incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: LDAP Login problems (Login.jsp?redirect issue)
Date Fri, 27 Mar 2009 18:32:12 GMT
The issue isn't the LDAP server -- it's the web container. The
contents of the role-name element in web.xml must match some role that
the container returns. The container is blocking access to Login.jsp
because your authentication Realm doesn't grant the logged-in user the
role called "Authenticated". If you don't know what roles your
container LDAP realm returns, then you *might* try using the wildcard
role (*) in the role-name element.

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Authenticated area</web-resource-name>
...(snip)...
           <url-pattern>/Login.jsp</url-pattern>
...(snip)...
       <auth-constraint>
           <role-name>*</role-name>
       </auth-constraint>

If this technique works for you, I think we will probably make this
change to the trunk, too. It would make container integration easier
for everybody.

Let me know if this helps.


On Fri, Mar 27, 2009 at 10:39 AM, Wyllys Ingersoll
<wyllys.ingersoll@sun.com> wrote:
> Andrew Jaquith wrote:
>>
>> Wyllys -- doesn't your LDAP server return at least one generic role for
>> users who are authenticated? It would have to in order for
>
> I'm really not sure what it returns.  I can do an ldapsearch and
> view the normal public information for anyone in the DB, but I'm not
> sure how the data would differ after authenticating.  Is there a way
> to find out by adding some debug statements somewhere in the JSPWiki code?
>  I have no access or control over the administration of the LDAP DB itself.
>
>> container-managed auth to work. Whatever that role name is, make sure that
>> name is part of a role-ref element in web.xml that protects the login page.
>> It probably won't be "Authenticated".
>>
>> It does sound like JSPWiki knows your users are logged in. There's just a
>> mismatch between the role name we use to protect the login page and the one
>> your container is returning.
>
> If I ignore the "Forbidden" page and continue to the
> main page, it does show my login name and "(authenticated)", so I think that
> JSPWiki believes me to be authenticated correctly, but there is
> definitely something wrong with the roles or the ACLs that is causing
> it to block my access to pages that require the "Authenticated" role.
>
> -Wyllys
>
>
>
>

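Added example, not part of the original message or of JSPWiki's code: a small Python check of which roles a web.xml constraint demands for a path, and whether the roles the container reports for a user satisfy it. The descriptor, the "staff" role and the names check_access and auth_only are constructed for illustration; "*" is expanded to the roles declared in security-role elements, as the Servlet 2.x specification words it, and auth_only models a container configured to accept any authenticated user instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not the project's real web.xml).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>{role}</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Authenticated</role-name></security-role>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, '/prefix/*', '*.ext' and '/' default."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path


def check_access(web_xml, path, user_roles, auth_only=False):
    """Return (allowed, required_roles) for an already authenticated user.

    Simplification: unions every matching constraint instead of picking the
    best-matching pattern. auth_only is a hypothetical switch for a container
    that treats '*' as "any authenticated user".
    """
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    required, wildcard, constrained = set(), False, False
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        if sc.find("auth-constraint") is None or not any(pattern_matches(p, path) for p in patterns):
            continue
        constrained = True
        for rn in sc.findall("auth-constraint/role-name"):
            name = rn.text.strip()
            wildcard |= name == "*"
            required |= declared if name == "*" else {name}
    if not constrained:
        return True, set()  # no auth-constraint covers this path
    if wildcard and auth_only:
        return True, required
    return bool(required & set(user_roles)), required
```

Comparing the returned required_roles with the roles the realm actually reports for a user shows whether a 403 on the login page comes from a role-name mismatch.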