Hi all,
I'm fairly new to Tomcat and to this mailing list, so apologies in
advance if I am not being clear in explaining my problem.

I'm tasked with the implementation of JAAS for a web application by
leveraging the existing LDAP server (MSAD) present at our company.

The first problem I faced was due to the fact that the bundled
LDAP plugin doesn't support authentication, so I needed an enhanced one.
I read that Geronimo's LDAPLoginModule can be of help and I
decided to follow that path.
- I downloaded Geronimo's zip file [1]
- I extracted the LDAP plugin jar file [2] and copied it into Tomcat's
lib directory
- I configured the jaas.config file [3] and referenced it on the
Tomcat startup command line [4]
- I modified server.xml by defining the Realm [5]
- I modified my test application by requiring BASIC authentication for
the dummy protected resource [6]

I know that the jaas.config file gets read because at first I had
syntax problems reported in catalina.err, which are now fixed.

Now I can access the application by having a popup asking me to bind,
BUT the application doesn't permit me to access (it asks me to
authenticate again).
With tcpdump I can see that the TCP connection to the LDAP server is
not even attempted.
However, I can't see any error in catalina.out or catalina.err.

Could you tell me if, in your opinion, I have done something wrong?
What would you suggest to do in order to at least augment the
possibility to see the error logged?

Thanks in advance
Marco




--------------------------------------------------------------------

[1] geronimo-tomcat7-javaee6-3.0.1-bin.zip

[2] geronimo-security-3.0.1.jar

[3] This is the (sanitized) content of my jaas.config
GERONIMO {
    org.apache.geronimo.security.realm.providers.LDAPLoginModule REQUIRED
    initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    connectionURL="ldap://test.com:389"
    connectionUsername="uid=test,ou=mycompany,dc=test,dc=com"
    connectionPassword="test"
    connectionProtocol=""
    authentication="simple"
    userBase="ou=employee,dc=test,dc=com"
    userSearchMatching="uid={0}"
    userSearchSubtree="true"
    roleBase="ou=groups,dc=test,dc=com"
    roleName="cn"
    roleSearchMatching="(member={0})"
    roleSearchSubtree="true"
    userRoleName="member";
};

[4]  -Djava.security.auth.login.config==/opt/tomcat/conf/jaas.config

[5] This is the line I added inside <Engine>
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="testPrincipals" debug="9"/>

[6]
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID"
version="2.5">
  <display-name>testPrincipals</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <description>Only for administrators</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>My_LDAP_Group</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>GERONIMO</realm-name>
  </login-config>
  <security-role>
    <description>Administrators</description>
    <role-name>My_LDAP_Group</role-name>
  </security-role>
</web-app>
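Added example (not part of Marco's message): a small stand-alone harness that drives the same jaas.config through `javax.security.auth.login.LoginContext` outside Tomcat, so a failing login surfaces as a `LoginException` on the console instead of a silent re-prompt. It assumes the login module issues the standard `NameCallback`/`PasswordCallback`, and the class name `JaasConfigCheck` and the argument order are choices made here.

```java
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.IOException;

public class JaasConfigCheck {

    // Supplies the user name and password when the LoginModule asks for them.
    static CallbackHandler handler(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks)
                    throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    // Returns the authenticated principals, or throws the LoginException
    // that Tomcat's JAASRealm would otherwise swallow into a 401.
    static String tryLogin(String appName, String user, String password)
            throws LoginException {
        LoginContext lc = new LoginContext(appName, handler(user, password.toCharArray()));
        lc.login();
        String principals = lc.getSubject().getPrincipals().toString();
        lc.logout();
        return principals;
    }

    // Usage: java ... JaasConfigCheck <appName> <user> <password>
    // <appName> is the entry name JAAS looks up in jaas.config; a message like
    // "No LoginModules configured for <appName>" means that entry does not exist.
    public static void main(String[] args) throws Exception {
        try {
            System.out.println("login OK, principals: " + tryLogin(args[0], args[1], args[2]));
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage());
            throw e;
        }
    }
}
```

Run it with the same `-Djava.security.auth.login.config==/opt/tomcat/conf/jaas.config` flag and the Geronimo jar (plus whatever it depends on) on the classpath; adding `-Djava.security.debug=logincontext,configparser` makes the JDK print which entry was parsed and which module it tried to invoke.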
