-
1. Re: LDAP Newbie - LdapLoginModule
rafael.nunes Nov 2, 2006 3:09 PM (in response to jwisetech)Did you have some success?
I have in the same situation.
Could someone help me? -
2. Re: LDAP Newbie - LdapLoginModule
jaikiran Nov 3, 2006 5:41 AM (in response to jwisetech)Have a look at:
http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapLoginModule
If thats not what you are looking for, please provide more details about your application and also what exactly you are having problems with -
3. Re: LDAP Newbie - LdapLoginModule
shilpee_k Nov 22, 2006 1:11 AM (in response to jwisetech)Hi,
have done configurations in JBOSS (version :jboss-4.0.3SP1) to use LdapLoginModule authentication mentioned below. I have set up test ldap server using OpenLDAP and added entries as mentioned below.Problem is even if i dont start the LDAP server it still authenticates for correct username & password but if i give wrong password it fives LoginException. So i am not able to find out against what it is trying to match username/password if my LDAP server is not running.
Please let me know if i have missed out something in configurations ?? Also, the code used to authentication in step 3 is correct or not ?
Is it required to add loginmodule entry in auth.conf file for JBOSS ?
Regards,
Shilpee"sample.ldif" file to add entries in LDAP DB (data is stored in dbb file in OpenLDAP server)
dn: dc=sample,dc=com objectClass: top objectClass: dcObject objectClass: organization objectClass: domainRelatedObject objectClass: dcObject associatedDomain: sample.com o: sample dc: sample description: Sample International - Specialist Providers of Widgets postalAddress: empty telephoneNumber: +44 00000000 dn: cn=Directory Manager,dc=sample,dc=com objectClass: top objectClass: organizationalRole objectClass: OpenLDAPdisplayableObject objectClass: labeledURIObject cn: Directory Manager cn: Manager cn: Directory Administrator cn: Administrator displayName: Directory Manager roleOccupant: uid=lrussell,ou=People,dc=sample,dc=com labeledURI: mailto:directorymanager@sample.com Directory Manager seeAlso: dc=sample,dc=com description: Manages the OpenLDAP directories dn: ou=People,dc=sample,dc=com ou: People objectClass: top objectClass: organizationalUnit dn: ou=Groups,dc=sample,dc=com ou: Groups objectClass: top objectClass: organizationalUnit dn: ou=Roles,dc=sample,dc=com ou: Roles objectClass: top objectClass: organizationalUnit dn: uid=lrussell,ou=People,dc=sample,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: Russell cn: Luc uid: lrussell userpassword: fgCPCzLOHJSRIhLb756rLfe8E7Y= mail: lrussell@sample.com dn: uid=jbloggs,ou=People,dc=sample,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: Bloggs cn: Joe uid: jbloggs userpassword: no3XJAZeeb9AKbGNY65/masWpZE= mail: jbloggs@sample.com dn: uid=fsmith,ou=People,dc=sample,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson sn: Smith cn: Fred uid: fsmith userpassword: kSgNNHCC/WXSjWH3s11BQNE6cKE= mail: fsmith@sample.com dn: cn=Users,ou=Groups,dc=sample,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Users uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com uniqueMember: uid=fsmith,ou=People,dc=sample,dc=com dn: cn=Member_admins,ou=Groups,dc=sample,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Member_admins uniqueMember: uid=lrussell,ou=People,dc=sample,dc=com dn: cn=Everyone,ou=Groups,dc=sample,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Everyone uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com uniqueMember: uid=fsmith,ou=People,dc=sample,dc=com uniqueMember: uid=lrussell,ou=People,dc=sample,dc=com dn: cn=Authenticated_users,ou=Roles,dc=sample,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Authenticated_users uniqueMember: cn=Everyone,ou=Groups,dc=sample,dc=com dn: cn=Member_admin,ou=Roles,dc=sample,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Member_admin uniqueMember: cn=Member_admins,ou=Groups,dc=sample,dc=com
"login-config.xml"
<?xml version='1.0'?> <!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd "> <!-- The XML based JAAS login configuration read by the org.jboss.security.auth.login.XMLLoginConfig mbean. Add an application-policy element for each security domain. The outline of the application-policy is: <application-policy name="security-domain-name"> <authentication> <login-module code="login.module1.class.name " flag="control_flag"> <module-option name = "option1-name">option1-value</module-option> <module-option name = "option2-name">option2-value</module-option> ... </login-module> <login-module code="login.module2.class.name" flag="control_flag"> ... </login-module> ... </authentication> </application-policy> --> <policy> <!-- Used by clients within the application server VM such as mbeans and servlets that access EJBs. --> <application-policy name="client-login"> <authentication> <login-module code="org.jboss.security.ClientLoginModule" flag="required"/> </authentication> </application-policy> <!-- Security domain for JBossMQ --> <application-policy name = "jbossmq"> <authentication> <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required"> <module-option name = "unauthenticatedIdentity">guest</module-option> <module-option name = "dsJndiName">java:/DefaultDS</module-option> <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option> <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option> </login-module> </authentication> </application-policy> <!-- Security domain for JBossMQ when using file-state-service.xml <application-policy name = "jbossmq"> <authentication> <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule " flag = "required"> <module-option name = "unauthenticatedIdentity">guest</module-option> <module-option name = "sm.objectname ">jboss.mq:service=StateManager</module-option> </login-module> </authentication> </application-policy> --> <!-- Security domains for testing new jca framework --> <application-policy name = "HsqlDbRealm"> <authentication> <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule " flag = "required"> <module-option name = "principal">sa</module-option> <module-option name = "userName">sa</module-option> <module-option name = "password"></module-option> <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option> </login-module> </authentication> </application-policy> <application-policy name = "JmsXARealm"> <authentication> <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required"> <module-option name = "principal">guest</module-option> <module-option name = "userName">guest</module-option> <module-option name = "password">guest</module-option> <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option> </login-module> </authentication> </application-policy> <!-- A template configuration for the jmx-console web application. This defaults to the UsersRolesLoginModule the same as other and should be changed to a stronger authentication mechanism as required. --> <application-policy name = "jmx-console"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"> </login-module> </authentication> </application-policy> <application-policy name="sample_web_client_security"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required"> <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> <module-option name="java.naming.provider.url ">ldap://localhost:389</module-option> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name=" java.naming.security.principal">cn=Directory Manager,dc=sample,dc=com</module-option> <module-option name="java.naming.security.credentials">secret</module-option> <module-option name="principalDNPrefix">uid=</module-option> <module-option name="principalDNSuffix">,ou=People,dc=sample,dc=com</module-option> <module-option name="uidAttributeID">uniqueMember</module-option> <module-option name="rolesCtxDN">cn=Directory Manager,dc=sample,dc=com</module-option> <module-option name="roleAttributeID">cn</module-option> <module-option name="matchOnUserDN">false</module-option> </login-module> </authentication> </application-policy> <!-- The default login configuration used by any security domain that does not have a application-policy entry with a matching name --> <application-policy name = "other"> <!-- A simple server login module, which can be used when the number of users is relatively small. It uses two properties files: users.properties, which holds users (key) and their password (value). roles.properties, which holds users (key) and a comma-separated list of their roles (value). The unauthenticatedIdentity property defines the name of the principal that will be used when a null username and password are presented as is the case for an unuathenticated web client or MDB. If you want to allow such users to be authenticated add the property, e.g., unauthenticatedIdentity="nobody" --> <authentication> <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required" /> </authentication> </application-policy> </policy>
web.xml:
<web-app> <display-name>Compliance Engine</ display-name> <description>Web application Configuration of Compliance Engine </description> <servlet> <servlet-name>action</ servlet-name> <servlet-class>org.apache.struts.action.ActionServlet </servlet-class> <init-param> <param-name>config</ param-name> <param-value>/WEB-INF/struts-config.xml </param-value> </init-param> <init-param> <param-name>debug</ param-name> <param-value>6</ param-value> </init-param> <load-on-startup>2</ load-on-startup> </servlet> <servlet-mapping> <servlet-name>action</ servlet-name> <url-pattern>*.do</ url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> <web-resource-name>Sample Application </web-resource-name> <description>Require users to authenticate </description> <url-pattern>*.jsp</ url-pattern> <http-method>POST</ http-method> <http-method>GET</ http-method> </web-resource-collection> <auth-constraint> <description>Only allow Authenticated_users role </description> <role-name>Authenticated_users</ role-name> </auth-constraint> <user-data-constraint> <description>Encryption is not required for the application in general. </description> <transport-guarantee>NONE</ transport-guarantee> </user-data-constraint> </security-constraint> <session-config> <session-timeout>30</ session-timeout> </session-config> <distributable/> </web-app>
Code used to perform supply authentication info.
public synchronized UserVO authenticate( final String userId, final String password) throws Exception { UserVO userVO = null; try { MessageDigest d = java.security.MessageDigest.getInstance("SHA-1"); d.reset(); d.update(password.getBytes()); BASE64Encoder encoder = new BASE64Encoder(); String digestedPwdString = new String(encoder.encode(d.digest())); System.out.println("encoder -------- >> "+digestedPwdString); UsernamePasswordHandler handler = new UsernamePasswordHandler( userId.toLowerCase(), digestedPwdString.toCharArray()); LoginContext loginContext = new LoginContext("sample_web_client_security", handler); loginContext.login (); /* * Login successful: - Get the subject - Get the principals list - * Add the current principal */ Subject subject = loginContext.getSubject (); Set principals = subject.getPrincipals(); SimplePrincipal user = new SimplePrincipal(userId.toLowerCase()); principals.add(user); /* * Fetch the user from the database. */ userVO = userDelegate.getUserByNetworkId(userId); } catch (final LoginException ex) { this.log.error(ex.getMessage(), ex); System.out.println(ex.getMessage()); ex.printStackTrace(); throw ex; } catch (final Exception ex) { System.out.println(ex.getMessage()); ex.printStackTrace(); throw ex; } return userVO; }
-
4. Re: LDAP Newbie - LdapLoginModule
jaikiran Nov 22, 2006 3:54 AM (in response to jwisetech)You will have to add a security-domain element in the jboss-web.xml. Have you done that?
-
5. Re: LDAP Newbie - LdapLoginModule
shilpee_k Nov 29, 2006 2:13 AM (in response to jwisetech)HI, Thanks for replying.
Yes i added in it in jboss-web.xml. Forgot to mention.
I am facing a new problem now. I am not able to access my login.jsp page. It gives COnfiguration error: can't authenticate against null principal.
In the code i posted, after successful login , the way i am adding user to principal , i m not sure its correct or not.
Please let me know how to add the principal. -
6. Re: LDAP Newbie - LdapLoginModule
shilpee_k Nov 30, 2006 4:11 AM (in response to jwisetech)Hi Jai,
Accessing JSP problem is solved . I am able to access the login.jsp.
I have one more doubt. In what all scenarios LoginException is thrown by LoginModule?
My objective is to allow a user to give only 3 login attempts and after 3 unsuccessful login attempts user's account should be locked. I have one flag in Database for failedLogin count in order to allow Admin to unlock user account.
So if LoginException is thrown only in case of Password mismatch then i am planning to implement it like this :
i can catch LoginException in catch block and update DB in catch block.
Please let me know how can i implement this failed login attempt functionality.
Also, is it correct to use UsernamePasswordHandler in LdapLoginModule in the code? -
7. Re: LDAP Newbie - LdapLoginModule
jaikiran Dec 4, 2006 4:43 AM (in response to jwisetech)LoginException is thrown when the authentication fails (one of them being invalid password). Yes, you can implement your use case of checking the number of attempts when LoginException is thrown. But remember that there might be various other reasons why the LoginException is thrown.
-
8. Re: LDAP Newbie - LdapLoginModule
shilpee_k Dec 21, 2006 1:09 AM (in response to jwisetech)Yes. You are right.
So what is the other way to implement failed login attempt functionality? Please suggest.