jspwiki-user mailing list archives

From Wyllys Ingersoll <wyllys.ingers...@sun.com>
Subject Re: LDAP Login problems (Login.jsp?redirect issue)
Date Mon, 30 Mar 2009 06:11:42 GMT

I managed to find a solution to my problem. The issue is that the users are failing the authorization checks after they successfully authenticate. The software is not automatically giving them the "Authenticated" role. I verified this by turning up the logging to "finest" and watching the "acl" and security messages in the log file(s).

I had to create a WEB-INF/sun-web.xml file (consumed by the Sun Java Webserver and Glassfish App server software) that has a "security-role-mapping" entry. This file is described here:
http://docs.sun.com/app/docs/doc/819-3673/beaql?a=view

Mine basically looks like this:

...
<sun-web-app>
<security-role-mapping>
    <role-name>Authenticated</role-name>
    <principal-name>wyllys</principal-name>
    (... more principals ...)
</security-role-mapping>
</sun-web-app>


I added a <principal-name> entry for each user that I want to allow authenticated access to the site. This seems to work, but is obviously kind of a hack in my opinion. Ideally, I would prefer that the software automatically assign the "authenticated" role to everyone who successfully authenticates. I could not figure out how to make the container fetch the group information from the LDAP entries. There is a unique group attribute that would work (it's not part of the CN, but a separate LDAP attribute), but I could not figure out how to get the container to use it.

-Wyllys


Wyllys Ingersoll wrote:
> Andrew Jaquith wrote:
>> Wyllys --
>>
>> After digging into the servlet 2.4 specification, it's clear that the
>> "*" role-name isn't going to work, either. The spec makes it clear
>> that the wildcard role means "any of the roles defined in web.xml",
>> NOT "any authenticated user." See this thread here:
>>
>> http://marc.info/?l=tomcat-user&m=113898930221044&w=2
>
>
> OK, good that I read this first, I was about to try the wildcard entry.
>
>>
>> So, we are back to finding out what roles your container LDAP realm
>> returns. The documentation for your servlet container SHOULD specify
>> that at least one generic role is returned. You will need to check the
>> Sun Webserver 7 documentation to see what roles it returns. I did a
>> little light Googling and didn't find anything, but this has got to be
>> something that has already been solved. Your server admin surely knows
>> what roles the LDAP realm returns.
>
> I know the right people to talk to, I will inquire and get back to you.
>
> Thanks so much for all the help.
>
> -Wyllys
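
The role mapping Wyllys describes, shown as an added example (not from the original mail or the JSPWiki project) in the form that avoids a hand-maintained user list: sun-web.xml's security-role-mapping also accepts a group-name, so the Authenticated role can be tied to a directory group instead of to individual principals. The group name wiki-users is a hypothetical placeholder; the container's LDAP realm must be configured to return group membership for this mapping to take effect.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<sun-web-app>
  <!--
    Per-user form from the mail: every principal that should hold the
    role is listed explicitly. Adding or removing a user means editing
    this file and redeploying, and anyone not listed fails authorization
    even after a successful LDAP login.

    <security-role-mapping>
      <role-name>Authenticated</role-name>
      <principal-name>wyllys</principal-name>
    </security-role-mapping>
  -->

  <!-- Group form: the role is granted to every member of the directory
       group the realm reports. "wiki-users" is a hypothetical group name;
       it must match a group the container's LDAP realm actually returns. -->
  <security-role-mapping>
    <role-name>Authenticated</role-name>
    <group-name>wiki-users</group-name>
  </security-role-mapping>
</sun-web-app>
```

If the realm is not set up to look up group membership (on GlassFish the LDAPRealm's group-base-dn and group-search-filter properties control that lookup), the group-name mapping silently grants the role to nobody, which is the same failure mode visible in the "acl" log messages the mail mentions.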

