0 Replies Latest reply on Mar 8, 2007 12:42 PM by ndrw_cheung

    LDAP authentication and role-based permission question (x-po

    ndrw_cheung

      Hi. I'm trying to use LdapLoginModule for authenticating into the portal that runs on JBoss AS 4.0.5.GA. The authentication part is OK (the trace log returns loginOK=true) when I enter the user's username and password and hit enter. However, in the browser it gives me a 403 error. The error message is as follows:

      HTTP Status 403 - Access to the requested resource has been denied

      --------------------------------------------------------------------------------

      type Status report

      message Access to the requested resource has been denied

      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.


      --------------------------------------------------------------------------------

      Here are the details:

      1. LDAP server (we use eDirectory):

      Sample user :

      cn=abc,ou=users,ou=MyDivision,o=MyCompany

      Sample Role :

      cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany

      The member attribute will contain the users that are assigned to this role.
      For example :

      member=cn=abc,ou=users,ou=MyDivision,o=MyCompany

      2. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF\web.xml:


      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Authenticated</web-resource-name>
          <url-pattern>/auth/*</url-pattern>
        </web-resource-collection>
        <!--<auth-constraint>
          <role-name>Authenticated</role-name>
        </auth-constraint>-->
        <auth-constraint>
          <role-name>finance</role-name>
        </auth-constraint>
      </security-constraint>


      also:

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>JBoss Portal</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
      </login-config>
      <!--<security-role>
        <role-name>Authenticated</role-name>
      </security-role>-->
      <security-role>
        <role-name>finance</role-name>
      </security-role>


      3. jboss-4.0.5.GA\server\default\deploy\jboss-portal.sar\conf\login-config.xml:


      <application-policy name="portal">
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="java.naming.factory.initial"> com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://myLDAPserverIP:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="principalDNPrefix">cn=</module-option>
          <module-option name="principalDNSuffix">,ou=users,ou=MyDivision,o=MyCompany </module-option>
          <module-option name="rolesCtxDN">ou=DistributionLists,ou=MyDivision,o=MyCompany</module-option>
          <module-option name="uidAttributeID">member</module-option>
          <module-option name="matchOnUserDN">true</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">false</module-option>
        </login-module>
      </application-policy>


      4. database table "jbp_users" in the portal database:

      The user abc is added to the jbp_users table. The jbp_uid is 11.

      Note: I did not synchronize the password here from the LDAP server because I thought the password here is not used anymore since we authenticate using the LDAP server.


      5. database table "jbp_roles" in the portal database:

      The role "finance" is added to the jbp_roles table. jbp_name and jbp_displayName are both set to "finance". The jbp_rid value is 7.

      6. database table "jbp_role_membership" in the portal database:

      The entry with values jbp_uid = 11 and jbp_rid = 7 is added to the jbp_role_membership table.


      Are there any other configurations I need to do in order to make it work?

      Also, is there a way to do more detailed logging so that I can see what's happening after the authentication? Right now the log doesn't show what went wrong regarding the role permissions.

      Any help is appreciated.

      -Andrew
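Added example (not part of the post, and not JBoss code): a small Python model of how a login module configured with the options above resolves roles, run against a constructed in-memory directory standing in for eDirectory. It shows the lookup that `matchOnUserDN` and `uidAttributeID=member` imply, that the `<auth-constraint>` in web.xml yields a 403 whenever the resolved role set is empty, and how a literal string comparison would be tripped by the trailing space in `principalDNSuffix` while DN-syntax matching is not. Whether the real module or server compares literally is an assumption the two modes explore, not something the post establishes.

```python
# Constructed sample directory: DN -> multi-valued attributes (not real data)
DIRECTORY = {
    "cn=abc,ou=users,ou=MyDivision,o=MyCompany": {"cn": ["abc"]},
    "cn=finance,ou=DistributionLists,ou=MyDivision,o=MyCompany": {
        "cn": ["finance"],
        "member": ["cn=abc,ou=users,ou=MyDivision,o=MyCompany"]},
    "cn=hr,ou=DistributionLists,ou=MyDivision,o=MyCompany": {
        "cn": ["hr"],
        "member": ["cn=xyz,ou=users,ou=MyDivision,o=MyCompany"]},
}

# module-options copied from the post; note the trailing space in the suffix
OPTIONS = {
    "principalDNPrefix": "cn=",
    "principalDNSuffix": ",ou=users,ou=MyDivision,o=MyCompany ",
    "rolesCtxDN": "ou=DistributionLists,ou=MyDivision,o=MyCompany",
    "uidAttributeID": "member",
    "matchOnUserDN": "true",
    "roleAttributeID": "cn",
}

def normalize_dn(dn):
    # DN-syntax matching ignores case and whitespace around RDN separators
    return ",".join(part.strip() for part in dn.split(",")).lower()

def one_level_children(directory, base_dn):
    # Entries whose immediate parent is base_dn (a one-level search)
    base = normalize_dn(base_dn)
    for dn, attrs in directory.items():
        if "," in dn and normalize_dn(dn).split(",", 1)[1] == base:
            yield dn, attrs

def resolve_roles(directory, options, username, dn_syntax=True):
    # Build the bind DN the way prefix + username + suffix does, then search
    # rolesCtxDN for entries whose uidAttributeID contains that value
    user_dn = options["principalDNPrefix"] + username + options["principalDNSuffix"]
    wanted = user_dn if options["matchOnUserDN"] == "true" else username
    match = normalize_dn if dn_syntax else (lambda s: s)  # literal compare if False
    roles = set()
    for _dn, attrs in one_level_children(directory, options["rolesCtxDN"]):
        if any(match(v) == match(wanted) for v in attrs.get(options["uidAttributeID"], [])):
            roles.update(attrs.get(options["roleAttributeID"], []))
    return roles

def web_constraint_allows(roles, required):
    # <auth-constraint>: the user needs at least one listed role, else 403
    return bool(roles & set(required))
```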