Avatar of sakkie6yster
sakkie6yster asked on

LDAP Authentication on JBoss

I'm trying to setup LDAP authentication on Jboss (404GA).  I have setup form based authentication on the web.xml, have created the security domain in the jboss-web.xml and added the LdapLoginModule in the login-config.xml.  Furthermore I'm using the j_security_check action in my jsp.  (Will attach the necessary code snippets from these different sources).  

As soon as I enter a valid username and password (ie. that exist on LDAP), I get an "HTTP Status 403 - Access to the requested resource has been denied" error message and have not been able to resolve this problem.  

Has anybody have the same problem or know what I can do to resolve this? Please?


login.jsp:
==========
<form action="j_security_check" method="post" name="loginFrom">
 
web.xml:
========
<security-constraint>
		<display-name>Administrator Constraint</display-name>
		<web-resource-collection>
			<web-resource-name>Administrator Constraint</web-resource-name>
			<description></description>
			<url-pattern>*.jsp</url-pattern>
			<url-pattern>*.do</url-pattern>
			<http-method>GET</http-method>
			<http-method>PUT</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<description></description>
			<role-name>SystemAdministrator</role-name>
			<role-name>StandardUser</role-name>
			<role-name>QualityChecker</role-name>
			<role-name>TeamLeader</role-name>
			<role-name>QualityAssessor</role-name>
			<role-name>ViewOnlyUser</role-name>
			<role-name>StandardUserFO</role-name>
			<role-name>StandardUserBO</role-name>
			<role-name>Administrator</role-name>			
		</auth-constraint>
	</security-constraint>
	<login-config>
		<auth-method>FORM</auth-method>
 		<realm-name>ldap-security</realm-name>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/login.jsp?error=true</form-error-page>
		</form-login-config>
	</login-config>
 
jboss-web.xml:
==============
 <security-domain>java:/jaas/ldap-security</security-domain>
 
login-config.xml:
==================
 
 
   <application-policy name="ldap-security">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://fnb400:389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>                
                
		<module-option name="java.naming.security.principal">cn=wasadmin,o=fnbinsuranceprdmass</module-option>
                <module-option name="java.naming.security.credentials">password</module-option>
                
                <module-option name="principalDNPrefix">cn=</module-option>
                <module-option name="principalDNSuffix">,o=fnbinsuranceprdmass</module-option>
                <module-option name="rolesCtxDN">cn=Administrator,o=fnbinsuranceprdmass</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="searchTimeLimit">5000</module-option>
		<module-option name="searchScope">SUBTREE_SCOPE</module-option>
            </login-module>
        </authentication>
   </application-policy>

Open in new window

DatabasesJSPJava App Servers

Avatar of undefined
Last Comment
sakkie6yster

8/22/2022 - Mon
giltjr

What is the exact resource that you are not authorized to access?
ASKER
sakkie6yster

I'm not exactly sure, as this is a system that was written by somebody else specifically for Websphere (it is currently running without any problems on WAS) and I need to get it running on JBoss.  I am not all that familiar with the j_security_check action and have very little time to get up to speed with all the technologies referenced by the code, but it would seem that the RESOURCE that I'm not authorized to access, is a jsp that it tries to forward to after login,  portalRedirector.jsp.
SOLUTION
giltjr

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
sakkie6yster

Okay, I will download and try out wireshark to test the LDAP calls. Will let you know what the results are.  And yes, I am connecting to the same LDAP server that WAS is using.  Not sure about the type of LDAP server, will find that out for you too. Thank you for your help thus far.  I am quite concerned as I have been stuck with this problem for quite a while.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER
sakkie6yster

I installed wireshark and did a "capture" while clicking on the login button on the login page.  I'm attaching a screen shot of the capture file for you to review the communication between jboss and ldap on logging in.  To my knowledge the LDAP calls seem fine, I can see a successful bindResponse for both the user (cn=0005098M,o=fnbinsuranceprdmass) and the principle (cn=wasadmin,o=fnbinsuranceprdmass). I saw there's an unbindingRequest, I take it that is the way it's suppose to work?

If this means LDAP is working and something is wrong with the security descriptors, which ones and should I post them for you?

The LDAP server type is IBM Secureway.
wireshark-prnt-scrn.PNG
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
sakkie6yster

Okay, I've clicked on the "Follow TCP Stream" and here is what I get from the LDAP packets (it doesn't say anything about successful query or any role(s)):

The entire conversation for info "localinfosrvr > ldap [ACK]":
===========================================
04...`/....!cn=0005098M,o=fnbinsuranceprdmass..frosty10........a.....
......

The entire conversation for info bindRequest(1) :
===================================
04...`/....!cn=0005098M,o=fnbinsuranceprdmass..frosty10........a.....
......

The entire conversation for another bindRequest:
===================================
05...`0....!cn=wasadmin,o=fnbinsuranceprdmass..password0........a.....
......0"...B...0...2.16.840.1.113730.3.4.2

I looked at a couple of the TCP packets as well, couldn't find anything containing the roles.  Does this mean that the roles are not returned? There wasn't anything about a security violation, I take it you're talking about the security violation on jboss right? What would be the next step to fix this?
ASKER
sakkie6yster

Is giltjr still around?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
giltjr

Yes, missed the e-mail. As I don't know you full structure do you see anything in the trace about group names, or anything that maps back to the role names?  Off hand I don't.  This would mean that JBOSS is not sending a LDAP query to get this information.

I will have to check with somebody at my work, but I believe in our WebSphere environment that our initial login page is setup to that anybody with a valid userid and password can see it, then our applications issues "Java/J2EE" requests that causes WebSphere to issue LDAP commands that get the groups the user is in and this is mapped to roles.
ASKER
sakkie6yster

This is why I post the entire conversations, there is nothing about groups/roles here, when you look at these traces can you see that they're missing stuff?  How do I get Jboss to send this LDAP query that you're talking about? Isn't it suppose to happen after binding? When you're talking about something that would map back to a role name, what would a typical "mapping" look like?  I did the "follow stream" on the LDAP packages as you suggested and all I found were these conversations:

The entire conversation for info "localinfosrvr > ldap [ACK]":
===========================================
04...`/....!cn=0005098M,o=fnbinsuranceprdmass..frosty10........a.....
......

The entire conversation for info bindRequest(1) :
===================================
04...`/....!cn=0005098M,o=fnbinsuranceprdmass..frosty10........a.....
......

The entire conversation for another bindRequest:
===================================
05...`0....!cn=wasadmin,o=fnbinsuranceprdmass..password0........a.....
......0"...B...0...2.16.840.1.113730.3.4.2

is it possible that the "a" or "B" could be a type of mapping? And where could I check for these?

In the very first question, I posted all the setup and configuration I've done to connect to the LDAP server.  Did I miss anything? Is my login-config.xml correct?  Okay so, for argument sake, if these aren't mappings, how do I get the roles back?
giltjr

You need to talk to both the application developers and to whomever manages the WAS enviroment and see how this is setup and works there.

From what you have provided I can see you have told JBOSS about the role names.  Normally the application will get this information or ask JBOSS to get it.

Did you setup the WAS enviroment?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
sakkie6yster

No, I did not setup the WAS environment, and the application developers and people who setup the WAS environment are both long gone.  If I could speak to them, I wouldn't be posting my question on here.

I don't understand your advice anymore. Do you have experience with setting up LDAP connections on Jboss? Or should I be speaking to a different expert? Perhaps you could refer me to somebody else with this experience if you can't help.

Initially you said I should use WireShark to see if LDAP is working fine, I did the WireShark thing and posted all the LDAP conversations for you to see, still you are unable to tell me if the LDAP conversation is actually working.  You asked me if the roles were returned by LDAP, and it doesn't seem to be.  Surely you'll be able to see this by looking at the TCP Streams, or did I misunderstood the TCP Stream?  You mentioned something about possible mappings to roles.  I have asked you what these mappings would look like, but you didn't answer.  Perhaps I'm asking too many questions? Should I try and number?

You mentioned having to talk to people at your work about your Websphere setup.  Does this mean you don't really work on JBoss?  

I am already 2 weeks overdue, and desperately need help on getting the LDAP authentication/authorization working (that is, if this is even the problem?? - something you still haven't been able to really confirm).  As I explained earlier (right in the beginning with the first question), when I use a wrong username or password on the login screen, j_security_check actually returns an error, asif it is actually validating the credentials.  And as soon as I insert a valid username and password that exist in the ldap directory it continues and returns the HTTP error.  If I understand you correctly, everything we've done thus far points to LDAP not returning the correct roles.  Is this correct? Can you confirm this? Or do you need more information from my side to confirm?  

I hope I don't sound rude, I'm just kinda in a flat spin, desperate to deliver something asap.  Please help!
ASKER CERTIFIED SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.