3 Replies Latest reply on Jan 31, 2006 4:56 PM by Seth Buntin

    LDAP Authentication

    Seth Buntin Newbie

      I know this horse is probably beat to death but I just can't get it. I have looked and read and just don't understand.

      1. In my login-config.xml file I have (which I think is correct) this:

       <application-policy name="kwormSecurity">
       <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
       <module-option name="java.naming.provider.url">ldap://server.school.edu</module-option>
       <module-option name="rolesCtxDN">dc=school,dc=edu</module-option>
       <module-option name="matchOnUserDN">false</module-option>
       <module-option name="principalDNSuffix">@school.edu</module-option>
       <module-option name="uidAttributeID">userPrincipalName</module-option>
       <module-option name="roleAttributeID">memberOf</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="roleNameAttributeID">name</module-option>
       </login-module>
       </application-policy>
      


      2. I have a form that submits (via POST) to j_security_check.

      <form action="j_security_check" method="post">
       <table>
       <tr>
       <td>
       <label for="username">Username:</label>
       </td>
       <td>
       <input type="text" id="username" name="username" />
       </td>
       </tr>
      ...
      
      


      Now comes the parts that I don't understand..

      I think there is something I have to put in my jboss-web.xml file (I assume appname is my context-root):

      <security-domain>java:/jaas/appname</security-domain>
      


      This information goes in my web.xml file:

      <security-constraint>
       <web-resource-collection>
       <web-resource-name>Application</web-resource-name>
       <description>Require users to authenticate</description>
       <url-pattern>/*</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       </web-resource-collection>
       <auth-constraint>
       <description>Only allow Authenticated_users role</description>
       <role-name>Authenticated_users</role-name>
       </auth-constraint>
       <user-data-constraint>
       <description>Encryption is not required for the application in general. </description>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      


      I guess where I am confused is what ties my security-constraint (the info I put in my web.xml file) to the application-policy (what I put in my login-config.xml file)?

      -- Thanks --
      Seth

        • 1. Re: LDAP Authentication
          Seth Buntin Newbie

          I forgot that I have this is my web.xml file also

          <login-config>
           <auth-method>FORM</auth-method>
           <form-login-config>
           <form-login-page>/login.jsp</form-login-page>
           <form-error-page>/login_error.html</form-error-page>
           </form-login-config>
           </login-config>
          


          • 2. Re: LDAP Authentication
            Brian Stansberry Master

            In jboss-web.xml:

            <security-domain>java:/jaas/kwormSecurity</security-domain>
            


            • 3. Re: LDAP Authentication
              Seth Buntin Newbie

              does this:

              <application-policy name="kwormSecurity">
               <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
               <module-option name="java.naming.provider.url">ldap://server.school.edu</module-option>
               <module-option name="rolesCtxDN">dc=school,dc=edu</module-option>
               <module-option name="matchOnUserDN">false</module-option>
               <module-option name="principalDNSuffix">@school.edu</module-option>
               <module-option name="uidAttributeID">userPrincipalName</module-option>
               <module-option name="roleAttributeID">memberOf</module-option>
               <module-option name="roleAttributeIsDN">true</module-option>
               <module-option name="roleNameAttributeID">name</module-option>
               </login-module>
               </application-policy>
              


              need to be this???:

              <application-policy name="kwormSecurity">
               <authentication>
               <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
               <module-option name="java.naming.provider.url">ldap://server.school.edu</module-option>
               <module-option name="rolesCtxDN">dc=school,dc=edu</module-option>
               <module-option name="matchOnUserDN">false</module-option>
               <module-option name="principalDNSuffix">@school.edu</module-option>
               <module-option name="uidAttributeID">userPrincipalName</module-option>
               <module-option name="roleAttributeID">memberOf</module-option>
               <module-option name="roleAttributeIsDN">true</module-option>
               <module-option name="roleNameAttributeID">name</module-option>
               </login-module>
               </authentication>
               </application-policy>