How to configure the roles in my tomcat application to work with JNDI(WIN AUTH)

Posted by Itay Levin on Stack Overflow See other posts from Stack Overflow or by Itay Levin
Published on 2010-05-11T12:28:33Z Indexed on 2010/05/11 12:34 UTC

Hi,

I'm trying to change the authentication mode of my application from JDBC-REALM to JNDI-REALM.

I configured the following section inside the server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://****:389/DC=onsetinc,DC=com??sAMAccountName?sub?(objectClass=*)"
       connectionName="[email protected]"
       connectionPassword="password"
       userBase="CN=Users"
       referrals="follow"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="CN=Users"
       roleName="name"
       roleSubtree="true"
       roleSearch="(member={1})"/>

I have also configured the web.xml under my app folder to contain the following:

<security-role>
  <role-name>Admin</role-name>
</security-role>
<security-role>
  <role-name>WaterlooUsers</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tube</web-resource-name>
    <url-pattern>/ComposeMessage.jsp</url-pattern>
    <url-pattern>/PageStatus.jsp</url-pattern>
    <url-pattern>/UserStatus.jsp</url-pattern>
    <url-pattern>/SearchEC.jsp</url-pattern>
    <url-pattern>/SearchEC2.jsp</url-pattern>
    <url-pattern>/SearchMessageStatisticsEC.jsp</url-pattern>
    <url-pattern>/SearchMessageStatus.jsp</url-pattern>
    <url-pattern>/SearchMessageStatisticsPager.jsp</url-pattern>
    <url-pattern>/SearchPageStatus.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>WaterlooUsers</role-name>
  </auth-constraint>
</security-constraint>

In my Active Directory I have created a new group called WaterlooUsers. Its distinguished name is:

distinguishedName: CN=WaterlooUsers,CN=Users,DC=onsetinc,DC=com

It has a member property which contains the following user (which is my user):

member: CN=Itay Levin,CN=Users,DC=onsetinc,DC=com

My record in Active Directory looks like this:

sAMAccountName: itayL
distinguishedName: CN=Itay Levin,CN=Users,DC=onsetinc,DC=com
memberOf: CN=WaterlooUsers,CN=Users,DC=onsetinc,DC=com

When I get the popup for user/password, I enter the username "ItayL" in the authentication message box (and my password).

I have 2 questions:

  1. How do I correctly configure the role parameters in the Realm section of server.xml so that I can both authenticate and authorize this group of users (WaterlooUsers) and also assign them to the appropriate role, so that they can see all the relevant pages on my website? Currently it seems that all the users in my domain are authenticated to the site but get an HTTP 403 error and can't access any of the pages in the site.

  2. I also want to be able to create 2 different sets of roles in my site, which can both have access to the same pages but will see different things on the page (for instance, adding some administrative abilities for the admin).

Hope it was clear enough and not too long. Thanks in advance, Itay
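The question above walks through the two searches a JNDIRealm performs (find the user entry, then find the groups whose member attribute holds that user's DN) and the container's role check against the auth-constraint. The following is an added example, not code from the question or from Tomcat: a small offline model of that pipeline, run over a constructed snapshot of the directory entries quoted in the question. It assumes userBase and roleBase are full DNs, that AD compares sAMAccountName and DN values case-insensitively, and that Tomcat compares the realm's role names to the web.xml role-name values as exact strings.

```python
import re

# Constructed snapshot of the AD entries quoted in the question: DN -> attributes.
DIRECTORY = {
    "CN=Itay Levin,CN=Users,DC=onsetinc,DC=com": {
        "sAMAccountName": ["itayL"],
        "memberOf": ["CN=WaterlooUsers,CN=Users,DC=onsetinc,DC=com"],
    },
    "CN=WaterlooUsers,CN=Users,DC=onsetinc,DC=com": {
        "name": ["WaterlooUsers"],
        "member": ["CN=Itay Levin,CN=Users,DC=onsetinc,DC=com"],
    },
}

# Mirrors the question's <Realm> attributes; userBase/roleBase are assumed here to be full DNs.
REALM = {
    "userBase": "CN=Users,DC=onsetinc,DC=com", "userSearch": "(sAMAccountName={0})",
    "roleBase": "CN=Users,DC=onsetinc,DC=com", "roleSearch": "(member={1})",
    "roleName": "name",
}

def _matches(attrs, filt):
    """Evaluate one equality filter '(attr=value)'. AD compares sAMAccountName and DN values
    case-insensitively, which is why logging in as 'ItayL' finds the 'itayL' account."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))

def _search(base, filt):
    """Subtree search (userSubtree/roleSubtree="true"): entries under base that match the filter."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and _matches(attrs, filt)]

def realm_roles(username):
    """Role names the realm would attach to the login, or None if no user entry is found.
    Step 1: userSearch with {0} = login name. Step 2: roleSearch with {1} = user DN."""
    users = _search(REALM["userBase"], REALM["userSearch"].replace("{0}", username))
    if len(users) != 1:
        return None
    filt = REALM["roleSearch"].replace("{0}", username).replace("{1}", users[0])
    return [r for dn in _search(REALM["roleBase"], filt)
            for r in DIRECTORY[dn].get(REALM["roleName"], [])]

def authorize(username, auth_constraint_roles):
    """Status for a page guarded by <auth-constraint>: 401 (challenge) when the user is not
    found, 403 when none of the realm's roles exactly matches a <role-name>, else 200."""
    roles = realm_roles(username)
    if roles is None:
        return 401
    return 200 if any(r in auth_constraint_roles for r in roles) else 403
```

Running the same check with a web.xml role-name that differs only in case ("waterloousers") yields 403 even though the login succeeds, which is the authenticated-but-forbidden symptom described in the question.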
