Tomcat JNDIRealm authenticate and ignore all roles

 
Muhammad Faisal khan
Greenhorn
Tomcat container using LDAP to authenticate users

I am trying to replace Tomcat's in-memory user database with LDAP authentication by making changes in conf/server.xml.

When the user login pops up I want to compare the user's credentials against LDAP.



My web.xml: if the user is authenticated, take him straight to the application.



When I provide the correct username and password I see in the following log that the user is authenticated but, I guess, failed in authorization. Any help is appreciated.

 
Tim Holloway
Saloon Keeper
Actually, the log seems to say that you authenticated, but failed to match an allowed role. And in any event, you apparently didn't define any roles.

Putting "/*" in as a secured URL has problems. It doesn't just screen web page URL requests, it also screens image file URL requests, javascript, css, etc., etc., etc.

Usually you'd want to be a bit more discriminating. Also, I usually like to have an unsecured "welcome" page that tells people what webapp they're talking to and whether they should be using it.
 
Muhammad Faisal khan
Greenhorn
I am just doing a test project. Although I changed the URL pattern as follows, still no luck.




Log output:

org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /index.html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /index.html --> true
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "fkhan002c" with realm "org.apache.catalina.realm.JNDIRealm"
org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "fkhan002c" with realm "org.apache.catalina.realm.JNDIRealm"
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'fkhan002c' with type 'BASIC'
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[fkhan002c()]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test



Tim Holloway wrote:Actually, the log seems to say that you authenticated, but failed to match an allowed role. And in any event, you apparently didn't define any roles.

Putting "/*" in as a secured URL has problems. It doesn't just screen web page URL requests, it also screens image file URL requests, javascript, css, etc., etc., etc.

Usually you'd want to be a bit more discriminating. Also, I usually like to have an unsecured "welcome" page that tells people what webapp they're talking to and whether they should be using it.

 
Tim Holloway
Saloon Keeper
I'd have to do something icky like RTFM to be sure, but try removing the role-name "*" from the security constraint. I think that a wild card may not actually be a wild card there, and that the actual "everything" role is something more like either no role-name or an empty role-name.

In other words, it may be checking the user to see if he/she has role named literally "*" and that's not a defined role for that user.
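What the Servlet spec and Tomcat actually do with that role-name, shown as an added example (this is not the poster's web.xml, which did not survive on this page). "*" in an auth-constraint stands for every role declared in a <security-role> element of the same web.xml, so with no declared roles it matches nothing and every successful login ends in the 403 the log shows. Tomcat also treats a role literally named "*" as held by every authenticated principal, which is why declaring <security-role><role-name>*</role-name></security-role>, as the thread later settles on, happens to work. Since Servlet 3.1 (Tomcat 8 and later) the portable spelling of "any authenticated user" is "**", which needs no security-role declaration. The URL layout (/app/*, /app/admin/*, assets under /static/), the realm name and the role app-admin are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the poster's web.xml. Paths, realm name and the
     app-admin role are assumptions. The web-app must be declared as
     Servlet 3.1 or later for "**" to be recognised. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Anyone the realm could authenticate gets the application pages.
       Static assets (assumed under /static/) are deliberately left outside
       the constraint, so images, CSS and scripts load without a login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <!-- no <http-method> list: naming methods would leave the others uncovered -->
    </web-resource-collection>
    <auth-constraint>
      <!-- "**": any authenticated user, no <security-role> needed.
           "*" would instead expand to the roles declared below, and with
           none declared it matches nobody (the 403 after a good login). -->
      <role-name>**</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends the password base64-encoded on every request: TLS only -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- A real role for the part of the app that needs one; the realm must map
       it from a directory group, otherwise this constraint always yields 403. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/app/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>app-admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <role-name>app-admin</role-name>
  </security-role>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example LDAP</realm-name>
  </login-config>
</web-app>
```

Keeping static assets outside the constraint is the practical answer to the "/*" point above: the browser fetches them before or without a login, and they carry nothing worth a directory bind. The CONFIDENTIAL guarantee matters more than it looks, because BASIC authentication replays the LDAP password, base64-encoded, on every request for the life of the session.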
 
Muhammad Faisal khan
Greenhorn
Found a problem

Web-resource-collection is for Java resources; as I was trying to authorize static content, as you can see in the following, I also needed it for static content.

 
Tim Holloway
Saloon Keeper
If I'm not mistaken, you just defined a role and named it "*".

That matches the pattern you'd defined earlier, but I really don't recommend naming a role "*".
 
Muhammad Faisal khan
Greenhorn
If I do not define the role it keeps giving me 403; once I define it, it works well.


Tim Holloway wrote:If I'm not mistaken, you just defined a role and named it "*".

That matches the pattern you'd defined earlier, but I really don't recommend naming a role "*".

 
Tim Holloway
Saloon Keeper
Yes, you do have to define a role, but I'd name the role something like "user", not "*".
 
Muhammad Faisal khan
Greenhorn
I have to define * because I am using LDAP for authentication and LDAP does not return any role like 'user'; * defines any role.


Tim Holloway wrote:Yes, you do have to define a role, but I'd name the role something like "user", not "*".

 
Tim Holloway
Saloon Keeper
Your LDAP is set up wrong, then.

I use LDAP for authentication and authorization of almost everything my network does, whether Java or not. Among the things LDAP manages is my Sonatype Nexus server, which has fairly fine-grained role-based access control. Some users have read-only roles, some have both read-only and write roles.

I have external contractors who belong to different access groups so that I can keep them out of each other's resources. Not to mention my own.
 
Muhammad Faisal khan
Greenhorn
Here is my LDAP configuration in server.xml; can you please help identify any issue in the following code?
I don't have any role search or role filter.




Muhammad Faisal khan wrote:I have to define * because I am using LDAP for authentication and LDAP does not return any role like 'user'; * defines any role.


Tim Holloway wrote:Yes, you do have to define a role, but I'd name the role something like "user", not "*".

 
Tim Holloway
Saloon Keeper
You haven't defined where a user's roles are located. You need either a "roleName" or "userRoleName" attribute on the Realm definition.

Something like this:
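Tim's snippet is missing from this page. What follows is an added example of the shape he describes, not his or the poster's configuration; the host name, base DNs, bind account and attribute names are assumptions for an OpenLDAP-style directory with groupOfNames groups. It also answers the roleName question that comes up next: JNDIRealm first finds and binds as the user, then runs roleSearch under roleBase with {0} replaced by the user's DN (and {1} by the login name); every matching group entry contributes the value of the attribute named by roleName as one Tomcat role. With roleName="cn", a group whose cn is app-admin therefore becomes the role app-admin that a <security-role> in web.xml can name. Without roleBase/roleSearch (or a userRoleName attribute read from the user's own entry) the principal ends up with no roles at all, which is the empty GenericPrincipal[fkhan002c()] in the log above.

```xml
<!-- conf/server.xml, inside <Engine> or <Host>. Added example, not Tim's or the
     poster's configuration: host, base DNs, the bind account and attribute names
     are assumptions. The bind password comes from a system property (set it in
     conf/catalina.properties) rather than being written into server.xml. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.internal:636"
       connectionName="cn=tomcat-bind,ou=service,dc=example,dc=internal"
       connectionPassword="${ldap.bind.password}"
       userBase="ou=people,dc=example,dc=internal"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=example,dc=internal"
       roleSearch="(member={0})"
       roleName="cn"
       roleSubtree="true"
       allRolesMode="strict"/>

<!-- Constructed directory entry the realm above would map to the role
     "app-admin" for the user from the log ({0} in roleSearch is that DN):

       dn: cn=app-admin,ou=groups,dc=example,dc=internal
       objectClass: groupOfNames
       cn: app-admin
       member: uid=fkhan002c,ou=people,dc=example,dc=internal

     Active Directory keeps the link on the user instead; userRoleName="memberOf"
     reads it from the user entry, but the role names are then the full group DNs. -->

<!-- Authentication-only variant: if roles are deliberately not kept in the
     directory and authorization lives in the application, drop the role*
     attributes and set allRolesMode="authOnly"; "*" in web.xml then matches
     any user the realm authenticated, without a <security-role> named "*". -->
```

The bind account named in connectionName needs read access to userBase and roleBase and nothing else; the user's own password is checked by a second bind as the user, so the service account never needs to read password attributes. allRolesMode is a Tomcat-specific attribute of the Realm (values strict, authOnly, strictAuthOnly); the standard way to express "any authenticated user" in web.xml is the Servlet 3.1 role-name "**".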
 
Muhammad Faisal khan
Greenhorn
I tried this code without defining a security role but it didn't work out; I still got the same 403 error. The only way I was able to make it work was by defining the security role *.

Can you please help me understand why we defined roleName="cn"?

Tim Holloway wrote:You haven't defined where a user's roles are located. You need either a "roleName" or "userRoleName" attribute on the Realm definition.

 
Tim Holloway
Saloon Keeper
Actually, you defined what roles the webapp was sensitive to, and what URLs the role applies to.

That's only half the story.

You also have to define within Active Directory/LDAP the role(s) a specific user has. For example, my user account has roles such as "svn-administrator", "svn-committer", "svn-read", "app1-sysadmin", and others defined in various LDAP ou subtrees via the "memberOf" attribute.

That's how the Nexus app knows that I can upload new artefacts to the Nexus repository but the contractors in Belarus can only check out copies of those artefacts and not upload their own.
 
Muhammad Faisal khan
Greenhorn
I got your point, but what I am trying to do is bypass LDAP authorization and implement authorization in the web app using Spring Security, because we do not want to manage web app roles in LDAP.
In that case using * is the choice for me, I guess.
 