hi,
i want to port a existing application from websphere application server 7
to glassfish. for this to work i need ldap for security. this application
hast 20+ groups with diffrent rolles in the application.
the first step was to create a new security realm. Configurations >
server-config > Security > Realms > new
domain1.xml content:
<auth-realm name="ldapAuth"
classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
<property description="null" name="directory"
value="ldap://ldapserver:389"></property> <property
description="null" name="base-dn" value="dc=company"></property>
<property name="jaas-context"
value="ldapRealm"></property> <property
name="search-bind-password" value="password"></property>
<property name="search-bind-dn"
value="uid=authuser,cn=test,cn=com,dc=company"></property>
</auth-realm>
this config works because when i enter a non existing username or the wrong
password i get the right response from the ldap server. but what doessent
work is the mapping from the ldap groups to the security roles.
here is a snipped of the was7 ibm-application-bnd.xml:
<application-bnd xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xmlns="
http://websphere.ibm.com/xml/ns/javaee"
xsi:schemaLocation="
http://websphere.ibm.com/xml/ns/javaee
http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
version="1.0"> <security-role name="ADMIN"> <group
name="cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY"/>
</security-role>
and here is the gallsfish-application.xml:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE glassfish-application PUBLIC
"-//GlassFish.org//DTD GlassFish Application Server 3.1 Java EE Application
6.0//EN" "
http://glassfish.org/dtds/glassfish-application_6_0-1.dtd">
<glassfish-application> <security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY</group-name>
</security-role-mapping>
when i try to login with a user who has this ADMIN group i always get a 403
permission denied. but with no further message.
i also changed the <group-name> to just ADMIN. because i thought that the
other cn and dc information is distracting glassfish. but this also i not
working.
in the web.xml i havent changed anything since the app is working fine on the
WAS7.
i also added <property name="group-target" value="ibm-allgroups"></property>
to the domain.xml but with this i get a nullpointer exception:
WARNUNG: SEC1106: Error during LDAP search with filter
[uniquemember=uid=admin1,o=company,c=com,dc=company]. WARNUNG: SEC1000:
Caught exception. java.lang.NullPointerException at
com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
at
com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
at
com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
so my problem is that the ldap response does somehow not contain the group
information of the logged in user, or maybe the mapping is wrong in the
config? if anyone has a good idea what i may have done wrong, please give me
a hint ;)
--
[Message sent by forum member 'mike_ko']
View Post: http://forums.java.net/node/783667