How to specify multiple roles to authenticate the JNDIRealm in Tomcat 9 - authentication

In a Tomcat 9 I have a LDAP authentication running via the JNDIRealm. So my server.xml contains:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://mysub.mydomain.com:1234"
userSubtree="true"
userBase="OU=Name A,OU=Name B,DC=doma,DC=domb,DC=com"
userSearch="(xyzAccountName={0})"
userRoleName="memberof"
roleBase="OU=Groups,DC=doma,DC=domb,DC=com"
roleName="CN"
roleSearch="(memberOf={0})"
roleSubtree="true"
roleNested="true"/>
When I use this in a JSP page displaying request.getUserPrincipal().getName() I see:
GenericPrincipal[USERNAME(CN=Special Users,OU=Name C,OU=Groups,DC=doma,DC=domb,DC=com,CN=Other Users,OU=Name D,DC=doma,DC=domb,DC=com,CN=All Users,OU=Name D,DC=doma,DC=domb,DC=com,)]
So the user USERNAME is authenticated via the roles Special Users, Other Users and All Users.
I now want only users with the roles Special Users and Other Users to be allowed to see this JSP page. Users who have only the All Users role should be rejected by Tomcat (getting a 401 or 403 error).
How do I do this? I tried setting
userRoleName="Special Users,Other Users"
in the JNDIRealm, but that doesn't work at all.
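The restriction belongs in the web application's deployment descriptor rather than in the realm: the JNDIRealm only builds the list of role names, and the auth-constraint in web.xml decides which of them may reach a URL. Two checks first: with userRoleName="memberof" the realm uses the raw attribute values, so the role names it produces are the full group DNs seen in the principal dump, and that dump also shows Other Users living outside OU=Groups. The following is an added example, not the question's own config: it derives bare CN role names from the group entries, widens roleBase accordingly, assumes Active Directory style member attributes and a JSP under /restricted/, and uses BASIC login only for brevity.

```xml
<!-- server.xml (added example): derive role names from the group entries so the
     realm yields "Special Users" rather than the group's full DN. userRoleName is
     dropped for that reason. {0} is the authenticated user's DN; on Active
     Directory a group lists its members in the "member" attribute. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://mysub.mydomain.com:1234"
       userSubtree="true"
       userBase="OU=Name A,OU=Name B,DC=doma,DC=domb,DC=com"
       userSearch="(xyzAccountName={0})"
       roleBase="DC=doma,DC=domb,DC=com"
       roleSubtree="true"
       roleNested="true"
       roleSearch="(member={0})"
       roleName="CN"/>
<!-- roleBase is the domain root because "Other Users" sits in OU=Name D, not
     under OU=Groups; a narrower base would silently drop that role. -->

<!-- WEB-INF/web.xml (added example): the realm only produces the role list;
     this constraint decides which roles may reach the page.
     Assumes the JSP lives under /restricted/. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted pages</web-resource-name>
    <!-- No <http-method> elements: listing some methods would leave the
         unlisted ones unprotected. -->
    <url-pattern>/restricted/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Must match the CN values exactly; "All Users" is deliberately absent -->
    <role-name>Special Users</role-name>
    <role-name>Other Users</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>LDAP</realm-name>
</login-config>

<!-- Declare every role referenced in an auth-constraint; Tomcat logs a
     warning for roles used without a matching security-role. -->
<security-role><role-name>Special Users</role-name></security-role>
<security-role><role-name>Other Users</role-name></security-role>
```

With this in place an unauthenticated request to /restricted/ gets a 401 challenge, and a user who authenticates but holds only All Users gets a 403 from the container before the JSP runs.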

Related

When do the groups associated with an LDAP user get updated in Artifactory?

RE: https://jfrog.com/knowledge-base/when-do-the-groups-associated-with-an-ldap-user-get-updated-in-artifactory/
The Knowledge Base article above says:
"LDAP user authentication requests using Encrypted password or plain text password will update the LDAP group association changes from the LDAP server."
We've added a user to a group, but that user still can't see the artifacts governed by that group even after he has logged in. How can we cause Artifactory to update its group membership cache?
Please ask the user to log out and log back in after being added to the groups. Artifactory will try to reach the LDAP server to validate the credentials and then get the groups associated with the user, as returned from the LDAP server.
There is a chance that the LDAP cache mentioned here https://www.jfrog.com/confluence/display/JFROG/LDAP#LDAP-Non-UIAuthenticationCache might affect the groups to be associated if the user session is not hitting the LDAP server.

Configure Tomcat 8 with LDAP realm

I have a problem with the configuration of an LDAP server on Tomcat 8.
I have an LDAP server configured and working on a WAS 8.5 server and I would like to configure the same LDAP on Tomcat.
The WAS configuration is (translating from Italian):
User filter: (&(cn=%v)(objectclass=inetOrgPerson))
Group filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
User ID map: *:cn
Group ID map: *:cn
Map ID member of group: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
The Realm tag in server.xml on tomcat is:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="10"
connectionURL="ldap://192.168.0.3:389"
userBase="o=organization,c=it"
userSearch="(cn={0})"
userSubtree="true"
connectionName="cn=test,cn=Directory Administrators,o=organization,c=it"
connectionPassword="testpass"
/>
How can I fill the Realm tag with the role attributes?
And in the web.xml, what role do I have to specify? I just want to grant access to all authenticated users.
I think you are already well on your way to authenticate users with the above settings.
Roles
For roles/groups, you can translate the WAS settings as follows:
<...your config...
roleBase="o=organization,c=it"
roleSubtree="true"
roleSearch="(&amp;(uniqueMember={0})(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
roleName="cn"/>
The roles that a user is assigned in Tomcat will then be a list of group names from the directory. As this may vary, you will need to set up a number of groups beforehand which are listed in your web.xml. Assigning those groups to users will then give them the appropriate access.
Authenticated Users
If you just want to allow any authenticated user, you can set the attribute allRolesMode to authOnly like this:
<...your config...
allRolesMode="authOnly"/>
Your web.xml should then use * for the role specification like this:
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
Maybe you should also set the security-role element as indicated here: Tomcat security constraint for valid user
Personally I have no setup which uses authOnly but I know it can be done and have seen it in action.
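Carrying the WAS filters over literally, as an added example rather than the answerer's own config: the ampersands must be escaped as &amp; inside server.xml, the group filter matches on both member and uniqueMember as the WAS member-of-group map does, and allRolesMode="authOnly" pairs with the <role-name>*</role-name> constraint shown above. Host, base DN and bind account are the question's values; the debug attribute is dropped because current Tomcat versions log a warning for attributes the Realm does not have.

```xml
<!-- server.xml Realm (added example translating the WAS settings above).
     {0} in roleSearch is the DN of the user found by userSearch. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://192.168.0.3:389"
       connectionName="cn=test,cn=Directory Administrators,o=organization,c=it"
       connectionPassword="testpass"
       userBase="o=organization,c=it"
       userSubtree="true"
       userSearch="(&amp;(cn={0})(objectclass=inetOrgPerson))"
       roleBase="o=organization,c=it"
       roleSubtree="true"
       roleSearch="(&amp;(|(member={0})(uniqueMember={0}))(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
       roleName="cn"
       allRolesMode="authOnly"/>
<!-- authOnly: "*" in an auth-constraint admits any authenticated user, so the
     realm still collects group names but they are not needed for access. Leave
     allRolesMode at its default (strict) if named roles must be enforced. -->
```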

liferay 5.2 ldap login method check users in only specifics group

I use Liferay 5.2 and I integrated LDAP with Liferay correctly and activated LDAP login.
I managed to import only users from LDAP which exist in my groups using this configuration :
My problem now is that when I try to log in to Liferay
it checks whether the user exists in all locations in LDAP.
I want the login step to check whether the user exists only in the specific groups that are in my configuration,
meaning at login check the user only in:
testGroup1 and testGroup2 and not in all locations in LDAP

j_security_check is not available if user is already logged in

Apache tomcat version: 6.0.20
If a user is already logged in and tries to log in again from the login page, the error "j_security_check is not available" is encountered. Is this normal behaviour or do I have to do something?
Actually I have different user roles for accessing different pages, and when access to a page is denied to a particular user, I want to redirect him to the login page, where he can log in with the corresponding credentials.
This behavior is normal: the servlet spec only lays out the procedure for container-managed authentication (i.e. login) when the user requests a protected resource and the user has not already provided credentials. All other scenarios are left undefined, including yours.
If you want to capture "forbidden" conditions, you can use <error-page> mappings in your WEB-INF/web.xml to send the user anywhere you want, including a login page. Just remember that the container will only accept a login after the above conditions are true, so you may have to log the user out first (by terminating the user's session).
What I might recommend is a "forbidden" page that says "You don't have access to this resource. If you'd like to log in as a different user to access it, please click [HERE]" where [HERE] is a link to a servlet that terminates the user's session and then redirects to the resource the user was trying to access. This will cause the container to request authentication (i.e. present the login form), verify the credentials, and send the user to the desired resource.
If you are using a container (and webapp) along with version 3.0 of the servlet specification, there is a new HttpServletRequest.login() method that can be used to programmatically log a user into your webapp. You might be able to use that instead of terminating the session and doing all those redirects... instead, you could collect the username and password yourself and then ask the container to do the login for you.

Apache Tomcat 6 presents access denied error instead of authentication challenge

I have two different security constraints in my web app deployed on Apache Tomcat 6, and Tomcat is handling different authentication scenarios for my website.
My Problem:
E.g. page1 is accessible to only user1 and page2 is only accessible to user2. This is working fine.
The problem is that if user1 is logged in and accesses page2 (which is not accessible to user1), an access denied error is presented to him instead of allowing him to log in as a different user. Authentication challenge should be presented if logged in user is
This behavior is mandated by the servlet specification. As suggested by #Rob, you should present your users with some options for dealing with the "unauthorized" condition: for example, logging out and trying to access the resource again (which will ask for new credentials).