Mapping role-names from roles - ldap

I configured an LDAP realm for Tomcat 7. It searches for someone in the group users; once found, it will authenticate them and allow them to access the application.
This is my realm:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://adldap.mycompany.com:3268"
userSearch="(sAMAccountName={0})"
userSubtree="true"
userBase="DC=mycompany,DC=com"
roleSubtree="true"
roleName="CN"
userRoleName="memberOf"/>
It finds the user, then searches for the corresponding role-names. These are my security constraints, with roles, in the web.xml.
<security-constraint>
<display-name>user</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description>users</description>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
But the user will have roles that look like CN=Domain Users,CN=Users,DC=mycompany,DC=com. So my question is: is there a way I can map that role to the role-name of user? Otherwise I need to define my security constraints like this:
<security-constraint>
<display-name>user</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description>users</description>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
</security-role>

map that role to the role-name of user?
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://adldap.mycompany.com:3268"
userSearch="(sAMAccountName={0})"
userSubtree="true"
userBase="DC=mycompany,DC=com"
roleSubtree="true"
roleName="CN"
userRoleName="sAMAccountName"/>
This should (I could not test it) pull the attribute (sAMAccountName) from the user entry that is authenticated.

Have you tried using
<security-role-ref>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
<role-link>user</role-link>
</security-role-ref>
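As an added example (not code from the question or either answer), a servlet Filter that lets application code ask isUserInRole("user") while the JNDIRealm above keeps reporting each memberOf value, i.e. a full group DN, as the role name. The role-to-DN table and the "admin" entry are hypothetical; note that the container evaluates <auth-constraint> before any filter runs, so web.xml itself must still name the role the realm actually produces (or use security-role-ref, which likewise only affects isUserInRole).

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Maps short application role names to the group DNs that the JNDIRealm
 * reports (one role per memberOf value). Only isUserInRole() calls made by
 * servlets and JSPs behind this filter see the short names; <auth-constraint>
 * in web.xml is enforced by the container before the filter chain starts.
 */
public class GroupDnRoleFilter implements Filter {

    /** Hypothetical mapping; DN strings must match the directory's case exactly. */
    private static final Map<String, String> ROLE_TO_GROUP_DN = new HashMap<String, String>();
    static {
        ROLE_TO_GROUP_DN.put("user", "CN=Domain Users,CN=Users,DC=mycompany,DC=com");
        ROLE_TO_GROUP_DN.put("admin", "CN=Domain Admins,CN=Users,DC=mycompany,DC=com");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequestWrapper mapped = new HttpServletRequestWrapper((HttpServletRequest) req) {
            @Override
            public boolean isUserInRole(String role) {
                String groupDn = ROLE_TO_GROUP_DN.get(role);
                // Unmapped names are denied rather than passed through, so no code
                // path is authorised by a raw DN string or a misspelled role name.
                return groupDn != null && super.isUserInRole(groupDn);
            }
        };
        chain.doFilter(mapped, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```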

Related

How to set auth role programmatically for tomcat 8.5

I have the following config in web.xml:
<security-constraint>
<display-name>Login Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Login Protection</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Login Access</role-name>
</auth-constraint>
</security-constraint>
I have my own Login servlet in which I have authenticated the user and created a session using
HttpSession session = request.getSession(true);
But how do I add the role name "Login Access" to the session?
I found I had to implement a JDBCRealm and use a call in the servlet to authenticate the session:
request.login(username, password);
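An added example (not the asker's code) of the approach in the answer on Tomcat 8.5: request.login() hands the credentials to the realm configured for the context, and the roles that realm returns, here "Login Access", are what <auth-constraint> checks afterwards; the application never writes a role into the session. The /login mapping and the /servlet/home redirect target are assumed.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Programmatic login against the context's realm (a JDBCRealm in the asker's
 * case). Roles come from the realm; the servlet only triggers authentication
 * and then verifies that the expected role was actually granted.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // A session must exist before login() so the authenticator can cache the
        // principal in it; otherwise the login lasts for this request only.
        request.getSession(true);
        try {
            // Throws ServletException on bad credentials or if a user is already
            // authenticated on this request.
            request.login(username, password);
        } catch (ServletException e) {
            // Same answer for unknown user and wrong password: no account enumeration.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate the session id after authentication. Tomcat's authenticator does
        // this by default; doing it here keeps the protection explicit.
        request.changeSessionId();
        if (!request.isUserInRole("Login Access")) {
            // Authenticated but not authorised: drop the principal again.
            request.logout();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.sendRedirect(request.getContextPath() + "/servlet/home");
    }
}
```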

Tomcat 8.5 Basic authentication not working with correct username password

Here is my code; the credentials are not working on the pop-up shown on application load. Please have a look.
tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="admin"/>
<user username="admin" password="admin" role="admin"/>
</tomcat-users>
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Web Application</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
Plus, this application is deployed on Heroku, so I might need help with this too.
Make sure the lines are not commented out.
Also add the lines below instead of <role rolename="admin"/>:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="admin" password="admin" roles="manager-gui,admin-gui"/>
Restart Tomcat and then check.

JAAS configuration in web.xml shows white screen

I try to use JAAS for authentication, so I configured my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin</web-resource-name>
<url-pattern>/servlets/ForbiddenServlet</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Admin</realm-name>
<form-login-config>
<form-login-page>/../pages/login.jsp</form-login-page>
<form-error-page>/../pages/error.jsp</form-error-page>
</form-login-config>
</login-config>
If I go to my ForbiddenServlet page there's just a white screen...
I thought the login.jsp would be shown.
If I don't use FORM and use BASIC instead, it works fine!
EDIT: with "it works fine!" I don't mean that the login.jsp is shown,
but a default login window pops up.
form-login-page and form-error-page are paths relative to the webapp root. I think you should remove the "/.." part.

Appropriate practice for security-constraint in web.xml

I can restrict access to a web application by defining (among other things) a security-constraint in web.xml. Each security-constraint consists of 1) <web-resource-collection>, which contains a set of restricted resources, and 2) <auth-constraint>, which contains a set of authorized users (security roles) that can access the web-resource-collection defined in this constraint.
So I think that in each constraint I can either a) define a single resource (address) and a set of authorized users, or b) define a set of resources (addresses) and a single authorized user.
Am I right? What should my approach be?
For example, I defined constraints like this:
<security-constraint>
<display-name>ConstraintAdminUser</display-name>
<web-resource-collection>
<web-resource-name>adminResources</web-resource-name>
<url-pattern>/protected/admin/*</url-pattern>
<url-pattern>/protected/main/*</url-pattern>
<url-pattern>/protected/user/*</url-pattern>
<url-pattern>/protected/lang/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>AdminUserRole</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>ConstraintUserOnly</display-name>
<web-resource-collection>
<web-resource-name>userResources</web-resource-name>
<url-pattern>/protected/main/*</url-pattern>
<url-pattern>/protected/user/*</url-pattern>
<url-pattern>/protected/lang/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>UserOnlyRole</role-name>
</auth-constraint>
</security-constraint>
But I don't know if it is a "right way" to do :)

adding security to embedded jetty

I have a problem configuring BASIC auth in Jetty.
Here's my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>resources</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
And here's my Java code where I try to add a LoginService:
HashLoginService myrealm = new HashLoginService("MyRealm");
myrealm.setConfig("src/main/resources/jetty-realm.properties");
root.getSecurityHandler().setLoginService(myrealm);
My jetty-realm.properties file has the following user:
user: Lag976JGQdeosfQM,user
I can make a connection but I can't authenticate, and I've been stuck on this for a long time now, so whoever helps me out gets a free digital beer! ;)
OK, so I've found out what I didn't do:
you have to start a LoginService before you can use it, so I changed my Java code to
HashLoginService myrealm = new HashLoginService("MyRealm");
myrealm.setConfig("src/main/resources/jetty-realm.properties");
myrealm.start();
root.getSecurityHandler().setLoginService(myrealm);
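As an added example (not the asker's code), the same BASIC-auth setup built fully in Java against Jetty 9.4: the LoginService is registered as a server bean so the server starts and stops it, which is the lifecycle step the answer above fixes with myrealm.start(), and the web.xml constraint is expressed with Constraint/ConstraintMapping. The resource base path is assumed.

```java
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;

public class SecuredEmbeddedJetty {

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // Same realm name as <realm-name>MyRealm</realm-name> in the web.xml above;
        // the properties file is the one from the question.
        HashLoginService loginService = new HashLoginService("MyRealm");
        loginService.setConfig("src/main/resources/jetty-realm.properties");
        // As a server bean the service is started and stopped together with the
        // server; this replaces the explicit myrealm.start() from the answer.
        server.addBean(loginService);

        ServletContextHandler root = new ServletContextHandler(server, "/",
                ServletContextHandler.SESSIONS | ServletContextHandler.SECURITY);
        root.setResourceBase("src/main/resources/static"); // assumed location
        root.addServlet(DefaultServlet.class, "/resources/*");

        // Programmatic form of the <security-constraint>: /resources/* requires an
        // authenticated user holding role "user"; no other role is accepted.
        Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "user");
        constraint.setAuthenticate(true);
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/resources/*");
        mapping.setConstraint(constraint);

        // The SECURITY option created a ConstraintSecurityHandler for the context.
        ConstraintSecurityHandler security = (ConstraintSecurityHandler) root.getSecurityHandler();
        security.setRealmName("MyRealm");
        security.setAuthenticator(new BasicAuthenticator());
        security.setLoginService(loginService);
        security.addConstraintMapping(mapping);

        server.start();
        server.join();
    }
}
```

The properties file keeps the page's plaintext format (user: password,role); Jetty also accepts OBF:, MD5: and CRYPT: prefixed values there, so the password need not be stored in clear.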