users@glassfish.java.net

Re: Glassfish 3.1 LDAP groups not registering?

From: Nithya Subramanian <nithya.subramanian_at_oracle.com>
Date: Mon, 21 Mar 2011 20:49:36 +0530

As Kumar points out, this should have worked by default. Could you also
please attach the web.xml that you have used, along with the stack trace?

Thanks
Nithya
On Monday 21 March 2011 08:36 PM, Kumar.Jayanti wrote:
> On 21/03/11 6:31 PM, forums_at_java.net wrote:
>> hi,
>>
>> I want to port an existing application from WebSphere Application
>> Server 7 to GlassFish. For this to work I need LDAP for security. This
>> application has 20+ groups with different roles in the application.
>>
>> The first step was to create a new security realm: Configurations >
>> server-config > Security > Realms > New
>>
>> domain1.xml content:
>>
>> <auth-realm name="ldapAuth"
>>             classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
>>   <property description="null" name="directory" value="ldap://ldapserver:389"></property>
>>   <property description="null" name="base-dn" value="dc=company"></property>
>>   <property name="jaas-context" value="ldapRealm"></property>
>>   <property name="search-bind-password" value="password"></property>
>>   <property name="search-bind-dn" value="uid=authuser,cn=test,cn=com,dc=company"></property>
>> </auth-realm>
>>
>> This config works, because when I enter a non-existing username or the
>> wrong password I get the right response from the LDAP server. But what
>> doesn't work is the mapping from the LDAP groups to the security roles.
>>
>> Here is a snippet of the WAS7 ibm-application-bnd.xml:
>>
>> <application-bnd
>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>     xmlns="http://websphere.ibm.com/xml/ns/javaee"
>>     xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
>>                         http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
>>     version="1.0">
>>   <security-role name="ADMIN">
>>     <group name="cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY"/>
>>   </security-role>
>>
>> and here is the gallsfish-application.xml:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!DOCTYPE glassfish-application PUBLIC
>>   "-//GlassFish.org//DTD GlassFish Application Server 3.1 Java EE Application 6.0//EN"
>>   "http://glassfish.org/dtds/glassfish-application_6_0-1.dtd">
>> <glassfish-application>
>>   <security-role-mapping>
>>     <role-name>ADMIN</role-name>
>>     <group-name>cn=ADMIN,cn=app1,cn=appgroups,cn=groups,dc=COMPANY</group-name>
>>   </security-role-mapping>
>> </glassfish-application>
>>
>> When I try to log in with a user who has this ADMIN group I always get
>> a 403 permission denied, but with no further message.
>>
>> I also changed the <group-name> to just ADMIN, because I thought that
>> the other cn and dc information was distracting GlassFish. But this
>> also is not working.
>>
>> In the web.xml I haven't changed anything, since the app is working
>> fine on the WAS7.
>>
>> I also added <property name="group-target" value="ibm-allgroups"></property>
>> to the domain.xml, but with this I get a NullPointerException:
>>
>> WARNING: SEC1106: Error during LDAP search with filter
>> [uniquemember=uid=admin1,o=company,c=com,dc=company].
>> WARNING: SEC1000: Caught exception.
>> java.lang.NullPointerException
>>   at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
>>   at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
>>   at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
>>
>> So my problem is that the LDAP response somehow does not contain the
>> group information of the logged-in user, or maybe the mapping is wrong
>> in the config? If anyone has a good idea what I may have done wrong,
>> please give me a hint ;)
>>
>>
> We are sorry to hear it is not working. From the description it seems
> like it should have worked. Are you using the GF 3.1 release build?
>
> Can you add <property name="group-search-filter" value="cn=%s"></property>
> in addition to group-target.
>
> It appears the current group search filter that it is showing in the
> logs above, [uniquemember=uid=admin1,o=company,c=com,dc=company],
> is incorrect for your LDAP settings.
>
> Also send me the full stack trace of the NPE that you mention above,
> so we can fix the NPE issue on our trunk and do something more
> meaningful instead of an NPE.
>
> Another data point would be to try explicit role to principal mapping
> in glassfish-application.xml and see if that works. That will validate
> that the LDAP setup is otherwise fine.
>
> When you wrote gallsfish-application.xml there is a spelling mistake
> there; I hope the physical file is named correctly, otherwise your
> mappings (role to group) would be ignored.
>
> regards,
> kumar
>>
>> --
>>
>> [Message sent by forum member 'mike_ko']
>>
>> View Post: http://forums.java.net/node/783668
>>
>>
>
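Editor's added example (not from the thread, and not GlassFish's own documentation): a realm definition that spells out the group-search properties the LDAPRealm uses, together with the matching glassfish-application.xml role mapping and the web.xml login-config that selects the realm. The filter in the SEC1106 warning above, [uniquemember=uid=admin1,o=company,c=com,dc=company], is GlassFish's default group-search-filter, uniquemember=%d, with %d replaced by the authenticated user's DN (%s, by contrast, is replaced by the bare login name and is what the default search-filter uid=%s uses). The group name handed to the role mapper is the value of the group-target attribute (cn by default) on each group entry that matches, so the mapping in glassfish-application.xml must use the bare cn value, not the group's full DN. Everything below that is not in the original post is an assumption: the group-base-dn, the member attribute used by the directory's group entries, the password alias name, and the auth-method.

```xml
<!-- domain.xml: LDAP realm with the group search made explicit.
     Added example; host name, DNs and the alias name are placeholders. -->
<auth-realm name="ldapAuth"
            classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
  <property name="jaas-context" value="ldapRealm"/>
  <property name="directory" value="ldap://ldapserver:389"/>

  <!-- user lookup: search-filter is applied under base-dn, %s = login name -->
  <property name="base-dn" value="dc=company"/>
  <property name="search-filter" value="uid=%s"/>

  <!-- group lookup: group-search-filter is applied under group-base-dn,
       %d = full DN of the user found above. group-base-dn is an assumption
       taken from the tail of the poster's group DN; it defaults to base-dn. -->
  <property name="group-base-dn" value="cn=groups,dc=COMPANY"/>
  <!-- uniquemember=%d is the GlassFish default (groupOfUniqueNames). Use
       member=%d for groupOfNames directories (assumption: which one applies). -->
  <property name="group-search-filter" value="uniquemember=%d"/>
  <!-- the value of this attribute on each matching group entry becomes the
       group name seen by security-role-mapping, i.e. "ADMIN", not the DN -->
  <property name="group-target" value="cn"/>

  <!-- bind credentials for the search. The alias keeps the cleartext password
       out of domain.xml; create it with
         asadmin create-password-alias ldap-bind-password
       (alias name is an assumption) -->
  <property name="search-bind-dn" value="uid=authuser,cn=test,cn=com,dc=company"/>
  <property name="search-bind-password" value="${ALIAS=ldap-bind-password}"/>
</auth-realm>

<!-- glassfish-application.xml: map the Java EE role to the group name exactly
     as the realm reports it (the cn value), one group-name per LDAP group -->
<glassfish-application>
  <security-role-mapping>
    <role-name>ADMIN</role-name>
    <group-name>ADMIN</group-name>
  </security-role-mapping>
</glassfish-application>

<!-- web.xml: the application must actually authenticate against this realm.
     If realm-name is omitted the server's default realm (normally "file") is
     used, and an LDAP user then never gets any groups. auth-method is an
     assumption; BASIC or FORM both honour realm-name. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ldapAuth</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

Two checks worth doing before touching the application: run the group search by hand with the bind account, e.g. an ldapsearch under cn=groups,dc=COMPANY with filter (uniquemember=<user DN>) and attribute cn, and confirm it returns ADMIN; then, as Kumar suggests, temporarily map the role to a principal-name instead of a group-name to prove that authentication itself is fine and only the group lookup is failing. A 403 with no further message is the expected outcome whenever the user authenticates but arrives with an empty group list.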