sakkie6yster
asked on
LDAP Authentication on JBoss
I'm trying to setup LDAP authentication on Jboss (404GA). I have setup form based authentication on the web.xml, have created the security domain in the jboss-web.xml and added the LdapLoginModule in the login-config.xml. Furthermore I'm using the j_security_check action in my jsp. (Will attach the necessary code snippets from these different sources).
As soon as I enter a valid username and password (ie. that exist on LDAP), I get an "HTTP Status 403 - Access to the requested resource has been denied" error message and have not been able to resolve this problem.
Has anybody have the same problem or know what I can do to resolve this? Please?
As soon as I enter a valid username and password (ie. that exist on LDAP), I get an "HTTP Status 403 - Access to the requested resource has been denied" error message and have not been able to resolve this problem.
Has anybody have the same problem or know what I can do to resolve this? Please?
login.jsp:
==========
<form action="j_security_check" method="post" name="loginFrom">
web.xml:
========
<security-constraint>
<display-name>Administrator Constraint</display-name>
<web-resource-collection>
<web-resource-name>Administrator Constraint</web-resource-name>
<description></description>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.do</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>SystemAdministrator</role-name>
<role-name>StandardUser</role-name>
<role-name>QualityChecker</role-name>
<role-name>TeamLeader</role-name>
<role-name>QualityAssessor</role-name>
<role-name>ViewOnlyUser</role-name>
<role-name>StandardUserFO</role-name>
<role-name>StandardUserBO</role-name>
<role-name>Administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ldap-security</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp?error=true</form-error-page>
</form-login-config>
</login-config>
jboss-web.xml:
==============
<security-domain>java:/jaas/ldap-security</security-domain>
login-config.xml:
==================
<application-policy name="ldap-security">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://fnb400:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.security.principal">cn=wasadmin,o=fnbinsuranceprdmass</module-option>
<module-option name="java.naming.security.credentials">password</module-option>
<module-option name="principalDNPrefix">cn=</module-option>
<module-option name="principalDNSuffix">,o=fnbinsuranceprdmass</module-option>
<module-option name="rolesCtxDN">cn=Administrator,o=fnbinsuranceprdmass</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="searchTimeLimit">5000</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
</login-module>
</authentication>
</application-policy>
giltjr
What is the exact resource that you are not authorized to access?
ASKER
I'm not exactly sure, as this is a system that was written by somebody else specifically for Websphere (it is currently running without any problems on WAS) and I need to get it running on JBoss. I am not all that familiar with the j_security_check action and have very little time to get up to speed with all the technologies referenced by the code, but it would seem that the RESOURCE that I'm not authorized to access, is a jsp that it tries to forward to after login, portalRedirector.jsp.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Okay, I will download and try out wireshark to test the LDAP calls. Will let you know what the results are. And yes, I am connecting to the same LDAP server that WAS is using. Not sure about the type of LDAP server, will find that out for you too. Thank you for your help thus far. I am quite concerned as I have been stuck with this problem for quite a while.
ASKER
I installed wireshark and did a "capture" while clicking on the login button on the login page. I'm attaching a screen shot of the capture file for you to review the communication between jboss and ldap on logging in. To my knowledge the LDAP calls seem fine, I can see a successful bindResponse for both the user (cn=0005098M,o=fnbinsuranc
If this means LDAP is working and something is wrong with the security descriptors, which ones and should I post them for you?
The LDAP server type is IBM Secureway.
wireshark-prnt-scrn.PNG
If this means LDAP is working and something is wrong with the security descriptors, which ones and should I post them for you?
The LDAP server type is IBM Secureway.
wireshark-prnt-scrn.PNG
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Okay, I've clicked on the "Follow TCP Stream" and here is what I get from the LDAP packets (it doesn't say anything about successful query or any role(s)):
The entire conversation for info "localinfosrvr > ldap [ACK]":
==========================
04...`/....!cn=0005098M,o=
......
The entire conversation for info bindRequest(1) :
==========================
04...`/....!cn=0005098M,o=
......
The entire conversation for another bindRequest:
==========================
05...`0....!cn=wasadmin,o=
......0"...B...0...2.16.84
I looked at a couple of the TCP packets as well, couldn't find anything containing the roles. Does this mean that the roles are not returned? There wasn't anything about a security violation, I take it you're talking about the security violation on jboss right? What would be the next step to fix this?
The entire conversation for info "localinfosrvr > ldap [ACK]":
==========================
04...`/....!cn=0005098M,o=
......
The entire conversation for info bindRequest(1) :
==========================
04...`/....!cn=0005098M,o=
......
The entire conversation for another bindRequest:
==========================
05...`0....!cn=wasadmin,o=
......0"...B...0...2.16.84
I looked at a couple of the TCP packets as well, couldn't find anything containing the roles. Does this mean that the roles are not returned? There wasn't anything about a security violation, I take it you're talking about the security violation on jboss right? What would be the next step to fix this?
ASKER
Is giltjr still around?
Yes, missed the e-mail. As I don't know you full structure do you see anything in the trace about group names, or anything that maps back to the role names? Off hand I don't. This would mean that JBOSS is not sending a LDAP query to get this information.
I will have to check with somebody at my work, but I believe in our WebSphere environment that our initial login page is setup to that anybody with a valid userid and password can see it, then our applications issues "Java/J2EE" requests that causes WebSphere to issue LDAP commands that get the groups the user is in and this is mapped to roles.
I will have to check with somebody at my work, but I believe in our WebSphere environment that our initial login page is setup to that anybody with a valid userid and password can see it, then our applications issues "Java/J2EE" requests that causes WebSphere to issue LDAP commands that get the groups the user is in and this is mapped to roles.
ASKER
This is why I post the entire conversations, there is nothing about groups/roles here, when you look at these traces can you see that they're missing stuff? How do I get Jboss to send this LDAP query that you're talking about? Isn't it suppose to happen after binding? When you're talking about something that would map back to a role name, what would a typical "mapping" look like? I did the "follow stream" on the LDAP packages as you suggested and all I found were these conversations:
The entire conversation for info "localinfosrvr > ldap [ACK]":
==========================
04...`/....!cn=0005098M,o=
......
The entire conversation for info bindRequest(1) :
==========================
04...`/....!cn=0005098M,o=
......
The entire conversation for another bindRequest:
==========================
05...`0....!cn=wasadmin,o=
......0"...B...0...2.16.84
is it possible that the "a" or "B" could be a type of mapping? And where could I check for these?
In the very first question, I posted all the setup and configuration I've done to connect to the LDAP server. Did I miss anything? Is my login-config.xml correct? Okay so, for argument sake, if these aren't mappings, how do I get the roles back?
The entire conversation for info "localinfosrvr > ldap [ACK]":
==========================
04...`/....!cn=0005098M,o=
......
The entire conversation for info bindRequest(1) :
==========================
04...`/....!cn=0005098M,o=
......
The entire conversation for another bindRequest:
==========================
05...`0....!cn=wasadmin,o=
......0"...B...0...2.16.84
is it possible that the "a" or "B" could be a type of mapping? And where could I check for these?
In the very first question, I posted all the setup and configuration I've done to connect to the LDAP server. Did I miss anything? Is my login-config.xml correct? Okay so, for argument sake, if these aren't mappings, how do I get the roles back?
You need to talk to both the application developers and to whomever manages the WAS enviroment and see how this is setup and works there.
From what you have provided I can see you have told JBOSS about the role names. Normally the application will get this information or ask JBOSS to get it.
Did you setup the WAS enviroment?
From what you have provided I can see you have told JBOSS about the role names. Normally the application will get this information or ask JBOSS to get it.
Did you setup the WAS enviroment?
ASKER
No, I did not setup the WAS environment, and the application developers and people who setup the WAS environment are both long gone. If I could speak to them, I wouldn't be posting my question on here.
I don't understand your advice anymore. Do you have experience with setting up LDAP connections on Jboss? Or should I be speaking to a different expert? Perhaps you could refer me to somebody else with this experience if you can't help.
Initially you said I should use WireShark to see if LDAP is working fine, I did the WireShark thing and posted all the LDAP conversations for you to see, still you are unable to tell me if the LDAP conversation is actually working. You asked me if the roles were returned by LDAP, and it doesn't seem to be. Surely you'll be able to see this by looking at the TCP Streams, or did I misunderstood the TCP Stream? You mentioned something about possible mappings to roles. I have asked you what these mappings would look like, but you didn't answer. Perhaps I'm asking too many questions? Should I try and number?
You mentioned having to talk to people at your work about your Websphere setup. Does this mean you don't really work on JBoss?
I am already 2 weeks overdue, and desperately need help on getting the LDAP authentication/authorizati
I hope I don't sound rude, I'm just kinda in a flat spin, desperate to deliver something asap. Please help!
I don't understand your advice anymore. Do you have experience with setting up LDAP connections on Jboss? Or should I be speaking to a different expert? Perhaps you could refer me to somebody else with this experience if you can't help.
Initially you said I should use WireShark to see if LDAP is working fine, I did the WireShark thing and posted all the LDAP conversations for you to see, still you are unable to tell me if the LDAP conversation is actually working. You asked me if the roles were returned by LDAP, and it doesn't seem to be. Surely you'll be able to see this by looking at the TCP Streams, or did I misunderstood the TCP Stream? You mentioned something about possible mappings to roles. I have asked you what these mappings would look like, but you didn't answer. Perhaps I'm asking too many questions? Should I try and number?
You mentioned having to talk to people at your work about your Websphere setup. Does this mean you don't really work on JBoss?
I am already 2 weeks overdue, and desperately need help on getting the LDAP authentication/authorizati
I hope I don't sound rude, I'm just kinda in a flat spin, desperate to deliver something asap. Please help!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.