5 Replies Latest reply on Mar 13, 2007 5:16 PM by bdaw

    LDAP authentication and Role-based permissions question

    ndrw_cheung

      Hi. I'm trying to use LdapLoginModule for authenticating into the portal that runs on JBoss AS 4.0.5GA. The authentication part is OK (the trace logs return loginOK=true) when I put in the user's username and password and hit enter. However, in the browser it gives me a 403 error. The error message is as follows:

      HTTP Status 403 - Access to the requested resource has been denied

      --------------------------------------------------------------------------------

      type Status report

      message Access to the requested resource has been denied

      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.


      --------------------------------------------------------------------------------

      Here are the details:

      1. LDAP server (we use eDirectory):

      Sample user:

      cn=abc,ou=users,ou=MyDivision,o=MyCompany

      Sample role:

      cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany

      The member attribute contains the users that are assigned to this role. For example:

      member=cn=abc,ou=users,ou=MyDivision,o=MyCompany

      2. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF\web.xml:


      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Authenticated</web-resource-name>
          <url-pattern>/auth/*</url-pattern>
        </web-resource-collection>
        <!--<auth-constraint>
          <role-name>Authenticated</role-name>
        </auth-constraint>-->
        <auth-constraint>
          <role-name>finance</role-name>
        </auth-constraint>
      </security-constraint>


      also:

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>JBoss Portal</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
      </login-config>
      <!--<security-role>
        <role-name>Authenticated</role-name>
      </security-role>-->
      <security-role>
        <role-name>finance</role-name>
      </security-role>


      3. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\conf\login-config.xml:


      <application-policy name="portal">
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <!-- JNDI connection settings -->
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://myLDAPserverIP:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <!-- bind DN = principalDNPrefix + username + principalDNSuffix -->
          <module-option name="principalDNPrefix">cn=</module-option>
          <module-option name="principalDNSuffix">,ou=users,ou=MyDivision,o=MyCompany</module-option>
          <!-- role search: entries under rolesCtxDN whose uidAttributeID holds the user DN; role name taken from roleAttributeID -->
          <module-option name="rolesCtxDN">ou=DistributionLists,ou=MyDivision,o=MyCompany</module-option>
          <module-option name="uidAttributeID">member</module-option>
          <module-option name="matchOnUserDN">true</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">false</module-option>
        </login-module>
      </application-policy>


      4. database table "jbp_users" in the portal database:

      The user abc is added to the jbp_users table. The jbp_uid is 11.

      Note: I did not synchronize the password here from the LDAP server because I thought the password here is not used anymore since we authenticate using the LDAP server.


      5. database table "jbp_roles" in the portal database:

      The role "finance" is added to the jbp_roles table. jbp_name and jbp_displayName are both set to "finance". The jbp_rid value is 7.

      6. database table "jbp_role_membership" in the portal database:

      The entry with values jbp_uid = 11 and jbp_rid = 7 is added to the jbp_role_membership table.


      Are there any other configurations I need to do in order to make it work?

      Also, is there a way to do more detailed logging so that I can see what's happening after the authentication? Right now the log doesn't show what went wrong regarding the role permissions.

      Any help is appreciated.

      -Andrew

        • 1. Re: LDAP authentication and Role-based permissions question
          bdaw

          I just tried your configuration and it seemed to work. Didn't put things into the database. Just tested whether users are authenticated correctly and are able to enter the portal.

          I used this ldif file and changed:

          1) login-config.xml:

          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:10389/</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">uid=</module-option>
            <module-option name="principalDNSuffix">,ou=People,o=test,dc=portal,dc=example,dc=com</module-option>
            <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=example,dc=com</module-option>
            <module-option name="uidAttributeID">member</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="searchTimeLimit">5000</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
          </login-module>


          and IdentityLoginModule commented out.

          2) jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF\web.xml:

          <security-role>
            <!--<role-name>Authenticated</role-name>-->
            <role-name>User</role-name>
          </security-role>

          and

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Authenticated</web-resource-name>
              <description></description>
              <url-pattern>/auth/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <!--<role-name>Authenticated</role-name>-->
              <role-name>User</role-name>
            </auth-constraint>
          </security-constraint>


          I'm able to log in as admin/admin or as jduke/theduke. Tested with 2.4 and 2.6 trunk.



          • 2. Re: LDAP authentication and Role-based permissions question
            ndrw_cheung

            I believe in the configuration that I sent in my original post, the authentication works (otherwise I would get a "login failed" message). However, it just cannot get to the portal.

            I thought the LDAP server is only used for authentication and not for looking up the role permissions by the portal if I use LdapLoginModule. Therefore I thought I have to enter into the database the user and the role it is assigned to. Could you please explain in more detail why this is not the case?

            Thanks.

            -Andrew



            • 3. Re: LDAP authentication and Role-based permissions question
              ndrw_cheung

              Forgot to attach some tracing/logging information in my last reply. Also, our portal is not the default and is accessed by the URL http://localhost:8080/portal/auth/portal/myportal.

              The following is a section of the log starting from the authentication. Any help is appreciated. Thanks.

              -Andrew

              ------------------------------------


              2007-03-12 09:55:16,953 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] Begin isValid, principal:abc, cache info: null
              2007-03-12 09:55:16,953 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] defaultLogin, principal=abc
              2007-03-12 09:55:16,953 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(portal), size=10
              2007-03-12 09:55:16,953 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(portal), authInfo=AppConfigurationEntry[]:
              [0]
              LoginModule Class: org.jboss.security.auth.spi.LdapLoginModule
              ControlFlag: LoginModuleControlFlag: required
              Options:name=principalDNSuffix, value=,ou=users,ou=MyDivision,o=MyCompany
              name=user.provider.url, value=ldap://myLDAPServerIP:389/ou=users,ou=MyDivision,o=MyCompany
              name=principalDNPrefix, value=cn=
              name=group.provider.url, value=ldap://myLDAPServerIP:389/ou=DistributionLists,ou=MyDivision,o=MyCompany
              name=java.naming.security.authentication, value=simple
              name=java.naming.provider.url, value=ldap://myLDAPServerIP:389/
              name=roleAttributeID, value=cn
              name=uidAttributeID, value=member
              name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
              name=roleAttributeIsDN, value=false
              name=rolesCtxDN, value=ou=DistributionLists,ou=MyDivision,o=MyCompany
              name=matchOnUserDN, value=true

              2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.auth.spi.LdapLoginModule, false)
              2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
              2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.auth.spi.LdapLoginModule)
              2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@6d3209
              2007-03-12 09:55:16,953 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
              2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@9504057
              2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Security domain: portal
              2007-03-12 09:55:16,968 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login
              2007-03-12 09:55:16,984 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={user.provider.url=ldap://myLDAPServerIP:389/ou=users,ou=MyDivision,o=MyCompany, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=cn=, java.naming.security.principal=cn=abc,ou=users,ou=MyDivision,o=MyCompany, roleAttributeID=cn, matchOnUserDN=true, principalDNSuffix=,ou=users,ou=MyDivision,o=MyCompany, rolesCtxDN=ou=DistributionLists,ou=MyDivision,o=MyCompany, jboss.security.security_domain=portal, group.provider.url=ldap://10.141.41.21:389/ou=DistributionLists,ou=MyDivision,o=MyCompany, java.naming.provider.url=ldap://myLDAPServerIP:389/, roleAttributeIsDN=false, uidAttributeID=member, java.naming.security.authentication=simple, java.naming.security.credentials=***}
              2007-03-12 09:55:16,984 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(com.sun.jndi.ldap.LdapCtxFactory, false)
              2007-03-12 09:55:17,281 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@dc35ba
              2007-03-12 09:55:17,281 TRACE [org.jboss.security.auth.spi.LdapLoginModule] searching rolesCtxDN=ou=DistributionLists,ou=MyDivision,o=MyCompany, roleFilter=(member={0}), filterArgs=cn=abc,ou=users,ou=MyDivision,o=MyCompany, roleAttr=[Ljava.lang.String;@14b6ec8, searchScope=2, searchTimeLimit=10000
              2007-03-12 09:55:17,671 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'abc' authenticated, loginOk=true
              2007-03-12 09:55:17,671 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true
              2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] defaultLogin, lc=javax.security.auth.login.LoginContext@1e4e47f, subject=Subject(5607282).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members))
              2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] updateCache, inputSubject=Subject(5607282).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members)), cacheSubject=Subject(32978170).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members))
              2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b70e32[Subject(32978170).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members)),credential.class=java.lang.String@20738936,expirationTime=1173709516953]
              2007-03-12 09:55:17,671 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] End isValid, true
              2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
              Principal: abc
              Principal: Roles(members)
              , sc=org.jboss.security.SecurityAssociation$SubjectContext@5e8588{principal=abc,subject=26267652}
              2007-03-12 09:55:17,687 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b70e32[Subject(32978170).principals=org.jboss.security.SimplePrincipal@19017836(abc)org.jboss.security.SimpleGroup@20745137(Roles(members)),credential.class=java.lang.String@20738936,expirationTime=1173709516953]
              2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@5e8588{principal=abc,subject=26267652}
              2007-03-12 09:55:17,687 TRACE [org.jboss.security.plugins.JaasSecurityManager.portal] getUserRoles, subject: Subject:
              Principal: abc
              Principal: Roles(members)

              2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'abc' was successful
              2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/portal/auth/portal/myportal'
              2007-03-12 09:55:17,687 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/portal/auth/portal/j_security_check
              2007-03-12 09:55:17,687 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is BA0783EC9001950BDFF9A5C80C6027B9
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /portal/auth/portal/myportal
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Authenticated]' against GET /auth/portal/myportal --> true
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET /auth/portal/myportal --> false
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/myportal --> false
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Authenticated]' against GET /auth/portal/myportal --> true
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET /auth/portal/myportal --> false
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /auth/portal/myportal --> false
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session 'BA0783EC9001950BDFF9A5C80C6027B9'
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'abc' with type 'FORM'
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Username abc does NOT have role finance
              2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test

              • 4. Re: LDAP authentication and Role-based permissions question
                bdaw

                I think the reason is:

                2007-03-12 09:55:17,703 DEBUG [org.apache.catalina.realm.RealmBase] Username abc does NOT have role finance

                 Something in your configuration or LDAP tree must be wrong, and 'abc' doesn't get principal 'finance' assigned.

                • 5. Re: LDAP authentication and Role-based permissions question
                  bdaw


                  "ndrw_cheung" wrote:

                  I thought the LDAP server is only used for authentication and not for looking up the role permissions by the portal if I use LdapLoginModule. Therefore I thought I have to enter into the database the user and the role it is assigned to. Could you please explain in more detail why this is not the case?


                  Role assignment is also done at the JAAS level. So if you plug in a different LoginModule, the portal will see the role assignment resolved there and use it to apply security.
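To make the JAAS-level role resolution concrete, here is an added Python model (not code from this thread or from JBoss) of how LdapLoginModule's role search, driven by the module options in the original post, fills the 'Roles' group that the container later checks against the web.xml <auth-constraint>. The directory contents, the extra nested 'audit' group, and the names DIRECTORY, OPTIONS, resolve_roles and roles_group are constructed here; the scope check assumes DNs without escaped commas.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]  # one LDAP entry: attribute -> values

# Constructed stand-in for the eDirectory tree from the post (DN -> attributes);
# 'cn=audit,...' is an extra nested group added here to show the effect of searchScope.
DIRECTORY: Dict[str, Entry] = {
    "cn=abc,ou=users,ou=MyDivision,o=MyCompany": {"cn": ["abc"]},
    "cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany": {
        "cn": ["finance"], "member": ["cn=abc,ou=users,ou=MyDivision,o=MyCompany"]},
    "cn=audit,ou=Nested,ou=DistributionLists,ou=MyDivision,o=MyCompany": {
        "cn": ["audit"], "member": ["cn=abc,ou=users,ou=MyDivision,o=MyCompany"]},
}

# Module options copied from the login-config.xml in the original post; the trace
# shows searchScope=2 (SUBTREE_SCOPE), the module's default when none is given.
OPTIONS: Dict[str, str] = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=users,ou=MyDivision,o=MyCompany",
    "rolesCtxDN": "ou=DistributionLists,ou=MyDivision,o=MyCompany",
    "uidAttributeID": "member",
    "matchOnUserDN": "true",
    "roleAttributeID": "cn",
    "searchScope": "SUBTREE_SCOPE",
}

def _in_scope(dn: str, base: str, scope: str) -> bool:
    """ONELEVEL_SCOPE: direct children of base only; SUBTREE_SCOPE: any descendant.
    These DNs contain no escaped commas, so the text after the first comma is the parent."""
    if not dn.lower().endswith("," + base.lower()):
        return False
    return scope != "ONELEVEL_SCOPE" or dn.split(",", 1)[1].lower() == base.lower()

def resolve_roles(username: str, opts: Dict[str, str], directory: Dict[str, Entry]) -> List[str]:
    """Role names the module would put into the JAAS 'Roles' group for this user."""
    # Bind DN = principalDNPrefix + username + principalDNSuffix. The role filter is
    # (uidAttributeID={0}); matchOnUserDN picks the full DN or the bare username for {0}.
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    needle = (user_dn if opts["matchOnUserDN"] == "true" else username).lower()
    roles: List[str] = []
    for dn, attrs in directory.items():
        if not _in_scope(dn, opts["rolesCtxDN"], opts["searchScope"]):
            continue
        if needle in (v.lower() for v in attrs.get(opts["uidAttributeID"], [])):
            roles.extend(attrs.get(opts["roleAttributeID"], []))
    return sorted(roles)

def roles_group(roles: List[str]) -> str:
    """Render the group as the trace prints it; with no roles it reads 'Roles(members)'."""
    return "Roles(members" + "".join(":" + r for r in roles) + ")"

if __name__ == "__main__":
    print(roles_group(resolve_roles("abc", OPTIONS, DIRECTORY)))
    # matchOnUserDN=false never matches the DN-valued 'member' attribute: empty group -> 403.
    print(roles_group(resolve_roles("abc", {**OPTIONS, "matchOnUserDN": "false"}, DIRECTORY)))
```

An empty group is exactly what the trace above shows as `Roles(members)`, which is why the container then reports that abc does not have role finance; checking the options against the directory this way is quicker than re-running the portal for each tweak.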