
LDAP Authentication

tanww888
Offline
Joined: 2007-07-25

Hi,

I'm having a problem retrieving the value of request.getUserPrincipal().getName(). It always returns a null value. I used a similar configuration in Sun App Server 7 and I didn't have this problem. Here is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!-- root attributes assumed (Java EE 5 / GlassFish V2); the post only preserved the element values -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>Restricted Area</display-name>
        <web-resource-collection>
            <web-resource-name>Restricted Area</web-resource-name>
            <!-- url-pattern is relative to the context root (see the replies below) -->
            <url-pattern>/ldap/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Users</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ldap</realm-name>
        <form-login-config>
            <form-login-page>/logon.jsp</form-login-page>
            <form-error-page>/ldap_error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>All Users</description>
        <role-name>Users</role-name>
    </security-role>
</web-app>

sun-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!-- DOCTYPE omitted; the post only preserved the element values -->
<sun-web-app>
    <context-root>/ldap</context-root>
    <security-role-mapping>
        <role-name>Users</role-name>
        <!-- mapping the wildcard group "*" to a role is questioned in the replies below -->
        <group-name>*</group-name>
    </security-role-mapping>
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
        </property>
    </jsp-config>
</sun-web-app>

Is this a bug in GlassFish V2? Thanks for any help!

Regards,

Johnny

monzillo
Offline
Joined: 2004-05-08

The url-pattern you used in your security-constraint is relative to the context root,
so you have protected /ldap/ldap/*, but I don't think /ldap/* is protected. Maybe that is what you intended.

In any event, I would expect you to be able to access /ldap without authenticating, in which case request.getUserPrincipal() would return null.

Also, in your principal2Role mapping you have attempted to map the Group "*" to
the role "Users". I don't think that will work. You will need to provide the name of the group you want to be mapped to the role.

You might find the following posting useful.

http://blogs.sun.com/monzillo/date/20080115

Ron

tanww888
Offline
Joined: 2007-07-25

Hi Ron,

Thanks for the reply. Yes, I want to protect the web pages under /ldap/*. In that case, what should the url-pattern be? This works under Sun App Server 7.

Also, can I omit the group and role? I just want to allow any employee to authenticate when they access the page. I read the document you provided, but I don't really know what group to use at the moment.

Another way, without dealing with group and role, is to use JAAS authentication, but it requires writing some code.

Thanks!

Regards,

Johnny

monzillo
Offline
Joined: 2004-05-08

> Hi Ron,
>
> Thanks for the reply. Yes, I want to protect the
> web pages under /ldap/*. In that case, what should
> the url-pattern be? This works under Sun App Server
> 7.

You don't include the context root in the url-patterns used
to define security-constraints. It sounds like you want to
protect everything under the context-root "/ldap". If so, you could
use the url-pattern "/*" in your security constraint.

> Also, Can I omit the group and role? I just want to
> allow any employee to authenticate when they access
> the page. I read the document you provide, but I
> don't really know what group to use at the moment.

You need to define a permitted role in the auth-constraint, and you need
to map the established authentication id/principals to a permitted role.

I'll try to describe what I think is the simplest way
for you to set things up to do (what I think) you want:

1. change the url-pattern in your web.xml as described above (i.e., use the
pattern "/*")
-------
2a. Assuming that you want to grant access to principals in the "Users" role, modify the principal-2-role mapping (in sun-web.xml) such that the group "Users" is mapped to the role "Users"
-- or alternatively ---
2b. remove all of the principal-2-role mapping elements from your sun-web.xml and access the admin console via your browser (e.g. http://localhost:4848), navigate to Configurations, open the Security screen, click the enable box next to Default Principal to Role Mapping, and push the save button.
--------

3. access the admin console via your browser, navigate to Configurations -> Security -> Realms -> ldap, add the group "Users" to the "Assign Groups" field, and push the save button.

4. restart the appserver and redeploy your app.

As a result of the change in 3a, the realm will add the Users group principal to every user who successfully authenticates (in addition to their caller principal).

Either of steps 2a or 2b will ensure that any user who has been assigned the group principal "Users" will be mapped to the role "Users".

> Another way without dealing with group and role, I
> can use the JAAS Authentication, but it requires to
> write some codes.
>

I don't think you need to do this, as I don't think it will provide you with
any utility assuming you want the container to enforce your authorization
constraints.

If you want to move the access checking into your app, or
create a new type of "realm", then you might get some benefit,
but it doesn't sound to me like you need to do either of these things.

Ron

> Thanks!
>
> Regards,
>
> Johnny
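A small lint for the two mistakes Ron points out, added here as an example (it is not code from the thread or from GlassFish): it parses a web.xml and sun-web.xml pair and flags url-patterns that repeat the context-root and security-role-mappings to the wildcard group "*". The embedded descriptors are constructed to mirror the original post, with namespaces and unrelated elements omitted.

```python
"""Lint a web.xml / sun-web.xml pair for the two mistakes discussed above:
url-patterns that repeat the context root, and a security-role-mapping
whose group-name is the wildcard "*"."""
import xml.etree.ElementTree as ET

# Constructed sample descriptors mirroring the original post; not the
# poster's actual files (namespaces and unrelated elements omitted).
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <web-resource-name>Restricted Area</web-resource-name>
  <url-pattern>/ldap/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>Users</role-name></auth-constraint>
</security-constraint></web-app>"""

SUN_WEB_XML = """<sun-web-app><context-root>/ldap</context-root>
  <security-role-mapping><role-name>Users</role-name>
  <group-name>*</group-name></security-role-mapping></sun-web-app>"""


def elems(root, name):
    """Yield descendants whose local tag name is `name` (namespaces ignored)."""
    return (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name)


def lint(web_xml, sun_web_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    findings = []
    ctx = next((e.text or "" for e in elems(sun, "context-root")), "").rstrip("/")
    for pat in elems(web, "url-pattern"):
        p = pat.text or ""
        # url-patterns are relative to the context root, so "/ldap/*" under
        # context-root "/ldap" actually protects /ldap/ldap/*.
        if ctx and (p == ctx or p.startswith(ctx + "/")):
            findings.append(f"url-pattern {p!r} repeats context-root {ctx!r}; "
                            f"did you mean {p[len(ctx):] or '/'!r}?")
    mapped = set()
    for m in elems(sun, "security-role-mapping"):
        role = next((e.text for e in elems(m, "role-name")), None)
        mapped.add(role)
        for g in elems(m, "group-name"):
            if g.text == "*":
                findings.append(f"role {role!r} is mapped to group '*'; "
                                "name the real group instead")
    for rn in (e for ac in elems(web, "auth-constraint") for e in elems(ac, "role-name")):
        if rn.text not in mapped:
            findings.append(f"role {rn.text!r} is required but never mapped "
                            "(only acceptable with default principal-to-role mapping)")
    return findings
```

Calling lint(WEB_XML, SUN_WEB_XML) reports both problems from the post; with the pattern changed to "/*" and the group to "Users" it reports nothing.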

tanww888
Offline
Joined: 2007-07-25

Hi Ron,

I followed your instructions and it's working now. Thank you so much!

Regards,

Johnny