Machman

Jetty ldap authentication

I am trying to set up Jetty 9.1 with ldap (active directory) authentication. I have googled like crazy without finding the answers I need... I extended the included demo-app to use ldap. When visiting the page I get the following message: Problem accessing /test-jaas/auth.html. Reason: !role. In the console / logs I see "Found User?: true", so the user is found but it is the role matching that is causing problems.

Hope someone can give me some pointers...

Here are my configurations:

test-jaas.xml:

<Set name="securityHandler">
 <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
  <Set name="loginService">
   <New class="org.eclipse.jetty.jaas.JAASLoginService">
    <Set name="name">Test JAAS Realm</Set>
    <Set name="loginModuleName">xyz</Set>
   </New>
  </Set>
 </New>
</Set>

login.conf:

xyz {
org.eclipse.jetty.jaas.spi.LdapLoginModule required
   debug="true"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   hostname="host.domain"
   port="389"
   bindDn="CN=xxx,OU=xxx,..."
   bindPassword="xxxx"
   authenticationMethod="simple"
   forceBindingLogin="true"
   userBaseDn="ou=xxxx,..."
   userRdnAttribute="cn"
   userIdAttribute="userPrincipalName"
   userPasswordAttribute="unicodePwd"
   userObjectClass="user"
   roleBaseDn="ou=xxxx,..."
   roleNameAttribute="cn"
   roleMemberAttribute="userPrincipalName"
   roleObjectClass="group";
};

web.xml contains these:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JAAS Role</web-resource-name>
      <url-pattern>/auth.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>*</role-name>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Test JAAS Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/authfail.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>*</role-name>
  </security-role>
  <security-role>
    <role-name>**</role-name>
  </security-role>


Answers (1)

Machman

I think I found the answer, putting it here so others might have use for it.

I was trying to authenticate against an ou. I had set the correct name in the web.xml auth-constraint and security-role but without luck. When I changed the roleBaseDn to a real group and added that to the web.xml it started to work. In many examples that I have found they use an ou in the roleBaseDn; I don't know if it is because of some configuration in our AD or what, but it didn't work for me...

So:

roleBaseDn="cn=group,ou=xxx,..."

and adding the group to web.xml was the answer. :)

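To see why a user can be "found" and still be refused with `!role`, it helps to replay the two searches the login module runs (user lookup under `userBaseDn`, then role lookup under `roleBaseDn`) against a tiny directory and compare the result with the role names `web.xml` demands. The script below is an added example, not code from the question or from Jetty: the filter shapes are an assumption modelled on what `LdapLoginModule` does (as far as I know it searches `roleBaseDn` for entries whose `roleMemberAttribute` holds the DN of the user found in the first step; check the source of your version), and every DN, user, group and the `web.xml` fragment are constructed sample data. It also escapes filter values per RFC 4515, which is the check you want whenever a login name ends up inside an LDAP filter.

```python
"""Offline model of the two LDAP searches a JAAS LDAP login module performs
(user lookup, then role lookup), plus a check of the role names web.xml
requires. Added example, not code from the question or from Jetty; the filter
shapes are an assumption modelled on LdapLoginModule, and every DN, user and
group below is constructed sample data."""
import re
import xml.etree.ElementTree as ET

# RFC 4515 escaping for values interpolated into a filter. Without it a login
# name such as 'x*)(objectClass=*' could change the meaning of the search.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_filter(cfg: dict, username: str) -> str:
    return (f"(&(objectClass={cfg['userObjectClass']})"
            f"({cfg['userIdAttribute']}={escape_filter_value(username)}))")

def role_filter(cfg: dict, user_dn: str) -> str:
    # Assumption: the role search looks for entries under roleBaseDn whose
    # roleMemberAttribute holds the DN of the user found by the first search.
    return (f"(&(objectClass={cfg['roleObjectClass']})"
            f"({cfg['roleMemberAttribute']}={escape_filter_value(user_dn)}))")

# Constructed directory: (dn, attributes). Comparison is case-insensitive,
# which is how AD treats DNs and the attributes used here.
DIRECTORY = [
    ("CN=Jane Doe,OU=People,DC=example,DC=com",
     {"objectClass": ["user"], "cn": ["Jane Doe"],
      "userPrincipalName": ["jane@example.com"]}),
    ("CN=webusers,OU=Groups,DC=example,DC=com",
     {"objectClass": ["group"], "cn": ["webusers"],
      "member": ["CN=Jane Doe,OU=People,DC=example,DC=com"]}),
]

_EQ = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(base_dn: str, ldap_filter: str) -> list:
    """Subtree search that understands the '(&(a=v)(b=v))' filters built above."""
    conds = [(a.lower(), _unescape(v).lower()) for a, v in _EQ.findall(ldap_filter)]
    hits = []
    for dn, attrs in DIRECTORY:
        if not dn.lower().endswith(base_dn.lower()):
            continue  # entry lies outside the search base
        lowered = {k.lower(): [x.lower() for x in vs] for k, vs in attrs.items()}
        if all(val in lowered.get(attr, []) for attr, val in conds):
            hits.append((dn, attrs))
    return hits

def roles_for(cfg: dict, username: str):
    """None when the user is not found (or not unique); otherwise the role names."""
    users = search(cfg["userBaseDn"], user_filter(cfg, username))
    if len(users) != 1:
        return None
    user_dn = users[0][0]
    groups = search(cfg["roleBaseDn"], role_filter(cfg, user_dn))
    return sorted(attrs[cfg["roleNameAttribute"]][0] for _, attrs in groups)

def required_roles(web_xml: str) -> set:
    """Role names listed in <auth-constraint> (namespace-agnostic tag match)."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for ac in root.iter() if ac.tag.endswith("auth-constraint")
            for r in ac if r.tag.endswith("role-name") and r.text}

def check_access(cfg: dict, username: str, web_xml: str):
    """(roles granted by LDAP, required roles the user lacks); any lacking -> !role."""
    granted = roles_for(cfg, username) or []
    return granted, sorted(required_roles(web_xml) - set(granted))

CONFIG = {  # same keys as the login.conf in the question, constructed values
    "userBaseDn": "OU=People,DC=example,DC=com", "userObjectClass": "user",
    "userIdAttribute": "userPrincipalName",
    "roleBaseDn": "OU=Groups,DC=example,DC=com", "roleObjectClass": "group",
    "roleNameAttribute": "cn", "roleMemberAttribute": "member",
}

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/auth.html</url-pattern></web-resource-collection>
    <auth-constraint><role-name>webusers</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>webusers</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    print(check_access(CONFIG, "jane@example.com", WEB_XML))
    # A member attribute the group entries do not carry matches nothing:
    print(check_access({**CONFIG, "roleMemberAttribute": "userPrincipalName"},
                       "jane@example.com", WEB_XML))
```

Run it as-is and the first line shows the user granted `webusers` with nothing missing; the second shows the same user with an empty role list, which is exactly the "Found User?: true" followed by `!role` pattern. Swap in your own base DNs and attribute names to see which step of the lookup goes empty before touching the real server.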