users@glassfish.java.net

Re: LDAP Authentication

From: <glassfish_at_javadesktop.org>
Date: Thu, 01 May 2008 10:32:26 PDT

> Hi Ron,
>
> Thanks for the reply. Yes, I want to protect the
> web pages under /ldap/*. In that case, what should
> the url-pattern be? This works under Sun App Server
> 7.

You don't include the context root in the url-patterns used
to define security-constraints. It sounds like you want to
protect everything under the context-root "/ldap". If so, you could
use the url-pattern "/*" in your security constraint.

> Also, can I omit the group and role? I just want to
> allow any employee to authenticate when they access
> the page. I read the document you provided, but I
> don't really know what group to use at the moment.

You need to define a permitted role in the auth-constraint, and you need
to map the established authentication id/principals to a permitted role.

I'll try to describe what I think is the simplest way
for you to set things up to do (what I think) you want:

1. Change the url-pattern in your web.xml as described above (i.e., use the
pattern "/*").
-------
2a. Assuming that you want to grant access to principals in the "Users" role, modify the principal-2-role mapping (in sun-web.xml) such that the group "Users" is mapped to the role "Users".
-- or alternatively ---
2b. Remove all of the principal-2-role mapping elements from your sun-web.xml and access the admin console via your browser (e.g. http://localhost:4848), navigate to Configurations, open the Security screen, click the enable box next to Default Principal to Role Mapping, and push the save button.
--------

3. Access the admin console via your browser, navigate to Configurations -> Security -> Realms -> ldap, add the group "Users" to the "Assign Groups" field, and push the save button.

4. Restart the appserver and redeploy your app.

As a result of the change in step 3, the realm will add the "Users" group principal to every user who successfully authenticates (in addition to their caller principal).

Either of steps 2a or 2b will ensure that any user who has been assigned the group principal "Users" will be mapped to the role "Users".

> Another way without dealing with group and role, I
> can use the JAAS Authentication, but it requires
> writing some code.
>

I don't think you need to do this, as I don't think it will provide you with
any utility assuming you want the container to enforce your authorization
constraints.

If you want to move the access checking into your app, or
create a new type of "realm", then you might get some benefit,
but it doesn't sound to me like you need to do either of these things.

Ron

> Thanks!
>
> Regards,
>
> Johnny
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=272414
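The web.xml and sun-web.xml fragments below put steps 1 and 2a into concrete form. They are an added illustration, not part of the original thread; the BASIC auth-method, the realm-name "ldap", and the CONFIDENTIAL transport guarantee are assumptions added here, and the role/group name "Users" and context root "/ldap" are taken from the thread.

```xml
<!-- web.xml (fragment, assumed layout): protect everything under the context root -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <!-- Patterns are relative to the context root, so "/*" covers /ldap/* -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only callers mapped to the "Users" role are allowed -->
      <role-name>Users</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Added here: BASIC sends credentials base64-encoded, so require HTTPS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <!-- Assumed: BASIC auth against the realm configured in the admin console -->
    <auth-method>BASIC</auth-method>
    <realm-name>ldap</realm-name>
  </login-config>

  <!-- Declares the role referenced in the auth-constraint -->
  <security-role>
    <role-name>Users</role-name>
  </security-role>
</web-app>

<!-- sun-web.xml (fragment, step 2a): map the "Users" group assigned by the realm
     to the "Users" role used in web.xml -->
<sun-web-app>
  <context-root>/ldap</context-root>
  <security-role-mapping>
    <role-name>Users</role-name>
    <group-name>Users</group-name>
  </security-role-mapping>
</sun-web-app>
```

With step 2b (Default Principal to Role Mapping enabled) the security-role-mapping element is dropped and the group name is matched to the role name automatically.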