geronimo-user mailing list archives

From "Wolff, Dave" <DavidWo...@letu.edu>
Subject RE: Problems configuring a web-app to use an LDAP realm
Date Wed, 23 Aug 2006 19:21:08 GMT
I found my problem.  After digging through the LDAPLoginModule code I
realized that setting the roleUserMatching value to null is not allowed
with the current LDAPLoginModule.   I had been setting the
roleUserMatching parameter to null because we do not place user members
under our group structure but instead store group memberships under each
user's entry (using a memberOf attribute).  To get the LDAP realm
working I had to enter a bogus value in the roleUserMatching parameter
and now things work like a charm.
 
Is there any way the getRoles(context, dn, username, roles) call on line
253 could be made optional just as the list.add(userRoleName) on line
215 is optional?  Also it would be very helpful if NamingExceptions
under the authenticate method would either be logged or passed up to the
top layer so users can see what the actual problem is with their LDAP
config if it should fail in that method.
 
Thanks!
Dave Wolff
 
My latest LDAP deployment descriptor is as follows and seems to work
like a charm:
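<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.1">

 <environment>
  <moduleId>
   <groupId>letu</groupId>
   <artifactId>letnet-realm</artifactId>
   <version>1.0</version>
  </moduleId>
  <dependencies>
   <dependency>
    <groupId>geronimo</groupId>
    <artifactId>geronimo-management</artifactId>
    <version>1.1</version>
    <type>jar</type>
   </dependency>
   <dependency>
    <groupId>geronimo</groupId>
    <artifactId>j2ee-security</artifactId>
    <version>1.1</version>
    <type>car</type>
   </dependency>
  </dependencies>
 </environment>

 <!-- LDAP login module. In the posted copy the loginModuleClass value was
      split across two lines by mail wrapping; it must be one unbroken
      class name or the module will not load. -->
 <gbean name="letnet-login"
        class="org.apache.geronimo.security.jaas.LoginModuleGBean">
  <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
  <attribute name="serverSide">true</attribute>
  <!-- connectionUsername and connectionPassword are empty, so the user and
       role searches run as an anonymous bind. connectionProtocol is also
       empty and the URL is plain ldap:// on 389, so the simple bind that
       carries the user's submitted password crosses the network unencrypted
       (the author's own packet capture could read the exchange). Consider
       ldaps:// or, if connectionProtocol maps to java.naming.security.protocol
       as its name suggests, connectionProtocol=ssl. Any bind credential added
       here is stored in clear text in this plan.
       userSearchMatching substitutes the submitted username into an LDAP
       filter at {0}; whether LDAPLoginModule escapes filter metacharacters
       before substitution is not visible here - confirm in the module source.
       Per the covering note, group membership is actually read from each user
       entry's memberOf attribute (userRoleName); the role search settings are
       kept only because the module rejects an empty value there. -->
  <attribute name="options">
   initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
   connectionURL=ldap://ldap.letnet.net:389
   connectionUsername=
   connectionPassword=
   connectionProtocol=
   authentication=simple
   userBase=ou=accounts,dc=letnet,dc=net
   userSearchMatching=(cn={0})
   userSearchSubtree=true
   roleBase=ou=groups,dc=letnet,dc=net
   roleName=cn
   roleSearchMatching=(member={0})
   roleSearchSubtree=true
   userRoleName=memberOf
  </attribute>
  <attribute name="loginDomainName">letnet-realm</attribute>
 </gbean>

 <!-- The realm itself. realmName must match security-realm-name in the
      web application's geronimo-web.xml. -->
 <gbean name="letnet-realm"
        class="org.apache.geronimo.security.realm.GenericSecurityRealm">
  <attribute name="realmName">letnet-realm</attribute>
  <reference name="LoginModuleConfiguration">
   <name>letnet-login</name>
  </reference>
  <reference name="ServerInfo">
   <name>ServerInfo</name>
  </reference>
  <reference name="LoginService">
   <name>JaasLoginService</name>
  </reference>
 </gbean>

 <!-- NOTE(review): this gbean and the LoginModuleGBean above share the name
      letnet-login, and the references in this plan resolve by name; the wiring
      presumably relies on the two being distinguished by type. Distinct names
      would make the references unambiguous. -->
 <gbean name="letnet-login"
        class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
  <attribute name="controlFlag">REQUIRED</attribute>
  <reference name="LoginModule">
   <name>letnet-login</name>
  </reference>
 </gbean>
</module>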


________________________________

From: Wolff, Dave [mailto:DavidWolff@letu.edu] 
Sent: Wednesday, August 23, 2006 11:15 AM
To: user@geronimo.apache.org
Subject: RE: Problems configuring a web-app to use an LDAP realm


I suppose I should clarify...
 
It appears that the LDAP realm I have deployed is working as the packet
sniffer shows all the necessary information from the LDAP server
(binding to LDAP, searching for group memberships, and returning group
memberships); however, the web application always redirects to the
invalid username and password page.  Here is the stacktrace from the
login attempt:
 
10:00:22,701 WARN  [TomcatGeronimoRealm] Login exception authenticating
username "davidwolff"
javax.security.auth.login.LoginException: Error filling callback list
 at
org.apache.geronimo.security.jaas.client.ServerLoginProxy.login(ServerLo
ginProxy.java:78)
 at
org.apache.geronimo.security.jaas.client.JaasLoginCoordinator.performLog
in(JaasLoginCoordinator.java:199)
 at
org.apache.geronimo.security.jaas.client.JaasLoginCoordinator.login(Jaas
LoginCoordinator.java:120)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:39)
 at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
 at
javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
 at java.security.AccessController.doPrivileged(Native Method)
 at
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
 at
org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(Tomcat
GeronimoRealm.java:325)
 at
org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(Tomcat
GeronimoRealm.java:275)
 at
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAut
henticator.java:257)
 at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
Base.java:416)
 at
org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.inv
oke(GeronimoStandardContext.java:342)
 at
org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(Geronim
oBeforeAfterValve.java:31)
 at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:126)
 at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:105)
 at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:107)
 at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541
)
 at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:1
48)
 at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:86
9)
 at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.proc
essConnection(Http11BaseProtocol.java:667)
 at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint
.java:527)
 at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollow
erWorkerThread.java:80)
 at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool
.java:684)
 at java.lang.Thread.run(Thread.java:595)
Caused by: javax.security.auth.login.LoginException: LDAP Error
 at
org.apache.geronimo.security.realm.providers.LDAPLoginModule.login(LDAPL
oginModule.java:162)
 at
org.apache.geronimo.security.jaas.server.JaasLoginService.performLogin(J
aasLoginService.java:236)
 at
org.apache.geronimo.security.jaas.client.ServerLoginProxy.login(ServerLo
ginProxy.java:74)
 ... 29 more
Caused by: javax.security.auth.login.FailedLoginException
 at
org.apache.geronimo.security.realm.providers.LDAPLoginModule.login(LDAPL
oginModule.java:157)
 ... 31 more

________________________________

From: Wolff, Dave [mailto:DavidWolff@letu.edu] 
Sent: Wednesday, August 23, 2006 9:42 AM
To: user@geronimo.apache.org
Subject: Problems configuring a web-app to use an LDAP realm


Hello,
    I've deployed an LDAP realm and now I am having problems deploying a
test web application that uses the global LDAP realm to login.  I've
taken the TimeReportApp example as my test and tried to use my own LDAP
realm for authentication.  The error I'm receiving is a
javax.security.auth.login.LoginException "Error filling callback list".
I have used a packet sniffer to verify that I'm getting a list of groups
that a user is a member of from LDAP, so it appears that my LDAP
security realm is working appropriately.  
 
Thanks in advance!
Dave Wolff
 
Here is my web.xml:
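<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
  http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
  version="2.4">

 <welcome-file-list>
  <welcome-file>index.jsp</welcome-file>
 </welcome-file-list>

 <!-- Neither constraint below carries a <user-data-constraint>, so nothing
      here requires CONFIDENTIAL transport. With FORM authentication the
      username and password are POSTed to the container in the clear unless
      the connector is HTTPS-only; if it is not, add
      <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
      to each constraint. -->
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>employee</web-resource-name>
   <url-pattern>/employee/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>employee</role-name>
  </auth-constraint>
 </security-constraint>

 <security-constraint>
  <web-resource-collection>
   <web-resource-name>manager</web-resource-name>
   <url-pattern>/manager/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>manager</role-name>
  </auth-constraint>
 </security-constraint>

 <!-- The login and error pages live under /login/, outside both constrained
      paths, which FORM authentication requires. The realm actually used for
      the login is presumably selected by security-realm-name in
      geronimo-web.xml; keep the two names in step. -->
 <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>letnet-realm</realm-name>
  <form-login-config>
   <form-login-page>/login/login.jsp</form-login-page>
   <form-error-page>/login/login_error.jsp</form-error-page>
  </form-login-config>
 </login-config>

 <!-- Roles referenced by the constraints; mapped to LDAP groups in
      geronimo-web.xml. -->
 <security-role>
  <role-name>employee</role-name>
 </security-role>
 <security-role>
  <role-name>manager</role-name>
 </security-role>

 <!-- The servlet-class values below were split across two lines by mail
      wrapping in the posted copy; each must be one unbroken class name. -->
 <servlet>
  <display-name>AddTimeRecordServlet</display-name>
  <servlet-name>AddTimeRecordServlet</servlet-name>
  <servlet-class>org.apache.geronimo.samples.timereport.web.AddTimeRecordServlet</servlet-class>
 </servlet>
 <servlet>
  <display-name>AddEmployeeServlet</display-name>
  <servlet-name>AddEmployeeServlet</servlet-name>
  <servlet-class>org.apache.geronimo.samples.timereport.web.AddEmployeeServlet</servlet-class>
 </servlet>

 <!-- Both mappings fall inside the constrained paths above. -->
 <servlet-mapping>
  <servlet-name>AddTimeRecordServlet</servlet-name>
  <url-pattern>/employee/add_timerecord</url-pattern>
 </servlet-mapping>
 <servlet-mapping>
  <servlet-name>AddEmployeeServlet</servlet-name>
  <url-pattern>/manager/add_employee</url-pattern>
 </servlet-mapping>

</web-app>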
 
And here is the geronimo-web.xml:
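<?xml version="1.0" encoding="UTF-8"?>
<web-app
 xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.1">

 <environment>
  <moduleId>
   <artifactId>TimeReportApp</artifactId>
  </moduleId>
 </environment>

 <context-root>/timereport</context-root>

 <!-- Must match realmName of the GenericSecurityRealm gbean in the realm
      plan (letnet-realm). -->
 <security-realm-name>letnet-realm</security-realm-name>

 <security>
  <!-- Principal used for requests that have not logged in; presumably
       carries no role mapping below and so cannot reach the constrained
       paths - confirm. The principal elements in the posted copy were split
       by mail wrapping; each class value must be one unbroken name. -->
  <default-principal realm-name="letnet-realm">
   <principal name="anonymous"
              class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
  </default-principal>
  <!-- Both roles map to the same LDAP group, SG-FacultyStaff, so every user
       the realm places in that group holds employee AND manager; the
       /manager/* constraint in web.xml admits everyone who can reach
       /employee/*. Presumably a test placeholder - map manager to a narrower
       group before this goes beyond testing. -->
  <role-mappings>
   <role role-name="employee">
    <realm realm-name="letnet-realm">
     <principal name="SG-FacultyStaff"
                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
    </realm>
   </role>
   <role role-name="manager">
    <realm realm-name="letnet-realm">
     <principal name="SG-FacultyStaff"
                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
    </realm>
   </role>
  </role-mappings>
 </security>
</web-app>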
