12 Replies Latest reply on Apr 17, 2007 5:30 AM by antoine_h

    Roles and LoginModule

    patrickdalla

      I've created a login module integrated with Active Directory via LDAP.

      The roles of a user are the groups of which the user is member (memberOf attribute).

      I had to create an Authenticated group, so the users in this group could log into jboss-portal. It works well.

      So I've created an Admin group but the members of this group aren't getting admin permission.

      Can someone suggest a possible solution?

        • 1. Re: Roles and LoginModule

          great to hear that, that's very good news, can you contribute it to the codebase ?

          where do you have that issue ? is it with isUserInRole(String roleName) ?

          • 2. Re: Roles and LoginModule
            patrickdalla

            Well,

            when I use

            <%=request.isUserInRole("Authenticated")%>

            it returns false.

            when I execute the code

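            <%@ page import="java.security.Principal, java.util.Iterator, javax.naming.Context, javax.naming.InitialContext, org.jboss.security.plugins.JaasSecurityManager" %>
            <%
              InitialContext iniCtx = new InitialContext();

              // do we need the 'java:comp/env' prefix ? TODO
              Context securityCtx = (Context) iniCtx.lookup("java:comp/env/security");
              JaasSecurityManager authMgr = (JaasSecurityManager) securityCtx.lookup("securityMgr");
              if (authMgr != null) {
            %>
              <%=authMgr.getSecurityDomain()%><br>
            <%
                // list every role principal the security manager holds for the logged-in user
                Iterator i = authMgr.getUserRoles(request.getUserPrincipal()).iterator();
                while (i.hasNext()) {
                  Principal p = (Principal) i.next();
            %><%=p.getName()%><br><%
                }
              }
            %>
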
            All the groups of the user in the Active Directory are displayed.

            What can be the problem? Is isUserInRole the correct function to use?

            About the code, I can send it to you. But I'm still working on it and it is not so parameterized yet.

            How can I send it to you?

            • 3. Re: Roles and LoginModule
              patrickdalla

              Just to complement the previous message, there is an Authenticated group in AD and the user I log in as is a member of this group.

              • 4. Re: Roles and LoginModule

                send it to my email so I can look at the mysterious ldap (russo style : julien AT jboss DOT org)

                • 5. Re: Roles and LoginModule

                  if you test that from a portlet you need to :

                  1/ put the role in portlet.xml where your portlet accesses it

                  <security-role-ref>
                    <role-name>Authenticated</role-name>
                  </security-role-ref>

                  2/ have your jaas Subject have a group called "Roles" that contains a principal called "Authenticated"

                  you can look at the TestPortlet in branch 2.0 which does that
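
Point 2/ above means the login module has to turn each memberOf value into a principal inside the group named "Roles". The following is an added example, not part of the thread or of JBoss Portal code: it derives role names from memberOf DNs with the JDK's LdapName and accepts only groups under one trusted base DN, so a same-named group elsewhere in the directory does not become a role. The class name MemberOfRoles, the base DN and the sample DNs are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper (not JBoss code): memberOf DNs -> role names.
public class MemberOfRoles {

    /** Returns the CN of every group that sits below trustedBase. */
    static Set<String> roleNames(Collection<String> memberOf, String trustedBase)
            throws InvalidNameException {
        LdapName base = new LdapName(trustedBase);
        Set<String> roles = new TreeSet<>();
        for (String dn : memberOf) {
            LdapName name;
            try {
                name = new LdapName(dn);   // RFC 2253 parsing, handles "\," escapes
            } catch (InvalidNameException e) {
                continue;                  // malformed value: grant nothing
            }
            // A group with the same CN outside the trusted subtree must not map to a role.
            if (name.size() <= base.size() || !name.startsWith(base)) {
                continue;
            }
            Rdn leaf = name.getRdn(name.size() - 1);   // left-most RDN, e.g. CN=Admin
            if ("CN".equalsIgnoreCase(leaf.getType())) {
                roles.add(String.valueOf(leaf.getValue()));
            }
        }
        return roles;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        List<String> memberOf = Arrays.asList(
            "CN=Authenticated,OU=Portal Groups,DC=example,DC=com",
            "CN=Admin,OU=Scratch,DC=example,DC=com",
            "CN=Sales\\, EMEA,OU=Portal Groups,DC=example,DC=com",
            "not a dn");
        System.out.println(roleNames(memberOf, "OU=Portal Groups,DC=example,DC=com"));
    }
}
```

Each returned name is what the login module would add as a principal to the "Roles" group; the Admin entry under OU=Scratch and the malformed value are dropped.
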

                  • 6. Re: Roles and LoginModule
                    patrickdalla

                    I have done both and it continues not to work.

                    • 7. Re: Roles and LoginModule
                      patrickdalla

                      As I've seen in org.jboss.portal.portlet.impl.PortletRequestImpl code, a call to isUserInRole("rolename") will return true only if the role is mapped in portlet.xml <security-role-ref>.

                      But my portlet security needs to be more dynamic. Roles are created and configured online and the portlet needs to know his membership without any change in portlet.xml.

                      How can I do this?

                      • 8. Re: Roles and LoginModule

                        that feature could be added in the specific deployment descriptor of jboss saying that if nothing is found in portlet.xml then delegate directly to req.isUserInRole() of the servlet request.

                        • 9. Re: Roles and LoginModule
                          patrickdalla

                          in which specific deployment descriptor??

                          • 10. Re: Roles and LoginModule
                            patrickdalla

                            How do I configure this feature???

                            • 11. Re: Roles and LoginModule
                              hkuegel

                              Hi,

                              I use the JBOSS LdapLoginModule and have the same problem (authentication works, but no roles). I also added the security-role-ref in portlet.xml.

                              If I use the LdapLoginModule in a plain web application everything works fine, so I guess it's a JBoss Portal problem.

                              Please let me know if you have a solution.

                              thanks,
                              Harald

                              • 12. Re: Roles and LoginModule
                                antoine_h

                                could be a way for the workaround of this need, in :
                                http://jboss.org/index.html?module=bb&op=viewtopic&p=4037894#4037894

                                what are the classes/services involved in this ?

                                either the portlet instantiation from the descriptor ?

                                or where to change things to adapt the behavior of "isUserInRole" method ?

                                Thank you.