JohnSon Lui wrote:

 

       <auth-constraint>

          <role-name>*</role-name>

       </auth-constraint>

 

Change the above to only the roles you want access to the url-pattern you indicated.

One option could be to create your own login module for this purpose and chain it after the LDAP module you are currently using, if the authenticated user is not a member of one of your restricted groups you can then add them to a new group - this new group can then be referenced in the web.xml.

JohnSon Lui wrote:

 

jmsjr wrote:

 

JohnSon Lui wrote:

 

       <auth-constraint>

          <role-name>*</role-name>

       </auth-constraint>

 

 

Change the above to only the roles you want access to the url-pattern you indicated.

Hello Jmsjr,

 

This method is just for allow the specified users to access but not my requirement which i want to allow all except some of the ldap groups, isn't it?

 

Thanks a lot

 

Johnson

auth-constraint's purpose is to define which roles are authorised for a given resource. So they only way to achieve what you want is one of the above.

The way I see it, your choices are ( without writing any custom code ):

1) Create a new LDAP group with those users you want belonging to the group, and define a mapping to that LDAP group to a role, and put the role in your auth-constraint. So you only have to worry about one role and one LDAP group.

2) Maybe you can define an LDAP group which can have as members other LDAP groups(????) except some LDAP groups you dont want ? Not sure if the JBoss LDAP provider can understand this nesting though. You may have to try it out.

3) List all the LDAP groups in jboss-web.xml, create a role per LDAP group  in jobss-web.xml. Then in your web.xml, list all the roles in your auth-constraint. So you end up with multiple roles in web.xml ( Not sure if you can have one role mapped to many LDAP groups ).