
JbossWS and LdapLoginModule

October 7, 2009

Conclusions of the study:

Simple LDAP validation is possible in JBoss without an authorization check.
The default LdapLoginModule has a fixed structure: the bind DN is formed as principal prefix + username + principal suffix, which may not suit every directory layout.
A custom login module can be built using either CAS or plain JNDI.
Authorization can be customized.
Multiple login modules can be stacked using JAAS. [This needs to be explored further]

The following files need to be modified:
1. login-config.xml
This file holds the configuration of the LDAP server as well as the principal DN prefix and suffix.

<application-policy name="JBossWS">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://ldapServer:1020</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="principalDNPrefix">id=</module-option>
            <module-option name="principalDNSuffix">dc=com</module-option>
        </login-module>
    </authentication>
</application-policy>
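As an added example (not code from the original post or from JBoss), a hypothetical custom login module built with plain JNDI, the alternative to the stock LdapLoginModule mentioned in the conclusions above. It reads the same module-option names as the configuration above; the class name LdapBindLoginModule is assumed, and role assignment is left to a stacked module.

```java
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical module (added example): authenticates a user by a simple LDAP bind over JNDI.
public class LdapBindLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Map<String, ?> options;   // module-option values from login-config.xml
    private boolean authenticated;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.options = options;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("Username: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("credential callback failed: " + e); }
        String user = nc.getName();
        char[] pw = pc.getPassword();
        // An empty password turns a simple bind into an unauthenticated bind that many directories accept.
        if (user == null || pw == null || pw.length == 0)
            throw new FailedLoginException("username and password are required");
        // Restrict the name to characters that cannot alter the DN built from it.
        if (!user.matches("[A-Za-z0-9._-]+"))
            throw new FailedLoginException("username not acceptable as a DN component");
        // Same construction as the stock module: prefix + username + suffix, verbatim.
        String dn = options.get("principalDNPrefix") + user + options.get("principalDNSuffix");
        // The java.naming.* module-options double as the JNDI environment.
        Hashtable<String, Object> env = new Hashtable<>(options);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        try { new InitialDirContext(env).close(); authenticated = true; }   // bind accepted
        catch (NamingException e) { throw new FailedLoginException("LDAP bind failed for " + dn); }
        finally { pc.clearPassword(); }
        return true;
    }
    public boolean commit() { return authenticated; }
    public boolean abort() { authenticated = false; return true; }
    public boolean logout() { authenticated = false; return true; }
}
```

Because the suffix is appended verbatim, a principalDNSuffix normally begins with a comma (for example ",ou=People,dc=example,dc=com", an assumed value) so that the result is a well-formed DN.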

2. jboss-web.xml

The security domain defined in this file is mapped to the application-policy name given in login-config.xml. The file lives under /WEB-INF/, at the same level as web.xml.

<jboss-web>
    <security-domain>java:/jaas/JBossWS</security-domain>
</jboss-web>

3. web.xml

The security-constraint tag is mandatory, even if role validation is not required. If no authorization check is required, use * as the role-name. The login-config tag is likewise mandatory.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!--role-name>friend</role-name-->
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<!--security-role>
    <role-name>friend</role-name>
</security-role-->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JbossWS4899</realm-name>
</login-config>

If role validation is required, the role name given in the security-role tag is checked against the user's profile.

References:
http://www.jboss.org/community/wiki/JBossWS-Authentication
