I'm trying to configure a J2EE application running on my local JBoss EAP 6.1 server to use a Microsoft AD LDAP for authentication. What I have isn't working, and I can't figure out what the problem is.
If I define a user within the application-users.properties file, I can authenticate.
Here is my web application's web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp" version="3.0"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<servlet>
<servlet-name>TestServlet</servlet-name>
<servlet-class>com.company.test.project.servlet.TestServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TestServlet</servlet-name>
<url-pattern>/test.do</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Resources</web-resource-name>
<description>All CrossSells resources not viewable by the public</description>
<url-pattern>/test.do</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DV_User_1</role-name>
<role-name>DV_User_2</role-name>
<role-name>DV_Super_User</role-name>
<role-name>DV_Admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>LdapRealm</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/error.jsp?message=Invalid+Username+or+Password</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>DV_User_1</role-name>
</security-role>
<security-role>
<role-name>DV_User_2</role-name>
</security-role>
<security-role>
<role-name>DV_Super_User</role-name>
</security-role>
<security-role>
<role-name>DV_Admin</role-name>
</security-role>
</web-app>
and here are the security settings in my JBoss EAP server's standalone.xml:
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="LdapRealm">
<authentication>
<ldap connection="MicrosoftAD" base-dn="DC=co,DC=company,DC=local">
<advanced-filter filter="(sAMAccountName={0})"/>
</ldap>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="MicrosoftAD" url="ldap://server:389" search-dn="CN=server\, server,OU=Service Accounts,OU=POD,DC=co,DC=company,DC=local" search-credential="password"/>
</outbound-connections>
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket-binding native="management-native"/>
</native-interface>
<http-interface security-realm="ManagementRealm">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
</management>
In management-interfaces, change security-realm="ManagementRealm" to security-realm="LdapRealm".
#braybaut
UPDATE 2:
What seems to be the root of the problem is that I can only successfully secure the root of the application (e.g. the "/"). When I try to secure any other URL, it gives me a 403. Unsecured URLs work without problem.
ORIGINAL QUESTION:
I made this basic application where I want to be able to have one secured page and one unsecured page. I currently get a 403 whenever I try to access my secured page (after giving the correct login data). Below I've posted the web.xml I have been trying to work with. I can access the unsecured page with no problem.
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_10" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Login test</display-name>
<!-- Servlet config -->
<servlet>
<servlet-name>AfterLoginServlet</servlet-name>
<servlet-class>test.AfterLoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AfterLoginServlet</servlet-name>
<url-pattern>/secured</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>UnsecuredServlet</servlet-name>
<servlet-class>test.UnsecuredServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UnsecuredServlet</servlet-name>
<url-pattern>/unsecured</url-pattern>
</servlet-mapping>
<!-- Login and security config -->
<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>test.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
<security-role>
<role-name>demorole</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>secured pages</web-resource-name>
<url-pattern>/secured</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>demorole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRealm</realm-name>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/error</form-error-page>
</form-login-config>
</login-config>
<session-config>
<session-timeout>20</session-timeout>
</session-config>
</web-app>
I've tried a few other options to make sure my application was working.
Turned security off completely: this worked without a hitch.
Set security to everything: I adapted the security-constraint to have the url-pattern be /*. This made me able to access only / (if I changed my servlet mapping).
So I succeed at securing either all pages or none of my pages, but I don't manage to secure only a portion of them. I don't really know what I could be doing wrong (though I'm sure it's something stupid).
UPDATE 1:
I have 2 working options now (for my simple test case):
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_10" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Login test</display-name>
<!-- Servlet config -->
<servlet>
<servlet-name>AfterLoginServlet</servlet-name>
<servlet-class>test.AfterLoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AfterLoginServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>UnsecuredServlet</servlet-name>
<servlet-class>test.UnsecuredServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UnsecuredServlet</servlet-name>
<url-pattern>/unsecured</url-pattern>
</servlet-mapping>
<!-- Login and security config -->
<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>test.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
<security-role>
<role-name>demorole</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>unsecured</web-resource-name>
<url-pattern>/unsecured</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>secured pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>demorole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRealm</realm-name>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/error</form-error-page>
</form-login-config>
</login-config>
<session-config>
<session-timeout>20</session-timeout>
</session-config>
</web-app>
I can also change the servlet mapping for AfterLoginServlet to /*. This still works on the / url, but not anything else...
UPDATE 3: Roles
So I actually have several applications that all suffer that same problem with security having to be /*.
I've used two possible configurations for roles that work:
The one you see here with demorole (defined role in web.xml and defined security-role assignment in weblogic.xml).
For this one, when I look in Security Realms -> [realm name] -> Roles and Policies -> Realm Roles, I see, for every application that uses that role, URL Pattern: / Role: demorole under Web module -> Url Patterns and Role.
One where I do not define a role and I just use All in the security constraint (no extra definitions in web.xml or weblogic.xml):
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>All</role-name>
</auth-constraint>
</security-constraint>
Try putting this in the weblogic.xml file:
<security-role-assignment>
<role-name>demorole</role-name>
<externally-defined/>
</security-role-assignment>
I have created a project, and I wish to make sure the user is logged in and authenticated with my LDAP server. How would I go about this?
|-- META-INF
|-- WEB-INF
|-- resources
| |-- css
| | `-- style.css
|
|-- upload
| |-- uploadText.xhtml
|
|-- index.xhtml
|-- SubmittedText.xhtml
|-- etc.xhtml
I want to protect everything apart from the resources folder.
This is my current web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>Upload Filter</filter-name>
<filter-class>richard.fileupload.UploadFilter</filter-class>
<init-param>
<param-name>sizeThreshold</param-name>
<param-value>1024</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Upload Filter</filter-name>
<url-pattern>/upload/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>facelets.LIBRARIES</param-name>
<param-value>/WEB-INF/corejsf.taglib.xml</param-value>
</context-param>
<context-param>
<param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
<param-value>true</param-value>
</context-param>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>LDAP</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login-failed.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restircted resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
<!-- <http-method>GETLIB</http-method>
<http-method>COPY</http-method>
<http-method>MOVE</http-method>
<http-method>DELETE</http-method>
<http-method>PROPFIND</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>MKCOL</http-method>
<http-method>PROPPATCH</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>VERSION-CONTROL</http-method>
<http-method>CHECKIN</http-method>
<http-method>CHECKOUT</http-method>
<http-method>UNCHECKOUT</http-method>
<http-method>REPORT</http-method>
<http-method>UPDATE</http-method>
<http-method>CANCELUPLOAD</http-method>-->
</web-resource-collection>
<!-- No Auth Constraint! -->
</security-constraint>
</web-app>
Your <security-constraint> is missing the <auth-constraint>. A security constraint without an authentication constraint is basically a public resource. As an example, if you'd like to restrict all roles, then you should put the following authentication constraint within the security constraint.
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
All in all, if you want to restrict everything under /* except for /javax.faces.resource/*, then you should have the following security constraints, exactly in this order in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Restircted resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection>
<!-- No Auth Constraint! -->
</security-constraint>
Your list of HTTP method restrictions is somewhat ridiculous; just omit it. By default it already applies to every single HTTP method.
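As an added example (written for this page; it is not code from the questioner, the answerer, or any servlet container), the following Python model of the Servlet 3.0 section 13.8 constraint-resolution rules shows why the two constraints in this answer behave as described, and also reproduces the UPDATE 1 web.xml from the WebLogic question earlier on the page: the url-pattern that best matches the request decides which constraints apply, a missing auth-constraint makes the resource public, and an empty auth-constraint denies everyone. It also models the caveat a reviewer would raise on the first question's web.xml, which lists only GET and POST: any other method on /test.do is then uncovered and treated as public by the model, which is why omitting the http-method list (as this answer recommends) or, on a Servlet 3.1 container, adding deny-uncovered-http-methods is the safer configuration. The precedence and combination rules are simplified from the specification; the sample constraints are constructed from the page's own web.xml files.

```python
"""Simplified model of Servlet-spec security-constraint resolution.

Constructed example, not code from any post above or from a container. It
models Servlet 3.0 section 13.8: the best-matching url-pattern decides which
constraints apply, an absent <auth-constraint> makes the resource public, an
empty <auth-constraint> denies everyone, and a constraint that lists
<http-method> elements leaves every other method uncovered (public).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union


@dataclass
class Constraint:
    """One <security-constraint>: its url-patterns, optional http-methods and roles."""
    patterns: List[str]
    methods: List[str] = field(default_factory=list)  # empty list = every HTTP method
    # None = no <auth-constraint> (public); [] = empty <auth-constraint> (deny all)
    roles: Optional[List[str]] = None


def _match(pattern: str, path: str):
    """Sort key if pattern matches path (lower key = better match), else None.

    Precedence follows servlet mapping rules: exact > longest path prefix >
    extension > default ("/").
    """
    if pattern == "/":
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))  # longer prefix sorts first
        return None
    if pattern.startswith("*."):
        return (2, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if path == pattern else None


def applicable(constraints: List[Constraint], path: str, method: str) -> List[Constraint]:
    """Constraints owning the best-matching pattern that also cover the HTTP method."""
    best = None
    for c in constraints:
        for p in c.patterns:
            key = _match(p, path)
            if key is not None and (best is None or key < best):
                best = key
    if best is None:
        return []
    chosen = []
    for c in constraints:
        if any(_match(p, path) == best for p in c.patterns):
            if not c.methods or method.upper() in c.methods:
                chosen.append(c)
    return chosen


def decide(constraints, path, method) -> Union[str, Set[str]]:
    """'public', 'deny', or the set of roles that may access path with method."""
    chosen = applicable(constraints, path, method)
    if not chosen or any(c.roles is None for c in chosen):
        return "public"          # nothing applies, or a constraint has no <auth-constraint>
    if any(len(c.roles) == 0 for c in chosen):
        return "deny"            # an empty <auth-constraint> precludes access
    roles: Set[str] = set()
    for c in chosen:
        roles.update(c.roles)    # otherwise the union of the named roles
    return roles


def is_permitted(constraints, path, method, caller_roles=None) -> bool:
    """caller_roles=None models an unauthenticated request."""
    decision = decide(constraints, path, method)
    if decision == "public":
        return True
    if decision == "deny" or caller_roles is None:
        return False
    if "*" in decision:          # "*" = any role defined for the application
        return len(caller_roles) > 0
    return bool(decision & set(caller_roles))


# The two constraints from the JSF answer above
JSF_CONSTRAINTS = [
    Constraint(patterns=["/*"], roles=["*"]),
    Constraint(patterns=["/javax.faces.resource/*"]),   # no <auth-constraint>
]
# The constraints from the WebLogic UPDATE 1 web.xml earlier on the page
WEBLOGIC_CONSTRAINTS = [
    Constraint(patterns=["/unsecured"]),                 # no <auth-constraint>
    Constraint(patterns=["/*"], roles=["demorole"]),
]
# The constraint from the first question, which lists only GET and POST
EAP_CONSTRAINTS = [
    Constraint(patterns=["/test.do"], methods=["GET", "POST"],
               roles=["DV_User_1", "DV_User_2", "DV_Super_User", "DV_Admin"]),
]

if __name__ == "__main__":
    print(decide(JSF_CONSTRAINTS, "/javax.faces.resource/css/style.css", "GET"))  # public
    print(decide(WEBLOGIC_CONSTRAINTS, "/secured", "GET"))                          # {'demorole'}
    print(decide(EAP_CONSTRAINTS, "/test.do", "HEAD"))                              # public (uncovered)
```

Running the module prints the three decisions; `is_permitted` adds the caller's roles to the check so a deployment descriptor can be sanity-tested against the paths and roles it is meant to protect before it is shipped.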
I'm doing a project and I'm using LDAP+CAS for authentication.
I created a facade class for the LDAP query (to get the user, name & mail).
My question is: after authentication, how do I test whether the user is allowed to access this page and exists in the application database before showing the JSF page? (How can I configure my application to run this test before showing the JSF page?)
Thank you :)
I'm sorry, I don't know what CAS means, but I use JAAS+LDAP+JBoss to authorize and authenticate a JSF2 web app; I hope this helps you:
In your LDAP server create the following hierarchy:
+ o=your-organization-name (partition)
+ ou=users (organizationalUnit)
- uid=your-id-user (inetOrgPerson), add userPassword attribute
+ ou=groups (organizationalUnit)
- cn=your-user-role (groupOfNames), add the uid created above
security-domain on JBoss 7.1 (standalone.xml):
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
...
<security-domain name="SecurityRealm" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://host-ldap-server:port-ldap-server/"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="principalDNPrefix" value="uid="/>
<module-option name="principalDNSuffix" value=",ou=users,o=your-organization-name"/>
<module-option name="rolesCtxDN" value="ou=groups,o=your-organization-name"/>
<module-option name="uidAttributeID" value="member"/>
<module-option name="matchOnUserDN" value="true"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
In your jboss-web.xml:
<security-domain>SecurityRealm</security-domain>
and the most important part: is the user allowed to access this page? (web.xml):
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!-- Protected Areas -->
<security-constraint>
<display-name>Protected</display-name>
<web-resource-collection>
<url-pattern>url-pages-you-want-protect</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>your-user-role</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Validation By Form -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>your-login-page</form-login-page>
<form-error-page>your-error-page</form-error-page>
</form-login-config>
</login-config>
<!-- Allowed Roles -->
<security-role>
<role-name>your-user-role</role-name>
</security-role>
</web-app>
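To make the module options in this answer concrete, here is an added example (mine, not the answerer's code and not the LdapLoginModule source) that models how principalDNPrefix/principalDNSuffix, rolesCtxDN, uidAttributeID, matchOnUserDN and roleAttributeID compose into a bind DN and a role lookup, and how the advanced-filter "(sAMAccountName={0})" from the first question on this page is filled in. It runs against an in-memory list of entries instead of JNDI, uses a constructed organization o=example with made-up users and groups, and escapes the username per RFC 4514 (DN) and RFC 4515 (filter) before concatenation, which is my defensive choice here rather than something the page states the module does.

```python
"""Model of how the LdapLoginModule options in the answer above, and the
advanced-filter "(sAMAccountName={0})" from the first question on this page,
compose into a bind DN, a role search and a user-lookup filter.

Constructed example: an in-memory list of entries stands in for JNDI, the
organization o=example and its users/groups are made up, and the escaping is
added here as defensive practice; this is not the module's own code.
"""
from typing import Dict, List, Tuple

_DN_SPECIALS = set(',+"\\<>;=')           # RFC 4514 characters escaped in a DN value
_FILTER_SPECIALS = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_dn_value(value: str) -> str:
    """Escape a value before concatenating it into a DN (RFC 4514)."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into a search filter (RFC 4515)."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def bind_dn(options: Dict[str, str], username: str) -> str:
    """principalDNPrefix + username + principalDNSuffix: the DN the module binds as."""
    return options["principalDNPrefix"] + escape_dn_value(username) + options["principalDNSuffix"]


def role_search_filter(options: Dict[str, str], username: str) -> str:
    """Equality filter the role search under rolesCtxDN amounts to:
    (uidAttributeID=<user DN>) with matchOnUserDN=true, else (uidAttributeID=<username>)."""
    value = bind_dn(options, username) if options.get("matchOnUserDN") == "true" else username
    return "(%s=%s)" % (options["uidAttributeID"], escape_filter_value(value))


def advanced_filter(template: str, username: str) -> str:
    """Fill the {0} placeholder of a security-realm advanced-filter."""
    return template.replace("{0}", escape_filter_value(username))


def resolve_roles(directory: List[Tuple[str, Dict[str, List[str]]]],
                  options: Dict[str, str], username: str) -> List[str]:
    """Roles the options yield: entries under rolesCtxDN whose uidAttributeID
    holds the user (DN or name), read through roleAttributeID."""
    match_value = (bind_dn(options, username)
                   if options.get("matchOnUserDN") == "true" else username).lower()
    scope = "," + options["rolesCtxDN"].lower()
    roles = []
    for dn, attrs in directory:
        if not dn.lower().endswith(scope):
            continue
        if match_value not in [m.lower() for m in attrs.get(options["uidAttributeID"], [])]:
            continue
        for value in attrs.get(options["roleAttributeID"], []):
            if options.get("roleAttributeIsDN") == "true":   # take the RDN value of a DN
                value = value.split(",", 1)[0].split("=", 1)[1]
            roles.append(value)
    return sorted(roles)


# Module options from the answer, with the constructed organization o=example
OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=users,o=example",
    "rolesCtxDN": "ou=groups,o=example",
    "uidAttributeID": "member",
    "matchOnUserDN": "true",
    "roleAttributeID": "cn",
    "roleAttributeIsDN": "false",
}

# Constructed directory content following the hierarchy in the answer
DIRECTORY = [
    ("uid=jdoe,ou=users,o=example",
     {"objectClass": ["inetOrgPerson"], "userPassword": ["<placeholder>"]}),
    ("cn=app-user,ou=groups,o=example",
     {"objectClass": ["groupOfNames"], "cn": ["app-user"],
      "member": ["uid=jdoe,ou=users,o=example"]}),
    ("cn=app-admin,ou=groups,o=example",
     {"objectClass": ["groupOfNames"], "cn": ["app-admin"],
      "member": ["uid=root,ou=users,o=example"]}),
]

if __name__ == "__main__":
    print(bind_dn(OPTIONS, "jdoe"))                         # uid=jdoe,ou=users,o=example
    print(role_search_filter(OPTIONS, "jdoe"))              # (member=uid=jdoe,ou=users,o=example)
    print(resolve_roles(DIRECTORY, OPTIONS, "jdoe"))        # ['app-user']
    print(advanced_filter("(sAMAccountName={0})", "jdoe"))  # (sAMAccountName=jdoe)
```

The escaped comma in the first question's search-dn (`CN=server\, server`) is exactly what `escape_dn_value` produces for a value containing a comma, so the same helper can be used to build a service-account DN from a display name without hand-escaping it.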
Hello, I'm trying to perform form-based authentication on JBoss:
These are my configuration files.
login-config.xml:
<application-policy name="MyPolicy">
<authentication>
<login-module flag="required"
code="org.jboss.security.auth.spi.DatabaseServerLoginModule">
<module-option name="dsJndiName">java:/espritDS</module-option>
<module-option name="principalsQuery">SELECT password FROM users WHERE
username=?</module-option>
<module-option name="rolesQuery">SELECT groupname FROM groups WHERE
username=?</module-option>
</login-module>
</authentication>
</application-policy>
web.xml:
<!-- Security -->
<security-constraint>
<web-resource-collection>
<web-resource-name>secret</web-resource-name>
<url-pattern>/faces/secret/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/loginError.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
and jboss-web.xml:
<jboss-web>
<!-- A security domain that restricts access -->
<security-domain>java:/jaas/MyPolicy</security-domain>
</jboss-web>
I thought I didn't need to set up users and roles files since I have a database where I inserted some users and roles, but I'm getting this exception and haven't managed to deal with it:
11:57:26,587 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
You have an error in your rolesQuery. It should look like this:
<module-option name="rolesQuery">SELECT groupname, 'Roles' FROM groups WHERE
username=?</module-option>
I don't see other errors.
You can read more about DatabaseServerLoginModule modules here: http://community.jboss.org/wiki/DatabaseServerLoginModule
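As an added example illustrating the contract this answer relies on (my code, run against an in-memory SQLite database; it is not the DatabaseServerLoginModule source), the block below executes both the questioner's one-column rolesQuery and the corrected two-column one. The module binds the username to the single `?` of each query as a prepared-statement parameter and reads the role name from column one and the role group from column two, so a query that returns only the group name cannot be split into role sets; the model rejects such a query up front, which is a useful pre-deployment check. The users/groups tables and the 'alice' account are constructed, and the password column holds a placeholder rather than a real stored credential.

```python
"""Runnable model of the DatabaseServerLoginModule query contract discussed above.

Constructed example with an in-memory SQLite database; not the module's code.
The module runs principalsQuery and rolesQuery as prepared statements with the
username bound to the single '?' parameter, and expects rolesQuery to return
two columns: the role name and the role group ('Roles' for authorization roles).
"""
import sqlite3
from typing import Dict, List

PRINCIPALS_QUERY = "SELECT password FROM users WHERE username=?"
ROLES_QUERY_FROM_QUESTION = "SELECT groupname FROM groups WHERE username=?"
ROLES_QUERY_FROM_ANSWER = "SELECT groupname, 'Roles' FROM groups WHERE username=?"


def build_db() -> sqlite3.Connection:
    """Constructed users/groups tables; the password column holds a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (username TEXT PRIMARY KEY, password TEXT NOT NULL);
        CREATE TABLE groups (username TEXT NOT NULL, groupname TEXT NOT NULL);
        INSERT INTO users  VALUES ('alice', '<stored-credential-placeholder>');
        INSERT INTO groups VALUES ('alice', 'admin'), ('alice', 'user');
    """)
    return conn


def lookup_password(conn: sqlite3.Connection, username: str):
    """principalsQuery: the stored credential for the user, or None if unknown."""
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    return row[0] if row else None


def load_role_sets(conn: sqlite3.Connection, roles_query: str, username: str) -> Dict[str, List[str]]:
    """rolesQuery: group the returned rows by their second column (the role group).

    A one-column result cannot be split into role name and role group, which is
    the defect the answer points out; this model rejects it instead of guessing.
    """
    cur = conn.execute(roles_query, (username,))
    if len(cur.description) < 2:
        raise ValueError("rolesQuery must return two columns: role name and role group")
    role_sets: Dict[str, List[str]] = {}
    for role, role_group in cur.fetchall():
        role_sets.setdefault(role_group or "Roles", []).append(role)
    for roles in role_sets.values():
        roles.sort()
    return role_sets


def roles_query_is_valid(conn: sqlite3.Connection, roles_query: str) -> bool:
    """Check a candidate rolesQuery for the two-column shape before deploying it."""
    try:
        load_role_sets(conn, roles_query, "alice")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = build_db()
    print(roles_query_is_valid(db, ROLES_QUERY_FROM_QUESTION))   # False
    print(load_role_sets(db, ROLES_QUERY_FROM_ANSWER, "alice"))  # {'Roles': ['admin', 'user']}
```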
I'm currently trying out the JDBCRealm in GlassFish v3:
I have 2 roles USER and ADMIN.
I have a LoginServlet that redirects to a url (say /admin or /user) based on the request.isUserInRole("ADMIN") method.
The problem is that when an ADMIN is logged in it returns true, so he gets redirected to /admin, but he can also access /user. When a USER is logged in, request.isUserInRole("ADMIN") also returns true. request.isUserInRole("NONEXISTINGROLE") returns false for both.
E.g.:
request.isUserInRole("ADMIN") +" "+
request.isUserInRole("USER")+" "+
request.isUserInRole("NONEXISTINGROLE")
for logged-in USER: returns true true false
for logged-in ADMIN: returns true true false
This is a part of my web.xml:
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>adminProtected</web-resource-name>
<description>Administrator restricted area</description>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Constraint2</display-name>
<web-resource-collection>
<web-resource-name>userProtected</web-resource-name>
<description>User restricted area</description>
<url-pattern>/user/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Constraint3</display-name>
<web-resource-collection>
<web-resource-name>LoginServlet</web-resource-name>
<description>All restricted area</description>
<url-pattern>/LoginServlet</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>securityJDBC</realm-name>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login.jsf</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description></description>
<role-name>USER</role-name>
</security-role>
<security-role>
<description></description>
<role-name>ADMIN</role-name>
</security-role>
<servlet>
<description></description>
<display-name>LoginServlet</display-name>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>controllers.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>
And my sun-web.xml:
<security-role-mapping>
<role-name>USER</role-name>
<group-name>USER</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>ADMIN</group-name>
</security-role-mapping>
Thank you!
Fixed it by making sure the Realm setting "Assign Groups" is empty. Glassfish will load them from the Group Table.
Your security mappings look fine at first glance. How about your user mappings? It looks like the same username is mapped to both the user and admin roles.