how to set up role-name in securityrole or auth-constraint

Greenhorn
Posts: 3
I integrated waffle into my tomcat 7.
I need to define the users in the active directory group that can visit the site, web.xml looks like:

<security-constraint>
<display-name>not relevant</display-name>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>workflowusers</role-name>
</auth-constraint>
</security-constraint>

<security-role>
<description>not relevant</description>
<role-name>workflowusers</role-name>
</security-role>

I want all the users of a certain group (e.g. workflowusers) to be able to access this hosted site.
What exactly is the object I need to create in Active Directory and add users to?
I created a workflowusers group under the main DOMAIN object that looks like this (not working..):

"SEE ATTACHED IMAGE FOR ACTIVE DIRECTORY SETTINGS"

This is link instruction from waffle:
https://github.com/dblock/waffle/blob/master/Docs/tomcat/TomcatSingleSignOnValve.md

If I replace the role-name with "Everyone" or put "*", it will work, e.g.:

<role-name>workflowusers</role-name>

Saloon Keeper
Posts: 27763
It's not a good idea to make "/*" be a secured URL pattern. Since that pattern covers everything, you make it impossible for a non-authenticated user to even fetch the images, css and other static assets until you've signed on. That can cause problems with the login process itself. Also, I prefer that every webapp should have an insecure "welcome" page, even if that page only says: "This app is secured, if you aren't authorized, go away!"

Setting up LDAP configuration can be tricky, and doubly so when using Active Directory, which has specific patterns for security-related entries. Obviously, this means that you should read this documentation: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm very carefully.

One thing that your screenshot does not show is how users are defined as members of a group. Java's security model requires 2 pair relationships - one between userid and password and one between userid and group(s). Since AD has handled the login, the userid/password relationship isn't normally important for your system, but the userid/group relationship is essential.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
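The advice above about not securing "/*" can be expressed directly in web.xml. The fragment below is an added example, not code from the original posts or from Waffle's documentation: it keeps the welcome page and static assets reachable without a login while requiring the workflowusers role for the application paths. The paths /static/*, /app/* and the file name index.html are assumptions.

```xml
<!-- Added example (assumed paths): public resources first, secured application second. -->

<!-- A security-constraint with NO auth-constraint element grants access to everyone.
     This is what lets the browser fetch css/js/images and the welcome page
     before the user has signed on. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>public</web-resource-name>
    <url-pattern>/index.html</url-pattern>   <!-- assumed unsecured welcome page -->
    <url-pattern>/static/*</url-pattern>     <!-- assumed location of css/js/images -->
  </web-resource-collection>
  <!-- deliberately no <auth-constraint> here -->
</security-constraint>

<!-- Only the application paths require the workflowusers role.
     Note: an EMPTY <auth-constraint/> would deny everyone; that is the
     opposite of leaving the element out, as done above. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>application</web-resource-name>
    <url-pattern>/app/*</url-pattern>        <!-- assumed application path -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>workflowusers</role-name>
  </auth-constraint>
</security-constraint>

<!-- The role still has to be declared; the container maps it to the
     group name that the realm (here Waffle / Active Directory) reports. -->
<security-role>
  <role-name>workflowusers</role-name>
</security-role>

<welcome-file-list>
  <welcome-file>index.html</welcome-file>
</welcome-file-list>
```

When several url-patterns match a request the container applies the most specific one (an exact pattern beats a path prefix), so the two constraints above do not conflict. The role-name must match the group name in exactly the form the realm presents it, which is why "*" works in the original question while a differently spelled group name does not.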