0 Replies Latest reply on Dec 24, 2009 1:15 PM by John Bailo

    LDAP: After successful authentication, all pages 403-Forbidden

    John Bailo Master

      I am using LDAP authentication with JBoss.

      From my logs and various tests, I am sure that my username is authenticating.

      I checked my LDAP logs (running on a remote server) and it records that the user authenticates.

      However, after authenticating via login.jsp, I cannot browse any other page.

      They all report -- 403 Access Forbidden.

      Not sure what to try next... Here is my entry for login-config.xml:


      <application-policy name="broadbaseema">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://10.100.230.64:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="java.naming.security.credentials">clear-text password</module-option>
            <module-option name="principalDNPrefix">cn=</module-option>
            <module-option name="principalDNSuffix">,ou=Users,dc=ing,dc=com</module-option>
            <module-option name="rolesCtxDN">ou=Roles,dc=ing,dc=com</module-option>
            <module-option name="uidAttributeID">uniqueMember</module-option>
            <module-option name="matchOnUserDN">true</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="searchTimeLimit">5000</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
          </login-module>
        </authentication>
      </application-policy>

       

       

      It's been suggested adding

            <module-option name="java.naming.security.principal">??</module-option>

      But I am not sure what to add... a user? And how do I give the user the correct permissions to browse the directory?

       

       

      web.xml

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>broadbaseema</web-resource-name>
          <description>Require users to authenticate</description>
          <url-pattern>/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <description>Only allow Authenticated_users role</description>
          <role-name>Authenticated_users</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>Encryption is not required for the application in general. </description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <!-- realm-name is a child of login-config in the servlet schema,
             not of form-login-config -->
        <realm-name>broadbaseema</realm-name>
        <form-login-config>
          <form-login-page>/a1/login.jsp</form-login-page>
          <form-error-page>/a1/login-error.html</form-error-page>
        </form-login-config>
      </login-config>

       

      jboss-web.xml

       

      <jboss-web>
         <security-domain>java:/jaas/broadbaseema</security-domain>
      </jboss-web>
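The 403 after a successful bind is what a container returns when the user authenticated but the role search came back without the role named in the auth-constraint. The following is an added example, not JBoss code or the poster's: an offline simulation of how an LdapLoginModule-style module builds the user DN from principalDNPrefix/principalDNSuffix, binds with it, and then searches rolesCtxDN for entries whose uidAttributeID (uniqueMember) holds that DN. The directory entries and the users jbailo/jdoe with their passwords are constructed for the demonstration; the option values are those from the login-config.xml above, and the required role is the one from the web.xml auth-constraint.

```python
# Added example (not JBoss code): offline simulation of DN construction,
# simple bind and role lookup driven by the post's module-options.
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Module options copied from the post's login-config.xml.
MODULE_OPTIONS: Dict[str, str] = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=Users,dc=ing,dc=com",
    "rolesCtxDN": "ou=Roles,dc=ing,dc=com",
    "uidAttributeID": "uniqueMember",
    "matchOnUserDN": "true",
    "roleAttributeID": "cn",
}

# Constructed directory (DN -> attributes). Role entries follow the
# groupOfUniqueNames pattern: uniqueMember holds full user DNs. The user
# jbailo exists and can bind, but is not listed in any role entry.
DIRECTORY: Dict[str, Entry] = {
    "cn=jbailo,ou=Users,dc=ing,dc=com": {
        "cn": ["jbailo"], "userPassword": ["s3cret"]},
    "cn=jdoe,ou=Users,dc=ing,dc=com": {
        "cn": ["jdoe"], "userPassword": ["hunter2"]},
    "cn=Authenticated_users,ou=Roles,dc=ing,dc=com": {
        "cn": ["Authenticated_users"],
        "uniqueMember": ["cn=jdoe,ou=Users,dc=ing,dc=com"]},
}


def user_dn(username: str, opts: Dict[str, str]) -> str:
    """principalDNPrefix + username + principalDNSuffix."""
    return opts["principalDNPrefix"] + username + opts["principalDNSuffix"]


def authenticate(username: str, password: str,
                 directory: Dict[str, Entry], opts: Dict[str, str]) -> bool:
    """Simple bind: succeeds only if the constructed DN exists and the
    password matches one of its userPassword values."""
    entry = directory.get(user_dn(username, opts))
    return entry is not None and password in entry.get("userPassword", [])


def lookup_roles(username: str, directory: Dict[str, Entry],
                 opts: Dict[str, str]) -> List[str]:
    """Search the rolesCtxDN subtree for entries whose uidAttributeID contains
    the user's DN (matchOnUserDN=true) or the bare username (false); the role
    name is the roleAttributeID value. Only roleAttributeIsDN=false, the
    post's setting, is modelled."""
    match_value = (user_dn(username, opts)
                   if opts["matchOnUserDN"].lower() == "true" else username)
    base = "," + opts["rolesCtxDN"].lower()
    roles: List[str] = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(base):
            continue  # entry is outside the roles context
        if match_value not in attrs.get(opts["uidAttributeID"], []):
            continue  # user is not a member of this role entry
        roles.extend(attrs.get(opts["roleAttributeID"], []))
    return roles


def diagnose(username: str, password: str, directory: Dict[str, Entry],
             opts: Dict[str, str], required_role: str) -> Tuple[str, List[str]]:
    """Reproduce the container's decision for a URL whose <auth-constraint>
    names required_role."""
    if not authenticate(username, password, directory, opts):
        return "LOGIN_FAILED", []      # container shows the form-error-page
    roles = lookup_roles(username, directory, opts)
    if required_role in roles:
        return "OK", roles
    return "403_FORBIDDEN", roles      # authenticated, but no matching role


if __name__ == "__main__":
    for user, pw in (("jbailo", "s3cret"), ("jdoe", "hunter2"), ("jbailo", "x")):
        status, roles = diagnose(user, pw, DIRECTORY, MODULE_OPTIONS,
                                 "Authenticated_users")
        print(f"{user}: bind DN {user_dn(user, MODULE_OPTIONS)!r} "
              f"-> {status}, roles={roles}")
```

The simulation assumes the role search sees the same directory view the user bound with. Two things therefore produce the same 403: the user's DN not being listed as a uniqueMember of cn=Authenticated_users under ou=Roles, or the bound user lacking read access to ou=Roles so that the search returns nothing even when the membership exists. Checking both against the real server (an ldapsearch as the same user DN for the filter uniqueMember=<user DN> under rolesCtxDN) distinguishes the two cases.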