method>
  |         	<http-method>POST</http-method> 
  |         </web-resource-collection>
  |         <auth-constraint>
  |             <role-name>Change Requester</role-name>
  |             <role-name>Request Approver</role-name>
  |         </auth-constraint>
  |     </security-constraint>
  |     <security-role>
  |         <role-name>Change Requester</role-name>
  |     </security-role>
  |     <security-role>
  |    		<role-name>Request Approver</role-name>
  |     </security-role>

The groups are at the root of my Domino LDAP server.  The Groups are named exactly the same as my role-names from my web.xml file "Change Requester" and "Request Approver".  I have verified the users I am attempting to login with are a member of at least one these groups.

I have enabled trace output for security in my jboss-log4j.xml file:
<category name="org.jboss.security">
  |    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
  | </category>
  | <category name="org.jboss.web.tomcat.security">
  |    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
  | </category>
  | <category name="org.apache.catalina">
  |    <priority value="DEBUG"/>
  | </category>

 and receive the following output when logging in:

2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling authenticate()
2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '0C5834DF07062C7C651A26A7CD01AD48'
2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'tpfister' with type 'FORM'
2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling accessControl()
2008-09-10 17:10:20,188 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[tpfister()]
2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.realm.RealmBase] Username tpfister does NOT have role Change Requester
2008-09-10 17:10:20,188 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found:  Change Requester
2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.realm.RealmBase] Username tpfister does NOT have role Request Approver
2008-09-10 17:10:20,188 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found:  Request Approver
2008-09-10 17:10:20,188 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking for all roles mode: authOnly
2008-09-10 17:10:20,188 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Failed accessControl() test

I have this same application installed on WebSphere running against the same Domino LDAP server just fine.  I'm trying to push for our development group's standard application server to be switched from WebSphere to JBOSS, but if I cannot get security working, it would be an obvious deal-breaker.

Does anyone have any ideas what is causing this?  If not, are there any additional debugging methods I could use?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4175709#4175709

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4175709

More information about the jboss-user mailing list