how to set up role-name in security-role or auth-constraint

ilan sch
Greenhorn
Posts: 3
I integrated Waffle into my Tomcat 7.
I need to define the users in the Active Directory group that can visit the site. web.xml looks like:

<security-constraint>
    <display-name>not relevant</display-name>
    <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>workflowusers</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>not relevant</description>
    <role-name>workflowusers</role-name>
</security-role>

I want all the users of a certain group (e.g. workflowusers) to be able to access this hosted site.
What exactly is the object I need to create in Active Directory and add users to it?
I created a workflowusers group under the main DOMAIN object that looks like this (not working..):

"SEE ATTACHED IMAGE FOR ACTIVE DIRECTORY SETTINGS"

This is the link to the instructions from Waffle:
https://github.com/dblock/waffle/blob/master/Docs/tomcat/TomcatSingleSignOnValve.md

If I replace the role-name with "Everyone" or put "*", it will work, e.g.:

<role-name>workflowusers</role-name>
Tim Holloway
Saloon Keeper
Posts: 18636
70
It's not a good idea to make "/*" be a secured URL pattern. Since that pattern covers everything, you make it impossible for a non-authenticated user to even fetch the images, css and other static assets until you've signed on. That can cause problems with the login process itself. Also, I prefer that every webapp should have an insecure "welcome" page, even if that page only says: "This app is secured, if you aren't authorized, go away!"

Setting up LDAP configuration can be tricky, and doubly so when using Active Directory, which has specific patterns for security-related entries. Obviously, this means that you should read this documentation: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm very carefully.

One thing that your screenshot does not show is how users are defined as members of a group. Java's security model requires 2 pair relationships - one between userid and password and one between userid and group(s). Since AD has handled the login, the userid/password relationship isn't normally important for your system, but the userid/group relationship is essential.
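As an added example (not from the original posts and not from Waffle's own documentation), here is a web.xml layout that follows the advice in the reply above: the welcome page and static assets stay outside any constraint, and only the application area requires the workflowusers role. The paths /app/*, /index.html and /forbidden.html are assumptions chosen for illustration, not anything the thread specifies.

```xml
<!-- Added example; not from the original post or from Waffle's docs.
     Layout per the reply above: welcome page and static assets are left
     outside any security-constraint, only the application area requires
     the AD group/role. The paths /app/*, index.html and /forbidden.html
     are assumptions for illustration. Servlet 3.0 schema matches Tomcat 7. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Publicly reachable landing page; served without authentication. -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <!-- Only /app/* is constrained. /index.html, css, images and anything
       else not matched here need no login, so the login step itself can
       still load its assets. -->
  <security-constraint>
    <display-name>workflow application</display-name>
    <web-resource-collection>
      <web-resource-name>application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Must be exactly the role name the realm or SSO valve assigns to
           the authenticated user; with an AD group that is derived from
           the group name, so the spelling here has to match what the
           container actually sees as the user's roles. -->
      <role-name>workflowusers</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Declares the role so the container knows it is a valid name. -->
  <security-role>
    <description>AD group allowed into /app/*</description>
    <role-name>workflowusers</role-name>
  </security-role>

  <!-- Plain error page so a denied user gets an explanation rather than
       a bare 403. It lives outside /app/*, so showing it does not itself
       trigger another authentication challenge. -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
  </error-page>
</web-app>
```

The point of the layout is that the url-pattern draws the line between "anyone may fetch this" and "must be in the group": a constraint on /* puts the welcome page, the error page and every static file on the wrong side of that line. The role-name is only half of the check, though; as the reply notes, the userid-to-group relationship has to be supplied by the realm or SSO valve, so if the name here does not match the role the container receives for the logged-in user, the constraint denies everyone regardless of how the AD group is populated.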