JNDI Realm LDAP authentication

 
Greenhorn
Posts: 2
I have been working on putting JNDI realm authentication into my application and have managed to get most of it to work.
Basically I am authenticating a user against LDAP, then checking the user is in a particular AD group. I've been able to successfully authenticate a user against LDAP, and my logs indicate that the GenericPrincipal list is being populated with all the groups that the user belongs to, however when it comes to the point where the application compares this list it cannot find the group I've specified to check for.
My server.xml looks something like this (I've had to substitute particular details of the userBase and roleBase though to post it here):


My web.xml:


I have been able to get a log in page working, and the application is authenticating users against LDAP successfully however authorisation is failing. I've been able to set up logging to see the errors:

FINE: Authenticated 'testuser' with type 'FORM'
07-May-2014 12:03:56 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[testuser(CN=........) (I had to remove the AD groups for the purposes of posting here but I am getting a list back of all the AD groups the user is in, which includes the role defined in my web.xml 'admin')
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasRole
FINE: Username testuser does NOT have role admin
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found: admin
07-May-2014 12:03:56 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed accessControl() test

So in summary, the Generic principal list is being populated for a logged in user, but then when it comes to org.apache.catalina.realm.RealmBase hasResourcePermission it is failing to find the role in the Generic principal list...which seems odd. Has anyone got any ideas on why this might be happening?

I have double checked the name of the role I'm looking for using an LDAP browser and confirmed that my user does belong to the group as well.

Thanks,
Amy
 
Amy Robinson
Greenhorn
Posts: 2
I meant to add I am running Tomcat 6, using Netbeans 7.1.2 if that matters.
 
Bartender
Posts: 20739
I always have trouble making sense of LDAP specs for Tomcat, but I think I understand what it's attempting here, assuming I haven't missed anything.

The version of Tomcat and CERTAINLY the IDE should make no difference. Well, except for the way that Eclipse WTP screws up Tomcat runtime configs in general.

You have - or so I interpret it - set up your Active Directory so that it's something like this:



At least I think that's what's expected. And I haven't attempted to put in all the minor attributes and stuff.

One thing that isn't obvious is if you have your qualifying levels in the correct order, since they're all "sample".
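
An added example, not part of the original thread and not Tomcat's own code: the log in the question prints the principal's roles as `CN=...` values while `web.xml` asks for `admin`. Assuming the role check is an exact string comparison and the directory returns groups as full distinguished names (both assumptions, since the `server.xml` is not shown), this sketch compares the two forms; the class name, helper names and group DNs are constructed.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class RoleMatchDemo {
    // Modelled role check: exact, case-sensitive string match (assumption).
    static boolean hasRole(Collection<String> roles, String required) {
        return roles.contains(required);
    }

    // CN of the leftmost RDN of a group DN, or null if the value is not such a DN.
    static String leadingCn(String dn) {
        try {
            LdapName name = new LdapName(dn);
            if (name.isEmpty()) return null;
            Rdn leaf = name.getRdn(name.size() - 1); // index 0 is the rightmost RDN
            return "cn".equalsIgnoreCase(leaf.getType()) ? String.valueOf(leaf.getValue()) : null;
        } catch (InvalidNameException e) {
            return null;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed group values, shaped like the CN=... entries in the log.
        List<String> fromDirectory = Arrays.asList(
            "CN=admin,OU=Groups,DC=example,DC=com",
            "CN=staff,OU=Groups,DC=example,DC=com",
            "CN=admin,OU=Contractors,DC=example,DC=com"); // same CN, other OU

        // 1. Full DNs compared with the short name from web.xml.
        System.out.println("DN strings contain 'admin': " + hasRole(fromDirectory, "admin"));

        // 2. Short names derived from the DNs. Both 'admin' groups collapse into one role.
        Set<String> shortNames = new TreeSet<>();
        for (String dn : fromDirectory) {
            String cn = leadingCn(dn);
            if (cn != null) shortNames.add(cn);
        }
        System.out.println("CN values contain 'admin': " + hasRole(shortNames, "admin"));

        // 3. Stricter: grant the role only for one exact group DN.
        LdapName trusted = new LdapName("cn=admin,ou=Groups,dc=example,dc=com");
        int matches = 0;
        for (String dn : fromDirectory) {
            if (new LdapName(dn).equals(trusted)) matches++;
        }
        System.out.println("groups equal to the trusted DN: " + matches);
    }
}
```

Matching on the CN alone treats same-named groups in different OUs as one role, which is why the third check pins a single DN.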
 