8 Replies Latest reply on Jul 30, 2009 5:18 PM by ttsimpso

    JAAS - LDAPExtLoginModule

    shetty2k

      I have pasted the JBoss configuration files (below) which authenticate against LDAP. The authentication seems to be working fine, but the authorization piece is still not working. After authentication, I get the following error message in the browser:
      HTTP Status 403 - Access to the requested resource has been denied
      The server.log file does not show any error message.

      I would like to understand the following:
      - Do we have a document detailing a JAAS configuration against LDAP?
      - If the JBoss roles are being used to authorize the user, can I get an example settings for LDAP?
      - What is the ideal way to configure authentication and authorization in login-config.xml?
      - I debug the JAAS configuration on JBoss using Eclipse IDE. If one of the parameters in login-config.xml / web.xml / jboss-web.xml is wrongly set, how do I debug through these xml configuration files? Eclipse does not seem to provide a way to do the same.

      The reason I am not using LDAPLoginModule is because it creates the UserDN as follows:
      UserDN = principalDNPrefix (cn=) + <username entered during authentication> + principalDNSuffix (,cn=Users,dc=company,dc=com)

      But my data is organized as follows:
      UserDN = cn=<Full Name>,cn=Users,dc=company,dc=com
      So, during the authentication, the LDAPLoginModule will not be able to find the UserDN. To overcome this limitation, LDAPExtLoginModule was designed. LDAPExtLoginModule makes use of an ldap filter to lookup the user (baseFilter) and role (roleFilter).

      Thanks & Regards,
      shetty2k

      LDAP Data:
      dc=company,dc=com
      - cn=Users
      - - cn=Pitt\, Brad
      - - cn=Redford\,Robert
      - - cn=Spielberg\,Steven
      - cn=Groups
      - - cn=Actors
      - - cn=Directors

      login-config.xml:

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://iamdev1:9389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.security.principal">cn=myAdmin</module-option>
      <module-option name="java.naming.security.credentials">hollywood1</module-option>
      <module-option name="bindDN">cn=myAdmin</module-option>
      <module-option name="bindCredential">hollywood1</module-option>
      <module-option name="baseCtxDN">ou=Users,dc=company,dc=com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=Groups,dc=company,dc=com</module-option>
      <module-option name="roleFilter">(uniquemember={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">0</module-option>
      <module-option name="searchTimeLimit">5000</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="debug">true</module-option>
      </login-module>



      web.xml:
      <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
      <display-name>JAAS</display-name>
      <welcome-file-list>
      <welcome-file>index.html</welcome-file>
      <welcome-file>index.htm</welcome-file>
      <welcome-file>index.jsp</welcome-file>
      <welcome-file>default.html</welcome-file>
      <welcome-file>default.htm</welcome-file>
      <welcome-file>default.jsp</welcome-file>
      </welcome-file-list>

      <security-constraint>
      <display-name>Constraints of the Administration Console's Security Environment</display-name>
      <!--URI security patterns and the HTTP methods to protect on them.-->
      <web-resource-collection>
      <web-resource-name>Protected Administration Console Resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <!--Anyone with these roles may enter this area.-->
      <auth-constraint>
      <role-name>OCS_PORTAL_USERS</role-name>
      </auth-constraint>
      <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <!-- Default login configuration uses HTTP basic authentication -->
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>My Company</realm-name>
      </login-config>
      <!-- Security roles referenced by this web application -->
      <security-role>
      <role-name>OCS_PORTAL_USERS</role-name>
      </security-role>
      </web-app>

      jboss-web.xml:
      <jboss-web>
      <security-domain>java:/jaas/mySecurityDomain</security-domain>
      </jboss-web>

        • 1. Re: JAAS - LDAPExtLoginModule
          wolfgangknauf

          Hi,

          Did you activate logging of the security layer? This should give you some hints:
          http://www.jboss.org/community/docs/DOC-12198 (question 4)

          Best regards

          Wolfgang

              • 4. Re: JAAS - LDAPExtLoginModule
                shetty2k

                Hi,

                I am using JBoss 4.2.2 GA. Instead of log4j.xml, I have jboss-log4j.xml. It does not contain the following 3 tags:
                org.jboss.security
                org.jboss.web.tomcat.security
                org.apache.catalina

                So, I enabled the following tag:
                <category name="org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain">
                  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
                </category>

                The logs now show authentication errors, but the authorization errors w.r.t roles is still not visible. Please advise.

                Thanks,
                shetty2k

                • 5. Re: JAAS - LDAPExtLoginModule
                  wolfgangknauf

                  Hi,

                  if you post xml, use the "post reply" button and wrap your snippets in "Code" tags. Thus your XML will not be lost. Don't reply directly in the thread view.

                  I use this config in "server/default/conf/jboss-log4j.xml" to log ALL security output to a new console appender, which is set to TRACE level:

                  <appender name="CONSOLE.SECURITY" class="org.apache.log4j.ConsoleAppender">
                    <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
                    <param name="Target" value="System.out"/>
                    <param name="Threshold" value="TRACE"/>

                    <layout class="org.apache.log4j.PatternLayout">
                      <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>
                    </layout>
                  </appender>
                  ...

                  <category name="org.jboss.security">
                    <priority value="TRACE"/>
                    <appender-ref ref="CONSOLE.SECURITY"/>
                  </category>


                  Hope this provides you with more information.

                  Wolfgang

                  • 6. Re: JAAS - LDAPExtLoginModule
                    shetty2k

                    Thanks Wolfgang. The logging helped a little. Some update:
                    I configured JAAS Authentication and Authorization successfully using Active Directory. This is how AD is different from other LDAPs:
                    Two linked multivalued attributes, called member and memberOf, control group membership. The group object always holds the member attribute. The memberOf attribute is a calculated back link held on the group member object itself. As such, group membership is always managed from the group object side (the forward link) of the relationship and the back link is updated by the system automatically. That is, we can read the memberOf attribute, but we cannot modify it directly.

                    Here is the login-config.xml for AD:

                    <application-policy name = "mySecurityDomain">
                     <authentication>
                     <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                     <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                     <module-option name="java.naming.provider.url">ldap://10.200.243.34:389</module-option>
                     <module-option name="java.naming.security.authentication">simple</module-option>
                     <module-option name="java.naming.security.principal">CN=Domainmaster,CN=Users,DC=COQA,DC=CORoot,DC=local</module-option>
                     <module-option name="java.naming.security.credentials">password1</module-option>
                     <module-option name="bindDN">CN=Domainmaster,CN=Users,DC=COQA,DC=CORoot,DC=local</module-option>
                     <module-option name="bindCredential">password1</module-option>
                     <module-option name="baseCtxDN">OU=Users,OU=City,DC=COQA,DC=CORoot,DC=local</module-option>
                     <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                     <module-option name="rolesCtxDN">CN=Builtin,DC=COQA,DC=CORoot,DC=local</module-option>
                     <module-option name="roleFilter">(member={1})</module-option>
                     <module-option name="roleAttributeID">memberOf</module-option>
                     <module-option name="roleAttributeIsDN">true</module-option>
                     <module-option name="roleNameAttributeID">cn</module-option>
                     <module-option name="roleRecursion">0</module-option>
                     <module-option name="searchTimeLimit">10000</module-option>
                     <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                     <module-option name="allowEmptyPasswords">false</module-option>
                     <module-option name="debug">true</module-option>
                     </login-module>
                     </authentication>
                     </application-policy>
                    


                    My LDAP is OID or OVD. This does not have a member or memberOf attribute generation. So, I created my own custom arrangement: uniquemember (default schema) and myRole (custom schema) to link to each other, based on what happens in AD. The authorization part still does not work. Following is the login-config.xml:
                     <application-policy name = "mySecurityDomain">
                     <authentication>
                     <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                     <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                     <module-option name="java.naming.provider.url">ldap://machine1:9389</module-option>
                     <module-option name="java.naming.security.authentication">simple</module-option>
                     <module-option name="java.naming.security.principal">cn=ovdadmin</module-option>
                     <module-option name="java.naming.security.credentials">password1</module-option>
                     <module-option name="bindDN">cn=ovdadmin</module-option>
                     <module-option name="bindCredential">password1</module-option>
                     <module-option name="baseCtxDN">ou=Users,dc=company,dc=com</module-option>
                     <module-option name="baseFilter">(uid={0})</module-option>
                     <module-option name="rolesCtxDN">ou=Groups,dc=company,dc=com</module-option>
                     <module-option name="roleFilter">(uniquemember={1})</module-option>
                     <module-option name="roleAttributeID">myRole</module-option>
                     <module-option name="roleAttributeIsDN">true</module-option>
                     <module-option name="roleNameAttributeID">cn</module-option>
                     <module-option name="roleRecursion">0</module-option>
                     <module-option name="searchTimeLimit">10000</module-option>
                     <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                     <module-option name="allowEmptyPasswords">false</module-option>
                     <module-option name="debug">true</module-option>
                     </login-module>
                     </authentication>
                     </application-policy>
                    


                    Following are the logs generated (username is shetty2k, rolename is not visible):
                    2009-01-23 16:41:16,468 TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
                    2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1e84244
                    2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@156b7c1
                    2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] CachePolicy set to: org.jboss.util.TimedCachePolicy@3a1e23
                    2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@3a1e23
                    2009-01-23 16:41:16,468 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added mySecurityDomain, org.jboss.security.plugins.SecurityDomainContext@190a284 to map
                    2009-01-23 16:41:16,468 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] Begin isValid, principal:shetty2k, cache info: null
                    2009-01-23 16:41:16,468 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] defaultLogin, principal=shetty2k
                    2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(mySecurityDomain), size=9
                    2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(mySecurityDomain), authInfo=AppConfigurationEntry[]:
                    [0]
                    LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
                    ControlFlag: LoginModuleControlFlag: required
                    Options:name=allowEmptyPasswords, value=false
                    name=roleRecursion, value=0
                    name=java.naming.security.principal, value=cn=ovdadmin
                    name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
                    name=rolesCtxDN, value=ou=Groups,dc=company,dc=com
                    name=java.naming.security.credentials, value=password1
                    name=debug, value=true
                    name=roleNameAttributeID, value=cn
                    name=baseFilter, value=(uid={0})
                    name=roleFilter, value=(uniquemember={1})
                    name=java.naming.security.authentication, value=simple
                    name=bindDN, value=cn=ovdadmin
                    name=bindCredential, value=password1
                    name=java.naming.provider.url, value=ldap://machine1:9389
                    name=roleAttributeID, value=myRole
                    name=baseCtxDN, value=ou=Users,dc=company,dc=com
                    name=roleAttributeIsDN, value=true
                    name=searchScope, value=ONELEVEL_SCOPE
                    name=searchTimeLimit, value=10000

                    2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] initialize, instance=@8682641
                    2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] Security domain: mySecurityDomain
                    2009-01-23 16:41:16,468 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] login
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] User 'shetty2k' authenticated, loginOk=true
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] commit, loginOk=true
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] defaultLogin, lc=javax.security.auth.login.LoginContext@ce374a, subject=Subject(9432614).principals=org.jboss.security.SimplePrincipal@13409648(shetty2k)org.jboss.security.SimpleGroup@24164496(Roles(members))
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] updateCache, inputSubject=Subject(9432614).principals=org.jboss.security.SimplePrincipal@13409648(shetty2k)org.jboss.security.SimpleGroup@24164496(Roles(members)), cacheSubject=Subject(22819146).principals=org.jboss.security.SimplePrincipal@13409648(shetty2k)org.jboss.security.SimpleGroup@24164496(Roles(members))
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1a80fb8[Subject(22819146).principals=org.jboss.security.SimplePrincipal@13409648(shetty2k)org.jboss.security.SimpleGroup@24164496(Roles(members)),credential.class=java.lang.String@31054905,expirationTime=1232759476468]
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] End isValid, true
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                    Principal: shetty2k
                    Principal: Roles(members)
                    , sc=org.jboss.security.SecurityAssociation$SubjectContext@bade60{principal=shetty2k,subject=6129815}
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1a80fb8[Subject(22819146).principals=org.jboss.security.SimplePrincipal@13409648(shetty2k)org.jboss.security.SimpleGroup@24164496(Roles(members)),credential.class=java.lang.String@31054905,expirationTime=1232759476468]
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@bade60{principal=shetty2k,subject=6129815}
                    2009-01-23 16:41:17,437 TRACE [org.jboss.security.plugins.JaasSecurityManager.mySecurityDomain] getUserRoles, subject: Subject:
                    Principal: shetty2k
                    Principal: Roles(members)

                    Any clues?

                    Thanks,
                    shetty2k

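The role lookup that the options above drive, as an added example that is neither part of this thread nor JBoss's own code: a simplified Python model of how LdapExtLoginModule resolves {0}/{1} in baseFilter and roleFilter and then reads roleAttributeID (directly, or as a DN when roleAttributeIsDN is true). The directory entries, the ou=Roles container and the myRole values are constructed; the model assumes single equality filters and one-level searches.

```python
# Added example (not JBoss's code): a simplified model of how LdapExtLoginModule
# turns baseFilter/roleFilter/roleAttributeID/roleAttributeIsDN into role names.
# The in-memory directory is constructed to mirror the layout used in the thread.
DIRECTORY = {
    "uid=shetty2k,ou=Users,dc=company,dc=com": {"uid": ["shetty2k"]},
    "cn=Actors,ou=Groups,dc=company,dc=com": {
        "cn": ["Actors"],
        "uniquemember": ["uid=shetty2k,ou=Users,dc=company,dc=com"],
        "myRole": ["cn=OCS_PORTAL_USERS,ou=Roles,dc=company,dc=com"],  # DN link
    },
    "cn=Directors,ou=Groups,dc=company,dc=com": {  # no myRole attribute here
        "cn": ["Directors"],
        "uniquemember": ["uid=shetty2k,ou=Users,dc=company,dc=com"],
    },
    "cn=OCS_PORTAL_USERS,ou=Roles,dc=company,dc=com": {"cn": ["OCS_PORTAL_USERS"]},
}

BASE_OPTS = {
    "baseCtxDN": "ou=Users,dc=company,dc=com",
    "baseFilter": "(uid={0})",           # {0} is the login name
    "rolesCtxDN": "ou=Groups,dc=company,dc=com",
    "roleFilter": "(uniquemember={1})",  # {1} is the resolved user DN
    "roleNameAttributeID": "cn",
}
# First config in the thread: the matched group's own cn is the role name.
CN_AS_ROLE = dict(BASE_OPTS, roleAttributeID="cn", roleAttributeIsDN=False)
# Later config: myRole must hold DNs of role entries, else no role is produced.
DN_AS_ROLE = dict(BASE_OPTS, roleAttributeID="myRole", roleAttributeIsDN=True)
# An attribute no group carries: every matched group contributes nothing.
MISSING_ATTR = dict(BASE_OPTS, roleAttributeID="memberOf", roleAttributeIsDN=True)

def filter_attribute(ldap_filter):
    """'(uniquemember={1})' -> 'uniquemember' (single equality filters only)."""
    return ldap_filter.strip("()").split("=", 1)[0]

def search_one_level(base_dn, attr, value):
    """DNs directly under base_dn whose attr contains value (ONELEVEL_SCOPE)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        parent = dn.split(",", 1)[1]
        if parent.lower() == base_dn.lower() and value in attrs.get(attr, []):
            hits.append(dn)
    return hits

def resolve_roles(opts, username):
    """Role names for the 'Roles' group; None when no user entry matches."""
    users = search_one_level(opts["baseCtxDN"],
                             filter_attribute(opts["baseFilter"]), username)
    if not users:
        return None  # login fails before any role search happens
    groups = search_one_level(opts["rolesCtxDN"],
                              filter_attribute(opts["roleFilter"]), users[0])
    roles = []
    for group_dn in groups:
        for value in DIRECTORY[group_dn].get(opts["roleAttributeID"], []):
            if opts["roleAttributeIsDN"]:
                # value must be the DN of an existing entry, whose
                # roleNameAttributeID supplies the role name
                target = DIRECTORY.get(value, {})
                roles.extend(target.get(opts["roleNameAttributeID"], []))
            else:
                roles.append(value)  # the attribute value itself is the role
    return roles
```

An empty result is what an empty Roles group looks like in the trace above: the login itself succeeds, but a principal with no role matching the auth-constraint is denied.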

                    • 7. Re: JAAS - LDAPExtLoginModule
                      shetty2k

                      Hi,

                      An update: I was able to configure it successfully against AD, OID and Sun LDAP. But it is still not working with OVD, which is the final goal.
                      Settings: OVD = AD + OID
                      AD is the (Read Only) Bind Adapter and OID is used for storing data.

                      Please let me know if anyone has faced a similar problem.

                      Thanks,
                      shetty2k

                      • 8. Re: JAAS - LDAPExtLoginModule
                        ttsimpso

                        Could you share the successful OID configuration?
                        Thanks