java - Jetty - JAAS and Active Directory - Authentication Only?


I'm working on a simple Java application that needs to be secured by username and password. I have to use Active Directory for authentication. I can allow all authenticated users to access it; I do not need any kind of group/role checking to determine what users may or may not see. I'm using Jetty to run the application.

I've been trying for quite some time to implement the LDAP login module with Jetty. Every time I submit the login form, I get a 403 error with the "!role" message:

    HTTP ERROR 403

    Problem accessing /jaas/. Reason:

        !role

Jetty standard output when I submit the login form:

    2013-07-18 19:28:47.035:INFO:oejpjs.LdapLoginModule:Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: dc=mydomain,dc=test,dc=local
    2013-07-18 19:28:47.041:INFO:oejpjs.LdapLoginModule:Found user?: true
    2013-07-18 19:28:47.042:INFO:oejpjs.LdapLoginModule:Attempting authentication: cn=user name,ou=admin_home,dc=mydomain,dc=test,dc=local

Jetty log file when I submit the login form (the username I entered appears in the log, so that part of the authentication seems to work):

    0:0:0:0:0:0:0:1 -  -  [18/Jul/2013:17:28:38 +0000] "GET /jaas/ HTTP/1.1" 302 0
    0:0:0:0:0:0:0:1 -  -  [18/Jul/2013:17:28:38 +0000] "GET /jaas/login.html HTTP/1.1" 304 0
    0:0:0:0:0:0:0:1 -  -  [18/Jul/2013:17:28:47 +0000] "POST /jaas/j_security_check HTTP/1.1" 302 0
    0:0:0:0:0:0:0:1 - username [18/Jul/2013:17:28:47 +0000] "GET /jaas/ HTTP/1.1" 403 1362

Extract of web.xml with the security-constraint and security-role elements declared:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>*</role-name>
    </security-role>
    <security-role>
        <role-name>domain users</role-name>
    </security-role>
    <security-role>
        <role-name>mylocalgroup</role-name>
    </security-role>

LDAP login module configuration file (ldaploginmodule.conf):

    myloginmodule {
        org.eclipse.jetty.plus.jaas.spi.LdapLoginModule required
        debug="true"
        debugNative="true"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        hostname="ldapserver"
        port="389"
        bindDn="cn=administrator,cn=users,dc=mydomain,dc=test,dc=local"
        bindPassword="secret"
        directGroupExtraction="true"
        userGroupAttribute="cn"
        allRolesMode="authOnly"
        userFilter="(objectClass=organizationalPerson)"
        authenticationMethod="simple"
        forceBindingLogin="true"
        userBaseDn="dc=mydomain,dc=test,dc=local"
        userRdnAttribute="cn"
        userIdAttribute="sAMAccountName"
        userPasswordAttribute="unicodePwd"
        userObjectClass="user"
        roleSearch="(member={0})"
        roleName="cn"
        roleSubtree="true"
        roleBaseDn="cn=users,dc=mydomain,dc=test,dc=local";
    };

Jetty realm configuration (my-jaas.xml):

    <Configure id="Server" class="org.eclipse.jetty.server.Server">
        <!-- JAAS test -->
        <Call name="addBean">
            <Arg>
                <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
                    <Set name="name">Test JAAS Realm</Set>
                    <Set name="loginModuleName">myloginmodule</Set>
                    <Set name="roleClassNames">
                        <Array type="java.lang.String">
                            <Item>org.eclipse.jetty.plus.jaas.JAASRole</Item>
                        </Array>
                    </Set>
                </New>
            </Arg>
        </Call>
    </Configure>

Finally, the Jetty startup command:

    java -Xdebug -Djava.naming.referral=follow -Djava.security.auth.login.config=etc/ldaploginmodule.conf -jar start.jar etc/my-jaas.xml

I checked the Windows security event log and I see a successful audit entry for the logon of the user provided in the login form.

The thing is, I don't need roles. I just want to perform authentication and allow all authenticated users to access the application.

Any idea how to have authentication only and avoid roles? I'm thinking of overriding the LdapLoginModule class and forcing a 'dummy' role that I would declare in web.xml. I'm not sure if that is the right way to do it.

Your authentication is successful.

Since you want to allow all authenticated users to access everything, you still need to protect the URL pattern /* as you are doing. You can use RegExpAuthorizationFilter (see https://wiki.apache.org/solr/SolrSecurity). Now, they don't include that class in the regular distribution. I found the code here (https://issues.apache.org/jira/secure/attachment/12572819/SOLR-4470_branch_4x_r1454444.patch) and compiled it easily.

When you configure the filter, specify one arbitrary (non-existent, e.g. /abcde) URL pattern for a role. The way it works is that it checks whether the URL being requested matches the pattern. Since it doesn't, it moves forward. There are no more rules, and access is allowed.

So this requires authentication for all URLs, and all valid URLs are accessible after successful authentication.

My setup is in the context of Solr running on Jetty. However, I think the configuration is tied to standard stuff such as web.xml.
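The mechanism the answer describes (a filter that maps URL regexes to required roles, where a request matching no rule is let through) can be written in a few lines as a plain servlet Filter. The class below is an added example, not the Solr RegExpAuthorizationFilter from the linked patch and not code from either post; the class name and the "rules" init-param name are hypothetical, and it assumes the javax.servlet API that Jetty 8 and 9 ship. It also makes explicit the check the answer leaves to the container: a request with no user principal is refused before any rule is consulted, so the filter stays safe even if the /* security-constraint is later loosened. The reason the original web.xml yields "!role" is that, per the Servlet specification, `*` in an auth-constraint means "any of the roles declared in web.xml", so a principal that carries none of them is authenticated but not authorized.

```java
// Added example (hypothetical class and init-param names; not the project's code).
// Assumes the javax.servlet API used by Jetty 8/9.
package example;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AuthenticatedOnlyFilter implements Filter {

    /** One rule: requests whose path matches {@code pattern} require {@code role}. */
    static final class Rule {
        final Pattern pattern;
        final String role;
        Rule(Pattern pattern, String role) { this.pattern = pattern; this.role = role; }
    }

    private final List<Rule> rules = new ArrayList<>();

    /**
     * Init-param "rules" (hypothetical name) holds comma-separated entries of the
     * form regex=role. For authentication-only, configure a single entry whose
     * path never exists, e.g. "^/abcde$=nobody", which is the trick the answer uses.
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("rules");
        if (raw == null) return;                         // no rules: any authenticated user passes
        for (String entry : raw.split(",")) {
            String[] parts = entry.trim().split("=", 2);
            if (parts.length != 2) throw new ServletException("bad rule: " + entry);
            rules.add(new Rule(Pattern.compile(parts[0].trim()), parts[1].trim()));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Defence in depth: the /* security-constraint should already have forced a
        // login, but do not rely on it; an unauthenticated request is rejected here too.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Match the request path only; getRequestURI() excludes the query string,
        // so "?x=/abcde" cannot influence which rule is selected.
        String path = request.getRequestURI();
        for (Rule rule : rules) {
            if (rule.pattern.matcher(path).matches()) {  // full-path match, not find()
                if (request.isUserInRole(rule.role)) {
                    chain.doFilter(req, resp);
                } else {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                }
                return;                                  // first matching rule decides
            }
        }
        // No rule matched: any authenticated user may proceed.
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { rules.clear(); }
}
```

Register it in web.xml with a `<filter>` element carrying the `rules` init-param and a `<filter-mapping>` on `/*`, and keep the `/*` security-constraint so the container performs the login. If the deployment can move to a Servlet 3.1 container (Jetty 9.1 or later), the role name `**` in an auth-constraint means "any authenticated user" and removes the need for the dummy rule altogether.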

