Ok, it's working.  I changed too many things at once, so I'm not sure which one 
fixed it.  I shouldn't have done that, but I can't spend too much time on this, 
3 days already.

I changed server.xml to this:

      <!-- This Realm uses Active Directory -->
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://servername.plandev.maricopa.gov:389"
             connectionName="CN=username,OU=Service Accounts,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov"
             connectionPassword="password"

             roleBase="OU=Groups,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov"
             roleSubtree="true"
             roleName="cn"
             roleSearch="(member={0})"

             userBase="OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov"
             userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))"
             userSubtree="true"
             userRoleName="memberOf"
      />

I also changed the realm-name web.xml:

    <!-- SECURITY CONSTRAINT -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>samplewebapp</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>arcgisserver_reader</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- LOGIN CONFIGURATION -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JNDIRealm</realm-name>
    </login-config>

    <!-- Security roles referenced by this web application -->
    <security-role>
        <role-name>arcgisserver_reader</role-name>
    </security-role>


Now when I navigate to http://servername:8080/sample I accept the certificate, 
enter my windows login and password, and then I'm taken to the 
https://servername:8080/sample welcome page.  

I don't have a lock icon, which bothers me, but that is IE7 for you.  The 
address bar is pink.  What can I tell you.  Firefox gives me a lock icon.

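An added example, not code from the thread, of what the JNDIRealm attributes above do when a user logs in: the userSearch filter is filled in with the login name, and the roleSearch filter (member={0}) is then filled in with the DN that search returned, which is also what the roleSearch question in the quoted message further down is asking about. The directory entries are constructed, and the value substituted for {0} is escaped per RFC 4515 so a login name containing filter metacharacters cannot change the query.

```python
import re

# Added example; the attribute values below are from the working server.xml in the thread.
USER_BASE = "OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov"
USER_SEARCH = "(&(objectCategory=person)(sAMAccountName={0}))"
ROLE_BASE = "OU=Groups,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov"
ROLE_SEARCH, ROLE_NAME = "(member={0})", "cn"  # {0} here is the user's DN, not the login name

DIRECTORY = [  # constructed in-memory stand-in for AD; attribute names lowercased
    {"dn": "CN=Leo,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov",
     "objectcategory": ["person"], "samaccountname": ["leo"]},
    {"dn": "CN=Kim,OU=Division2,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov",
     "objectcategory": ["person"], "samaccountname": ["kim"]},
    {"dn": "CN=arcgisserver_reader,OU=Groups,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov",
     "objectcategory": ["group"], "cn": ["arcgisserver_reader"],
     "member": ["CN=Leo,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov"]},
]

def escape_filter_value(value):  # RFC 4515: '*', '(', ')', '\' and NUL become \XX hex escapes
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)
def expand(template, arg):  # fill each {0} of a JNDIRealm filter template with the escaped value
    return template.replace("{0}", escape_filter_value(arg))

def parse(f, i=0):  # parse the filter at f[i] (and/or and equality only); return (node, next_index)
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)  # an escaped ')' is \29, so this is the real terminator
    attr, raw = f[i + 1:end].split("=", 1)
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.lower(), val), end + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))

def search(base, filt, directory=DIRECTORY):  # subtree search at or below base
    node, _ = parse(filt)
    return [e for e in directory if e["dn"].lower().endswith(base.lower()) and matches(node, e)]

def roles_for(username, directory=DIRECTORY):  # userSearch -> exactly one DN -> roleSearch with it
    users = search(USER_BASE, expand(USER_SEARCH, username), directory)
    if len(users) != 1:
        return None  # no or ambiguous match: authentication fails before any role lookup
    groups = search(ROLE_BASE, expand(ROLE_SEARCH, users[0]["dn"]), directory)
    return sorted(g[ROLE_NAME][0] for g in groups)
```

Note that the group entry sits under userBase as well, which is why the objectCategory=person term in userSearch matters: without it a subtree user search could return a group.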

-----Original Message-----
From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] 
Sent: Tuesday, March 09, 2010 2:25 PM
To: 'Tomcat Users List'
Subject: RE: JNDI Realm question

I downloaded the Apache Directory Tool.  Very nice.  Much better than the ldap 
browser tool I was using.

I was able to create a search using the Filter Editor, of the Apache Directory 
Tool, that returns sAMAccounts that I wanted.

The filter:  

(&
    (objectCategory=person)
    (sAMAccountName=*)
    (memberOf=CN=arcgisserver_reader,OU=Groups,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov)
)


This query returns the three user accounts with the role "arcgisserver_reader", 
which is right.

I think my issue is that I don't understand what I'm supposed to be supplying 
in the JNDI Realm, among other things.  The examples I saw in the Tomcat docs 
use something similar to what I have below, but I don't understand the purpose 
of the roleSearch attribute.  How does it know that I want to use the role 
"arcgisserver_reader" when it has a parameter?  It plugs in the role specified 
in the web.xml?  I know roleSearch is the filter expression for performing role 
searches, but is that what I'm doing?  I want to search for any user that 
belongs to a specific role - that's what I'm attempting anyway.

This is what I have in server.xml:

      <!-- This Realm uses Active Directory -->
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             digest="md5"
             connectionURL="ldap://servername.plandev.maricopa.gov:389"
             connectionName="username"
             connectionPassword="password"
             userSearch="(&amp;(objectCategory=person)(sAMAccountName={0})(memberOf=CN=arcgisserver_reader,OU=Groups,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov))"
             userBase="OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov"
             userSubtree="true"
             roleBase="OU=Groups,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
      />

This is what I have in my webapp's web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <context-param>
        <param-name>com.sun.faces.verifyObjects</param-name>
        <param-value>false</param-value>
    </context-param>
    <context-param>
        <param-name>com.sun.faces.validateXml</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <!-- SECURITY CONSTRAINT -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>samplewebapp</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>arcgisserver_reader</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- LOGIN CONFIGURATION -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Sample</realm-name>
    </login-config>
    <!-- Security roles referenced by this web application -->
    <security-role>
        <role-name>arcgisserver_reader</role-name>
    </security-role>
</web-app>


This is my faces-config.xml:

<?xml version='1.0' encoding='UTF-8'?>

<!-- =========== FULL CONFIGURATION FILE ================================== -->

<faces-config version="1.2"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                        http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd">
    <managed-bean>
        <managed-bean-name>sampleModelBean</managed-bean-name>
        <managed-bean-class>gov.maricopa.rdsa.gis.SampleModelBean</managed-bean-class>
        <managed-bean-scope>session</managed-bean-scope>
    </managed-bean>
</faces-config>


The sample JSF page is really nothing, just a checkbox and a button for the 
sake of having something on the page and testing a valueChangedListener.  

When I browse to http://servername:8080/sample (this webapp has a index.jsp 
that forwards to welcome.jsp)

I get the self signed certificate warning.  I continue, then the Tomcat prompts 
for username/password.  I supply my login name without the domain part, Tomcat 
then tells me I am denied using my windows login.  

This tells me I don't have this quite right just yet.  HTTP Status 403 is the 
result and the URL changed to https://servername:8443/sample/

The logs are empty until I stop Tomcat.  After stopping Tomcat, catalina log 
now shows this exception.  Is that my problem or is my query still not right?

Mar 9, 2010 2:05:50 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.directory.InvalidSearchFilterException: invalid escape sequence: 
[...@1dd8136; remaining name 'OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov'
        at com.sun.jndi.ldap.Filter.unescapeFilterValue(Filter.java:216)



-----Original Message-----
From: Stefan Zoerner [mailto:ste...@labeo.de]
Sent: Tuesday, March 09, 2010 6:43 AM
To: Tomcat Users List
Subject: Re: JNDI Realm question

Hi Leo,

in general I would recommend using an LDAP tool like Apache Directory Studio 
in order to develop and verify the JNDI Realm specific parameters.

http://directory.apache.org/studio/

If this works (authentication, authorization searches), add the parameters to 
your tomcat configuration in server.xml.

The userPattern attribute is in almost all cases not appropriate for Active 
Directory (AD), because the users are not organized flat in the tree there 
(check with a tool). Use a search filter instead as Felix suggested.

userSearch="(&amp;(objectCategory=user)(sAMAccountName={0}))"

Adding objectCategory to the search filter will lead to better performance, 
because it has an index in AD.

Greetings from Hamburg,
     StefanZ


Leo Donahue - PLANDEVX wrote:
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> 
> Using Tomcat 6.0.24 on Windows Server 2003 Standard R2 SP2
> 
> 1. We use MS Active Directory, is the "uid" in the following example for 
> userPattern the same as the "sAMAccountName" ?
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>       connectionURL="ldap://localhost:389"
>       userPattern="uid={0},ou=people,dc=mycompany,dc=com"
>       roleBase="ou=groups,dc=mycompany,dc=com"
>       roleName="cn"
>       roleSearch="(uniqueMember={0})"
> />
> 
> 2. The quick start section said to create a user account for the Tomcat user, 
> if required. That is the account Tomcat uses to browse the LDAP, I understand 
> that, but where is it used in the Realm? Is it the connectionName and 
> connectionPassword attributes?
> 
> The way Active Directory is setup for us looks something like this:
> 
> dc=mycompany,dc=com
>   ou=mydept
>     ou=division1
>     ou=division2
>     ou=division...n
>     ou=service accounts (this is where we created the tomcat user account, 
> and the role accounts for the webapp)
>   ou=other depts, etc.
> 
> I would like to set up the realm so that any user in any division, under 
> "mydept" will be found.  Does this look right?  (aside from changing the 
> connection url to ours)  Or do I substitute the sAMAccountName for "uid"?
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>       connectionURL="ldap://localhost:389"
>       connectionName="tomcat user account name"
>       connectionPassword="tomcat user account pw"
>       userPattern="uid={0},ou=mydept,dc=mycompany,dc=com"
>       roleBase="ou=mydept,dc=mycompany,dc=com"
>       roleName="ou=service accounts,cn=ourwebapprolename,dc=mycompany,dc=com"
>       roleSearch="(uniqueMember={0})"
>       userSubtree="true"
> />
> 
>  
> Leo Donahue
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 

