This is so embarrassing. In my
previous post, I though I have already done the AD configuration, but that was only for management, not the application. There are 2 different story. Assume I have the following AD configuration:
dn: CN=user1,OU=Users,DC=huahsin68,DC=org
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
memberOf: CN=Role_1,OU=Groups,OU=Users,DC=huahsin68,DC=org
sAMAccountName: user1
...
dn: CN=Role_1,OU=Groups,OU=Users,DC=huahsin68,DC=org
objectClass: group
objectClass: top
cn: Role_1
member: CN=user1,OU=Users,DC=huahsin68,DC=org
name: Role_1
...
For web application, there are 2 things need to be done in order to authenticate users through Active Directory (AD) in JBoss. One is deployment descriptor (
web.xml) configuration, and the other one is JBoss configuration (either in
domain.xml or
standalone.xml). In deployment descriptor, the following configuration shows the regular piece in securing a web application:
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication</web-resource-name>
<description>Please login</description>
<url-pattern>/pages/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Role_1</role-name>
<role-name>Role_2</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>Role_1</role-name>
</security-role>
<security-role>
<role-name>Role_2</role-name>
</security-role>
Next is JBoss configuration. It has been a hard time for me to configure this as I mess up the role configuration causing me keep hitting HTTP 403. This is not fun at all, but at last I managed to find the solution. Configuration below shows how this is done in order to authenticate through AD.
<security-domain name="ADRealm" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
<module-option name="debug" value="true"/>
<module-option name="bindDN" value="CN=huahsin,OU=Users,DC=huahsin68,DC=org"/>
<module-option name="bindCredential" value="Abcd1234"/>
<module-option name="baseCtxDN" value="OU=Users,DC=huahsin68,DC=org"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="rolesCtxDN" value="OU=Groups,OU=Users,DC=huahsin68,DC=org"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
</login-module>
</authentication>
</security-domain>
A new security domain is created under the
<subsystem xmlns="urn:jboss:domain:security:1.1">, don't confuse with the management's configuration. There are 2 different entity. Last but not least, remember to link
ADRealm which is define in JBoss configuration in
jboss-web.xml (as shown in the following code), otherwise the web application would not be able to authenticate though the AD.
<jboss-web>
<security-domain>java:/jaas/ADRealm</security-domain>
</jboss-web>
Some site info, when the role is found in AD, following log could be seen in server log.
15:21:48,811 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) Checking roles GenericPrincipal[huahsin68(Role_1,)]
15:21:48,811 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) JBWEB000017: User [user1] has role [Role_1]
15:21:48,811 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) Role found: Role_1
But if it doesn’t found, following log would be seen in server log:
11:32:40,401 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) Checking roles GenericPrincipal[huahsin68()]
11:32:40,415 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) JBWEB000016: User [user1] does not have role [Role_1]
11:32:40,415 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) No role found: Role_1
No comments:
Post a Comment