[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Hi all, Good news! Finally, after trial and error with different parameters, I can get LdapLoginModule to work fine now. Now I am trying to figure out the alternative settings for LDAP login. Sharing our working config:

--
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="java.naming.provider.url">ldap://ldap.ust.hk/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=people,o=my.com</module-option>
    <module-option name="rolesCtxDN">ou=people,o=my.com</module-option>
    <module-option name="uidAttributeID">uid</module-option>
    <module-option name="matchOnUserDN">false</module-option>
    <module-option name="roleAttributeID">userClass</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="searchTimeLimit">5</module-option>
    <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
  </login-module>

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4243696#4243696
___ jboss-user mailing list jboss-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/jboss-user
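To see what these options actually do before editing login-config.xml again, here is an added example (not code from this thread and not JBoss code): a small Java model of the role lookup, run against a constructed in-memory directory instead of a live server. It follows the documented meaning of the LdapLoginModule options as this editor reads them (principalDNPrefix/Suffix build the user DN; matchOnUserDN picks whether the filter compares uidAttributeID against the username or the full user DN; roleAttributeIsDN decides whether each roleAttributeID value is the role name itself or the DN of a role entry whose roleNameAttributeID holds the name) and of the LdapExtLoginModule options used elsewhere in this thread (baseFilter with {0}, roleFilter with {1}, defaultRole). The filter matcher only understands one equality clause, which is all the posted configs use; the sample entries, their userClass and deptcode values, and the ou=groups subtree are invented. The three configs are the working one from this post, the earlier config from post 4235200 further down the thread, and Peter's LdapExtLoginModule config from post 4242727 mapped onto the sample tree.

```java
import java.util.*;

public class LdapRoleModel {

    /** Constructed sample directory (not a real server): dn -> (attribute -> values). */
    static final Map<String, Map<String, List<String>>> DIR = new LinkedHashMap<>();
    static {
        add("uid=dickson,ou=people,o=my.com", "uid", "dickson", "userClass", "staff", "deptcode", "iso");
        add("uid=alice,ou=people,o=my.com", "uid", "alice", "userClass", "student", "deptcode", "hro");
        add("cn=Admins,ou=groups,o=my.com", "name", "Admins", "member", "uid=dickson,ou=people,o=my.com");
    }

    static void add(String dn, String... kv) {
        Map<String, List<String>> attrs = new HashMap<>();
        for (int i = 0; i < kv.length; i += 2)
            attrs.computeIfAbsent(kv[i].toLowerCase(), k -> new ArrayList<>()).add(kv[i + 1]);
        DIR.put(dn.toLowerCase(), attrs);
    }

    static List<String> values(String dn, String attr) {
        Map<String, List<String>> e = DIR.get(dn.toLowerCase());
        return e == null ? Collections.<String>emptyList()
                         : e.getOrDefault(attr.toLowerCase(), Collections.<String>emptyList());
    }

    /** One "(attr=value)" clause evaluated below ctxDN; ONELEVEL_SCOPE sees direct children only. */
    static List<String> search(String ctxDN, String scope, String filter) {
        int eq = filter.indexOf('=');
        String attr = filter.substring(1, eq), want = filter.substring(eq + 1, filter.length() - 1);
        String ctx = ctxDN.toLowerCase();
        List<String> hits = new ArrayList<>();
        for (String dn : DIR.keySet()) {
            if (!dn.endsWith("," + ctx)) continue;
            boolean child = !dn.substring(0, dn.length() - ctx.length() - 1).contains(",");
            if (!child && !"SUBTREE_SCOPE".equals(scope)) continue;
            for (String v : values(dn, attr)) if (v.equalsIgnoreCase(want)) { hits.add(dn); break; }
        }
        return hits;
    }

    /** Role names the module would put in the "Roles" group; an empty set is what ends in a 403. */
    static Set<String> roles(Map<String, String> o, String user) {
        boolean ext = o.containsKey("roleFilter");                 // LdapExtLoginModule-style options
        String userDN;
        if (ext) {
            List<String> found = search(o.get("baseCtxDN"), "SUBTREE_SCOPE", o.get("baseFilter").replace("{0}", user));
            if (found.isEmpty()) return Collections.emptySet();     // user not found: the bind never happens
            userDN = found.get(0);
        } else {
            userDN = o.get("principalDNPrefix") + user + o.get("principalDNSuffix");
        }
        String filter = ext
            ? o.get("roleFilter").replace("{0}", user).replace("{1}", userDN)
            : "(" + o.get("uidAttributeID") + "=" + ("true".equals(o.get("matchOnUserDN")) ? userDN : user) + ")";
        boolean isDN = "true".equals(o.get("roleAttributeIsDN"));
        String roleAttr = o.getOrDefault("roleAttributeID", ext ? "memberOf" : "roles");
        String nameAttr = o.getOrDefault("roleNameAttributeID", "name");
        Set<String> roles = new LinkedHashSet<>();
        if (o.containsKey("rolesCtxDN")) {
            for (String hit : search(o.get("rolesCtxDN"), o.getOrDefault("searchScope", "SUBTREE_SCOPE"), filter)) {
                if (ext && isDN) roles.addAll(values(hit, nameAttr)); // Ext: the matched entry's own name is a role
                for (String v : values(hit, roleAttr)) {
                    if (isDN) roles.addAll(values(v, nameAttr));     // v is a DN: read that entry's name attribute
                    else roles.add(v);                               // v is the role name itself
                }
            }
        }
        if (o.containsKey("defaultRole")) roles.add(o.get("defaultRole"));
        return roles;
    }

    static Map<String, String> opts(String... kv) {
        Map<String, String> m = new HashMap<>();
        for (int i = 0; i < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    // The config from this post: the role is the value of userClass.
    static final Map<String, String> WORKING = opts(
        "principalDNPrefix", "uid=", "principalDNSuffix", ",ou=people,o=my.com",
        "rolesCtxDN", "ou=people,o=my.com", "uidAttributeID", "uid", "matchOnUserDN", "false",
        "roleAttributeID", "userClass", "roleAttributeIsDN", "false", "searchScope", "ONELEVEL_SCOPE");

    // The earlier config (post 4235200): leading comma in rolesCtxDN, matchOnUserDN=true, roleAttributeIsDN=true.
    static final Map<String, String> FAILING = opts(
        "principalDNPrefix", "uid=", "principalDNSuffix", ",ou=people,o=my.com",
        "rolesCtxDN", ",ou=people,o=my.com", "uidAttributeID", "uid", "matchOnUserDN", "true",
        "roleAttributeID", "userClass", "roleAttributeIsDN", "true", "searchScope", "ONELEVEL_SCOPE");

    // Peter's LdapExtLoginModule config (post 4242727) mapped onto the sample tree.
    static final Map<String, String> EXT = opts(
        "baseCtxDN", "ou=people,o=my.com", "baseFilter", "(uid={0})",
        "rolesCtxDN", "ou=groups,o=my.com", "roleFilter", "(member={1})",
        "roleAttributeIsDN", "true", "roleNameAttributeID", "name", "defaultRole", "loggedin");

    public static void main(String[] args) {
        System.out.println("working: " + roles(WORKING, "dickson"));
        System.out.println("failing: " + roles(FAILING, "dickson"));
        System.out.println("ext:     " + roles(EXT, "dickson"));
    }
}
```

For user dickson the model yields [staff] for the working config, an empty set for the earlier one, and [Admins, loggedin] for the LdapExtLoginModule config. In the earlier config each difference on its own empties the result: the leading comma means nothing sits under ",ou=people,o=my.com"; matchOnUserDN=true turns the filter into (uid=uid=dickson,ou=people,o=my.com), which no entry satisfies; and roleAttributeIsDN=true would try to resolve the value staff as a DN. An empty Roles group is exactly the "authentication OK, authorization fails" symptom reported in this thread, so when the 403 appears, print the filter and the hits first, then compare them with what ldapsearch or JXplorer returns.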
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
anonymous wrote : can we write a custom login module?

Yes, you can. You can use any of the existing login modules as a guideline. Most likely you will want to subclass the UsernamePasswordLoginModule class.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4243850#4243850
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Thanks Peter. We may have gone in the wrong direction for LDAP authentication. First, I think our LDAP server has a flat LDAP structure, and thus I only used LdapLoginModule to test. In your config, you use LdapExtLoginModule. I am still trying different parameters for the role-checking config in LdapLoginModule. Authentication is still OK, but authorization fails. By the way, Peter, can we write a custom login module? Searching this topic, I only find this article http://www.jboss.org/community/wiki/CreatingACustomLoginModule; but this is not a full custom login module, it just extends the existing one. Is there any document that teaches us how to write a login module? Thanks for any help.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4243626#4243626
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
defaultRole doesn't work exactly as I expected - you still need to provide role search info. But here is something that worked for me. I want anyone who logs in to have the loggedin role, and I want to use only that role in web.xml (and other locations) to provide access control. I was able to do this with the following login module (with obfuscated data; this is for Exchange 2003, which doesn't allow anonymous access, hence the bindDN entry):

  <application-policy name="peterj">
    <authentication>
      <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://xxx:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindDN">--full DN for my account--</module-option>
        <module-option name="bindCredential">--my password--</module-option>
        <module-option name="baseCtxDN">OU=Users,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="defaultRole">loggedin</module-option>
        <module-option name="rolesCtxDN">OU=Groups,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">name</module-option>
      </login-module>
    </authentication>
  </application-policy>

In typical Exchange fashion, all users are defined in OU=Users, and they belong to security groups defined by OU=Groups. The groups have an attribute named member which contains the users in that role. I will now see if there is any way I can look up a simple attribute value of the User to set a role, but offhand I don't see anything in LdapExtLoginModule that will let me do this. If that fails, I will try using LdapLoginModule.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4242727#4242727
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Thanks a lot, Peter. The roleAttributeIsDN is set to false. However, I still fail to access the webpage. From the trace log, it shows that the authentication is OK but the authorization has failed. The main problem is caused by role checking. Even though I set TRACE logging for org.jboss.security.auth.spi, there is no information or message about authorization in the trace log. I also set searchScope to ONELEVEL_SCOPE or SUBTREE_SCOPE. It still fails too. How can I set logging for authorization? What else can we do? Thanks for any help.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4241912#4241912
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Here are a few things to try.

1) Set roleAttributeIsDN to false. Looking at the code it appears that if this is false then the role is assumed to be the attribute's value (that is, the value of userClass in your example). Also, set TRACE logging for the org.jboss.security.auth.spi package - once the LDAP login module gathers all of the necessary info to lookup the role it prints the info to the log if TRACE is set. It also prints out information about what it finds.

2) The LdapExtLoginModule has a defaultRole option that might do what you want; it appears to assign a role to all logged in users. You would have to change the config to look something like this:

  <application-policy name="ldapLogin">
    <authentication>
      <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ldap.my.com:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindDN">--account with ldap access--</module-option>
        <module-option name="bindCredential">--password for that account--</module-option>
        <module-option name="baseCtxDN">ou=people,o=my.com</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="defaultRole">xxx</module-option>
      </login-module>
    </authentication>
  </application-policy>

Unfortunately the LdapExtLoginModule does not provide that much information when logging is set to TRACE.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4241773#4241773
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Hi all, I do not know what is wrong in my setting. I still fail to use the LDAP login module. Can anyone help?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4241319#4241319
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Peter, can you help me?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4240568#4240568
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Thanks Peter. Can we just use the same DN that includes a lot of other information (other attributes), such as UserClass, DeptCode, etc.? How do we use these attributes for the role checking? How do we set it in the LDAP auth module?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4238937#4238937
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Yes, you can use such a DN. You need to set the role attributes such that the result is, for example, the value for DeptCode.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4239132#4239132
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
In my Jun 4, 2009 email, I show the setting that sets the role attributes to userClass (the same kind of attribute as DeptCode). So, based on my setting, I don't know what's wrong.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4239230#4239230
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Stating the user's DN is a good start, but I also need a DN for something that could be used for a role, such as a department. And I need to know an attribute on the user that can be used to link to that role/department. The other thing I am thinking is that perhaps there is a way to simulate a user-only LDAP module that yields a constant role (or chain some modules together to yield the same). I know that this can be done with the database login module because there the role is obtained via an SQL statement and it is easy to write SQL to return a constant. However, I would have to dig through the source code to see if this is possible. I have a very detailed description of how to set up the LDAP login module based on using ldapsearch to query the LDAP server in JBoss in Action. You should get a copy and look it over, that might help you set up the roles query. http://www.manning.com/jamae

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4236144#4236144
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Thanks Peter. I installed JXplorer and can browse the LDAP server; I get my DN as below. And I list the LDAP auth config below. I still get a 403 error code. Peter, please help to point out what's wrong. Thanks.

DN: uid=dickson,ou=people,o=my.com

login-config.xml
--
  <application-policy name="testLdapExample1">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ldap.my.com/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=people,o=my.com</module-option>
        <module-option name="rolesCtxDN">,ou=people,o=my.com</module-option>
        <module-option name="uidAttributeID">uid</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="roleAttributeID">userClass</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="searchTimeLimit">5000</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>
    </authentication>
  </application-policy>

* web.xml
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the
        role JBossAdmin to access the HTML JMX console web application</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss</realm-name>
  </login-config>
  <security-role>
    <role-name>staff</role-name>
  </security-role>

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4235200#4235200
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Any ldapsearch utility will work. Two tools I use are: JXplorer http://sourceforge.net/projects/jxplorer/ and http://www.sun.com/download/products.xml?id=3ea6ec4d (Hmm, this last link is for the Sun ONE Directory Server Resource Kit, but the page appears to be blank. You used to be able to download a zip file containing various utilities, ldapsearch being one of them. But then JXplorer includes a search feature so that should be sufficient for testing.) In addition, if you are using Active Directory, its management tools are also handy.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4235042#4235042
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Can you supply a full DN for a departmentcode? Given that I might be able to provide the login module settings. Also, do you have an ldapsearch utility? You will need one to ascertain that we use the correct configuration settings. Without ldapsearch, configuring an LDAP login module is like wandering around in the dark. Alternatively, I have a resource that goes into detail on LDAP login module configuration, but it is not free. I can provide a URL if you like.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4234752#4234752
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Thanks Peter. I do not have a full DN for a departmentcode. I only know how to configure Apache to do basic authentication against our LDAP server. I know my departmentcode, such as iso, hro, etc. Also, I do not have an ldapsearch utility. Please recommend which ldapsearch utility I should use to help me configure the LDAP setting. Thanks again.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4234826#4234826
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Peter, can you help to solve my LDAP authentication problem? Thanks. Thanks in advance for anyone's help.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4234594#4234594
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Thanks Peter. Workaround 2 is my target too. Under the LDAP tree, find the right person with related information (department code, user class, etc.). This information can be used as the role. The question is how to configure it. I showed the setting of the LDAP login module. I want to use the departmentcode as the role. How to set it? Each application has its own user profile. For my case, the first step is the password - basic authentication. Then, later on, centralized role checking is a long-term task.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233159#4233159
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
I do not know if there is a way to get the LDAP login module to not attempt to get the role - I would have to dig through the source code to find out. I can think of two workarounds:

1) Subclass org.jboss.security.auth.spi.LdapLoginModule and code the subclass to ignore the role info and return a hard-set role.

2) Provide data for the various roles entries such that LDAP returns some value (could be anything - a department name, a country name, whatever) and use that as the role.

Will your applications really have just one role? In other words, once someone signs in, do they have access to everything? If so, either of the above should work.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233080#4233080
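Workaround 1 above, written out as an added example; this is not code from the thread or from the JBoss project, and it also answers the later question in this thread about writing a custom login module by subclassing an existing one. The package name and the module-option name fixedRole are this example's own choices, and it assumes, from reading the module source of the JBoss versions of this period, that LdapLoginModule performs the bind during password validation and hands back its collected roles through getRoleSets(), which is the method replaced here.

```java
// Added example (not from the thread, not JBoss code): LdapLoginModule subclass that keeps
// the LDAP bind as the password check but returns one fixed role instead of whatever the
// parent's role search produced. Assumptions: the package name and the "fixedRole" option
// are this example's own; the parent reports roles via getRoleSets(), overridden below.
package example.security;

import java.security.acl.Group;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.LdapLoginModule;

public class FixedRoleLdapLoginModule extends LdapLoginModule {

    /** Role handed to every user whose bind succeeds; set with <module-option name="fixedRole">. */
    private String fixedRole = "loggedin";

    @Override
    @SuppressWarnings("rawtypes")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        // Let the parent read java.naming.*, principalDNPrefix/Suffix and friends as usual.
        super.initialize(subject, callbackHandler, sharedState, options);
        Object configured = options.get("fixedRole");
        if (configured != null && configured.toString().trim().length() > 0) {
            fixedRole = configured.toString().trim();
        }
    }

    /**
     * Called after the password has been validated by binding to LDAP as the user.
     * Whatever the parent gathered during its role search is discarded; the single
     * "Roles" group that JBoss matches against web.xml role names is built here.
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal(fixedRole));
        return new Group[] { roles };
    }
}
```

Declare it in login-config.xml in place of org.jboss.security.auth.spi.LdapLoginModule, keep the java.naming.* and principalDNPrefix/principalDNSuffix options, leave rolesCtxDN out so the parent has nothing to search, and add <module-option name="fixedRole">loggedin</module-option>; web.xml then only needs the loggedin role in its auth-constraint and security-role. Because every authenticated user gets the same role, this is only appropriate for the single-role case Peter asks about; an application that needs finer access control still needs real role data in the directory.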
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Thanks so much, Peter (most of my questions are answered by you, thank you). Actually, I want to configure LDAP authentication. However, I get a failure and it is hard to trace what's wrong. Do you have more examples of LDAP auth config? Or how to trace this auth error? In the original design of our LDAP server, no role was designed; it was not for this purpose. Therefore, I just want to skip this role checking in LDAP auth.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4232923#4232923
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
I get a 403 error when I test the LDAP auth. It seems that the password authentication is OK because there is no error in the server.log. Therefore, it means something is wrong in the role authentication. As my LDAP server does not have a role design or information, I want to use the same tree (class) for the role authentication. For example, one attribute, userclass or department, will be used for role authentication. Please help to point out how to configure my LDAP authentication. My setting is as follows:

  <application-policy name="testLdapExample1">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
        <module-option name="java.naming.provider.url">ldap://ldap.my.com/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">,ou=People,o=my.com</module-option>
        <module-option name="rolesCtxDN">,ou=People,o=my.com</module-option>
        <module-option name="uidAttributeID">uid</module-option>
        <module-option name="matchOnUserDN">true</module-option>
        <module-option name="roleAttributeID">uid</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="searchTimeLimit">5000</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      </login-module>
    </authentication>
  </application-policy>

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4232926#4232926
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Can anyone help with this issue? Thanks in advance.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4232637#4232637
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
The role checking is an integral part of login - without it the app server will not know the role of the user and therefore cannot grant access rights to any resources. In other words, even though the user is logged in, she would still get a 404 error because she would not have access to the desired web page.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4232744#4232744
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
This might be a good start http://www.jboss.org/community/docs/DOC-12185

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4207237#4207237
[jboss-user] [Installation, Configuration DEPLOYMENT] - Re: Tutorial for setup of Authentication in JBoss?
Thanks for Jaikiran's help. I have read that article to get the idea of the setup for authentication. For authentication using a password file, LDAP and others, it also includes the role (authorization) checking. How can I ignore that role checking and just validate the username/password in my first approach? Thanks for any help.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4207590#4207590