3 Replies Latest reply on Jan 31, 2006 4:56 PM by sethtrain

    LDAP Authentication

    sethtrain

      I know this horse has probably been beaten to death, but I just can't get it. I have looked and read and just don't understand.

      1. In my login-config.xml file I have (which I think is correct) this:

       <application-policy name="kwormSecurity">
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
       <module-option name="java.naming.provider.url">ldap://server.school.edu</module-option>
       <module-option name="rolesCtxDN">dc=school,dc=edu</module-option>
       <module-option name="matchOnUserDN">false</module-option>
       <module-option name="principalDNSuffix">@school.edu</module-option>
       <module-option name="uidAttributeID">userPrincipalName</module-option>
       <module-option name="roleAttributeID">memberOf</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="roleNameAttributeID">name</module-option>
       </login-module>
       </application-policy>
      


      2. I have a form that submits (via POST) to j_security_check.

      <form action="j_security_check" method="post">
       <table>
       <tr>
       <td>
       <label for="username">Username:</label>
       </td>
       <td>
       <!-- the servlet FORM login submits to j_security_check, which expects the field names j_username and j_password -->
       <input type="text" id="username" name="j_username" />
       </td>
       </tr>
      ...
      
      


      Now come the parts that I don't understand...

      I think there is something I have to put in my jboss-web.xml file (I assume appname is my context-root):

      <security-domain>java:/jaas/appname</security-domain>
      


      This information goes in my web.xml file:

      <security-constraint>
       <web-resource-collection>
       <web-resource-name>Application</web-resource-name>
       <description>Require users to authenticate</description>
       <url-pattern>/*</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       </web-resource-collection>
       <auth-constraint>
       <description>Only allow Authenticated_users role</description>
       <role-name>Authenticated_users</role-name>
       </auth-constraint>
       <user-data-constraint>
       <description>Encryption is not required for the application in general. </description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      


      I guess where I am confused is what ties my security-constraint (the info I put in my web.xml file) to the application-policy (what I put in my login-config.xml file)?

      -- Thanks --
      Seth

        • 1. Re: LDAP Authentication
          sethtrain

          I forgot that I have this in my web.xml file also:

          <login-config>
           <auth-method>FORM</auth-method>
           <form-login-config>
           <form-login-page>/login.jsp</form-login-page>
           <form-error-page>/login_error.html</form-error-page>
           </form-login-config>
           </login-config>
          


          • 2. Re: LDAP Authentication
            brian.stansberry

            In jboss-web.xml:

            <security-domain>java:/jaas/kwormSecurity</security-domain>
            


            • 3. Re: LDAP Authentication
              sethtrain

              Does this:

              <application-policy name="kwormSecurity">
               <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
               <module-option name="java.naming.provider.url">ldap://server.school.edu</module-option>
               <module-option name="rolesCtxDN">dc=school,dc=edu</module-option>
               <module-option name="matchOnUserDN">false</module-option>
               <module-option name="principalDNSuffix">@school.edu</module-option>
               <module-option name="uidAttributeID">userPrincipalName</module-option>
               <module-option name="roleAttributeID">memberOf</module-option>
               <module-option name="roleAttributeIsDN">true</module-option>
               <module-option name="roleNameAttributeID">name</module-option>
               </login-module>
               </application-policy>
              


              need to be this???:

              <application-policy name="kwormSecurity">
               <authentication>
               <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
               <module-option name="java.naming.provider.url">ldap://server.school.edu</module-option>
               <module-option name="rolesCtxDN">dc=school,dc=edu</module-option>
               <module-option name="matchOnUserDN">false</module-option>
               <module-option name="principalDNSuffix">@school.edu</module-option>
               <module-option name="uidAttributeID">userPrincipalName</module-option>
               <module-option name="roleAttributeID">memberOf</module-option>
               <module-option name="roleAttributeIsDN">true</module-option>
               <module-option name="roleNameAttributeID">name</module-option>
               </login-module>
               </authentication>
               </application-policy>
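
The tie Brian's reply points at is simply the name: jboss-web.xml's security-domain value java:/jaas/NAME must match an application-policy named NAME in login-config.xml, and reply 3 asks whether that policy's login-module has to sit inside an authentication element (it does; that is the layout login-config.xml expects). The following script is an added example, not code from the thread or from JBoss: it parses the three configuration pieces and reports the mismatches that typically leave a form login bouncing to the error page. The XML strings are constructed from the thread's snippets, and the function names are this example's own.

```python
"""Consistency check for JBoss web-app security wiring (added example).

Parses login-config.xml, jboss-web.xml and web.xml and reports:
  - a security-domain that names no application-policy,
  - an application-policy whose login-module is not wrapped in <authentication>,
  - auth-constraint roles that web.xml never declares in <security-role>.
"""
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the thread's snippets (trimmed to what the check needs).
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="kwormSecurity">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://server.school.edu</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/kwormSecurity</security-domain>
</jboss-web>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Authenticated_users</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
  <security-role>
    <role-name>Authenticated_users</role-name>
  </security-role>
</web-app>"""


def policies(login_config_xml):
    """Map each application-policy name to True when it has at least one
    login-module inside an <authentication> wrapper, False otherwise."""
    root = ET.fromstring(login_config_xml)
    result = {}
    for policy in root.iter("application-policy"):
        auth = policy.find("authentication")
        modules = auth.findall("login-module") if auth is not None else []
        result[policy.get("name")] = bool(modules)
    return result


def security_domain(jboss_web_xml):
    """Return the policy name after the java:/jaas/ prefix, or None if absent/malformed."""
    root = ET.fromstring(jboss_web_xml)
    node = root.find("security-domain")
    if node is None or not node.text:
        return None
    m = re.fullmatch(r"java:/jaas/(\S+)", node.text.strip())
    return m.group(1) if m else None


def web_roles(web_xml):
    """Return (roles used in auth-constraints, roles declared in security-role)."""
    root = ET.fromstring(web_xml)
    used, declared = set(), set()
    for ac in root.iter("auth-constraint"):
        used.update(r.text.strip() for r in ac.iter("role-name"))
    for sr in root.iter("security-role"):
        declared.update(r.text.strip() for r in sr.iter("role-name"))
    return used, declared


def check_wiring(login_config_xml, jboss_web_xml, web_xml):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    domain = security_domain(jboss_web_xml)
    known = policies(login_config_xml)
    if domain is None:
        problems.append("jboss-web.xml: missing or malformed <security-domain> (expected java:/jaas/<policy>)")
    elif domain not in known:
        problems.append(f"jboss-web.xml: security-domain '{domain}' has no application-policy in login-config.xml")
    elif not known[domain]:
        problems.append(f"login-config.xml: application-policy '{domain}' needs its login-module inside <authentication>")
    used, declared = web_roles(web_xml)
    for role in sorted(used - declared):
        problems.append(f"web.xml: auth-constraint role '{role}' is not declared in a <security-role>")
    return problems


if __name__ == "__main__":
    for p in check_wiring(LOGIN_CONFIG_XML, JBOSS_WEB_XML, WEB_XML) or ["OK: security wiring is consistent"]:
        print(p)
```

Run against the thread's original jboss-web.xml value (java:/jaas/appname) the checker reports that no policy named appname exists, which is exactly the gap Brian's reply closes; the role check is there because the LDAP module only yields roles the deployment descriptor knows how to authorize.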