In our company we are planning to switch to a JBoss 4.0.3 based application
server array, but we need to authenticate the users against our OpenLDAP
service. I've been trying in many ways but I can't seem to get the right
configuration.

Our LDAP structure is:

dc=comune,dc=grosseto,dc=it
  |_ ou=people
  |   |_ uid=user1
  |   |_ uid=user2
  |   |_ uid=user3
  |_ ou=groups
      |_ cn=admin
      |_ cn=manager
      |_ cn=dipendenti
      ...

The user's group is specified as a group property:

dn: cn=admin,ou=groups,dc=comune,dc=grosseto,dc=it
cn: admin
objectClass: groupOfUniqueNames
uniqueMember: uid=user2,ou=people,dc=comune,dc=grosseto,dc=it
uniqueMember: uid=user3,ou=people,dc=comune,dc=grosseto,dc=it

Our webapp has this jboss-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/comunegr</security-domain>
</jboss-web>

while web.xml includes this constraint:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>certificati</web-resource-name>
        <url-pattern>/browse/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>utenti</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>comunegr</realm-name>
    <form-login-config>
        <form-login-page>/login/login.jsp</form-login-page>
        <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>utenti</role-name>
</security-role>

Finally, I added these lines to JBoss' login-config.xml:

<application-policy name="comunegr">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://ldap01.comune.grosseto.it:389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.security.protocol">*</module-option>
            <module-option name="bindDN">cn=admin,dc=comune,dc=grosseto,dc=it</module-option>
            <module-option name="bindCredential">[password]</module-option>
            <module-option name="baseCtxDN">ou=people,dc=comune,dc=grosseto,dc=it</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">ou=groups,dc=comune,dc=grosseto,dc=it</module-option>
            <module-option name="roleFilter">(uniqueMember={0})</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>
        </login-module>
    </authentication>
</application-policy>

(I also tried to connect with LdapLoginModule (and JBoss 4.0.2), which has
slightly different options, but still I could not authenticate.)

When I open the webapp in the browser I get this error:

java.lang.NullPointerException
    at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:966)
    at org.apache.jsp.index_jsp._jspService(org.apache.jsp.index_jsp:53)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:157)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
    at java.lang.Thread.run(Thread.java:595)

AFTER this error I get the login page anyway, but no user can be authenticated:

HTTP Status 403 - Access to the requested resource has been denied

Can someone help me?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3896275#3896275

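A way to check the role mapping that the login-config above describes without touching the production directory, as an added example (it is not the poster's code and not part of JBoss): a Python script with a constructed in-memory copy of the entries shown in the post that replays the two searches LdapExtLoginModule performs, the user lookup with baseFilter and the group lookup with roleFilter. The module documents that `{0}` in roleFilter is replaced by the typed username and `{1}` by the authenticated user's DN, so the script runs the posted `(uniqueMember={0})` beside `(uniqueMember={1})` against the groupOfUniqueNames entries and reports which roles each variant yields and whether the web.xml role `utenti` would be granted. Assumptions, marked in the code: the sample passwords, the memberships of cn=manager and cn=dipendenti, and a cn=utenti group (web.xml requires that role, but the post's group list is elided). Filter support is limited to a single equality assertion, and values spliced into a filter are escaped per RFC 4515 so a typed username cannot change the filter's structure.

```python
"""Offline replay of the two LDAP searches LdapExtLoginModule performs.

Added example, not JBoss code: an in-memory dictionary stands in for OpenLDAP so
the role mapping can be checked without a server. Only one (attr=value) equality
assertion per filter is supported, which is all the post's filters use.
"""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

BASE = "dc=comune,dc=grosseto,dc=it"
PEOPLE_CTX = "ou=people," + BASE
GROUPS_CTX = "ou=groups," + BASE


def person_dn(uid: str) -> str:
    return f"uid={uid},{PEOPLE_CTX}"


# Constructed copy of the entries shown in the post. Passwords are sample values,
# the memberships of cn=manager and cn=dipendenti are ASSUMED, and cn=utenti is an
# ASSUMED group (web.xml requires that role; the post's group list ends in "...").
DIRECTORY: Dict[str, Entry] = {
    person_dn("user1"): {"objectClass": ["inetOrgPerson"], "uid": ["user1"], "userPassword": ["s3cret-1"]},
    person_dn("user2"): {"objectClass": ["inetOrgPerson"], "uid": ["user2"], "userPassword": ["s3cret-2"]},
    person_dn("user3"): {"objectClass": ["inetOrgPerson"], "uid": ["user3"], "userPassword": ["s3cret-3"]},
    f"cn=admin,{GROUPS_CTX}": {"objectClass": ["groupOfUniqueNames"], "cn": ["admin"],
                               "uniqueMember": [person_dn("user2"), person_dn("user3")]},
    f"cn=manager,{GROUPS_CTX}": {"objectClass": ["groupOfUniqueNames"], "cn": ["manager"],
                                 "uniqueMember": [person_dn("user3")]},
    f"cn=dipendenti,{GROUPS_CTX}": {"objectClass": ["groupOfUniqueNames"], "cn": ["dipendenti"],
                                    "uniqueMember": [person_dn("user1"), person_dn("user2"), person_dn("user3")]},
    f"cn=utenti,{GROUPS_CTX}": {"objectClass": ["groupOfUniqueNames"], "cn": ["utenti"],
                                "uniqueMember": [person_dn("user1"), person_dn("user2")]},
}

_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^()]*)\)$")
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter: without it,
    parentheses or '*' typed into the login form would alter the filter itself."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\0" else ch for ch in value)


def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Subtree search under base_dn for entries satisfying one (attr=value) assertion.
    Attribute names and values compare case-insensitively after decoding \\XX escapes;
    a bare '*' (a wildcard in real LDAP) is rejected rather than mis-simulated."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    attr = m.group("attr").lower()
    if "*" in m.group("value"):
        raise ValueError("wildcards are not supported by this simulator")
    wanted = _HEX_ESCAPE.sub(lambda h: chr(int(h.group(1), 16)), m.group("value")).lower()
    suffix = "," + base_dn.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(suffix):
            continue
        values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
        if any(v.lower() == wanted for v in values):
            hits.append(dn)
    return hits


def login(username: str, password: str, base_ctx_dn: str, base_filter: str,
          roles_ctx_dn: str, role_filter: str, role_name_attr: str = "cn") -> Optional[dict]:
    """Replay of the module's sequence: find the user under baseCtxDN, verify the
    credential (the real module binds as the user DN; a userPassword compare stands
    in here), then search rolesCtxDN. As documented for LdapExtLoginModule, {0} in
    roleFilter is the typed username and {1} is the user's DN."""
    safe_user = escape_filter_value(username)
    candidates = search(base_ctx_dn, base_filter.replace("{0}", safe_user))
    if len(candidates) != 1:
        return None  # unknown or ambiguous user: login fails
    user_dn = candidates[0]
    if password not in DIRECTORY[user_dn].get("userPassword", []):
        return None  # bad credential
    filt = role_filter.replace("{0}", safe_user).replace("{1}", escape_filter_value(user_dn))
    roles = sorted(DIRECTORY[dn][role_name_attr][0] for dn in search(roles_ctx_dn, filt))
    return {"dn": user_dn, "roles": roles}


def authorized(result: Optional[dict], required_role: str) -> bool:
    """The web.xml auth-constraint check: the principal must hold the role-name."""
    return result is not None and required_role in result["roles"]


if __name__ == "__main__":
    common = dict(base_ctx_dn=PEOPLE_CTX, base_filter="(uid={0})", roles_ctx_dn=GROUPS_CTX)
    as_posted = login("user2", "s3cret-2", role_filter="(uniqueMember={0})", **common)
    by_dn = login("user2", "s3cret-2", role_filter="(uniqueMember={1})", **common)
    print("roleFilter=(uniqueMember={0}) -> roles", as_posted["roles"], "utenti:", authorized(as_posted, "utenti"))
    print("roleFilter=(uniqueMember={1}) -> roles", by_dn["roles"], "utenti:", authorized(by_dn, "utenti"))
```

Run it as a script to see both variants printed side by side; `login()` returns `None` for an unknown user or a wrong password, and `authorized()` is the auth-constraint check from web.xml applied to the roles the lookup produced. Because the group entries store full DNs in `uniqueMember`, a filter that splices in the bare username matches no group, while the `{1}` form matches the user's groups.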


JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
