CAS + LDAP + JSF authentication - jsf

I'm doing a project and I'm using LDAP+CAS for authentication.
I created a facade class for the LDAP query (to get the user, name and mail).
My question is: how can I test, after authentication, whether the user is allowed to access this page and exists in the application database before showing the JSF page? (How can I configure my application to run this test before showing the JSF page?)
Thank you :)

I'm sorry, I don't know what CAS means, but I use JAAS+LDAP+JBoss to authorize and authenticate a JSF2 web app; I hope this helps you:
In your LDAP server, create the following hierarchy:
+ o=your-organization-name (partition)
+ ou=users (organizationalUnit)
- uid=your-id-user (inetOrgPerson), add userPassword attribute
+ ou=groups (organizationalUnit)
- cn=your-user-role (groupOfNames), add the uid created above as a member
security-domain on JBoss 7.1 (standalone.xml):
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
...
<security-domain name="SecurityRealm" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://host-ldap-server:port-ldap-server/"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="principalDNPrefix" value="uid="/>
<module-option name="principalDNSuffix" value=",ou=users,o=your-organization-name"/>
<module-option name="rolesCtxDN" value="ou=groups,o=your-organization-name"/>
<module-option name="uidAttributeID" value="member"/>
<module-option name="matchOnUserDN" value="true"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
in your jboss-web.xml
<security-domain>SecurityRealm</security-domain>
and the most important part: is the user allowed to access this page? (web.xml):
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!-- Protected Areas -->
<security-constraint>
<display-name>Protected</display-name>
<web-resource-collection>
<url-pattern>url-pages-you-want-protect</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>your-user-role</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Validation By Form -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>your-login-page</form-login-page>
<form-error-page>your-error-page</form-error-page>
</form-login-config>
</login-config>
<!-- Allowed Roles -->
<security-role>
<role-name>your-user-role</role-name>
</security-role>
</web-app>
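A way to do the asker's post-authentication check on top of the setup described above, as an added example that is not part of the original answer: a servlet filter that runs after the container has authenticated the caller against LDAP and, before any JSF page renders, confirms both the container role and the user's presence in the application database. The AppUserRepository interface, its existsByUid method and the package name are assumptions standing in for the asker's own facade; the role name your-user-role is the one from the answer's web.xml.

```java
package com.example.security;

import java.io.IOException;
import java.security.Principal;
import javax.inject.Inject;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed contract for the application's user-table lookup (a CDI bean supplies it).
interface AppUserRepository {
    boolean existsByUid(String uid);
}

// Runs after container-managed (JAAS/LDAP) authentication, before JSF renders the page.
@WebFilter(urlPatterns = {"*.xhtml"})
public class AppUserAuthorizationFilter implements Filter {
    // Container roles this application accepts; must match <role-name> in web.xml (assumed).
    private static final String[] ALLOWED_ROLES = {"your-user-role"};

    @Inject
    private AppUserRepository appUsers;

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // 1. The container must already have authenticated the caller (null means it has not).
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. The role check is delegated to the container; nothing client-supplied is trusted.
        boolean hasRole = false;
        for (String role : ALLOWED_ROLES) {
            hasRole |= request.isUserInRole(role);
        }
        // 3. The LDAP uid (principal name) must also exist in the application's own database.
        if (!hasRole || !appUsers.existsByUid(principal.getName())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // one generic denial for both
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter's *.xhtml mapping should cover the same pages as the url-pattern in the answer's security-constraint, so that the container authenticates first and this filter only refines the decision.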

Related

FORM authentication fallback in Wildfly 11

I currently have a working SPNEGO-configuration to login with a kerberos ticket. Now I want to fallback to FORM-based authentication using j_security_check and authenticate username/password against AD/LDAP.
If I set <auth-method>SPNEGO,FORM</auth-method> I'm redirected to the login page. Now I have no idea how to proceed from here.
Do I need a bean at all for my login form or are the values passed to the server automatically?
What configuration is needed in the standalone.xml?
Any help is highly appreciated. Using Wildfly 11.
My current configuration:
web.xml
<security-constraint>
<display-name>Security Constraint on Conversation</display-name>
<web-resource-collection>
<web-resource-name>MyApp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>SPNEGO</realm-name>
</login-config>
<security-role>
<description>Role required to log in to the Application</description>
<role-name>*</role-name>
</security-role>
jboss-web.xml
<jboss-web version="8.0" xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/schema/jbossas/jboss-web_8_0.xsd">
<context-root>/MyApp</context-root>
<default-encoding>UTF-8</default-encoding>
<security-domain>SPNEGO</security-domain>
<jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>
standalone.xml
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="required">
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="host" cache-type="default">
<authentication>
<login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">
<module-option name="refreshKrb5Config" value="true"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="keyTab" value="${jboss.server.config.dir}/wildfly.keytab"/>
<module-option name="storeKey" value="true"/>
<module-option name="principal" value="HTTP/me.example.com#EXAMPLE.COM"/>
<module-option name="debug" value="true"/>
</login-module>
</authentication>
</security-domain>
login.xhtml
<form method="post" action="j_security_check">
<h:form prependId="false" >
<h:outputText value="Username"/>
<p:inputText id="j_username" value="#{login.username}" />
<p/>
<h:outputText value="Passwort"/>
<p:password id="j_password" value="#{login.password}" />
<p/>
<p:commandButton ajax="false" value="Login" action="#{login.login()}" />
</h:form>
</form>
Haven't seen any WildFly code, but that is not possible with CMS (container-managed security). The element auth-method is singular, not plural.
You have to perform a hybrid authentication which supports SPNEGO and then falls back to form auth. But this will be very tricky, because how do you know that the client has not provided a SPNEGO ticket? You have to maintain a per-connection state for this and redirect to the form. If you send a form upfront with the WWW-Authenticate: Negotiate, then the client will never re-retrieve your resource and your form won't kick in because SPNEGO has kicked in.
I would recommend against it and combine Negotiate with Basic instead. This is less of a headache.

jboss server LDAP realm not working

I'm trying to configure a J2EE application running on my local jboss EAP 6.1 server to use a Microsoft AD LDAP for authentication. What I have isn't working, and I can't figure out what the problem is.
If I define a user within the application-users.properties file, I can authenticate.
Here is my web application's web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp" version="3.0"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<servlet>
<servlet-name>TestServlet</servlet-name>
<servlet-class>com.company.test.project.servlet.TestServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TestServlet</servlet-name>
<url-pattern>/test.do</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Resources</web-resource-name>
<description>All CrossSells resources not viewable by the public</description>
<url-pattern>/test.do</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DV_User_1</role-name>
<role-name>DV_User_2</role-name>
<role-name>DV_Super_User</role-name>
<role-name>DV_Admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>LdapRealm</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/error.jsp?message=Invalid+Username+or+Password</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>DV_User_1</role-name>
</security-role>
<security-role>
<role-name>DV_User_2</role-name>
</security-role>
<security-role>
<role-name>DV_Super_User</role-name>
</security-role>
<security-role>
<role-name>DV_Admin</role-name>
</security-role>
</web-app>
and here's the security settings in my jboss EAP server's standalone.xml:
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="LdapRealm">
<authentication>
<ldap connection="MicrosoftAD" base-dn="DC=co,DC=company,DC=local">
<advanced-filter filter="(sAMAccountName={0})"/>
</ldap>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="MicrosoftAD" url="ldap://server:389" search-dn="CN=server\, server,OU=Service Accounts,OU=POD,DC=co,DC=company,DC=local" search-credential="password"/>
</outbound-connections>
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket-binding native="management-native"/>
</native-interface>
<http-interface security-realm="ManagementRealm">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
</management>
In management-interfaces, change security-realm="managementRealm" to security-realm="LdapRealm".
#braybaut

Programmatic users login

I have the classic form based authentication setup in my web.xml file:
<security-constraint>
<display-name>AccessoRiservato</display-name>
<web-resource-collection>
<web-resource-name>webResourceCollectionReserved</web-resource-name>
<url-pattern>*.htm</url-pattern>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>guest</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Pubblico</display-name>
<web-resource-collection>
<web-resource-name>webResourceCollectionFree</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
<url-pattern>/login.htm</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.htm</form-login-page>
<form-error-page>/login.htm</form-error-page>
</form-login-config>
</login-config>
I'm correctly redirected to my login.xhtml page:
<h:form>
<h:outputLabel for="j_username" value="Nome Utente:"/>
<h:inputText value="#{sessioneController.username}" id="j_username" size="20"/>
<h:outputLabel for="j_password" value="Password:"/>
<h:inputText value="#{sessioneController.password}" id="j_password" size="20"/>
<h:commandButton action="#{sessioneController.login}" value="Login" />
</h:form>
I'd like to check by myself whether the user is valid or not:
in case of success, how can I tell the container (JBoss 8 - WildFly in this case) "hey, authenticate this user please!"? Unfortunately, I cannot create a realm.

JAAS web-security on jboss 5

Hello, I'm trying to perform form-based authentication on JBoss;
these are my configuration files.
login-config.xml:
<application-policy name="MyPolicy">
<authentication>
<login-module flag="required"
code="org.jboss.security.auth.spi.DatabaseServerLoginModule">
<module-option name="dsJndiName">java:/espritDS</module-option>
<module-option name="principalsQuery">SELECT password FROM users WHERE
username=?</module-option>
<module-option name="rolesQuery">SELECT groupname FROM groups WHERE
username=?</module-option>
</login-module>
</authentication>
</application-policy>
web.xml:
<!-- Security -->
<security-constraint>
<web-resource-collection>
<web-resource-name>secret</web-resource-name>
<url-pattern>/faces/secret/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/loginError.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
and jboss-web.xml:
<jboss-web>
<!-- A security domain that restricts access -->
<security-domain>java:/jaas/MyPolicy</security-domain>
</jboss-web>
I thought I didn't need to set up users and roles files since I have a database where I inserted some users and roles, but I'm getting this exception and haven't managed to deal with it:
11:57:26,587 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
You have an error in your rolesQuery. It should look just like this:
<module-option name="rolesQuery">SELECT groupname, 'Roles' FROM groups WHERE
username=?</module-option>
I don't see any other errors.
You can read more about DatabaseServerLoginModule modules here: http://community.jboss.org/wiki/DatabaseServerLoginModule

request.isUserInRole("ADMIN") also returns true for user not in role ADMIN but role USER

I'm currently trying out the JDBCRealm in GlassFish v3:
I have 2 roles USER and ADMIN.
I have a LoginServlet that redirects to a URL (say /admin or /user) based on the request.isUserInRole("ADMIN") method.
The problem is that when an ADMIN is logged in it returns true, so he gets redirected to /admin, but he can also access /user. When a USER is logged in, request.isUserInRole("ADMIN") also returns true. request.isUserInRole("NONEXISTINGROLE") returns false for both.
Eg:
request.isUserInRole("ADMIN") +" "+
request.isUserInRole("USER")+" "+
request.isUserInRole("NONEXISTINGROLE")
for logged-in USER: returns true true false
for logged-in ADMIN: returns true true false
This is a part of my web.xml:
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>adminProtected</web-resource-name>
<description>Administrator restricted area</description>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Constraint2</display-name>
<web-resource-collection>
<web-resource-name>userProtected</web-resource-name>
<description>User restricted area</description>
<url-pattern>/user/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Constraint3</display-name>
<web-resource-collection>
<web-resource-name>LoginServlet</web-resource-name>
<description>All restricted area</description>
<url-pattern>/LoginServlet</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>securityJDBC</realm-name>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login.jsf</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description></description>
<role-name>USER</role-name>
</security-role>
<security-role>
<description></description>
<role-name>ADMIN</role-name>
</security-role>
<servlet>
<description></description>
<display-name>LoginServlet</display-name>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>controllers.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>
And my sun-web.xml:
<security-role-mapping>
<role-name>USER</role-name>
<group-name>USER</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>ADMIN</group-name>
</security-role-mapping>
Thank you!
Fixed it by making sure the Realm setting "Assign Groups" is empty. GlassFish will load them from the Group Table.
Your security mappings look fine at first glance. How about your user mappings? It looks like the same username is mapped to both the user and admin roles.
