1 2 Previous Next 25 Replies Latest reply on Jul 15, 2009 12:11 PM by Peter Johnson

    Tutorial for setup of Authentication in JBoss?

    Dickson Lui Newbie

      Hi all,
      I search around for setup of authentication (not in programming level) but not complete or full picture. I mean that I am not using form basis authentication ( custom coding to perform the authentication ).

      In the document of "The JBoss 4 Application Server Web Developer
      Reference" - Using Digest authentication, it just shows one example. How about the other?

      First step I want to know how to implement the basic authentication in a web application (no need for SSO SingleSignOn this moment). The authentication method may be using unix password file or ldap, ...ect.

      Thanks for anyone who can point me the right direction.

        • 2. Re: Tutorial for setup of Authentication in JBoss?
          Dickson Lui Newbie

          Thanks for Jaikiran help.

          I have read that article to get the idea of the setup for authentication.

          For the authentication with using password file, ldap and other else, it also include the role (authorization) checking. How can I ignore that role checking and just validate the username/password in my first approach?

          Thanks for any help.

          • 3. Re: Tutorial for setup of Authentication in JBoss?
            Dickson Lui Newbie

            Can anyone help for this issue?

            Thanks in advance.

            • 4. Re: Tutorial for setup of Authentication in JBoss?
              Peter Johnson Master

              The role checking is an integral part of login - without it the app server will not know the role of the user and therefore cannot grant access rights to any resources. In other words, even though the user is logged in, she would still get a 404 error because she would not have access to the desired web page.

              • 5. Re: Tutorial for setup of Authentication in JBoss?
                Dickson Lui Newbie

                Thanks for Peter so much.
                (most of my question are answered by you, thank you)

                Actually, I want to config the LDAP authentication. However, I get failure and it is hard to trace what's wrong. Do you have more example about LDAP Auth config? Or how to trace this auth error?

                At the original design of our LDAP server, no role is designed; not for this purpose. Therefore, I just want to skip this role checking in LDAP auth.

                • 6. Re: Tutorial for setup of Authentication in JBoss?
                  Dickson Lui Newbie

                  I get 403 error when test the ldap auth. It seems that the password authentication is ok because no error is in the server.log. Therefore, it means something is wrong in role authentication.

                  As my ldap server does not have role design and information, I want to use the same tree (class) for the role authentication. For example, the one attribute of "userclass" or "department" will be used for role authentication. Please help to point out how to config my ldap authentication. My setting is as the following:

                  <application-policy name = "testLdapExample1">

                  <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                  flag="required">
                  <module-option name="java.naming.factory.initial">
                  com.sun.jndi.ldap.LdapCtxFactory
                  </module-option>
                  <module-option name="java.naming.provider.url">
                  ldap://ldap.my.com/
                  </module-option>
                  <module-option name="java.naming.security.authentication">
                  simple
                  </module-option>
                  <module-option name="principalDNPrefix">uid=</module-option>
                  <module-option name="principalDNSuffix">,ou=People,o=my.com</module-option>


                  <module-option name="rolesCtxDN">,ou=People,o=my.com</module-option>
                  <module-option name="uidAttributeID">uid</module-option>
                  <module-option name="matchOnUserDN">true</module-option>
                  <module-option name="roleAttributeID">uid</module-option>
                  <module-option name="roleAttributeIsDN">false</module-option>

                  <module-option name="searchTimeLimit">5000</module-option>
                  <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                  </login-module>

                  </application-policy>

                  • 7. Re: Tutorial for setup of Authentication in JBoss?
                    Peter Johnson Master

                    I do not know if there is a way to get the LDAP login module to not attempt to get the role - I would have to dig through the source code to find out. I can think of two workarounds:

                    1) Subclass org.jboss.security.auth.spi.LdapLoginModule and code the subclass to ignore the role info and return a hard-set role.

                    2) Provide data for the various roles entries such that LDAP returns some value (could be anything - a department name, a country name, whatever) and use that as the role.

                    Will you applications really have just one role? In other words, once someone signs in, do they have access to everything? If so, either of the above should work.

                    • 8. Re: Tutorial for setup of Authentication in JBoss?
                      Dickson Lui Newbie

                      Thanks Peter.

                      Workaround 2 is my target too. Under the LDAP tree, find the right person with related information (department code, user class, ...etc). These information can be used as the role. The question is how to config.

                      I show the setting of LDAP login module. I want to use the "departmentcode" as the role. How to set?

                      Each applications have their own user profile. For my case, the first step is the password - basic authentication. Then, later on, centralized role checking is a long term task.

                      • 9. Re: Tutorial for setup of Authentication in JBoss?
                        Dickson Lui Newbie

                        Peter,

                        Can you help to solve my LDAP authentication problem? Thanks.

                        Thanks in advance for anyone's help.

                        • 10. Re: Tutorial for setup of Authentication in JBoss?
                          Peter Johnson Master

                          Can you supply a full DN for a "departmentcode"? Given that I might be able to provide the login module settings.

                          Also, do you have an ldapsearch utility? You will need one to ascertain that we use the correct configuration settings. Without ldapserach, configuring an LDAP login module is like wandering around in the dark.

                          Alternatively, I have a resource that goes into detail on LDAP login module configuration, but it is not free. I can provide a URL if you like.

                          • 11. Re: Tutorial for setup of Authentication in JBoss?
                            Dickson Lui Newbie

                            Thanks Peter.

                            I do not have a full DN for a "departmentcode". I only know how to config apache to do basic authentication against our ldap server. I know my departmentcode, such as "iso", "hro",...etc.

                            Also, I do not have ldapsearch utility. Please recommend me which ldapsearch utility I should use to help me to config the ldap setting.

                            Thanks again.

                            • 12. Re: Tutorial for setup of Authentication in JBoss?
                              Peter Johnson Master

                              Any ldapsearch utility will work. Two tools I use are:

                              JXplorer
                              http://sourceforge.net/projects/jxplorer/

                              http://www.sun.com/download/products.xml?id=3ea6ec4d
                              (Hmm, this last link is for the Sun ONE Directory Server Resource Kit, but the page appears to be blank. You used to be able to download a zip file containing various utilities, ldapsearch being one of them. But then JXplorer includes a search feature so that should be sufficient for testing.)

                              In addition, if you are using Active Directory, it's management tools are also handy.

                              • 13. Re: Tutorial for setup of Authentication in JBoss?
                                Dickson Lui Newbie

                                Thanks Peter.

                                I install jxplorer and can browse the ldap server; get the my DN as below. And list the ldap auth config as below. I still get 403 error code. Peter, please help to point out what's wrong. Thanks.


                                DN: uid=dickson,ou=people,o=my.com

                                ********************************************
                                login-config.xml
                                --------------------------
                                <application-policy name = "testLdapExample1">

                                <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                                flag="required">
                                <module-option name="java.naming.factory.initial">
                                com.sun.jndi.ldap.LdapCtxFactory
                                </module-option>
                                <module-option name="java.naming.provider.url">
                                ldap://ldap.my.com/
                                </module-option>
                                <module-option name="java.naming.security.authentication">
                                simple
                                </module-option>
                                <module-option name="principalDNPrefix">uid=</module-option>
                                <module-option name="principalDNSuffix">,ou=people,o=my.com</module-option>
                                <module-option name="rolesCtxDN">,ou=people,o=my.com</module-option>
                                <module-option name="uidAttributeID">uid</module-option>
                                <module-option name="matchOnUserDN">true</module-option>
                                <module-option name="roleAttributeID">userClass</module-option>
                                <module-option name="roleAttributeIsDN">true</module-option>
                                <module-option name="searchTimeLimit">5000</module-option>
                                <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                                </login-module>
                                </application-policy>

                                *********************************************

                                web.xml
                                -----------------
                                <security-constraint>
                                <web-resource-collection>
                                <web-resource-name>HtmlAdaptor</web-resource-name>
                                An example security config that only allows users with the
                                role JBossAdmin to access the HTML JMX console web application

                                <url-pattern>/*</url-pattern>
                                <http-method>GET</http-method>
                                <http-method>POST</http-method>
                                </web-resource-collection>
                                <auth-constraint>
                                <role-name>staff</role-name>
                                </auth-constraint>
                                </security-constraint>


                                <login-config>
                                <auth-method>BASIC</auth-method>
                                <realm-name>JBoss</realm-name>
                                </login-config>

                                <security-role>
                                <role-name>staff</role-name>
                                </security-role>

                                • 14. Re: Tutorial for setup of Authentication in JBoss?
                                  Peter Johnson Master

                                  Stating the user's DN is a good start, but I also need a DN for something that could be used for a role, such as a department. And I need to know an attribute on the user that can be used to link to that role/department.

                                  The other thing I am thinking is that perhaps there is a way to simulate a user-only LDAP module that yields a constant role (or chain some modules together to yield the same). I know that this can be done with the database login module because there the role is obtained via an SQL statement and it is easy to write SQL to return a constant. However, I would have to dig through the source code to see if this is possible.

                                  I have a very detailed description of how to set up the LDAP login module based on using ldapserach to query the LDAP server in JBoss in Action. You should get a copy and look it over, that might help you set up the roles query. http://www.manning.com/jamae

                                  1 2 Previous Next