Jboss 5.1 and LDAP - roles are not working

Hi All,
I am migrating the application from WebSphere 5 to JBoss 5.1.

I am setting up LDAP security in the JBoss server. I am able to authenticate, but I am not able to get the roles, although through an LDAP browser I can see the roles, and the same setup is working in WebSphere. Find the error log below:


2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost%2F127.0.0.1-8080-2) Calling hasUserDataPermission()
2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) User data constraint has no restrictions
2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost%2F127.0.0.1-8080-2) Calling authenticate()
2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-localhost%2F127.0.0.1-8080-2) Restore request from session '64ADB7A506D6C59491DD707235667BAF'
2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost%2F127.0.0.1-8080-2) Authenticated 'jp01270' with type 'FORM'
2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-localhost%2F127.0.0.1-8080-2) Proceed to restored request
2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost%2F127.0.0.1-8080-2) Calling accessControl()
2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) Checking roles GenericPrincipal[jp01270(CIA_DVSM_ADM,SFD,all_authenticated_users,)]
2014-08-11 19:29:05,508 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-localhost%2F127.0.0.1-8080-2) [getServletName:servletmappings=[Ljava.lang.String;@79d54b:servlet.getName()=action]
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) Username jp01270 does NOT have role SD_ADMINISTRATOR
2014-08-11 19:29:05,524 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-localhost%2F127.0.0.1-8080-2) hasRole:RealmBase says:false::Authz framework says:false:final=false
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) No role found: SD_ADMINISTRATOR
2014-08-11 19:29:05,524 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-localhost%2F127.0.0.1-8080-2) [getServletName:servletmappings=[Ljava.lang.String;@a25f62:servlet.getName()=action]
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) Username jp01270 does NOT have role SFD_USER
2014-08-11 19:29:05,524 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-localhost%2F127.0.0.1-8080-2) hasRole:RealmBase says:false::Authz framework says:false:final=false
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) No role found: SD_USER
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) Checking for all roles mode: authOnly
2014-08-11 19:29:05,524 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-localhost%2F127.0.0.1-8080-2) hasResourcePerm:RealmBase says:false::Authz framework says:false:final=false
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost%2F127.0.0.1-8080-2) Failed accessControl() test
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-localhost%2F127.0.0.1-8080-2) Processing ErrorPage[errorCode=403, location=/error/error403.jsp]



-------------------------------------------------------------------------------
My settings are

login-config.xml

<application-policy name="ldap-sd">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://sdsdds.md2.d.fr:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="baseCtxDN">ou=People,o=renault</module-option>
<module-option name="bindDN">uid=AWTWSAD,ou=FRA,ou=People,o=renault</module-option>
<module-option name="bindCredential">AWTWSAD</module-option>
<module-option name="baseFilter">(uid={0})</module-option>
<module-option name="rolesCtxDN">ou=rights,o=renault</module-option>
<module-option name="roleFilter">(uniqueMember={1})</module-option>
<module-option name="roleAttributeID">objectClass</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="searchScope">ALL_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="defaultRole">all_authenticated_users</module-option>
</login-module>
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
<module-option name="rolesProperties">props/sd-rolesMapping-roles.properties</module-option>
<module-option name="replaceRole">true</module-option>
</login-module>
</authentication>
</application-policy>
--------------------------------------------------------------------------------------
sd-rolesMapping-roles.properties

SD_ADMINISTRATOR=SD_ADMINISTRATOR
SD_USER=SD_USER
------------------------------------------------------

web.xml


<security-constraint>
<web-resource-collection>
<web-resource-name>All authenticated users</web-resource-name>
<url-pattern>*.do</url-pattern>
<url-pattern>/jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SFD_ADMINISTRATOR</role-name>
<role-name>SFD_USER</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/user/login.jsp</form-login-page>
<form-error-page>/user/loginError.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description></description>
<role-name>SD_ADMINISTRATOR</role-name>
</security-role>
<security-role>
<description></description>
<role-name>SD_USER</role-name>
</security-role>
-----------------------------------------------------------------------------

jboss-web.xml

<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<security-domain>java:/jaas/ldap-sd</security-domain>
</jboss-web>

-------------------------------------------------------------------

application.xml


<security-role>
<description>All authenticated users</description>
<role-name>SD_ADMINISTRATOR</role-name>
</security-role>
<security-role>
<role-name>SD_USER</role-name>
</security-role>



Could you please help me with this? Where am I wrong?
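As an added diagnostic (not code from this thread or from JBoss), the following Python script replays the role pipeline that the log and configuration above describe. It pulls the roles the LdapExtLoginModule placed on the principal out of the "Checking roles GenericPrincipal[...]" line, applies a rolesProperties file the way RoleMappingLoginModule with replaceRole=true is assumed to work (each line is ROLE=mapped1,mapped2; the mapped names replace ROLE, and keys the principal does not hold are no-ops), and then runs the container's any-one-role-matches check against the <auth-constraint>. SAMPLE_LOG is copied from the post, POST_MAPPING is the post's properties file, and FIXED_MAPPING is a constructed assumption that the LDAP groups CIA_DVSM_ADM and SFD are the ones meant to become SD_ADMINISTRATOR and SD_USER.

```python
"""Replay JBoss 5 role mapping to explain a 'does NOT have role' 403.

Added example; models (assumed semantics) RoleMappingLoginModule with
replaceRole=true and the container's hasRole() check, and parses the two
informative DEBUG lines from the thread's log.
"""
import re

# Constructed sample: lines copied from the post's log.
SAMPLE_LOG = """\
2014-08-11 19:29:05,508 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) Checking roles GenericPrincipal[jp01270(CIA_DVSM_ADM,SFD,all_authenticated_users,)]
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) Username jp01270 does NOT have role SD_ADMINISTRATOR
2014-08-11 19:29:05,524 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost%2F127.0.0.1-8080-2) Username jp01270 does NOT have role SD_USER
"""

# The post's sd-rolesMapping-roles.properties: maps a role to itself.
POST_MAPPING = "SD_ADMINISTRATOR=SD_ADMINISTRATOR\nSD_USER=SD_USER\n"

# Constructed assumption: the LDAP groups the principal really carries are
# the ones that should become the application roles named in web.xml.
FIXED_MAPPING = "CIA_DVSM_ADM=SD_ADMINISTRATOR\nSFD=SD_USER\n"

# Roles required by the <auth-constraint> in web.xml (as the log shows).
WEB_XML_AUTH_CONSTRAINT = ["SD_ADMINISTRATOR", "SD_USER"]

PRINCIPAL_RE = re.compile(
    r"Checking roles GenericPrincipal\[(?P<user>[^(]+)\((?P<roles>[^)]*)\)\]")
MISSING_RE = re.compile(r"Username (?P<user>\S+) does NOT have role (?P<role>\S+)")


def parse_log(text):
    """Return (user, roles granted to the principal, roles the container asked for)."""
    user, granted, asked = None, set(), []
    for line in text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            user = m.group("user")
            # The principal dump ends with a trailing comma, which yields ''.
            granted = {r for r in m.group("roles").split(",") if r}
        m = MISSING_RE.search(line)
        if m:
            asked.append(m.group("role"))
    return user, granted, asked


def parse_roles_properties(text):
    """ROLE=mapped1,mapped2 per line; blank lines and '#' comments are ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, _, targets = line.partition("=")
        mapping[role.strip()] = [t.strip() for t in targets.split(",") if t.strip()]
    return mapping


def apply_role_mapping(granted, mapping, replace_role=True):
    """Model of RoleMappingLoginModule (assumed semantics, see lead-in)."""
    result = set(granted)
    for role, targets in mapping.items():
        if role not in granted:
            continue  # a key the principal does not hold maps nothing
        if replace_role:
            result.discard(role)
        result.update(targets)
    return result


def has_access(effective_roles, auth_constraint):
    """Container hasRole() semantics: holding any one required role is enough."""
    return any(r in effective_roles for r in auth_constraint)


def diagnose(log_text, roles_properties, auth_constraint, replace_role=True):
    """Explain why the constraint passed or failed for the user in the log."""
    user, granted, asked = parse_log(log_text)
    mapping = parse_roles_properties(roles_properties)
    effective = apply_role_mapping(granted, mapping, replace_role)
    return {
        "user": user,
        "granted_by_ldap": sorted(granted),
        "effective_after_mapping": sorted(effective),
        "roles_checked_in_log": asked,
        "required_by_web_xml": list(auth_constraint),
        "access": has_access(effective, auth_constraint),
        # Mapping keys the principal never holds: the file does nothing for them.
        "unusable_mapping_keys": sorted(k for k in mapping if k not in granted),
    }


if __name__ == "__main__":
    for label, props in (("post mapping", POST_MAPPING), ("fixed mapping", FIXED_MAPPING)):
        print(label, diagnose(SAMPLE_LOG, props, WEB_XML_AUTH_CONSTRAINT))
```

With the post's properties file the report lists both keys as unusable: the principal only ever carries CIA_DVSM_ADM, SFD and all_authenticated_users, so mapping SD_ADMINISTRATOR to itself changes nothing and the 403 follows. Keying the file on role names the principal actually holds makes the check pass, which matches the later observation in the thread that changing the role mapping properties made it work.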


Don't know if this is the root cause, but in the web.xml <auth-constraint> you had "SFD_...." rather than "SF_..."

<auth-constraint>
<role-name>SFD_ADMINISTRATOR</role-name>
<role-name>SFD_USER</role-name>

</auth-constraint>
 
arkaes Duraimoni
Thank you, Tsang. The role name got changed while posting here. Finally it's working after putting some wrong roles in the role mapping properties, but I am not sure why this is happening.

finally worked
 
K. Tsang
Glad I caught that typo