
JNDI Realm LDAP authentication

Amy Robinson

Joined: May 07, 2014
Posts: 2
I have been working on putting JNDI realm authentication into my application and have managed to get most of it to work.
Basically I am authenticating a user against LDAP, then checking that the user is in a particular AD group. I've been able to successfully authenticate a user against LDAP, and my logs indicate that the GenericPrincipal list is being populated with all the groups that the user belongs to; however, when it comes to the point where the application compares this list, it cannot find the group I've specified to check for.
My server.xml looks something like this (I've had to substitute particular details of the userBase and roleBase though to post it here):

My web.xml:

I have been able to get a login page working, and the application is authenticating users against LDAP successfully; however, authorisation is failing. I've been able to set up logging to see the errors:

FINE: Authenticated 'testuser' with type 'FORM'
07-May-2014 12:03:56 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[testuser(CN=........) (I had to remove the AD groups for the purposes of posting here, but I am getting a list back of all the AD groups the user is in, which includes the role defined in my web.xml, 'admin')
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasRole
FINE: Username testuser does NOT have role admin
07-May-2014 12:03:56 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found: admin
07-May-2014 12:03:56 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed accessControl() test

So in summary, the GenericPrincipal list is being populated for a logged-in user, but then when it comes to org.apache.catalina.realm.RealmBase hasResourcePermission it is failing to find the role in the GenericPrincipal list... which seems odd. Has anyone got any ideas on why this might be happening?

I have double checked the name of the role I'm looking for using an LDAP browser and confirmed that my user does belong to the group as well.

Amy Robinson

Joined: May 07, 2014
Posts: 2
I meant to add I am running Tomcat 6, using Netbeans 7.1.2 if that matters.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

I always have trouble making sense of LDAP specs for Tomcat, but I think I understand what it's attempting here, assuming I haven't missed anything.

The version of Tomcat and CERTAINLY the IDE should make no difference. Well, except for the way that Eclipse WTP screws up Tomcat runtime configs in general.

You have - or so I interpret it - set up your Active Directory so that it's something like this:

At least I think that's what's expected. And I haven't attempted to put in all the minor attributes and stuff.

One thing that isn't obvious is if you have your qualifying levels in the correct order, since they're all "sample".

An IDE is no substitute for an Intelligent Developer.