how to set up role-name in securityrole or auth-constraint

 
Greenhorn
I integrated Waffle into my Tomcat 7.
I need to define the users in the Active Directory group that can visit the site; web.xml looks like:



<security-constraint>
  <display-name>not relevant</display-name>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <description/>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>workflowusers</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>not relevant</description>
  <role-name>workflowusers</role-name>
</security-role>

I want all the users of a certain group (e.g. workflowusers) to be able to access this hosted site.
What exactly is the object I need to create in Active Directory and add users to?
I created a workflowusers group under the main DOMAIN object that looks like this (not working..):

"SEE ATTACHED IMAGE FOR ACTIVE DIRECTORY SETTINGS"

This is link instruction from waffle:
https://github.com/dblock/waffle/blob/master/Docs/tomcat/TomcatSingleSignOnValve.md

If I replace the role-name with "Everyone" or place "*" it will work, e.g.:

<role-name>workflowusers</role-name>


[Attached image: Capture.JPG (ActiveDirectory)]
Bartender
It's not a good idea to make "/*" be a secured URL pattern. Since that pattern covers everything, you make it impossible for a non-authenticated user to even fetch the images, css and other static assets until you've signed on. That can cause problems with the login process itself. Also, I prefer that every webapp should have an insecure "welcome" page, even if that page only says: "This app is secured, if you aren't authorized, go away!"

Setting up LDAP configuration can be tricky, and doubly so when using Active Directory, which has specific patterns for security-related entries. Obviously, this means that you should read this documentation: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm very carefully.

One thing that your screenshot does not show is how users are defined as members of a group. Java's security model requires 2 pair relationships - one between userid and password and one between userid and group(s). Since AD has handled the login, the userid/password relationship isn't normally important for your system, but the userid/group relationship is essential.
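
The reply above warns that securing "/*" also blocks static assets and the welcome page for unauthenticated users. The following web.xml fragment is an added example (not from the thread or from Waffle's documentation) of one way to carve those paths out of the constraint; the paths /welcome.html, /css/* and /images/* are assumed for illustration.

```xml
<!-- Added example. The public paths below are assumptions, not taken from the thread. -->

<!-- Public resources: a security-constraint with no auth-constraint element
     allows access without authentication. An exact match or a longer path
     prefix takes precedence over the catch-all "/*" pattern. -->
<security-constraint>
  <display-name>public resources</display-name>
  <web-resource-collection>
    <web-resource-name>public</web-resource-name>
    <url-pattern>/welcome.html</url-pattern>
    <url-pattern>/css/*</url-pattern>
    <url-pattern>/images/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Everything else: only authenticated users holding the role get in. -->
<security-constraint>
  <display-name>protected application</display-name>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Value kept from the thread. It has to equal the role name the
         container reports for the user's group membership. -->
    <role-name>workflowusers</role-name>
  </auth-constraint>
</security-constraint>

<!-- Every role named in an auth-constraint is declared here as well. -->
<security-role>
  <description>users allowed to use the application</description>
  <role-name>workflowusers</role-name>
</security-role>
```

Keeping "/*" protected and listing the public paths explicitly means that a resource added later is protected unless someone deliberately exempts it.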
 