LDAP based user authentication in glassfish

If you're using GlassFish and developing a new web application that needs to authenticate users against an LDAP server, this post walks through how to do it.

For the default file-realm based authentication, the security-constraint in your web.xml looks something like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>build</web-resource-name>
            <url-pattern>*.jsf</url-pattern>
            <url-pattern>/download/*</url-pattern>
            <url-pattern>/resource/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>admin-realm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsf</form-login-page>
            <form-error-page>/loginError.jsf</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>

Now you want to change this so that authentication happens against your LDAP server. You need to do the following:

First, create an LDAP realm in the GlassFish application server, i.e. the domain.xml entries should look something like:

    <auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="myLDAPRealm">
        <property name="directory" value="ldap://myldapserver:portnumber"/>
        <property name="base-dn" value="dc=sun,dc=com"/>
        <property name="jaas-context" value="ldapRealm"/>
    </auth-realm>

Now, in your web.xml, configure your app to use this LDAP realm, i.e. the web.xml entries should look like:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>protected</web-resource-name>
            <url-pattern>*.jsf</url-pattern>
            <url-pattern>/download/*</url-pattern>
            <url-pattern>/resource/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>USER</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myLDAPRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsf</form-login-page>
            <form-error-page>/loginError.jsf</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>USER</role-name>
    </security-role>

Your sun-web.xml, which maps the USER role to the LDAP groups that may hold it, should look something like:

    <security-role-mapping>
        <role-name>USER</role-name>
        <group-name>people</group-name>
        <group-name>Employee Group</group-name>
    </security-role-mapping>

VOILA!
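As an added example (not code from the original post or from GlassFish), the script below evaluates a request against the web.xml security-constraint and the sun-web.xml role-to-group mapping the way the container does, so you can see which requests reach the LDAP realm check at all. It assumes the trimmed, constructed XML fragments embedded below; note that because the constraint lists specific http-methods, a request with an unlisted method such as HEAD comes back as "uncovered", i.e. it is served without any authentication.

```python
import xml.etree.ElementTree as ET
# Constructed fragments mirroring the post's web.xml and sun-web.xml (trimmed).
WEB_XML = """<web-app><security-constraint><web-resource-collection>
 <web-resource-name>protected</web-resource-name>
 <url-pattern>*.jsf</url-pattern><url-pattern>/download/*</url-pattern>
 <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection><auth-constraint><role-name>USER</role-name>
</auth-constraint></security-constraint></web-app>"""
SUN_WEB_XML = """<sun-web-app><security-role-mapping><role-name>USER</role-name>
<group-name>people</group-name><group-name>Employee Group</group-name>
</security-role-mapping></sun-web-app>"""

def parse_constraints(web_xml):
    """Return [(url_patterns, http_methods, role_names)] per security-constraint."""
    out = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        col = sc.find("web-resource-collection")
        patterns = [p.text for p in col.findall("url-pattern")]
        methods = {m.text for m in col.findall("http-method")}  # empty set = all methods
        roles = [r.text for r in sc.iter("role-name")]
        out.append((patterns, methods, roles))
    return out

def parse_role_mapping(sun_web_xml):
    """Return {role_name: set(ldap_groups)} from security-role-mapping elements."""
    mapping = {}
    for m in ET.fromstring(sun_web_xml).iter("security-role-mapping"):
        groups = {g.text for g in m.findall("group-name")}
        mapping.setdefault(m.find("role-name").text, set()).update(groups)
    return mapping

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: extension '*.ext', prefix '/dir/*', else exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def decide(path, method, user_groups, constraints, mapping):
    """'allow'/'deny' when a constraint covers the request, 'uncovered' otherwise."""
    for patterns, methods, roles in constraints:
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if methods and method not in methods:
            continue  # only listed methods are constrained; HEAD/OPTIONS/TRACE slip past
        allowed = set().union(*(mapping.get(r, set()) for r in roles))
        return "allow" if user_groups & allowed else "deny"
    return "uncovered"
```

Pass the LDAP groups the realm returned for the authenticated user as `user_groups`; any "uncovered" result for a path you meant to protect means the constraint needs the missing methods added (or no method list at all, which covers every method).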

About: manveen