How to configure Tomcat for authentication against Active Directory of Windows Server 2003

vidyasagar Namburi
Greenhorn

Joined: Oct 05, 2009
Posts: 6
Hi everyone,
Presently in our application we are using Tomcat authentication, which authenticates users from a database.
I have got a requirement to authenticate users from Active Directory (we are using Windows Server 2003) rather than the database.
If any user wants to access the application, Tomcat should take the login name and password given by the user and authenticate them against the users in Active Directory. Here I am using the administrator user name and password for Tomcat to authenticate itself to connect to Active Directory, which is on another system, not localhost (done changes as shown in the code of the first URL); then it authenticates the user based on the info given by the user. I think I have to start from scratch as I am new to Active Directory.
I have searched the web and found some samples but am not so clear on how to move forward. As I tried them, my application itself is not starting (maybe because of some mistake done by me in configuring the changes).
sample code
Info I saw regarding JNDIRealm
If you see the above links (second link), they have given a sample format for Active Directory entries, i.e. how they look in the Active Directory.
But it's looking different in my Active Directory. It's showing three columns, namely
Name (user name), Type (e.g. user, <groupname (if he belongs to any group)> etc.), Description.
Can anyone help me out with this? Please contact me if anyone wants any clarification in this regard.
Thanks in advance for any help.
I am sorry if I have given a lot of text to read.

Regards,
vidyasagar
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641

Welcome to the JavaRanch, Vidyasagar.

The container-based authentication and authorization system for J2EE is based on 2 user attributes: the user ID and the role(s) in which the user is allowed to participate. Associated with the user ID are the user password and the user's role(s). All that any A&A provider (Realm) has to be able to do is query for a match on userID+password (for authentication) and for a match on userID+role (for authorization).

All that is just the basic stuff, and it's true whether the Realm does its queries against JNDI/Active Directory, a database, a web service, or whatever.

For AD, the common approach is to use the samAccount information for the userID and password, so that the user's credentials will be the same as for a normal Windows network user login. Roles are more up to you. Commonly, you'd set up a JNDI group and add user references within that group. I believe, in fact, that the last time I did this, we made each role a sub-group, so that the role-checking query expression was basically for a match against the app, role, and userID. For a general business function, you might even skip using the appId as a query credential.


Customer surveys are for companies who didn't pay proper attention to begin with.
vidyasagar Namburi
Greenhorn

Joined: Oct 05, 2009
Posts: 6
Thank you Tim for your reply.
Below are the changes that I have made in my server.xml file:

The hierarchy in the AD looks like

Active Directory users and computers
*
***mycompany.com
------*
------***Users

Under Users the user is created. With this hierarchy, are the parameters that I have given for userSearch and userBase correct? Can you please tell me what exactly roleName specifies if it is given as above (i.e. roleName=CN; small confusion)?

The changes that I have made in my web.xml file are shown below:



When I use the above changes I am able to see the login page of my application. If I use a wrong user name and password it shows the "wrong user name and password" message. But if I give the correct user name and password it shows the message "You are not authorised to do this operation. Please contact your system administrator for more information." What I think is that it might be my application itself giving the message restricting access to the server, or is there any other problem? My application is responding to correct user names and passwords which are created in AD. Does it mean that my application is authenticating, but doesn't have the required permissions? Your help in this regard will be appreciated.
Can I provide any other info for better understanding? Please ask.

Thank you.

With regards
vidyasagar
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641

I haven't gone over every last possibility, but it looks like your authentication info is correct and you're logging in, but the role information isn't, so anything that runs under a role will be forbidden.

Your problem is that you're attempting to store the roles in the same "directory" as the user account information. Actually, more like "com/mycompany/cn/cn", to express it in disk directory form for simplicity's sake.

Normally you'd store the roles in a separate directory, such as "ou=groups,dc=mycompany,dc=com". Inside that directory, you'd have "cn" entries for the roles, and under those cn entries, you'd have attributes that would list the users who'd participate in those roles. Here's a more complete example, based on the Tomcat samples:


The roleBase is "dc=mycompany,dc=com". That's the root directory of the search (set userSubTree if you want to search subdirectories).

The roleSearch is on the "uniqueMember" attribute. It's what you're going to match against, and you specified the "{0}" value, so it's going to match against the user's complete directory path.

Finally, the roleName is the "cn" attribute of the roleBase entry, which is either "clerk", "auditor" or "sysadmin" in this example.

Note that jwelch has both audit and sysadmin capabilities and "fbloggs" is both a clerk and an auditor. The J2EE security system understands the "many hats" concept of business where one person has multiple functions. Especially after the downsizing, but that's another matter.
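The Realm that Tim describes, written out as an added example for server.xml (it is not the thread's own snippet or the Tomcat sample): users are searched under cn=Users and roles under a separate ou=groups, so the two are "equals" rather than one nested in the other. The host name, bind account and group DNs are assumed placeholders. Two AD-specific points: the login name attribute is `sAMAccountName`, and AD groups list their members in the `member` attribute rather than the `uniqueMember` used in the OpenLDAP-oriented Tomcat sample.

```xml
<!-- Added example, placed inside <Engine> or <Host> in server.xml.
     ad.mycompany.com, the tomcat-bind account and ou=groups are assumed. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ad.mycompany.com:636"
       connectionName="cn=tomcat-bind,cn=Users,dc=mycompany,dc=com"
       connectionPassword="CHANGE-ME"
       userBase="cn=Users,dc=mycompany,dc=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=mycompany,dc=com"
       roleSearch="(member={0})"
       roleSubtree="true"
       roleName="cn" />
```

`{0}` in roleSearch is the distinguished name found by userSearch, so a user who is not listed as a `member` of any group under roleBase authenticates but ends up with no roles, which is exactly the "logged in but forbidden" symptom above. The bind account should be a dedicated read-only account rather than the domain administrator mentioned in the first post, since its password sits in clear text in server.xml.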
vidyasagar Namburi
Greenhorn

Joined: Oct 05, 2009
Posts: 6
Thank you very much Tim,
I'll try what you have said and get back to you if I have any doubts regarding this.
Once again, Thanks a lot Tim.

With regards,
vidyasagar
vidyasagar Namburi
Greenhorn

Joined: Oct 05, 2009
Posts: 6
Hi Tim,
Ours is a Windows 2003 server and I don't know how to create roles as you said. There is a GUI for creating users and I didn't find anything to create roles.
I think there are some roles defined in the web.xml file as shown below:



Does the above declaration mean that all these roles are declared in the AD? If not, please tell me why they might have declared them in the XML file.
I think, as you said, I am getting connected to the server but unable to log in after authentication, getting the message from my application that I cannot do that operation and to contact the administrator.
As you asked me to create roles, is there any possibility to use any of these roles as in the above code? Also you said that we are trying to store the roles in the same folder as users (I think you said this because I used "Users" instead of "groups" for roleSearch; if I am wrong please tell me). Can I know whether there is any operation involved during authentication that requires administrative privileges, as the application is throwing the message "you cannot do this operation" after providing only the correct user name and password? Also I removed the CN attribute in the roleBase but the application is not working without that. Can you please tell me the possible reason for my application or server throwing that message after successful authentication of the user? Is there anything involved in this authentication process other than authenticating the user and allowing him the resources based on his role, which might be the reason for that message? Please give some suggestions based on your experience with this kind of problem.

Waiting for your reply, and thank you for all your help, which helped me a lot in understanding the task in a better way.

with Regards,
vidyasagar
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641

The role definitions in web.xml define the roles that the webapp uses and map them to URL patterns. So, for example, I could map the "/admin" part of my webapp to be only accessible to someone with an administrative role. These role names are matched against the role names that you define for users in AD in order to determine what user can operate in what roles. They can also be aliased in modern-day web.xml, but that's something you should ignore for what you're doing.

I was never allowed to play with the AD admin tools when I did that kind of stuff. Which was a problem, because the AD administrators didn't know what I needed and I didn't know how to tell them. But "Users" and "Groups" need to be 2 separate directories. One defines the Windows users, the other defines the groups and what users belong to those groups. They should be equals, with neither directory being subordinate to the other. As to how to set up a groups "directory" in AD, as I said, I don't know.
vidyasagar Namburi
Greenhorn

Joined: Oct 05, 2009
Posts: 6
Thank you for your support, Tim.
I am trying it and I will be back with further queries.

With Regards,
vidyasagar