I have pasted the JBoss configuration files (below) which authenticate against 
LDAP. The authentication seems to be working fine, but the authorization piece 
is still not working. After authentication, I get the following error message 
in the browser:
HTTP Status 403 - Access to the requested resource has been denied
The server.log file does not show any error message. 

I would like to understand the following:
- Do we have a document detailing a JAAS configuration against LDAP?
- If the JBoss roles are being used to authorize the user, can I get example 
settings for LDAP?
- What is the ideal way to configure authentication and authorization in 
login-config.xml?
- I debug the JAAS configuration on JBoss using the Eclipse IDE. If one of the 
parameters in login-config.xml / web.xml / jboss-web.xml is wrongly set, how do 
I debug through these XML configuration files? Eclipse does not seem to provide 
a way to do so. 

The reason I am not using LDAPLoginModule is because it creates the UserDN as 
follows: 
UserDN = principalDNPrefix (cn=) + <username entered during authentication> + 
principalDNSuffix (,cn=Users,dc=company,dc=com)
 
But my data is organized as follows:
UserDN = cn=<Full Name>,cn=Users,dc=company,dc=com
So, during authentication, the LDAPLoginModule will not be able to find the 
UserDN. To overcome this limitation, LDAPExtLoginModule was designed. 
LDAPExtLoginModule makes use of an LDAP filter to look up the user (baseFilter) 
and the role (roleFilter).

Thanks & Regards,
shetty2k

LDAP Data:
dc=company,dc=com
- cn=Users
- - cn=Pitt\, Brad
- - cn=Redford\,Robert
- - cn=Spielberg\,Steven
- cn=Groups
- - cn=Actors
- - cn=Directors

login-config.xml:

    <!-- The policy name must match the security-domain in jboss-web.xml
         (java:/jaas/mySecurityDomain). -->
    <application-policy name="mySecurityDomain">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                <!-- Connection and admin bind used for the user and role searches -->
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://iamdev1:9389</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="java.naming.security.principal">cn=myAdmin</module-option>
                <module-option name="java.naming.security.credentials">hollywood1</module-option>
                <module-option name="bindDN">cn=myAdmin</module-option>
                <module-option name="bindCredential">hollywood1</module-option>
                <!-- User search: {0} in baseFilter is the login name entered by the user -->
                <module-option name="baseCtxDN">ou=Users,dc=company,dc=com</module-option>
                <module-option name="baseFilter">(uid={0})</module-option>
                <!-- Role search: {1} in roleFilter is the DN found by the user search;
                     the role name is taken from roleAttributeID of each matching entry -->
                <module-option name="rolesCtxDN">ou=Groups,dc=company,dc=com</module-option>
                <module-option name="roleFilter">(uniquemember={1})</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="roleNameAttributeID">cn</module-option>
                <module-option name="roleRecursion">0</module-option>
                <module-option name="searchTimeLimit">5000</module-option>
                <module-option name="searchScope">SUBTREE_SCOPE</module-option>
                <module-option name="allowEmptyPasswords">false</module-option>
                <module-option name="debug">true</module-option>
            </login-module>
        </authentication>
    </application-policy>



web.xml:

    <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
        <display-name>JAAS</display-name>
        <welcome-file-list>
            <welcome-file>index.html</welcome-file>
            <welcome-file>index.htm</welcome-file>
            <welcome-file>index.jsp</welcome-file>
            <welcome-file>default.html</welcome-file>
            <welcome-file>default.htm</welcome-file>
            <welcome-file>default.jsp</welcome-file>
        </welcome-file-list>

        <security-constraint>
            <display-name>Constraints of the Administration Console's Security Environment</display-name>
            <!-- URI security patterns and the HTTP methods to protect on them. -->
            <web-resource-collection>
                <web-resource-name>Protected Administration Console Resources</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <!-- Anyone with these roles may enter this area. -->
            <auth-constraint>
                <role-name>OCS_PORTAL_USERS</role-name>
            </auth-constraint>
            <user-data-constraint>
                <description>no description</description>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <!-- Default login configuration uses form-based authentication -->
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>My Company</realm-name>
        </login-config>
        <!-- Security roles referenced by this web application -->
        <security-role>
            <role-name>OCS_PORTAL_USERS</role-name>
        </security-role>
    </web-app>

jboss-web.xml:

    <jboss-web>
        <security-domain>java:/jaas/mySecurityDomain</security-domain>
    </jboss-web>
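The two lookups the post describes (baseFilter resolving the login name to a user DN, roleFilter resolving that DN to role names) followed by the web.xml auth-constraint check, modelled in Python as an added example that is not JBoss code. The in-memory directory, the uid login attribute and the uniquemember group attribute are constructed assumptions mirroring the LDAP tree in the post; the model is run against both the posted ou= base DNs and the cn=Users / cn=Groups containers the tree actually shows.

```python
"""Model of LdapExtLoginModule's user search, role search and the
web.xml auth-constraint check. Added example, not JBoss code."""
import re

# Constructed directory: DN -> attributes (attribute names lower-cased)
DIRECTORY = {
    "cn=Pitt\\, Brad,cn=Users,dc=company,dc=com": {
        "cn": ["Pitt, Brad"], "uid": ["bpitt"]},
    "cn=Redford\\,Robert,cn=Users,dc=company,dc=com": {
        "cn": ["Redford,Robert"], "uid": ["rredford"]},
    "cn=Actors,cn=Groups,dc=company,dc=com": {
        "cn": ["Actors"],
        "uniquemember": ["cn=Pitt\\, Brad,cn=Users,dc=company,dc=com",
                         "cn=Redford\\,Robert,cn=Users,dc=company,dc=com"]},
    "cn=Directors,cn=Groups,dc=company,dc=com": {
        "cn": ["Directors"],
        "uniquemember": ["cn=Spielberg\\,Steven,cn=Users,dc=company,dc=com"]},
}

FILTER = re.compile(r"^\((\w+)=(.*)\)$")  # single equality filter only

def search(base_dn, ldap_filter):
    """SUBTREE_SCOPE search under base_dn for one (attr=value) filter."""
    attr, value = FILTER.match(ldap_filter).groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and value in attrs.get(attr.lower(), [])]

def find_user_dn(base_ctx_dn, base_filter, username):
    """baseFilter search: {0} is the login name; exactly one hit expected."""
    hits = search(base_ctx_dn, base_filter.replace("{0}", username))
    return hits[0] if len(hits) == 1 else None

def find_roles(roles_ctx_dn, role_filter, username, user_dn, role_attr):
    """roleFilter search: {0} is the login name, {1} the user DN found above."""
    f = role_filter.replace("{0}", username).replace("{1}", user_dn)
    return sorted(v for dn in search(roles_ctx_dn, f)
                  for v in DIRECTORY[dn].get(role_attr, []))

def login(username, base_ctx_dn, roles_ctx_dn, required_roles):
    """Returns (http_status, roles): 401 if no user DN, 403 if no required role."""
    user_dn = find_user_dn(base_ctx_dn, "(uid={0})", username)
    if user_dn is None:
        return 401, []
    roles = find_roles(roles_ctx_dn, "(uniquemember={1})", username, user_dn, "cn")
    granted = any(r in roles for r in required_roles)
    return (200 if granted else 403), roles
```

With the cn= containers the user resolves and gets the role Actors, yet the constraint still yields 403 because web.xml demands OCS_PORTAL_USERS, a role no group in the tree provides.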


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4202268#4202268

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user