users@glassfish.java.net

Converting LDAP from Tomcat to Glassfish

From: <glassfish_at_javadesktop.org>
Date: Mon, 10 May 2010 19:24:58 PDT

Hi,
I have a simple web-app that is developed in NetBeans (6.8) and works fine in Tomcat (6) using LDAP (Active Directory).

I need to convert this to an EE (JSF2), so I am moving from Tomcat to GlassFish(v3).

I have changed the web files to xhtml and configured the xml files. However, I cannot get the GlassFish LDAP configuration to authenticate.

I am attaching my old web.xml and server.xml (from Tomcat) snippets and the portions of the new web.xml, sun-web.xml, and the GlassFish configuration.

If anyone can help me figure out where I am missing the piece that will allow a user to be authenticated, I would appreciate it. (btw, I am not using roles, just authenticating against the LDAP db is good enough.)

As it is right now, my app will prompt me to enter a user when I try to access a file in the 'protected' area and the GlassFish server throws an exception when it fails to authenticate. Because it works under Tomcat, I know I have the right information, I just don't know how to format it to get GlassFish to pass it along.

Thanks.

TOMCAT FILES:
- Tomcat server.xml:
[code] <Realm className="org.apache.catalina.realm.JNDIRealm"
             debug="99"
             connectionURL="ldap://xxxx.xxxxxx.xxx:389/"
             connectionName="cn=xxxxxxxx,ou=Administrators,ou=Information Technology,ou=ITTS,ou=Administrative,ou=xxx,dc=xxxxxx,dc=xxx"
             connectionPassword="xxxxxxxx"
             authentication="simple"
             userBase="ou=xxx,dc=xxxxxx,dc=xxx"
             userSubtree="true"
             userSearch="sAMAccountName={0}"
      />
[/code]
- web.xml:
[code] <security-constraint>
  
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <description>Authentication Required</description>
      <url-pattern>/faces/protected/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>

  </security-constraint>
  
  <security-role>
    <role-name>*</role-name>
  </security-role>
  
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Please enter your user name and password:</realm-name>
  </login-config>
[/code]

GLASSFISH FILES:
(I enabled the Security Manager on the Security panel, set the Default Realm to 'LDAPRealm', and added "-Djava.naming.referral=follow" JVM options.)
- domain.xml:
[code] <auth-realm name="certificate" classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" />
        <auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="LdapRealm">
          <property description="()" name="search-bind-password" value="xxxxxxxx" />
          <property description="()" name="search-bind-dn" value="cn=xxxxxxxx,ou=Administrators,ou=Information Technology,ou=ITTS,ou=Administrative,ou=xxx,dc=xxxxxx,dc=xxx" />
          <property name="jaas-context" value="ldapRealm" />
          <property name="base-dn" value="ou=xxx,dc=xxxxxx,dc=xxx" />
          <property name="directory" value="ldap://xxxx.xxxxxx.xxx:389" />
          <property name="search-filter" value="(&amp;(objectClass=user)(sAMAccountName=%s))" />
        </auth-realm>
[/code]
- web.xml:
[code] <security-constraint>
    <display-name>protected</display-name>

    <web-resource-collection>
      <web-resource-name>ProtectedArea</web-resource-name>
      <description/>
      <url-pattern>/faces/protected/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <description/>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <description/>
    <role-name>*r</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>LDAPRealm</realm-name>
    <form-login-config>
      <form-login-page>/faces/login.xhtml</form-login-page>
      <form-error-page>/faces/loginError.xhtml</form-error-page>
    </form-login-config>
  </login-config>
[/code]
- sun-web.xml:
[code] <security-role-mapping>
    <role-name>*</role-name>
    <group-name>*</group-name>
  </security-role-mapping>
[/code]

Here is the exception that it throws:
[code]SEVERE: SEC1113: Exception in LdapRealm when trying to authenticate user.
javax.security.auth.login.LoginException: javax.security.auth.login.LoginException: User yyyyyyy not found.
        at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:450)[/code]
[Message sent by forum member 'jontucich']

http://forums.java.net/jive/thread.jspa?messageID=469304
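Added example in Python (not from the post or from GlassFish's own code): it parses a constructed copy of the domain.xml snippet above, checks the web.xml realm-name against the auth-realm names actually defined, and builds the search filter a realm would send once the login name is substituted for %s, escaping the name per RFC 4515 so it is matched as a literal value. The realm-name comparison is a plain case-sensitive string check, an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the poster's domain.xml snippet (placeholders kept).
DOMAIN_XML = """<security-service>
  <auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="LdapRealm">
    <property name="jaas-context" value="ldapRealm"/>
    <property name="base-dn" value="ou=xxx,dc=xxxxxx,dc=xxx"/>
    <property name="directory" value="ldap://xxxx.xxxxxx.xxx:389"/>
    <property name="search-filter" value="(&amp;(objectClass=user)(sAMAccountName=%s))"/>
  </auth-realm>
</security-service>"""

WEB_XML_REALM_NAME = "LDAPRealm"  # <realm-name> from the poster's web.xml

# RFC 4515 section 3: metacharacters in an assertion value are hex-escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is searched as a literal attribute value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def realm_names(domain_xml: str) -> list:
    """All <auth-realm name="..."> values in the security-service."""
    return [r.get("name") for r in ET.fromstring(domain_xml).iter("auth-realm")]


def realm_properties(domain_xml: str, realm_name: str) -> dict:
    """Property map of the named <auth-realm>, or {} if no such realm."""
    for realm in ET.fromstring(domain_xml).iter("auth-realm"):
        if realm.get("name") == realm_name:
            return {p.get("name"): p.get("value") for p in realm.findall("property")}
    return {}


def effective_search_filter(props: dict, login_name: str) -> str:
    """Filter sent after the escaped login name replaces %s (default uid=%s)."""
    template = props.get("search-filter", "uid=%s")
    return template.replace("%s", escape_filter_value(login_name))


if __name__ == "__main__":
    names = realm_names(DOMAIN_XML)
    if WEB_XML_REALM_NAME not in names:
        print(f"web.xml realm-name {WEB_XML_REALM_NAME!r} matches none of {names}")
    props = realm_properties(DOMAIN_XML, "LdapRealm")
    print("search base:", props["base-dn"])
    print("filter:", effective_search_filter(props, "yyyyyyy"))
```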