
Glassfish role to LDAP group mapping (JSPWiki)

8 replies [Last post]
davenz
Offline
Joined: 2008-09-09
Points: 0

Hi All,

I have seen from forum searches that similar questions have been asked in the past (e.g. http://www.java.net/node/783668) but without any apparent resolution. Would someone kindly be able to look at the issue I have here and point me to what I am doing wrong?

I am using Glassfish 3.0.1 build 22. My LDAP server is OpenDJ 2.4.2. Both are running on the same host system.

In my particular example, I am trying to integrate JSPWiki with Glassfish and OpenDJ for container based authentication. I have got as far as being able to authenticate LDAP users successfully to JSPWiki, but it appears that group information is not being retrieved.

These are the steps I have followed. I will also attach copies of my web.xml, sun-web.xml, and jspwiki.policy files.

1) I have deployed JSPWiki v2.8.3 as a web application successfully in Glassfish.

2) In Glassfish under Configuration -> Security -> Realms, I have created an LDAP realm with the following settings as copied from the Glassfish admin GUI:

Realm Name: JSPWikiUsers

Class Name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm

JAAS Context: ldapRealm

Directory: ldap://mycomputer:1389

Base DN: ou=People,dc=example,dc=co,dc=nz

The Assign Groups field has been left blank. My test directory does not permit anonymous connections, so I have added the search-bind-password and search-bind-dn properties along with the relevant values.

I have added the group-base-dn property, and given it the value ou=Groups,dc=example,dc=co,dc=nz

3) In Glassfish under Configuration -> Security, I have made JSPWikiUsers the default realm. I have then restarted Glassfish.

4) I have then configured JSPWiki to enable container based authentication. JSPWiki supports this out of the box, as stated in the jspwiki.properties file in a default configuration:

"A) CONTAINER AUTHENTICATION - JSPWiki will always (passively) collect credentials supplied by your servlet container, via HttpServletRequest.getUserPrincipal/getRemoteUser. You do not need to do anything to enable this. In addition, you can cause JSPWiki users to log in to the web container by uncommenting the security-constraint elements in WEB-INF/web.xml."

I have attached a copy of my web.xml file. As you can see, I have defined two roles: "wiki-users" for all authenticated users, and "wiki-admin" for JSPWiki administrative users.

5) In OpenDJ, I have created the relevant users under the People OU. Some sample LDIF data, as copied from the OpenDJ control panel for my test LDAP user account, follows:

dn: cn=Dave K,ou=People,dc=example,dc=co,dc=nz
cn: Dave K
gidNumber: 119
givenName: Dave
homeDirectory: /home/dave
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: K
uid: dave

6) In OpenDJ, I have created the wiki-admin and wiki-users groups in the Groups OU. A sample of the LDIF data for the wiki-users entry follows:

dn: cn=wiki-users,ou=Groups,dc=example,dc=co,dc=nz
cn: wiki-users
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=Dave K,ou=People,dc=example,dc=co,dc=nz

7) I have created the sun-web.xml file and placed it in the same WEB-INF directory as my web.xml file. I have attached the file itself, and you can see that I am mapping the roles I have defined in web.xml to what should be my LDAP groups.

8) Finally, I have modified the jspwiki.policy file so that it should only allow users in the wiki-users and wiki-admin groups to modify JSPWiki pages. I have attached this file as well.

Observations:

Upon rebooting the domain, I can indeed log in to JSPWiki successfully as an LDAP user, using the uid of "dave" for the example account. However, I can log in as *any* LDAP user in the People OU, not just those that are unique members of wiki-users. Furthermore, logging in as the LDAP user "dave", I would expect to have the ability to modify wiki pages (i.e. edit etc.) if the wiki-users role was successfully being mapped to the wiki-users group. This isn't the case however, and my test LDAP user can only view pages, which is what would be expected as defined by the "All" role in the jspwiki.policy file, i.e. all users have the ability to view pages and edit their own profile information only. JSPWiki reports that the user is not authorized to edit pages.

Based on this and the other forum posts describing similar issues regarding role to LDAP group mapping, I believe the mapping in my case is not working for whatever reason. Does anyone have any pointers here?

Cheers,
Dave

davenz
Offline
Joined: 2008-09-09
Points: 0

Anybody? I'm surely not the only person with this problem.

davenz
Offline
Joined: 2008-09-09
Points: 0

Or do I just give up on Glassfish and use Tomcat?

nitkal
Offline
Joined: 2008-10-22
Points: 0

Hi,

Can you please try the following and let us know?

1. Add another property to the ldap realm:

group-mapping= , e.g. group-mapping=wiki-admins

2. Just to be sure, can you provide a group-search-filter property with value: uniqueMember=%d

group-search-filter=uniqueMember=%d

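To see what the realm properties discussed in this thread (search-filter uid=%s, group-search-filter uniqueMember=%d, group-base-dn, group-target cn) should resolve to for the posted LDIF, here is an added example that is not GlassFish, JSPWiki or the poster's code: it replays the LDAPRealm user and group lookups offline and then applies a sun-web.xml style role-to-group mapping. The ROLE_MAPPING dict is an assumption, since the attached sun-web.xml is not shown in the thread.

```python
import re
# Constructed LDIF: the two entries quoted in the post, trimmed to what matters.
LDIF = """\
dn: cn=Dave K,ou=People,dc=example,dc=co,dc=nz
uid: dave

dn: cn=wiki-users,ou=Groups,dc=example,dc=co,dc=nz
cn: wiki-users
uniqueMember: cn=Dave K,ou=People,dc=example,dc=co,dc=nz
"""
# Realm properties from the thread (GlassFish LDAPRealm property names).
REALM = {"base-dn": "ou=People,dc=example,dc=co,dc=nz", "search-filter": "uid=%s",
         "group-base-dn": "ou=Groups,dc=example,dc=co,dc=nz",
         "group-search-filter": "uniqueMember=%d", "group-target": "cn"}
# Assumed sun-web.xml <security-role-mapping>: role-name -> group-name (file not shown).
ROLE_MAPPING = {"wiki-users": "wiki-users", "wiki-admin": "wiki-admin"}

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}} for each blank-line separated entry."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            k, _, v = line.partition(":")
            attrs.setdefault(k.strip().lower(), []).append(v.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def norm(value):  # case-fold and drop spaces around ',' and '=' so DNs compare reliably
    return re.sub(r"\s*([,=])\s*", r"\1", value.strip()).lower()

def search(entries, base, filt):
    """One-attribute equality search ('attr=value') over entries below base."""
    attr, _, value = filt.partition("=")
    return [dn for dn, attrs in entries.items()
            if norm(dn).endswith("," + norm(base))
            and norm(value) in {norm(x) for x in attrs.get(attr.lower(), [])}]

def resolve_groups(entries, realm, username):
    """Replay LDAPRealm: user search (%s), then group search (%d); return (dn, groups)."""
    users = search(entries, realm["base-dn"], realm["search-filter"].replace("%s", username))
    if len(users) != 1: return None, set()  # login fails unless exactly one user matches
    groups = search(entries, realm["group-base-dn"],
                    realm["group-search-filter"].replace("%d", users[0]))
    return users[0], {entries[g][realm["group-target"]][0] for g in groups}

def roles_for(groups, mapping=ROLE_MAPPING):
    """Apply the sun-web.xml mapping: a role is granted only if its group resolved."""
    return {role for role, grp in mapping.items() if grp in groups}
```

With the posted entries, user "dave" resolves to the DN cn=Dave K,ou=People,... and the group wiki-users, so the wiki-users role should be granted; if a real server returns no group here, the DN stored in uniqueMember and the DN the realm substitutes for %d are the first things to compare.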
davenz
Offline
Joined: 2008-09-09
Points: 0

Hi Nitkal,

Do you have any pointers as to what is going on here based on the information I've collected thus far?

Cheers,

Dave

davenz
Offline
Joined: 2008-09-09
Points: 0

Thanks for your reply. Before making the changes you have suggested, I have altered my jspwiki.policy file so that it reads like the attached. In summary, this is the policy file in its default state, with only the following changes:

- the "Admin" container role with the "All" permission has been renamed to "wiki-admin"
- the "wiki-users" container role has been added and granted the "All" permission.

As I understand it, if container role to group mapping works successfully, then any user in the LDAP group "wiki-admin" or "wiki-users" should have complete control over the wiki (best represented by the ability to delete pages).

I have then enabled the Security Configuration diagnostic UI in JSPWiki, which is a way to determine JSPWiki's understanding of its security configuration. JSPWiki successfully detects the presence of these roles in its web.xml file, and you can see from the two attached screengrabs that the roles should indeed have "All" permissions over the wiki.

For my LDAP realm, I have then added the group-mapping property with a value of wiki-admin. I have also added the group-search-filter with the value of "uniqueMember=%d" as you have suggested. Unfortunately this has not changed the behaviour described in my original post: logging in with the UID "Dave K" I can authenticate but do not apparently have "All" permissions.

Finally, I have attached the output of the Glassfish server log, captured at the point the "Dave K" user logs in to JSPWiki. The errors which read "JACC Policy Provider: Failed Permission Check" could be of relevance.

Cheers,
Dave

davenz
Offline
Joined: 2008-09-09
Points: 0

So I have upgraded to Glassfish v3.1.1 Build 12 and I see the exact same thing.

Anyone?

Cheers,

Dave

davenz
Offline
Joined: 2008-09-09
Points: 0

I am going to keep bumping this, as

a) I am sure someone has the answer,

b) it shouldn't be this difficult,

c) This is community support after all.

davenz
Offline
Joined: 2008-09-09
Points: 0

I have solved this and blogged the solution here, for anyone interested:

http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authenticatio...