4 Replies Latest reply on Mar 16, 2005 1:12 AM by starksm64

    Organizational Role to Application Role mapping using LDAP?

    tjp

      I am trying to configure an LDAP LoginModule for my Web application and understand everything except how to map a user's organizational role name (defined in the LDAP server, such as "QA Managers"):

       dn: cn=QA Managers,ou=groups,o=techniques.org
       objectclass: top
       objectclass: groupOfUniqueNames
       cn: QA Managers
       ou: groups
       uniquemember: uid=abergin, ou=People, o=techniques.org
       uniquemember: uid=jwalker, ou=People, o=techniques.org
       description: People who can manage QA entries
      


      to an application role name defined by my Web application's deployment descriptor, such as "qamgr":

       <security-role>
       <description>quality assurance managers</description>
       <role-name>qamgr</role-name>
       </security-role>
      


      At runtime, from a Servlet in my Web application, I would like to do:

       request.isUserInRole("qamgr")
      


      and would expect a return value of true if the authenticated user is "abergin" or "jwalker".

      I'll use an example from your admin documentation, chapter 8, to clarify my point:

      The documentation sets up a org.jboss.security.auth.spi.LdapLoginModule that would result in the "jduke" user having the "TheDuke" and "AnimatedCharacter" roles after login succeeds.

      I'm confused about whether "TheDuke" and "AnimatedCharacter" are application roles to be used in Web application descriptors and calls like:

       request.isUserInRole("TheDuke")
      


      and Web application <security-constraint> elements such as:

       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Pages for the Duke</web-resource-name>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
       <description>only for animated dukes</description>
       <role-name>TheDuke</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      


      OR

      are these organizational roles that are somehow mapped to application roles?

      In other words, how do you map a user's organizational roles defined in the LDAP server to logical application security roles when using the LdapLoginModule?

      I've done some research and it seems like this process is called Principal mapping (or Realm mapping). Is this true??? Unfortunately, I don't know much about this process and would appreciate some help understanding how this should work ;-)

      I've worked with this a little in the past with WebLogic using: weblogic.xml

       <security-role-assignment>
       <role-name>Users</role-name>
       <principal-name>users</principal-name>
       </security-role-assignment>
      


      Does such a process exist for JBoss? Kind regards, Tim

        • 1. Re: Organizational Role to Application Role mapping using LD
          tjp

          I've answered my own question. I swear I read the Servlet 2.3 spec a few times, but it didn't really click until now...I was looking at the problem from the wrong angle...

          Basically, I had to realize that role mapping is accomplished differently for declarative vs. programmatic authorization. In other words, the mapping from an organizational role to a logical security role used by your application needs to be treated differently for declarative vs. programmatic authorization.

          For declarative authorization, you simply change the name of the role in the <auth-constraint> child element of the <security-constraint> element in the web.xml file to the organizational role name used in the LDAP directory server. Hence the term "declarative" ;-)

          For example, in the example I gave in my previous posting, I have a role name in the LDAP server: QA Managers. Since my Servlet code uses programmatic authorization using the role name qamgr, I thought that I needed to be consistent between declarative and programmatic authorization. That is, I thought I had to use qamgr in the <role-name> element for declarative authorization in the web.xml file. However, what I really needed to do was very simple:

          <auth-constraint>
           <description>People who can manage QA entries</description>
           <role-name>QA Managers</role-name>
          </auth-constraint>
          


          See how the <role-name> element uses QA Managers instead of qamgr. This works because the Subject holds "QA Managers" as a role from the LDAP query.

          So the lesson is that with declarative authorization, one shouldn't get confused by what your programmatic authorization code is doing and just use the organizational role names from your security provider, in my case LDAP.

          On the other hand, programmatic authorization is where a Servlet calls:

          request.isUserInRole("qamgr");


          In this case, the container needs to know that qamgr is really QA Managers. This is done using a <security-role-ref> element in the web.xml. Specifically, each Servlet that issues calls like isUserInRole("qamgr") needs to include a "link" to tell the container that qamgr is the same as the role name QA Managers held in the Subject.

          Here's an example:

          <security-role-ref>
           <role-name>qamgr</role-name>
           <role-link>QA Managers</role-link>
          </security-role-ref>
          


          Great product by the way!!! Cheers, Tim
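To make the two mappings Tim describes concrete, here is a small model of how a container resolves roles: the declarative <auth-constraint> is matched directly against the role names the Subject holds (the group cn values from LDAP), while a programmatic isUserInRole("qamgr") first goes through the servlet's <security-role-ref> link. This is an added example written for this thread, not code from the original posts or from JBoss. It assumes (not stated on the page) that the LdapLoginModule puts exactly the cn of each groupOfUniqueNames entry the user is a uniquemember of into the Subject, and that a role name with no <security-role-ref> is compared as-is. The second LDAP group and the web.xml fragment are constructed sample input.

```python
"""Toy model of declarative vs. programmatic role mapping (added example,
not JBoss code). Assumptions: the Subject's roles are the cn values of the
groupOfUniqueNames entries listing the user as uniquemember, and a role
name without a <security-role-ref> is compared to the Subject's roles as-is.
"""
import re
import xml.etree.ElementTree as ET

# Constructed LDIF: the "QA Managers" entry from the question plus a second
# (invented) group so that one user holds two organizational roles.
LDIF = """\
dn: cn=QA Managers,ou=groups,o=techniques.org
objectclass: top
objectclass: groupOfUniqueNames
cn: QA Managers
ou: groups
uniquemember: uid=abergin, ou=People, o=techniques.org
uniquemember: uid=jwalker, ou=People, o=techniques.org
description: People who can manage QA entries

dn: cn=Release Engineers,ou=groups,o=techniques.org
objectclass: top
objectclass: groupOfUniqueNames
cn: Release Engineers
uniquemember: uid=jwalker, ou=People, o=techniques.org
"""

# Constructed web.xml fragment: the declarative constraint names the LDAP
# role directly; the servlet links its logical "qamgr" to "QA Managers".
WEB_XML = """\
<web-app>
  <servlet>
    <servlet-name>QaServlet</servlet-name>
    <security-role-ref>
      <role-name>qamgr</role-name>
      <role-link>QA Managers</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/qa/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>QA Managers</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def parse_ldif_groups(ldif):
    """Return {uid: set of group cn} from the groupOfUniqueNames records."""
    members = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in record.splitlines():
            if ":" in line:
                name, value = line.split(":", 1)
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "groupofuniquenames" not in classes:
            continue
        cn = attrs["cn"][0]
        for member_dn in attrs.get("uniquemember", []):
            match = re.search(r"uid=([^,]+)", member_dn)
            if match:
                members.setdefault(match.group(1).strip(), set()).add(cn)
    return members


def parse_role_refs(web_xml):
    """Return {servlet-name: {role-name: role-link}} from web.xml."""
    refs = {}
    for servlet in ET.fromstring(web_xml).iter("servlet"):
        links = {}
        for ref in servlet.findall("security-role-ref"):
            links[ref.findtext("role-name")] = ref.findtext("role-link")
        refs[servlet.findtext("servlet-name")] = links
    return refs


def parse_constraints(web_xml):
    """Return [(url-patterns, allowed roles or None if unrestricted)]."""
    constraints = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text for r in auth.findall("role-name")}
        constraints.append((patterns, roles))
    return constraints


def _matches(pattern, path):
    """Servlet-style prefix match for '/x/*' patterns, exact match otherwise."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def is_user_in_role(subject_roles, role_refs, role):
    """Programmatic check: follow the role-link if one is declared."""
    return role_refs.get(role, role) in subject_roles   # assumed fallback


def is_path_permitted(subject_roles, constraints, path):
    """Declarative check: every matching constraint must share a role."""
    for patterns, roles in constraints:
        if roles is None or not any(_matches(p, path) for p in patterns):
            continue
        if not roles & subject_roles:   # an empty role set denies everyone
            return False
    return True


if __name__ == "__main__":
    groups = parse_ldif_groups(LDIF)
    refs = parse_role_refs(WEB_XML)["QaServlet"]
    constraints = parse_constraints(WEB_XML)
    for uid in ("abergin", "jwalker", "guest"):
        roles = groups.get(uid, set())
        print(uid, sorted(roles),
              "isUserInRole('qamgr') ->", is_user_in_role(roles, refs, "qamgr"),
              "GET /qa/report ->", is_path_permitted(roles, constraints, "/qa/report"))
```

Running it shows the point of the thread: abergin and jwalker pass both checks because the constraint names "QA Managers" directly and the servlet's "qamgr" is linked to it, while "guest", who is in no group, fails both. If the <security-role-ref> were missing, isUserInRole("qamgr") would fall through to a direct comparison and return false for everyone, which is the mismatch the original question ran into.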

          • 2. Re: Organizational Role to Application Role mapping using LD
            richardberger

            Don't know if you are still watching this thread - but I wanted to thank you for your posts - it is rare enough for someone to post an answer to their own question, much less such a well thought out and well explained answer.

            I have been looking at security role mappings in WebLogic and JBoss over the past day (using WebLogic 9, JBoss 4) and it appears to me that there is a capability in the weblogic.xml that is missing from jboss-web.xml. (Of course, I am pretty new to this, so I could be wrong).

            For simplicity, let's assume that we are only using declarative security and want to deploy a web application into an existing environment. We want to have an auth-constraint as:
            <auth-constraint>
            <role-name>MyRoleName</role-name>
            </auth-constraint>

            In JBoss, I will have to have MyRoleName show up in my authentication source (e.g. that specific name will have to be in LDAP or the DBMS that I use for my loginModule).

            However, in WebLogic, I can use:
            <security-role-assignment>
            <role-name>MyRoleName</role-name>
            <principal-name>SomeExistingWLGroup</principal-name>
            </security-role-assignment>

            So, it seems that WebLogic is offering some additional capability here - and that capability seems useful. But as I mentioned, I might be confused here.

            I saw a similar post at: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3868751#3868751, but there were no replies.

            Thanks in advance for any advice you might have on this subject.

            RB

            • 3. Re: Organizational Role to Application Role mapping using LD
              richardberger

              I too think that I have answered my own question. Due to various configuration complexities, I believe I went down the wrong path. I no longer see the need for the information in the weblogic.xml file.

              In the scenario that I described earlier:

              For simplicity, let's assume that we are only using declarative security and want to deploy a web application into an existing environment. We want to have an auth-constraint as:
              <auth-constraint>
              <role-name>MyRoleName</role-name>
              </auth-constraint>

              In JBoss, I will have to have MyRoleName show up in my authentication source (e.g. that specific name will have to be in LDAP or the DBMS that I use for my loginModule).

              However, in WebLogic, I can use:
              <security-role-assignment>
              <role-name>MyRoleName</role-name>
              <principal-name>SomeExistingWLGroup</principal-name>
              </security-role-assignment>


              In JBoss, if I want to use the security role SomeExistingWLGroup, then that is the role that I would use in the auth-constraint. Simple as that. It means that the customers will need to change the web.xml but that is no different than changing the weblogic.xml.

              So, the weblogic.jar makes it easy to statically configure your authentication source, but that is not really related to the web-app (which is why the security-role-assignment is not part of the Servlet spec and probably why it is not in JBoss).

              • 4. Re: Organizational Role to Application Role mapping using LD
                starksm64

                It's easy to statically configure the role in JBoss using the UserRolesLoginModule. We only support static association of roles from the deployment descriptors for the run-as identity. For all other use cases the roles are associated via JAAS or JACC.