1 vote

I am writing a web project using Servlets/JSP etc. At the moment the program uses basic authentication for security, but my work wants the security roles picked up from our Active Directory.

I have modified apache's server.xml with the following:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://adclds001.mycompgroup.local:389"
       connectionName="************.local:389"
       connectionPassword="********"
       userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleName="cn"
       roleSearch="member={0}"
     />

The authentication works fine, but I do not know how to map ldap groups to Tomcat roles.

I have tried adding things like group-name to the entries in the deployment descriptor, but to no avail.

I have also heard that extending the JNDIRealm class and overriding the getRoles method might give me what I want, but I can't find full details on what might be required.

So what is the best way to map ldap groups to tomcat roles?

The application is still not picking up the roles.

My realm details are currently:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://adclds001.mycomp.local:389"
       connectionName="[email protected]:389"
       connectionPassword="****"
       userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       userRoleName="Domain Users"
       roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       roleName="cn"
       roleSearch="member={0}"
     />

I have a security constraint in my deployment descriptor:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Domain Users</role-name>
            <role-name>admin_user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>   

Security roles in web.xml:

    <security-role>
        <role-name>basic_user</role-name>
    </security-role>
    <security-role>
        <role-name>admin_user</role-name>
    </security-role>

    <security-role>
        <role-name>Domain Users</role-name>
    </security-role>

I also have:

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

Also

My IT dept are telling me that everybody is in the following group: CN=Domain Users,CN=Users,DC=mycompgroup,DC=local

Can anybody suggest why I am not able to use the Domain Users role?

4
Are you able to include a sample group? Looking at the Tomcat documentation it appears that should work. Which version of Tomcat are you using? – ipsi

4 Answers

0 votes

You've already done it. When the user logs in, the CN of all the roles he is in will be associated with the user automatically. There is nothing left to do.

0 votes

You have done step one.

You then need to add a "security-constraint" to the context of your application (typically the web.xml file).

A simple example can be found here.

0 votes

Here is a description of subclassing JNDIRealm for these purposes. He suggests using a properties file.

I did something similar, however, I allowed adding entries by an attribute in the Realm element. To do that, create a JavaBean property in your subclass, e.g. rolesForServer. Given application roles of "event_requester", "approver", "manager", the setRolesForServer can then parse the string, e.g. rolesForServer='HR=approver,manager;all=event_requester'.
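The subclass approach this answer describes, written out as an added example (it is not the answerer's code and not part of Tomcat): the class name, package and the exact parsing rules for rolesForServer are assumptions, and it assumes Tomcat 7 / 8.0, where the override point is getRoles(DirContext, User) (later Tomcat versions changed that signature).

```java
package com.example.realm;   // assumed package name, not from the thread
import java.util.*;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.apache.catalina.realm.JNDIRealm;

// Hypothetical JNDIRealm subclass: LDAP group CNs found by the stock realm (roleName="cn")
// are mapped onto application roles from a rolesForServer="HR=approver,manager;all=event_requester"
// attribute of <Realm>. Assumes the Tomcat 7 / 8.0 signature getRoles(DirContext, User).
public class GroupMappingRealm extends JNDIRealm {

    private final Map<String, List<String>> groupToRoles = new LinkedHashMap<>();
    private String rolesForServer = "";

    // Tomcat's digester calls this setter for the rolesForServer attribute of <Realm>.
    public void setRolesForServer(String spec) {
        rolesForServer = spec;
        groupToRoles.clear();
        for (String entry : spec.split(";")) {
            if (entry.trim().isEmpty()) continue;
            int eq = entry.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("bad rolesForServer entry: " + entry);
            List<String> roles = new ArrayList<>();
            for (String r : entry.substring(eq + 1).split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
            groupToRoles.put(entry.substring(0, eq).trim(), roles);
        }
    }

    public String getRolesForServer() { return rolesForServer; }

    // Pure mapping: "all" applies to every authenticated user; unmapped groups contribute nothing.
    List<String> mapGroups(Collection<String> ldapGroups) {
        Set<String> out = new LinkedHashSet<>(groupToRoles.getOrDefault("all", Collections.<String>emptyList()));
        for (String g : ldapGroups) {
            out.addAll(groupToRoles.getOrDefault(g, Collections.<String>emptyList()));
        }
        return new ArrayList<>(out);
    }

    @Override
    protected List<String> getRoles(DirContext context, User user) throws NamingException {
        List<String> groups = super.getRoles(context, user);   // e.g. ["Domain Users", "HR"]
        List<String> roles = new ArrayList<>(groups == null ? Collections.<String>emptyList() : groups);
        roles.addAll(mapGroups(roles));   // raw group names stay usable as roles; app roles are added
        return roles;
    }
}
```

Declare it in server.xml with className="com.example.realm.GroupMappingRealm" plus a rolesForServer attribute in place of the stock JNDIRealm, keeping the connection and search attributes from the question.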

0 votes

You can use LDAPAdminExe to browse the LDAP structure and find which "group" you are located in.

For example, your group is CN=Domain Users,CN=Users,DC=mycompgroup,DC=local.

Step 1. You should check whether this group is in the role base (use LDAPAdminExe to check):

OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local

If not, you should change this roleBase setting. I think it may be possible to set this config to

DC=mycompgroup,DC=local

So you will set the config in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://adclds001.mycomp.local:389"
       connectionName="[email protected]:389"
       connectionPassword="****"
       userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
       userRoleName="Domain Users"
       roleBase="DC=mycompgroup,DC=local"
       roleName="cn"
       roleSearch="member={0}"
     />

Step 2. You should add the groups name in your web.xml:

<security-constraint>
....
    <auth-constraint>
        <role-name>Domain Users</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <role-name>Domain Users</role-name>
</security-role>

Step 3. Restart the Tomcat server.

Enjoy it!!!