I have been working on putting JNDI realm authentication into my application and have managed to get most of it to work.
Basically I am authenticating a user against LDAP, then checking that the user is in a particular AD group. I've been able to successfully authenticate a user against LDAP, and my logs indicate that the GenericPrincipal list is being populated with all the groups that the user belongs to; however, when it comes to the point where the application compares this list, it cannot find the group I've specified to check for.
My server.xml looks something like this (I've had to substitute particular details of the userBase and roleBase though to post it here):
My web.xml:
I have been able to get a login page working, and the application is authenticating users against LDAP successfully; however, authorisation is failing. I've been able to set up logging to see the errors:
FINE: Authenticated 'testuser' with type 'FORM'
07-May-2014 12:03:56 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[testuser(CN=........) (I had to remove the AD groups for the purposes of posting here, but I am getting a list back of all the AD groups the user is in, which includes the role defined in my web.xml, 'admin')
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasRole
FINE: Username testuser does NOT have role admin
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found: admin
07-May-2014 12:03:56 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed accessControl()
test
So in summary, the GenericPrincipal list is being populated for a logged-in user, but then when it comes to org.apache.catalina.realm.RealmBase hasResourcePermission it is failing to find the role in the GenericPrincipal list... which seems odd. Has anyone got any ideas on why this might be happening?
I have double-checked the name of the role I'm looking for using an LDAP browser and confirmed that my user does belong to the group as well.
Thanks,
Amy