[jboss-user] [Security & JAAS/JBoss] - JAAS - LDAPExtLoginModule

shetty2k do-not-reply at jboss.com
Thu Jan 15 16:52:24 EST 2009


I have pasted the JBoss configuration files (below) which authenticate against LDAP. The authentication seems to be working fine, but the authorization piece is still not working. After authentication, I get the following error message in the browser:
HTTP Status 403 - Access to the requested resource has been denied
The server.log file does not show any error message.

I would like to understand the following:
- Do we have a document detailing a JAAS configuration against LDAP?
- If the JBoss roles are being used to authorize the user, can I get example settings for LDAP?
- What is the ideal way to configure authentication and authorization in login-config.xml?
- I debug the JAAS configuration on JBoss using the Eclipse IDE. If one of the parameters in login-config.xml / web.xml / jboss-web.xml is wrongly set, how do I debug through these XML configuration files? Eclipse does not seem to provide a way to do this.

The reason I am not using LDAPLoginModule is because it creates the UserDN as follows:
UserDN = principalDNPrefix (cn=) + <username entered during authentication> + principalDNSuffix (,cn=Users,dc=company,dc=com)
 
But my data is organized as follows:
UserDN = cn=<Full Name>,cn=Users,dc=company,dc=com
So, during the authentication, the LDAPLoginModule will not be able to find the UserDN. To overcome this limitation, LDAPExtLoginModule was designed. LDAPExtLoginModule makes use of an LDAP filter to look up the user (baseFilter) and role (roleFilter).

Thanks & Regards,
shetty2k

LDAP Data:
dc=company,dc=com
- cn=Users
- - cn=Pitt\, Brad
- - cn=Redford\,Robert
- - cn=Spielberg\,Steven
- cn=Groups
- - cn=Actors
- - cn=Directors

login-config.xml:

<!-- policy name taken from the security-domain in jboss-web.xml below -->
<application-policy name="mySecurityDomain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://iamdev1:9389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.security.principal">cn=myAdmin</module-option>
            <module-option name="java.naming.security.credentials">hollywood1</module-option>
            <module-option name="bindDN">cn=myAdmin</module-option>
            <module-option name="bindCredential">hollywood1</module-option>
            <module-option name="baseCtxDN">ou=Users,dc=company,dc=com</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">ou=Groups,dc=company,dc=com</module-option>
            <module-option name="roleFilter">(uniquemember={1})</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
            <module-option name="roleRecursion">0</module-option>
            <module-option name="searchTimeLimit">5000</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="debug">true</module-option>
        </login-module>
    </authentication>
</application-policy>


web.xml:
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>JAAS</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <display-name>Constraints of the Administration Console's Security Environment</display-name>
        <!-- URI security patterns and the HTTP methods to protect on them. -->
        <web-resource-collection>
            <web-resource-name>Protected Administration Console Resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!-- Anyone with these roles may enter this area. -->
        <auth-constraint>
            <role-name>OCS_PORTAL_USERS</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>no description</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- Default login configuration uses form-based authentication -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>My Company</realm-name>
    </login-config>
    <!-- Security roles referenced by this web application -->
    <security-role>
        <role-name>OCS_PORTAL_USERS</role-name>
    </security-role>
</web-app>

jboss-web.xml:
<jboss-web>
    <security-domain>java:/jaas/mySecurityDomain</security-domain>
</jboss-web>


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4202268#4202268

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4202268
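Added example (not part of the post and not JBoss code): a Python model of the two lookup strategies the post contrasts, run against the directory layout it describes. LDAPLoginModule concatenates prefix + username + suffix, while LdapExtLoginModule resolves the user DN with baseFilter ({0} = username) and the roles with roleFilter ({1} = user DN), then the container compares the granted role names with the auth-constraint in web.xml. The uid values and uniqueMember attributes are constructed assumptions.

```python
# Added illustration, not JBoss code: models LDAPLoginModule's DN concatenation versus
# LdapExtLoginModule's filter-based user and role lookup against the directory layout in the post.
# Constructed sample directory (DN -> attributes); the uid and uniqueMember values are assumptions.
DIRECTORY = {
    r"cn=Pitt\, Brad,cn=Users,dc=company,dc=com": {"cn": "Pitt, Brad", "uid": "bpitt"},
    r"cn=Redford\,Robert,cn=Users,dc=company,dc=com": {"cn": "Redford,Robert", "uid": "rredford"},
    r"cn=Spielberg\,Steven,cn=Users,dc=company,dc=com": {"cn": "Spielberg,Steven", "uid": "sspielberg"},
    "cn=Actors,cn=Groups,dc=company,dc=com": {
        "cn": "Actors",
        "uniqueMember": [r"cn=Pitt\, Brad,cn=Users,dc=company,dc=com",
                         r"cn=Redford\,Robert,cn=Users,dc=company,dc=com"]},
    "cn=Directors,cn=Groups,dc=company,dc=com": {
        "cn": "Directors",
        "uniqueMember": [r"cn=Spielberg\,Steven,cn=Users,dc=company,dc=com"]},
}


def ldap_login_module_dn(username, prefix="cn=", suffix=",cn=Users,dc=company,dc=com"):
    """LDAPLoginModule never searches: the bind DN is principalDNPrefix + typed username + principalDNSuffix."""
    return prefix + username + suffix


def search(base_dn, attr, value):
    """Single-attribute equality search below base_dn (SUBTREE_SCOPE); matching is case-insensitive."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base_dn.lower()):
            continue  # entry is outside the search base (e.g. ou=Users when the data lives under cn=Users)
        values = attrs.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if any(v.lower() == value.lower() for v in values):
            hits.append(dn)
    return hits


def ldap_ext_login_module(username, base_ctx_dn, roles_ctx_dn):
    """baseFilter (uid={0}) locates the user DN; roleFilter (uniquemember={1}) locates the groups whose
    roleAttributeID (cn) becomes the role name. Returns (user_dn, roles); user_dn is None when not found."""
    users = search(base_ctx_dn, "uid", username)
    if len(users) != 1:
        return None, []
    roles = [DIRECTORY[group]["cn"] for group in search(roles_ctx_dn, "uniqueMember", users[0])]
    return users[0], roles


def authorize(roles, required="OCS_PORTAL_USERS"):
    """web.xml auth-constraint: the container answers 403 unless one granted role equals <role-name>."""
    return 200 if required in roles else 403
```

Running it with the post's baseCtxDN of ou=Users finds no user at all, while cn=Users finds the entry and grants the group name as the role; a 403 then follows whenever none of the granted names equals the role-name in the auth-constraint.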
