1 Reply Latest reply on May 30, 2007 10:55 AM by BHASKARA PRASAD ILLIPILLA

    Complete set of example snippets of JAAS + LDAP code and con

    Francisco Antônio Newbie

      Hi you all everybody! :)

      Could someone post an example with all the configurations (snippets of web.xml etc) and Java access code to do authentication and roles reading with a LDAP server?

      Thanks in advance.
      Francisco Antônio

        • 1. Re: Complete set of example snippets of JAAS + LDAP code and
          BHASKARA PRASAD ILLIPILLA Newbie

          1. Add the following snippet to the conf/login-config.xml. You want modify the basefilter and rolefilter as per your needs.

          <!-- LDAP Integration Details-->
          <application-policy name = "testLDAP">

          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://LDAPSERVER:389</module-option>
          <module-option name="bindDN">uid=adminuser,ou=admin,ou=corporate,dc=company,dc=com</module-option>
          <module-option name="bindCredential">xxxxxxxx</module-option>
          <module-option name="baseCtxDN">dc=company,dc=com</module-option>
          <module-option name="baseFilter">(uid={0})</module-option>

          <module-option name="rolesCtxDN">dc=company,dc=com</module-option>
          <module-option name="roleFilter">(uniquemember={1})</module-option>
          <module-option name="roleAttributeIsDN">false</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <!-- need to understand the impact of enabling roleRecursion -->
          <module-option name="roleRecursion">0</module-option>
          <module-option name="searchScope">SUBTREE_SCOPE</module-option>
          </login-module>

          </application-policy>

          2. A sample web.xml snippet that secures some webpages with roles

          <security-constraint>
          <!-- all the pages in this webapp are secured -->
          <web-resource-collection>
          <web-resource-name>SecuredPages</web-resource-name>
          <url-pattern>/index.jsp</url-pattern>
          </web-resource-collection>
          <auth-constraint>
          <role-name>WebAccessRole</role-name>
          </auth-constraint>
          <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/login.jsp</form-error-page>
          </form-login-config>
          </login-config>

          <security-role>
          <role-name>WebAccessRole</role-name>
          </security-role>


          3. Edit the jboss specific web descriptor jboss-web.xml to configure jboss application to use the configured IPlanet LDAP as security domain for authentication purposes. Please add the below lines.

          <security-domain>java:/jaas/testLDAP</security-domain>
          <security-role>
          <role-name>WebAccessRole</role-name>
          <principal-name>yourLDAPGroup</principal-name>
          </security-role>

          4. 5. To retrieve the roles gathered by the container as part of authentication use the below code snippet.

          //Get the Authenticated Subject
          Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");

          //out.println(subject+"");

          //Now look for a Group called Roles
          Set principals = subject.getPrincipals(Principal.class);
          Iterator iter = principals.iterator();
          while(iter.hasNext())
          {
          Principal p = (Principal)iter.next();
          out.println("Principals: "+p+"");
          if(p instanceof SimpleGroup)
          {
          SimpleGroup sg = (SimpleGroup)p;
          if("Roles".equals(sg.getName())) {
          System.out.println(sg.toString()+"");
          //Do anything with role here
          }
          }
          }

          5. Restart the jboss process