tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bragg, Casey" <Casey.Br...@allegiancetelecom.com>
Subject RE: LDAPRealm & JNDIReam for Tomcat 3.2 and 4.0 beta 1 is availab le
Date Mon, 30 Jul 2001 19:09:00 GMT
Hey Alex : 
 
I've got a question about your JNDIRealm stuff...
 
I'm using your SimpleRoleMapper to get started, but I can't get it to work.
I can't find in your code where a distinguished name (dn) is linked to
roles.  In your translateroles function, I can see how users are assigned
roles assigned to everybody (*), but I can't find anything like
(String[])userRoles.get(distinghushedname) as I might expect.  All my users
are reporting only a role of [guest] even though I've carefully matched the
dn in the rolemapper file to the dn stored by jndirealm.
 
The translateroles code seems to be looking for rolenames as keys in the
userroles Map : 
        String items[] = (String[])userRoles.get(ur);
 
Shouldn't this be something like : 
        (String[])userRoles.get(distinghushedname) 
 
Please let me know if I'm looking at this wrong or not.
 
Thanks...
 
..Casey
 
============================================== 
Casey Bragg - Software Engineer 
Allegiance Telecom, Inc.  Dallas, TX 
469-259-2702 - casey.bragg@allegiancetelecom.com 
============================================== 

-----Original Message-----
From: Roytman, Alex [mailto:roytmana@peacetech.com]
Sent: Monday, June 04, 2001 5:03 PM
To: 'tomcat-user@jakarta.apache.org'
Subject: LDAPRealm & JNDIReam for Tomcat 3.2 and 4.0 beta 1 is available



http://www.peacetech.com/java/files/apache/tomcat/default.htm
<http://www.peacetech.com/java/files/apache/tomcat/default.htm>  


JndiRealm authenticates and authorizes users against JNDI. It was tested
against LDAP JNDI 
  with Sun's and Netscape's jndi providers 
  LdapRealm authenticates and authorizes users directly against LDAP using
Netscape LDAP JDK. 
  These two realms are interchangeable you can switch between them without
many configuration changes. 
  According to my tests it performs 10 faster under 20 concurrent threads
than JNDI with 
  Sun's LDAP provider. This is not final result because I need to test and
tune-up multithreaded 
  access and synchronization there might be some misunderstanding on my
part. 
  I also noticed some cases of JNDI loosing connection to the server under
heavy multithreaded 
  load while Netscape's LDAP handled it nicely. Because I use LdapRealm for
Tomcat 3.2 for my 
  production system it is tested better than JndiRealm. 
  There are four classes in the package : 
    JndiRealm and LdapRealm are for Tomcat 3.2x 
    JndiRealmCatalina and LdapRealmCatalina for Tomcat 4.0 

  className="com.peacetech.webtools.tomcat.JndiRealm"           JNDI TOMCAT
3.2x 
  className="com.peacetech.webtools.tomcat.JndiRealmCatalina"   JNDI TOMCAT
4.0 
  className="com.peacetech.webtools.tomcat.LdapRealmCatalina"   LDAP TOMCAT
4.0 
  className="com.peacetech.webtools.tomcat.LdapRealm"           LDAP TOMCAT
3.2x 

  Jndi/LdapRealm uses searchBindDN and searchBindCredentials to connect to a
directory. 
  Then it looks for exactly one user name matching searchFilter in
searchBaseContext 
  scoped by searchScopeAsString (values are "base", "one", "sub" according
to LDAP URL rules) 
  If one and only one matching directory object is found it will use this
object and 
  tomcat supplied credentials to authenticate the user. 
  If successful Realm will fetch user roles using JNDI attributes listed in
securityAttributes 
  (comma separated directory attribute names). If attributesReadByOwner =
"true" Realm will use 
  authenticated user itself to pool the attributes from directory otherwise
it will use searchBindDN 
  to retrieve the attributes. 
  If roleMapperClass is specified Realm will use it to map user roles onto
application roles 
  specific for each web context for tomcat 3.2x and specific for each
defined Realm for tomcat 4.2. 
  Provided SimpleRoleMapper implementation will read role map from either
roleMapperSourceUrl 
  (if specified) or for tomcat 3.2x from WEB-INF/role-map.xml file in each
web context 
  if no roleMapperSourceUrl was defined (if WEB-INF/role-map.xml file does
not exist in a context 
  no mapping for this context will occur). 
  You can use principalAttributes parameter to specify LDAP attributes to be
stored in principal 
  so you can access them from your servlets 


  PARAMETERS: 

  jndiInitialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory" 
                              (or
"com.netscape.jndi.ldap.LdapContextFactory") 
  This attribute for JndiRealm ONLY. 
  It corresponds to javax.naming.Context.INITIAL_CONTEXT_FACTORY 

  directoryUrl = "ldap://207.176.93.66:389" 
  This attribute for both JndiRealm and LdapRealm. 
  If you want to use SSL for LdapRealm you can use "ldaps" protocol:
directoryUrl = "ldaps://207.176.93.66:636" 
  You will need to configure Sun's JSSE to use SSL 
  It corresponds to javax.naming.Context.PROVIDER_URL 

  jndiSecurityAuthentication = "simple" 
  This attribute for JndiRealm ONLY. 
  It corresponds to javax.naming.Context.SECURITY_AUTHENTICATION 

  jndiSecurityProtocol = "" ("" vendor default or "ssl", or vendor specific)

  This attribute for JndiRealm ONLY. 
  It corresponds to javax.naming.Context.SECURITY_PROTOCOL 

  searchBindDN = "cn=ldap-user,o=pti" 
  This attribute for both JndiRealm and LdapRealm. User name to bind to
directory 
  a to perform user name lookups. It corresponds to
javax.naming.Context.SECURITY_PRINCIPAL 

  searchBindCredentials = "mypassword" 
  This attribute for both JndiRealm and LdapRealm. Password for searchBindDN

  It corresponds to javax.naming.Context.SECURITY_CREDENTIALS 

  searchBaseContext = "o=pti" 
  Base context for user lookups 

  ldapVersion = "3" 
  This attribute for LdapRealm ONLY. Defines LDAP version. 

  searchScopeAsString = "base" | "one" | "sub" 
  defines search scope "base" - object scope, "one" - one level scope, "sub"
- subtree scope. 

  attributesReadByOwner = "true" 
  defines who will read securityAttribures from the directory. If "true"
authenticating user account 
  will be used to retrieve the roles otherwise the searchBindDN account used
for user name lookups will 
  fetch the attributes. It is useful when either one or the other do not
have permission to read the 
  attributes so you can chose the one which has this permissions 

  searchFilter = "cn={0}" 
  Filter to lookup authorizing user. Support java.text.MessageFormat. 
  The only parameter is to java.text.MessageFormat pattern authorizing
username. 
  i.e. jndiSearchFilter = "cn={0}" for user alex will result in lookup for
"cn=alex" 

  securityAttributes = "securityEquals" 
  One or more directory attributes separated with semicolon which contains
security roles 
  attributes can be multivalued. If blank no attempt to retrieve roles from
directory will be done 

  roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper"/> 
  ATTNTION: It requires SAX2/JAX1.1 (Apache Xerces or Sun JAXP1.1
distribution) 
  Implemntation of RoleMapper interface to be used to transform user
directory roles 
  to application roles. In tomcat 3.2x MapperClass is server wide but actual
mapping data 
  is context specific (unless you specified roleMapperSourceUrl) 
  in tomcat 4.0 both RoleMapper and mapping data are Realm specific and you
have to specify 
  roleMapperSourceUrl. If it is blank no role mapping will occur 

  roleMapperSourceUrl=" file:///d:/tomcat4/conf/my-role-map.xml
<file:///d:/tomcat4/conf/my-role-map.xml> " 
  URL to RoleMapper source. In tomcat 3.2x if it is not specified we try to
find file 
  WEB-INF/role-map.xml in every initializing tomcat context. 

  connectionMaxPoolSize = 10 
  JNDI does not allow multi-threaded access to a single context instance. We
pool contexts which 
  do user filter lookup instead creating and re-authenticating every time.
Access to pool 
  is synchronized. In LdapPrincipal factory we pool user connection so we
reauthenticate without reconnecting 

  principalAttributes = "workforceID,fullName,title" 
  Coma separated list of LDAP attributes to be read from LDAP and stored in
principal 
  It can be accessed via DirectoryPrincipal.getAttribute(String attrName).
This method returns 
  String array or null if no attribute with specified name was found. 
  This is only implemented for LdapRealm it has not been ported to JndiRealm
yet 

  SAMPLES: 

  TOMCAT 4: 
  <Realm className="com.peacetech.webtools.tomcat.LdapRealmCatalina" 
    debug="1" 
    directoryUrl = "ldap://207.176.93.66:389" 
    searchBindDN = "cn=ldap-user,o=pti" 
    searchBindCredentials = "mypassword" 
    searchBaseContext = "o=pti" 
    searchFilter = "cn={0}" 
    searchScopeAsString = "sub" 
    securityAttributes = "securityEquals" 
    attributesReadByOwner = "true" 
    connectionMaxPoolSize = "10" 
    ldapVersion = "3" 
    roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper" 
    roleMapperSourceUrl="
file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml
<file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml> " /> 

  <Realm className="com.peacetech.webtools.tomcat.JndiRealmCatalina" 
    debug="1" 
    jndiInitialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory" 
    jndiSecurityAuthentication = "simple" 
    directoryUrl = "ldap://207.176.93.66:389" 
    jndiSecurityProtocol = "" 
    searchBindDN = "cn=ldap-user,o=pti" 
    searchBindCredentials = "mypassword" 
    searchBaseContext = "o=pti" 
    searchFilter = "cn={0}" 
    searchScopeAsString = "sub" 
    securityAttributes = "securityEquals" 
    attributesReadByOwner = "true" 
    connectionMaxPoolSize = "10" 
    roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper" 
    roleMapperSourceUrl="
file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml
<file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml> " /> 



  TOMCAT 3: 
  <RequestInterceptor className="com.peacetech.webtools.tomcat.LdapRealm" 
    debug="1" 
    directoryUrl = "ldap://207.176.93.66:389" 
    searchBindDN = "cn=ldap-user,o=pti" 
    searchBindCredentials = "mypassword" 
    searchBaseContext = "o=pti" 
    searchFilter = "cn={0}" 
    searchScopeAsString = "sub" 
    securityAttributes = "securityEquals" 
    attributesReadByOwner = "true" 
    connectionMaxPoolSize = "10" 
    ldapVersion = "3" 
    roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper" 
    roleMapperSourceUrl="
file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml
<file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml> " /> 

  <RequestInterceptor className="com.peacetech.webtools.tomcat.JndiRealm" 
    debug="1" 
    jndiInitialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory" 
    jndiSecurityAuthentication = "simple" 
    directoryUrl = "ldap://207.176.93.66:389" 
    jndiSecurityProtocol = "" 
    searchBindDN = "cn=ldap-user,o=pti" 
    searchBindCredentials = "mypassword" 
    searchBaseContext = "o=pti" 
    searchFilter = "cn={0}" 
    searchScopeAsString = "sub" 
    securityAttributes = "securityEquals" 
    attributesReadByOwner = "true" 
    connectionMaxPoolSize = "10" 
    roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper" 
    roleMapperSourceUrl="
file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml
<file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml> " /> 
--> 

<!-- *********** End of PeaceTech JNDI Authentication Support
****************** --> 



Mime
View raw message