Hi Lorenzo,

I have a dockerized, fully functional running system, LDAP-integrated; if needed I can share some conf files.

To enable JAAS, as per https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security#section-Wiki.Admin.Security-IntegratingJSPWikiWithContainerManagedAuthentication you must enable container authentication by uncommenting the <security-constraint> elements in WEB-INF/web.xml. You need two roles from the auth system and map them to the logical role defined in web.xml. You can edit web.xml accordingly, but I found it easier with a role-mapping.properties file in tomcat/webapps/ROOT/WEB-INF/.

Also be sure Tomcat is loading only your jaas file! This caused me some trouble and a "Forbidden" page msg.

Best regards,
Enrico

From: "Lorenzo Sparacca" <l.spara...@armundia.com.INVALID>
To: user@jspwiki.apache.org
Sent: Friday, 4 July 2025 9:39:44
Subject: [HELP] JAAS LDAP authentication issue with JSPWiki 2.12.2

Hello JSPWiki Community,

I am writing to ask for your help with a very stubborn authentication issue after migrating from JSPWiki 2.8 to JSPWiki 2.12.2.

My Goal: To set up JSPWiki 2.12.2 on Tomcat 9 (running on Amazon Linux 2023) with authentication against an external LDAP server. A key constraint is that our LDAP server contains users and passwords only; it does not manage roles or groups.

What I Have Tried:

1. Container-Managed Security: My first approach was to use container-managed security in Tomcat. After realizing a simple JNDIRealm wouldn't work, I configured a CombinedRealm in server.xml. This used an inner JNDIRealm for LDAP authentication and a UserDatabaseRealm (with tomcat-users.xml) to assign a default Authenticated role.

   * Result: This almost worked. The user was successfully authenticated against LDAP, but was then shown the JSPWiki "Forbidden" page. This suggested that the roles assigned by Tomcat's CombinedRealm were not being correctly recognized by JSPWiki's WebContainerAuthorizer.

2. Internal JAAS Security (Current Approach): Due to the issues with the container, I switched to the internal JAAS security model (jspwiki.security = jaas). I removed all security from server.xml and web.xml and created a jspwiki.jaas.conf file with a chain of LDAPLoginModule (for authentication) and DefaultRoleLoginModule (to assign default roles).

The Current Problem: The application seems to be completely ignoring the JAAS configuration.

* My server startup script correctly provides the JAAS config path to the JVM via the system property: -Djava.security.auth.login.config=/opt/wiki/tomcat/conf/jspwiki.jaas.conf
* My jspwiki.properties file correctly specifies:
  * jspwiki.security = jaas
  * jspwiki.jaas.app-name = JSPWiki
* However, when I attempt to log in, the jspwiki.log file shows no attempts to use the LDAPLoginModule or DefaultRoleLoginModule. Instead, it only shows the default AnonymousLoginModule being used, and the user is logged in as a guest.
* This also causes the jspwiki.defaultAcl = -(ANONYMOUS):view property to be ignored, leaving the entire wiki publicly visible.

We have already verified with ldapsearch that all LDAP connection parameters are correct. We have also confirmed that JSPWiki is correctly reading its main data directories (like pageDir and workDir), which are also forced via system properties.

My Question: Why would JSPWiki 2.12.2 completely ignore the JAAS configuration provided via the standard -Djava.security.auth.login.config system property and fall back to its default, un-authenticated login modules? Is this a known issue, or is there a configuration step for JAAS that I am missing?

I am happy to provide my full, final configuration files (server.xml, web.xml, jspwiki.properties, jspwiki.jaas.conf, jspwiki.policy, and logs) upon request.

Thank you for your time and any help you can provide.

Best regards,
Lorenzo Sparacca

Regards,
Lorenzo Sparacca
System Admin | Armundia Group
http://armundiagroup.com/
http://www.armundia.com/
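
Added example, not part of either message and not JSPWiki or Tomcat code: a shell helper that lists every JAAS login configuration source a JVM will read, which is the check behind the advice above to make sure Tomcat loads only one jaas file. The name jaas_sources and the sample inputs are constructed; it relies on the JDK's documented behaviour that a single "=" adds the file to the login.config.url.N entries in java.security, while "==" replaces them.

```shell
#!/bin/sh
# Added example: list the JAAS login configuration sources a JVM will consult.
# jaas_sources is a hypothetical helper name; the inputs below are constructed.
#   $1 = JVM command line, $2 = path to the JDK's java.security file
jaas_sources() {
    override=0
    # Unquoted on purpose: split the command line into arguments.
    for arg in $1; do
        case $arg in
            -Djava.security.auth.login.config==*)
                # "==": this file is the only configuration used
                override=1
                echo "override ${arg#-Djava.security.auth.login.config==}" ;;
            -Djava.security.auth.login.config=*)
                # "=": read in addition to the java.security entries
                echo "append ${arg#-Djava.security.auth.login.config=}" ;;
        esac
    done
    # Without "==", every login.config.url.N entry is loaded as well.
    if [ "$override" -eq 0 ] && [ -r "$2" ]; then
        sed -n 's/^[[:space:]]*login\.config\.url\.[0-9][0-9]*[[:space:]]*=[[:space:]]*\(.*\)$/security \1/p' "$2"
    fi
}

# Constructed sample: the flag from the thread plus one java.security entry.
sample_sec=$(mktemp)
echo 'login.config.url.1=file:/etc/other.jaas.conf' > "$sample_sec"
jaas_sources "java -Djava.security.auth.login.config=/opt/wiki/tomcat/conf/jspwiki.jaas.conf Bootstrap" "$sample_sec"
rm -f "$sample_sec"
```

On a live host, pass the running Tomcat JVM's command line (for example /proc/<pid>/cmdline with NULs turned into spaces) and the JDK's conf/security/java.security file. An "append" line together with any "security" line means the JVM is merging several JAAS files.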