1 Reply Latest reply on Oct 26, 2006 1:51 PM by Mario Van Vlasselaer

    Container based authentication, user name based authorization

    Marko Niinimaki Newbie

      Hello.

      Somehow I did not find examples of this in the forums or documentation.

      I've set up a box where the users are required to authenticate using LDAP.
      Practically, in jboss/server/default/login-config.xml there is a policy like
      <application-policy name = "LDAP">

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
      flag="required">
      ...

      and in the application's jboss-web.xml
      <security-domain>java:/jaas/LDAP</security-domain>

      and in the application's web.xml
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>SECURITY_DOMAIN</web-resource-name>
          <url-pattern>/foo</url-pattern>
          <url-pattern>/bar</url-pattern>
        </web-resource-collection>
        <auth-constraint><role-name>*</role-name></auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>TEST</realm-name>
      </login-config>

      It works: the users that can authenticate themselves with LDAP have access to the application. However, of these I'd like only _some_ to be able to access the application and role names are not too usable in our organisation.

      Is there a way to define a list of accepted user names in auth-constraint or something of the same effect?

      -man
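
An added example, not part of the original post: a Python check that reads a web.xml and reports how each security-constraint is authorized. The Servlet specification defines `*` in auth-constraint as shorthand for all roles declared in the deployment descriptor, so it cannot single out individual users. The sample descriptor is constructed from the fragment in the post, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's web.xml fragment wrapped in a <web-app> root.
POST_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SECURITY_DOMAIN</web-resource-name>
      <url-pattern>/foo</url-pattern>
      <url-pattern>/bar</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip an XML namespace so descriptors that declare xmlns also match."""
    return tag.rsplit("}", 1)[-1]


def audit_constraints(web_xml):
    """Return one finding dict per <security-constraint> in a web.xml string."""
    root = ET.fromstring(web_xml)
    declared = set()      # role names listed in <security-role> elements
    constraints = []
    for el in root:
        name = _local(el.tag)
        if name == "security-role":
            declared |= {r.text.strip() for r in el.iter() if _local(r.tag) == "role-name" and r.text}
        elif name == "security-constraint":
            constraints.append(el)
    findings = []
    for sc in constraints:
        urls = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text]
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        roles = [r.text.strip() for a in auth for r in a if _local(r.tag) == "role-name" and r.text]
        if not auth:
            status = "unprotected"   # no auth-constraint: no login is required
        elif not roles:
            status = "deny-all"      # empty auth-constraint: nobody is allowed
        elif "*" in roles:
            status = "wildcard"      # '*': every role declared in this descriptor
        else:
            status = "named-roles"   # access limited to the listed roles
        findings.append({"urls": urls, "status": status, "roles": roles,
                         "undeclared": sorted(set(roles) - declared - {"*"})})
    return findings
```

Run against the post's descriptor, it reports the /foo and /bar constraint as "wildcard"; a constraint naming a specific role is reported as "named-roles", with any role missing a matching security-role element listed under "undeclared".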