JNDI Realm LDAP authentication

I have been working on putting JNDI realm authentication into my application and have managed to get most of it to work.
Basically I am authenticating a user against LDAP, then checking the user is in a particular AD group. I've been able to successfully authenticate a user against LDAP, and my logs indicate that the GenericPrincipal list is being populated with all the groups that the user belongs to; however, when it comes to the point where the application compares this list it cannot find the group I've specified to check for.
My server.xml looks something like this (I've had to substitute particular details of the userBase and roleBase though to post it here):


My web.xml:


I have been able to get a login page working, and the application is authenticating users against LDAP successfully; however, authorisation is failing. I've been able to set up logging to see the errors:

FINE: Authenticated 'testuser' with type 'FORM'
07-May-2014 12:03:56 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[testuser(CN=........) (I had to remove the AD groups for the purposes of posting here, but I am getting a list back of all the AD groups the user is in, which includes the role defined in my web.xml, 'admin')
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasRole
FINE: Username testuser does NOT have role admin
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found: admin
07-May-2014 12:03:56 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed accessControl() test

So in summary, the GenericPrincipal list is being populated for a logged-in user, but then when it comes to org.apache.catalina.realm.RealmBase hasResourcePermission it is failing to find the role in the GenericPrincipal list... which seems odd. Has anyone got any ideas on why this might be happening?

I have double-checked the name of the role I'm looking for using an LDAP browser and confirmed that my user does belong to the group as well.

Thanks,
Amy
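Two facts about Tomcat are worth having in front of you when reading the FINE lines quoted above. GenericPrincipal.toString() prints the user name and then every role string, each followed by a comma, inside the parentheses; and GenericPrincipal.hasRole() is a binary search for the exact, case-sensitive string in the sorted role array (only "*" is special). The role strings themselves are whatever attribute value the JNDIRealm's roleName setting pulls from each group entry matched by roleSearch, untouched. The script below is an added example, not code from the post or from Tomcat: it emulates that chain over a constructed set of AD-style group entries (the DNs, group names and the roleName values "cn" and "distinguishedName" are assumptions for illustration) so you can see which roleName choice yields a principal whose role list actually contains the plain name "admin", and which yields a list that fails the exact-match check with the same "does NOT have role" outcome.

```python
"""Emulate how Tomcat's JNDIRealm turns LDAP group entries into role strings
and how GenericPrincipal.hasRole then matches them against a web.xml role.
All directory data below is constructed for this example."""
import bisect
import re

# Constructed stand-in for the AD group entries a roleSearch such as
# "(member={0})" under roleBase would return. Real AD entries carry many
# more attributes; only the ones the realm looks at are modelled.
GROUP_ENTRIES = [
    {
        "distinguishedName": "CN=admin,OU=Groups,DC=example,DC=com",
        "cn": "admin",
        "member": ["CN=testuser,OU=Users,DC=example,DC=com"],
    },
    {
        "distinguishedName": "CN=Developers,OU=Groups,DC=example,DC=com",
        "cn": "Developers",
        "member": ["CN=testuser,OU=Users,DC=example,DC=com",
                   "CN=bob,OU=Users,DC=example,DC=com"],
    },
    {
        "distinguishedName": "CN=Auditors,OU=Groups,DC=example,DC=com",
        "cn": "Auditors",
        "member": ["CN=bob,OU=Users,DC=example,DC=com"],
    },
]
USER_DN = "CN=testuser,OU=Users,DC=example,DC=com"  # assumed authenticated user


def roles_for_user(entries, user_dn, role_name_attr):
    """What roleSearch="(member={0})" plus roleName=<attr> yields: the value
    of role_name_attr for every group whose member list holds the user's DN.
    The string put into the principal is exactly that attribute value;
    nothing is trimmed, shortened or lower-cased."""
    roles = []
    for entry in entries:
        if user_dn in entry["member"]:
            value = entry.get(role_name_attr)
            if value is not None:
                roles.append(value)
    return roles


def principal_to_string(name, roles):
    """GenericPrincipal.toString() as it appears in the FINE log: the name,
    then every role followed by a trailing comma, inside parentheses."""
    return "GenericPrincipal[%s(%s)]" % (name, "".join(r + "," for r in roles))


def tomcat_has_role(roles, required):
    """GenericPrincipal.hasRole(): binary search for the exact string in the
    sorted role array. Case-sensitive; "*" matches any authenticated user."""
    if required == "*":
        return True
    sorted_roles = sorted(roles)
    i = bisect.bisect_left(sorted_roles, required)
    return i < len(sorted_roles) and sorted_roles[i] == required


def near_misses(roles, required):
    """Hints for why an exact match failed: a role differing only in case, or
    a role that is a DN whose leading CN value equals the wanted name (what
    you get when roleName points at a DN-valued attribute instead of cn)."""
    hints = []
    for r in roles:
        if r != required and r.lower() == required.lower():
            hints.append("case differs: %r" % r)
        m = re.match(r"^\s*cn=([^,]+)", r, re.IGNORECASE)
        if m and m.group(1).strip() == required:
            hints.append("DN instead of name: %r" % r)
    return hints


def check(required_role, role_name_attr):
    """Run the whole chain once; returns (has_role, roles, hints)."""
    roles = roles_for_user(GROUP_ENTRIES, USER_DN, role_name_attr)
    ok = tomcat_has_role(roles, required_role)
    return ok, roles, ([] if ok else near_misses(roles, required_role))


if __name__ == "__main__":
    for attr in ("cn", "distinguishedName"):
        ok, roles, hints = check("admin", attr)
        print("roleName=%-17s %s" % (attr, principal_to_string("testuser", roles)))
        print("  hasRole('admin') -> %s %s" % (ok, hints))
```

Run it with python3 and compare the printed GenericPrincipal[...] line with the one in your own log: if what follows the user name starts with "CN=" rather than with the bare group name, the strings the realm is handing to hasRole are not the name web.xml asks for, and the exact comparison fails closed. That is the correct place to fix it (the realm's roleName/roleSearch), not by loosening the security-constraint.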
 
Amy Robinson
I meant to add I am running Tomcat 6, using Netbeans 7.1.2 if that matters.
 
Saloon Keeper
I always have trouble making sense of LDAP specs for Tomcat, but I think I understand what it's attempting here, assuming I haven't missed anything.

The version of Tomcat and CERTAINLY the IDE should make no difference. Well, except for the way that Eclipse WTP screws up Tomcat runtime configs in general.

You have - or so I interpret it - set up your Active Directory so that it's something like this:



At least I think that's what's expected. And I haven't attempted to put in all the minor attributes and stuff.

One thing that isn't obvious is if you have your qualifying levels in the correct order, since they're all "sample".
 