[jboss-user] [Installation, Configuration & DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?

PeterJ do-not-reply at jboss.com
Thu Jul 9 18:58:56 EDT 2009

defaultRole doesn't work exactly as I expected - you still need to provide role search info. But here is something that worked for me. I want anyone who logs in to have the "loggedin" role, and I want to use only that role in web.xml (and other locations) to provide access control. I was able to do this with the following ling module (with obfuscated data, this is for Exchange 2003 which doesn't allow anonymous access, hence the bindDN entry):

  <application-policy name="peterj">
  |     <authentication>
  |       <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
  |         <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
  |         <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
  |         <module-option name="java.naming.security.authentication">simple</module-option>
  |         <module-option name="bindDN">--full DN for my account--</module-option>
  |         <module-option name="bindCredential">--my password--</module-option>
  |         <module-option name="baseCtxDN">OU=Users,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com</module-option>
  |         <module-option name="baseFilter">(sAMAccountName={0})</module-option>
  |         <module-option name="defaultRole">loggedin</module-option>
  |         <module-option name="rolesCtxDN">OU=Groups,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com</module-option>
  |         <module-option name="roleFilter">(member={1})</module-option>
  |         <module-option name="roleAttributeIsDN">true</module-option>
  |         <module-option name="roleNameAttributeID">name</module-option>
  |       </login-module>
  |     </authentication>
  |   </application-policy>

In typical Exchange fashion, all users are define in OU=Users, and they belong to security groups defined by OU=Groups. The groups have an attribute named "member" which contains the users in that role.

I will now see if there is any way I can lookup a simple attribute value of the User to set a role, but offhand I don't see anything in LdapExtLoginModule that will let me do this. If that fails, I will try using LdapLoginModule.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4242727#4242727

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4242727

More information about the jboss-user mailing list