Return-Path: Delivered-To: apmail-incubator-jspwiki-user-archive@minotaur.apache.org Received: (qmail 61569 invoked from network); 27 Mar 2009 23:15:15 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 27 Mar 2009 23:15:15 -0000 Received: (qmail 39816 invoked by uid 500); 27 Mar 2009 23:15:15 -0000 Delivered-To: apmail-incubator-jspwiki-user-archive@incubator.apache.org Received: (qmail 39795 invoked by uid 500); 27 Mar 2009 23:15:15 -0000 Mailing-List: contact jspwiki-user-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: jspwiki-user@incubator.apache.org Delivered-To: mailing list jspwiki-user@incubator.apache.org Received: (qmail 39785 invoked by uid 99); 27 Mar 2009 23:15:15 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 27 Mar 2009 23:15:15 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of andrew.r.jaquith@gmail.com designates 74.125.92.145 as permitted sender) Received: from [74.125.92.145] (HELO qw-out-1920.google.com) (74.125.92.145) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 27 Mar 2009 23:15:06 +0000 Received: by qw-out-1920.google.com with SMTP id 5so968455qwc.54 for ; Fri, 27 Mar 2009 16:14:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=n0HLdY3eKz1CuyxdKb1iF8C9tQO5wTyE1hkwbIie0Gg=; b=B4ELK0QLBM+LGhvf7VtJUFayUDiQRxwlRcGa/gv0oTFkxr+05nbPfWpzSJ+4/1kW3j GgZxMqQgN1f6Lhnn2ffih4uFm+r4/Abf1ZWC/OqyFkr6WZBD/UMhzYuOQ6rIugJByR4c 2MkL3su0wxmqgCgJPhZzphs++CyhciOkA34LI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=SREko/I+CuYm11vUgIS1Zsqu7eEx20bsn5K1MvAaKw+poDMSWPlILHlyRcP/KCRjZ7 vLjERjRtYl2d63Ppquo5ewSQeivnvdpn/sS9Gtnqi3IafoVZ+gIzxLdKucBy48Yl5phh IWikob+wxRyTTLFCSwesEm9eaexoarZfk1Buo= MIME-Version: 1.0 Received: by 10.229.85.14 with SMTP id m14mr1226227qcl.64.1238195685575; Fri, 27 Mar 2009 16:14:45 -0700 (PDT) In-Reply-To: References: <49C4F6E5.3050400@sun.com> <49C92837.9090907@sun.com> <823F18E5-0B73-4237-98E3-FA42081ECA74@gmail.com> <49CBAD7F.70702@sun.com> <49CCD3BA.3000605@sun.com> <49CCE52F.7050007@sun.com> Date: Fri, 27 Mar 2009 19:14:45 -0400 Message-ID: Subject: Re: LDAP Login problems (Login.jsp?redirect issue) From: Andrew Jaquith To: jspwiki-user@incubator.apache.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org Wyllys -- After digging into the servlet 2.4 specification, it's clear that the "*" role-name isn't going to work, either. The spec makes it clear that the wildcard role means "any of the roles defined in web.xml", NOT "any authenticated user." See this thread here: http://marc.info/?l=3Dtomcat-user&m=3D113898930221044&w=3D2 So, we are back to finding out what roles your container LDAP realm returns. The documentation for your servlet container SHOULD specify that at least one generic role is returned. You will need to check the Sun Webserver 7 documentation to see what roles it returns. I did a little light Googling and didn't find anything, but this has got to be something that has already been solved. Your server admin surely knows what roles the LDAP realm returns. Andrew On Fri, Mar 27, 2009 at 2:32 PM, Andrew Jaquith wrote: > The issue isn't the LDAP server -- it's the web container. The > contents of the role-name element in web.xml must match some role that > the container returns. The container is blocking access to Login.jsp > because your authentication Realm doesn't grant the logged-in user the > role called "Authenticated". If you don't know what roles your > container LDAP realm returns, then you *might* try using the wildcard > role (*) in the role-name element. > > =A0 > =A0 =A0 =A0 > =A0 =A0 =A0 =A0 =A0 Authenticated area > ...(snip)... > =A0 =A0 =A0 =A0 =A0 /Login.jsp > ...(snip)... > =A0 =A0 =A0 > =A0 =A0 =A0 =A0 =A0 * > =A0 =A0 =A0 > > If this technique works for you, I think we will probably make this > change to the trunk, too. It would make container integration easier > for everybody. > > Let me know if this helps. > > > On Fri, Mar 27, 2009 at 10:39 AM, Wyllys Ingersoll > wrote: >> Andrew Jaquith wrote: >>> >>> Wyllys -- doesn't your LDAP server return at least one generic role for >>> users who are authenticated? It would have to in order for >> >> I'm really not sure what it returns. =A0I can do an ldapsearch and >> view the normal public information for anyone in the DB, but I'm not >> sure how the data would differ after authenticating. =A0Is there a way >> to find out by adding some debug statements somewhere in the JSPWiki cod= e? >> =A0I have no access or control over the administration of the LDAP DB it= self. >> >>> container-managed auth to work. Whatever that role name is, make sure t= hat >>> name is part of a role-ref element in web.xml that protects the login p= age. >>> It probably won't be "Authenticated". >>> >>> It does sound like JSPWiki knows your users are logged in. There's just= a >>> mismatch between the role name we use to protect the login page and the= one >>> your container is returning. >> >> If I ignore the "Forbidden" page and continue to the >> main page, it does show my login name and "(authenticated)", so I think = that >> JSPWiki believes me to be authenticated correctly, but there is >> definitely something wrong with the roles or the ACLs that is causing >> it to block my access to pages that require the "Authenticated" role. >> >> -Wyllys >> >> >> >> >