Tomcat 8.5 Basic authentication not working with correct username password - authentication

Here is my code; the credentials are not working in the pop-up shown on application load. Please have a look.
tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="admin"/>
<user username="admin" password="admin" role="admin"/>
</tomcat-users>
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Web Application</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
Plus, this application is deployed on Heroku, so I might need help with that too.

Make sure the entries are not commented out.
Also add the lines below instead of <role rolename="admin"/>:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="admin" password="admin" roles="manager-gui,admin-gui"/>
Restart Tomcat and then check.

Related

Mapping role-names to roles

I configured an LDAP realm for Tomcat 7. It searches for someone in the group users and, once found, authenticates them and allows them to access the application.
This is my realm:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://adldap.mycompany.com:3268"
userSearch="(sAMAccountName={0})"
userSubtree="true"
userBase="DC=mycompany,DC=com"
roleSubtree="true"
roleName="CN"
userRoleName="memberOf"/>
It finds the user, then searches for the corresponding role names. These are my security constraints with roles in the web.xml:
<security-constraint>
<display-name>user</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description>users</description>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
But the user will have roles that look like CN=Domain Users,CN=Users,DC=mycompany,DC=com. So my question is: is there a way I can map that role to the role-name user? Otherwise I need to define my security constraints like this:
<security-constraint>
<display-name>user</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description>users</description>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
</security-role>
"map that role to the role-name of user?"
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://adldap.mycompany.com:3268"
userSearch="(sAMAccountName={0})"
userSubtree="true"
userBase="DC=mycompany,DC=com"
roleSubtree="true"
roleName="CN"
userRoleName="sAMAccountName"/>
This should (I could not test it) pull the attribute (sAMAccountName) from the user entry that is authenticated.
Have you tried using
<security-role-ref>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
<role-link>user</role-link>
</security-role-ref>
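The DNs that a JNDIRealm reads through userRoleName="memberOf" have to be reduced to a group name before they can be compared with a web.xml role-name. This added example (not part of the question or answer, and not Tomcat's own code) parses such DNs with RFC 4514 backslash escaping, which a naive split on "," gets wrong, and applies an assumed group-to-role table; the sample DNs and GROUP_TO_ROLE are constructed.

```python
# Constructed memberOf values, as the realm in the question would read them from the user entry.
MEMBER_OF = [
    "CN=Domain Users,CN=Users,DC=mycompany,DC=com",
    "CN=App Admins,OU=Groups,DC=mycompany,DC=com",
    "CN=Smith\\, John,OU=People,DC=mycompany,DC=com",  # escaped comma inside a value
]

# Assumed mapping from group CN (what roleName="CN" selects) to a web.xml role-name.
GROUP_TO_ROLE = {"Domain Users": "user", "App Admins": "admin"}


def parse_dn(dn: str) -> list:
    """Split an RFC 4514 DN into (attribute, value) pairs, honouring backslash escapes."""
    pairs, buf, attr, i = [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:      # first '=' separates type from value
            attr, buf = "".join(buf).strip(), []
        elif c == ",":                     # unescaped ',' ends the RDN
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def rdn_value(dn: str, attr: str = "CN") -> str:
    """Value of the first RDN of the given type, i.e. the group's own name for CN=...,OU=..."""
    for a, v in parse_dn(dn):
        if a is not None and a.upper() == attr.upper():
            return v
    return ""


def roles_for(member_of: list, mapping: dict) -> set:
    """Application roles for a user; groups without a mapping contribute nothing."""
    return {mapping[rdn_value(dn)] for dn in member_of if rdn_value(dn) in mapping}
```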

How can we provide access for all authenticated users (basic authentication) in WebSphere for any role?

For WildFly, any authenticated user can access any protected resource with the change below in web.xml:
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
inside security-constraint, and by defining the security role as below:
<security-role>
<role-name>*</role-name>
</security-role>
But the same does not work for WebSphere; it throws an authorisation failed exception. To make it work, the change below is required in the WebSphere Admin Console:
WAS Admin Console -> Applications -> Enterprise Applications -> click the .EAR
Click "Security role to user/group mapping".
Select the roles you wish to use for authentication (in my case it is *, defined in web.xml).
Map special subject to "All authenticated in Application Realm".
How can I skip the Admin Console change to make it work, or is there any better approach?
What works for me is that I define the following in my web.xml:
<security-role>
<role-name>role1</role-name>
</security-role>
<security-role>
<role-name>role2</role-name>
</security-role>
<security-constraint>
<display-name>All Authenticated</display-name>
<web-resource-collection>
<web-resource-name>
All Authenticated Pages
</web-resource-name>
<url-pattern>/webpage.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
<role-name>role2</role-name>
</auth-constraint>
</security-constraint>
Essentially this defines the roles and then a separate definition for the pages and the roles that will be permitted to access it.
And then I also define an ibm-application-bnd.xml in my EAR File as follows:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
version="1.2">
<security-role name="role1">
<group name="role1" />
</security-role>
<security-role name="role2">
<group name="role2" />
</security-role>
</application-bnd>
This one, I think, WebSphere uses to map your defined roles to its groups.
Hope this helps or moves you forward.
To achieve the above goal, i.e. authorization for all authenticated users in WebSphere, create one logical role (no need to create any physical group), say "AllAuthneticated", in web.xml and use it as the authorization constraint:
<auth-constraint>
<role-name>AllAuthneticated</role-name>
</auth-constraint>
<security-role>
<role-name>AllAuthneticated</role-name>
</security-role>
And then define an ibm-application-bnd.xml in EAR File as follows:
<security-role name="AllAuthneticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
The above role mapping will allow all authenticated users to access the protected resource.

JAAS configuration in web.xml shows white screen

I am trying to use JAAS for authentication, so I configured my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin</web-resource-name>
<url-pattern>/servlets/ForbiddenServlet</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Admin</realm-name>
<form-login-config>
<form-login-page>/../pages/login.jsp</form-login-page>
<form-error-page>/../pages/error.jsp</form-error-page>
</form-login-config>
</login-config>
If I go to my ForbiddenServlet page there is just a white screen...
I thought the login.jsp would be shown.
If I don't use FORM and use BASIC instead, it works fine!
EDIT: with "it works fine!" I don't mean that the login.jsp is shown,
but that a default login window pops up.
form-login-page and form-error-page are paths relative to the webapp root. I think you should remove the "/.." part.

adding security to embedded jetty

I have a problem configuring BASIC auth in Jetty.
Here's my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>resources</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
And here's my Java code where I try to add a LoginService:
HashLoginService myrealm = new HashLoginService("MyRealm");
myrealm.setConfig("src/main/resources/jetty-realm.properties");
root.getSecurityHandler().setLoginService(myrealm);
My jetty-realm.properties file has the following user:
user: Lag976JGQdeosfQM,user
I can make a connection but I can't authenticate, and I've been stuck on this for a long time now, so whoever helps me out gets a free digital beer! ;)
OK, so I've found out what I didn't do:
you have to start a LoginService before you can use it, so I changed my Java code to:
HashLoginService myrealm = new HashLoginService("MyRealm");
myrealm.setConfig("src/main/resources/jetty-realm.properties");
myrealm.start();
root.getSecurityHandler().setLoginService(myrealm);

Tomcat Protect files

Does anyone know if Tomcat is able to password-protect a file (like Apache .htaccess)?
I mean, when a user requests a file from a Tomcat webapp, it prompts a dialogue to enter a username and password, and this is done using configuration.
Or protect the file depending on the client's IP address.
Hope someone can help me?
Regards
You can set up basic authentication in Tomcat.
Add your user to tomcat-users.xml. Something like:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="myname" password="mypassword" roles="tomcat"/>
<user username="test" password="test"/>
</tomcat-users>
And add the configuration to your app's web.xml, like:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/references/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>your-role</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>your-role</role-name>
</security-role>
Links to understand more:
http://www.avajava.com/tutorials/lessons/how-do-i-use-basic-authentication-with-tomcat.html
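The first question on this page and the answer just above both pair a web.xml with a tomcat-users.xml, and in both the two files do not agree (the question grants roles with role= instead of roles=; the answer above constrains your-role while its users hold tomcat). This added example, not from any post here and not Tomcat's own tooling, cross-checks such a pair with the standard library: it reports roles no user holds, roles used but not declared, the role/roles attribute mismatch, and constraints that list only some HTTP methods, which leaves the remaining methods unprotected unless deny-uncovered-http-methods is set. The two inputs are constructed copies of the first question's files.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the first question's web.xml, wrapped in a <web-app> root.
WEB_XML = """<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>Web Application</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
<security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Constructed copy of the first question's tomcat-users.xml (note role= rather than roles=).
TOMCAT_USERS = """<tomcat-users>
<role rolename="admin"/>
<user username="admin" password="admin" role="admin"/>
</tomcat-users>"""


def lint(web_xml: str, tomcat_users: str) -> list:
    """Cross-check web.xml against tomcat-users.xml; returns a list of findings."""
    findings = []
    app = ET.fromstring(web_xml)
    # {*} matches any namespace, so a web.xml with xmlns="...javaee" is handled too.
    declared = {r.text.strip() for r in app.iterfind(".//{*}security-role/{*}role-name")}
    deny_uncovered = app.find("{*}deny-uncovered-http-methods") is not None
    for sc in app.iterfind("{*}security-constraint"):
        for wrc in sc.iterfind("{*}web-resource-collection"):
            methods = [m.text.strip() for m in wrc.iterfind("{*}http-method")]
            if methods and not deny_uncovered:
                # Listing methods constrains only those; PUT, DELETE, ... stay open.
                urls = [u.text for u in wrc.iterfind("{*}url-pattern")]
                findings.append(f"{urls}: only {methods} constrained, other methods uncovered")
    required = {r.text.strip() for r in app.iterfind(".//{*}auth-constraint/{*}role-name")} - {"*"}
    for role in sorted(required - declared):
        findings.append(f"role '{role}' used in auth-constraint but missing from security-role")
    granted = set()
    for u in ET.fromstring(tomcat_users).iterfind("{*}user"):
        if "role" in u.attrib and "roles" not in u.attrib:
            findings.append(f"user '{u.get('username')}': attribute is 'role'; Tomcat reads 'roles'")
        granted.update(r.strip() for r in u.get("roles", "").split(",") if r.strip())
    for role in sorted(required - granted):
        findings.append(f"no user in tomcat-users.xml holds role '{role}'")
    return findings
```

An empty list means the pair is consistent; the constructed inputs above produce three findings, and they drop to none once roles= is used and deny-uncovered-http-methods is added to web.xml.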