incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: LDAP Login problems (Login.jsp?redirect issue)
Date Fri, 27 Mar 2009 23:14:45 GMT
Wyllys --

After digging into the servlet 2.4 specification, it's clear that the
"*" role-name isn't going to work, either. The spec makes it clear
that the wildcard role means "any of the roles defined in web.xml",
NOT "any authenticated user." See this thread here:

http://marc.info/?l=tomcat-user&m=113898930221044&w=2

So, we are back to finding out what roles your container LDAP realm
returns. The documentation for your servlet container SHOULD specify
that at least one generic role is returned. You will need to check the
Sun Webserver 7 documentation to see what roles it returns. I did a
little light Googling and didn't find anything, but this has got to be
something that has already been solved. Your server admin surely knows
what roles the LDAP realm returns.

Andrew

On Fri, Mar 27, 2009 at 2:32 PM, Andrew Jaquith
<andrew.r.jaquith@gmail.com> wrote:
> The issue isn't the LDAP server -- it's the web container. The
> contents of the role-name element in web.xml must match some role that
> the container returns. The container is blocking access to Login.jsp
> because your authentication Realm doesn't grant the logged-in user the
> role called "Authenticated". If you don't know what roles your
> container LDAP realm returns, then you *might* try using the wildcard
> role (*) in the role-name element.
>
>   <security-constraint>
>       <web-resource-collection>
>           <web-resource-name>Authenticated area</web-resource-name>
> ...(snip)...
>           <url-pattern>/Login.jsp</url-pattern>
> ...(snip)...
>       <auth-constraint>
>           <role-name>*</role-name>
>       </auth-constraint>
>
> If this technique works for you, I think we will probably make this
> change to the trunk, too. It would make container integration easier
> for everybody.
>
> Let me know if this helps.
>
>
> On Fri, Mar 27, 2009 at 10:39 AM, Wyllys Ingersoll
> <wyllys.ingersoll@sun.com> wrote:
>> Andrew Jaquith wrote:
>>>
>>> Wyllys -- doesn't your LDAP server return at least one generic role for
>>> users who are authenticated? It would have to in order for
>>
>> I'm really not sure what it returns.  I can do an ldapsearch and
>> view the normal public information for anyone in the DB, but I'm not
>> sure how the data would differ after authenticating.  Is there a way
>> to find out by adding some debug statements somewhere in the JSPWiki code?
>>  I have no access or control over the administration of the LDAP DB itself.
>>
>>> container-managed auth to work. Whatever that role name is, make sure that
>>> name is part of a role-ref element in web.xml that protects the login page.
>>> It probably won't be "Authenticated".
>>>
>>> It does sound like JSPWiki knows your users are logged in. There's just a
>>> mismatch between the role name we use to protect the login page and the one
>>> your container is returning.
>>
>> If I ignore the "Forbidden" page and continue to the
>> main page, it does show my login name and "(authenticated)", so I think that
>> JSPWiki believes me to be authenticated correctly, but there is
>> definitely something wrong with the roles or the ACLs that is causing
>> it to block my access to pages that require the "Authenticated" role.
>>
>> -Wyllys
>>
>

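Wyllys asks whether debug statements could reveal what the container's realm actually returns. The Servlet 2.4 API has no call that enumerates a user's roles, so the practical approach is to probe candidate role names with `isUserInRole()`. The servlet below is an added diagnostic example, not code from this thread or from JSPWiki; the class name `RoleProbeServlet` and the candidate role names are assumptions to adjust for your realm.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical diagnostic servlet (not part of JSPWiki). It reports what the
 * container asserted for the current request: the authenticated principal and
 * which of a list of candidate role names the realm grants. Deploy it
 * temporarily under the same login-config as Login.jsp and remove it when done.
 */
public class RoleProbeServlet extends HttpServlet {

    // Constructed list of candidate role names to probe; there is no portable
    // way to list roles, so add whatever names your realm might return.
    private static final String[] CANDIDATES = {
        "Authenticated", "Anonymous", "users", "everyone", "ldap-user"
    };

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // If the principal is null, the container never authenticated the
        // request, and the role question is moot.
        Principal p = req.getUserPrincipal();
        out.println("auth type : " + req.getAuthType());
        out.println("principal : " + (p == null ? "(none)" : p.getName()));
        out.println("remoteUser: " + req.getRemoteUser());

        for (int i = 0; i < CANDIDATES.length; i++) {
            // Names declared in <security-role> (or mapped through a
            // <security-role-ref> for this servlet) are checked portably;
            // undeclared names may be reported as false by some containers.
            out.println("isUserInRole(\"" + CANDIDATES[i] + "\") = "
                    + req.isUserInRole(CANDIDATES[i]));
        }
    }
}
```

Protect the probe's URL with an auth-constraint that lists the candidate names (or `*` with each candidate declared as a `<security-role>`), so that a 403 on the probe itself already tells you none of the candidates matched.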