Glassfish OpenDS integration
By treydrake on Jan 26, 2007
To get started, you'll first need to install an OpenDS instance. Installation is made quick and easy via the "Quick Setup" Web Start installer and step-by-step instructions. During the installation process note the installation path, LDAP listener port, administrative User DN/password and the Directory Base DN as you'll need these properties to configure the Glassfish realm.
Next, load sample users and groups into OpenDS. The sample data is provided in LDIF format as it is the quickest and easiest method to import data into OpenDS. For test purposes I defined a single group, "webappgroup", with 1 member "treydrake". An additional user "noaccess" is defined to verify the solution works. Note that the web.xml, defined at the bottom of the page, grants access only to members of the group "webappgroup".
# add group dn: ou=Groups,dc=example,dc=com changetype: add ou: Groups description: Group ou objectClass: top objectClass: organizationalUnit # add people ou dn: ou=People,dc=example,dc=com changetype: add ou: People description: People objectClass: top objectClass: organizationalUnit # add an authorized user (belongs to the group webappgroup) dn: uid=treydrake,ou=People,dc=example,dc=com changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: treydrake cn: Trey Drake sn: Drake givenName: Trey userPassword: password # unauthorized user dn: uid=noaccess,ou=People,dc=example,dc=com changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: noaccess cn: No Access sn: access givenName: no userPassword: noaccess # add user to the webapp group dn: cn=webappgroup,ou=Groups,dc=example,dc=com changetype: add objectClass: top objectClass: groupOfUniqueNames uniqueMember: uid=treydrake,ou=People,dc=example,dc=com cn: webappgroup
Use the ldapmodify tool included in the OpenDS install to import the LDIF file as shown below. In the following examples I assume OpenDS is installed locally, the port is 1389, and the administrative user/password is the default "Directory Manager"/"password". If you customized the install and/or need to use more advanced options type "ldapmodify -H" to get complete usage info. For example:
Use ldapsearch to verify that the new user 'treydrake' can successfully authenticate to OpenDS and that the user is a member of the webappgroup. For example:
Next, add an OpenDS realm to the Glassfish application server via the Glassfish console. Login to the console; e.g., http://localhost:4848 and navigate to Configuration -> Security -> Realms and click the "New" button. See the screen shot below for property settings:
- directory - LDAP URL to the OpenDS instance; e.g., ldap://localhost:1389
- base-dn - Base Distinguished Name (DN) for the location of user data, which can be at any level above the user data, since a tree scope search is performed. The smaller the search tree, the better the performance.
- jaas-context - Must be "ldapRealm".
- search-filter - Search filter to use to find the user. The default value is uid=%s (%s expands to the subject name).
- group-base-dn - Base DN for the location of group data. Same as the base-dn but it can be tuned if necessary.
- group-search-filter - Search filter to find group memberships for the user. Defaults to uniquemember=%d (%d expands to the user element DN).
- group-target - LDAP attribute name that contains group name entries. Defaults to CN.
- search-bind-dn - Optional DN used to authenticate to the directory for performing the search-filter lookup. Only required for directories that do not allow anonymous search.
- search-bind-password - LDAP password for the DN given in search-bind-dn.
Next, configure the web.xml and sun-web.xml descriptors to authenticate using the OpenDS realm by adding the security-constraint and login-config elements to your application's web.xml file and the role <-> group mapping in sun-web.xml. See samples below: web.xml
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xsi="http://www.w3.org/2001/XMLSchema-instance" schemalocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> <welcome-file-list> <welcome-file>Index.jsp</welcome-file> </welcome-file-list> <!-- grant access to all users that possess the role 'secure' and deny all others --> <security-constraint> <web-resource-collection> <web-resource-name>opendsauthtest</web-resource-name> <url-pattern>/\*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>secure</role-name> </auth-constraint> </security-constraint> <!-- declare the app uses FORM based authentication using your newly created OpenDS realm --> <login-config> <auth-method>FORM</auth-method> <realm-name>OpenDS</realm-name> <form-login-config> <form-login-page>/WEB-INF/jsp/Login.jsp</form-login-page> <form-error-page>/WEB-INF/jsp/LoginError.jsp</form-error-page> </form-login-config> </login-config> </web-app>
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd"> <sun-web-app> <security-role-mapping> <role-name>secure</role-name> <group-name>webappgroup</group-name> </security-role-mapping> </sun-web-app>
Finally, deploy your application and attempt to login using the username "treydrake" and password "password". Authenticating as "noaccess", or any other user for that matter, should fail. For convenience sake, I've uploaded a web application that's configured using the above instructions. Good luck.