
Tomcat 7.0.20 authentication w/ LDAP

Filipe Vieira

Joined: Nov 07, 2011
Posts: 6

I'm having a really hard time configuring my Tomcat to authenticate a user against my Active Directory information.
I've managed to get the login process to work correctly, but after that I get a 403 error message.

Here's my complete information:



Tomcat log:

FINE: Calling authenticate()
FINE: Authenticated 'nb18054' with type 'BASIC'
FINE: Calling accessControl()
FINE: Checking roles GenericPrincipal[nb18054()]
FINE: Username nb18054 does NOT have role Users
FINE: No role found: Users

I know that the error is related to the role, but I really don't know why... maybe I'm making some confusion about the role name.
When I perform a search by my username (nb18054) in my Active Directory, I get this result:

MSDOS PROMT>dsquery user -samid nb18054
"CN=Here'sMyName, CN=Users, DC=novabase,DC=intra"

Shouldn't I be using this "Users" as the role?


Rob Spoor

Joined: Oct 27, 2005
Posts: 20279

I never got LDAP authentication working with the JNDI realm, but I did have success with both JCIFS (free) and Jespa (commercial). See this thread for the filter configuration for JCIFS. Jespa's own operator manual is sufficient to get it to work.
There are also other projects like WAFFLE and Tomcatspnego but neither let me authenticate in browsers.

How To Ask Questions How To Answer Questions
Filipe Vieira

Joined: Nov 07, 2011
Posts: 6
I've just solved my problem; the issue was really with the role name.
I've used an application called Active Directory Explorer, and there I've managed to get the real role name.

Thanks for the help Rob
Rob Spoor

Joined: Oct 27, 2005
Posts: 20279

You're welcome.
Eknath Padekar

Joined: Oct 02, 2013
Posts: 1
Hi Filipe Vieira,

I am also getting the same error:

13:33:30,361 DEBUG [RealmBase] Checking roles GenericPrincipal[310138760()]
13:33:30,361 DEBUG [RealmBase] Username 310138760 does NOT have role code1
13:33:30,361 DEBUG [RealmBase] No role found: code1
13:33:30,361 DEBUG [AuthenticatorBase] Failed accessControl() test

I am not sure what roles need to be given in web.xml.

My username 310138760 in AD is listed below.


Can you please reply based on your findings.

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17421

Welcome to the JavaRanch, Eknath!

I would venture to say that at a minimum you need a security role named "code1" defined in your web.xml.

The container security system is broken into 2 parts: one part defines userids and associated passwords, the other maps userids to security roles in a 1-many mapping.

When databases are used, therefore, 2 separate tables are usually employed. When using a directory service such as LDAP, usually 2 separate directory trees within the LDAP directory are used.

An IDE is no substitute for an Intelligent Developer.
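An added example (not from this thread, and not Tomcat's own documentation) showing the two halves Tim describes as Tomcat 7 configuration, which is also what Filipe's and Eknath's logs were missing. The `web.xml` fragment declares the role the container checks during `accessControl()`, and the `JNDIRealm` in `server.xml` tells Tomcat where to find the user entry and which directory groups to turn into roles. Note that `GenericPrincipal[nb18054()]` in the original log has empty parentheses: the realm authenticated the user but resolved zero roles, so the `roleSearch`/`roleName` half was the part not matching. The `CN=Users` in the `dsquery` output is the container holding the user object, not a group, which is why it did not work as a role name. The host name, bind account, `DC=example,DC=intra` base and `OU=Groups` container are placeholders; the role name `code1` is taken from the thread.

```xml
<!-- web.xml: declare the role and constrain the protected URL space.
     The <role-name> must be exactly the role the realm produces; this is
     the "security role named code1 defined in your web.xml" Tim refers to. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>code1</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>LDAP</realm-name>
</login-config>

<security-role>
  <role-name>code1</role-name>
</security-role>

<!-- server.xml (inside <Engine> or <Host>): one JNDIRealm does both halves.
     connectionName/connectionPassword: a read-only bind account (placeholder values).
     userSearch: locates the user entry by sAMAccountName, i.e. the login name
                 seen in the thread's logs ("nb18054", "310138760").
     roleSearch: {0} is replaced by the authenticated user's full DN, so every
                 group whose "member" attribute lists that DN is returned.
     roleName:   the attribute of each matching group that becomes the Tomcat
                 role name, so a group with cn=code1 yields the role "code1". -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc01.example.intra:636"
       connectionName="CN=tomcat-bind,CN=Users,DC=example,DC=intra"
       connectionPassword="BIND-PASSWORD-PLACEHOLDER"
       userBase="CN=Users,DC=example,DC=intra"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Groups,DC=example,DC=intra"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
```

Two practical checks when the log still says "No role found": first, query the directory with the same bind account and the same `roleSearch` filter, substituting the user's full DN for `{0}`, and confirm that at least one group comes back; second, confirm that the `cn` of that group is spelled exactly like the `<role-name>` in `web.xml`, since the comparison is a plain string match. The example uses `ldaps://` on port 636 rather than plain `ldap://` on 389 because the realm sends the bind account's password and each user's password to the directory on every login, and on an unencrypted connection those are readable on the network.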