4 Replies Latest reply on Nov 29, 2007 1:50 PM by Dennis John

    Roles using LDAPLoginModule

    Dennis John Newbie

      I have a jaas domain configured using the LDAPLoginModule for my seam app. I need to use the roles in LDAP for authorization in my seam app. The seam app uses the LDAP to log in, and in the trace log I can see the following:

      2007-11-28 15:50:03,654 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Assign user to role Development

      However, if I use identity.hasRole("Development") in my seam app, it never evaluates to true. Are the roles not passed from the LDAPLoginModule to the seam identity component? If not, can I extend the LDAPLoginModule and somehow access the seam Identity component? I tried subclassing it and using Identity.instance() but that blew up.

      Any help would be greatly appreciated.

      -Dennis

        • 1. Re: Roles using LDAPLoginModule
          Shane Bryzak Master

          It should just work. The subject is passed in the LoginContext when you authenticate with Identity.login(), and as long as your login module conforms to the standard of placing roles inside a group called "Roles" then any roles granted by the login module will be reflected by Identity.hasRole().

          • 2. Re: Roles using LDAPLoginModule
            Dennis John Newbie

            I thought that was the case, but it still doesn't seem to work.

            I ended up overriding the LDAPLoginModule anyway, here are the relavant pieces:

            public class LdapLoginModule extends UsernamePasswordLoginModule {

            private static final String BASE_DN = "dc=body,dc=local";
            private static final String PRINCIPAL_DN_PREFIX_OPT = "principalDNPrefix";
            private static final String PRINCIPAL_DN_SUFFIX_OPT = "principalDNSuffix";
            private static final String MATCH_ON_USER_DN_OPT = "matchOnUserDN";

            public LdapLoginModule()
            {
            }

            private transient SimpleGroup userRoles = new SimpleGroup("Roles");

            ...


            private void createLdapInitContext(String username, Object credential) throws NamingException
            {

            ...

            try
            {
            NamingEnumeration answer = ctx.search(rolesCtxDN, matchAttrs);
            while (answer.hasMore())
            {
            SearchResult sr = (SearchResult) answer.next();
            Attributes attrs = sr.getAttributes();
            Attribute roles = attrs.get("name");

            for (int r = 0; r < roles.size(); r++)
            {
            String roleName = roles.get(r).toString();

            if (roleName != null)
            {
            try
            {
            Principal p = super.createIdentity(roleName);
            log.trace("Assign user to role " + roleName);
            userRoles.addMember(p);

            }
            catch (Exception e)
            {
            log.debug("Failed to create principal: " + roleName, e);
            }
            }
            }
            }
            }
            catch (NamingException e)
            {
            log.trace("Failed to locate roles", e);
            }
            ...
            }


            Thanks for the reply, hopefully I'm just missing something.

            • 3. Re: Roles using LDAPLoginModule
              Shane Bryzak Master

              Are you adding userRoles to the subject?

              • 4. Re: Roles using LDAPLoginModule
                Dennis John Newbie

                Yep, you are correct! It was "just working"

                It turns out it was an EL issue in my tag.

                Thanks for the help!