0 votes

The sAMAccountName attribute of a particular role in the LDAP server is "OrgAdmin", but the Java application checks whether the user has the role "Administrator".

Since I don't have access to this code, I would like to know how to map the "OrgAdmin" role to the "Administrator" role so that the application treats "OrgAdmin" as "Administrator" and allows admin access.

I want to achieve this through Tomcat. Below is the JNDI realm in the server.xml file.

    <Realm className="com.speedlegal.catalina.realm.JNDIRealm" debug="9"
           connectionName="CN=app-name,OU=America,OU=Service,OU=User,DC=xxx,DC=yyy,DC=net"
           connectionPassword="***"
           connectionURL="ldaps://domain:3269"
           alternateURL="ldaps://domain:3269"
           userBase="DC=xxx,DC=yyy,DC=net"
           userSubtree="true"
           userSearch="(sAMAccountName={0})"
           roleBase="OU=America,OU=Universal,OU=Group,DC=xxx,DC=yyy,DC=net"
           roleSubtree="true"
           roleName="sAMAccountName"
           roleSearch="(member={0})"/>

Below is the conf/web.xml of my Tomcat.

    <web-app>

        <servlet>
            <servlet-name>default</servlet-name>
            <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
            <init-param>
                <param-name>debug</param-name>
                <param-value>0</param-value>
            </init-param>
            <init-param>
                <param-name>listings</param-name>
                <param-value>false</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>

        <servlet>
            <servlet-name>jsp</servlet-name>
            <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
            <init-param>
                <param-name>fork</param-name>
                <param-value>false</param-value>
            </init-param>
            <init-param>
                <param-name>xpoweredBy</param-name>
                <param-value>false</param-value>
            </init-param>
            <init-param>
                <param-name>mappedfile</param-name>
                <param-value>false</param-value>
            </init-param>
            <load-on-startup>3</load-on-startup>
        </servlet>

        <!-- The mapping for the default servlet -->
        <servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>/</url-pattern>
        </servlet-mapping>

        <!-- The mappings for the JSP servlet -->
        <servlet-mapping>
            <servlet-name>jsp</servlet-name>
            <url-pattern>*.jsp</url-pattern>
            <url-pattern>*.jspx</url-pattern>
        </servlet-mapping>

        <session-config>
            <session-timeout>30</session-timeout>
        </session-config>

        <mime-mapping>
            <extension>z7</extension>
            <mime-type>application/x-zmachine</mime-type>
        </mime-mapping>
        <welcome-file-list>
            <welcome-file>index.html</welcome-file>
            <welcome-file>index.htm</welcome-file>
            <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>

    </web-app>
2
By code do you mean the Java code itself or the web.xml file? The association between URLs and user roles is defined in the web.xml, and it is easy to change there. - Eugène Adell

@EugèneAdell I mean the Java code itself. Is there any way to maybe edit the role under <Realm> itself? I have added my web.xml to the post. Also, there are 3 types of roles for the users of the organisation: "OrgAdmin", "OrgAuthor", "OrgUser". But the code checks for Admin, Author, User. So even if a user is valid and his role is "OrgAdmin" in LDAP, he is not authorized, since the role is not exactly "Admin". The Java code is not with me. - Rosily

There's no security-constraint in your web.xml? That means everything is handled by the Java code. How come the dev didn't produce code for the correct role names? - Eugène Adell

2 Answers

0 votes

You need something in web.xml, or the context, like:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Administrative Area</web-resource-name>
            <url-pattern>/Delete.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

As shown on https://ldapwiki.com/wiki/Tomcat%20And%20LDAP

Remember that there are MANY different parameters and versions involved.

-jim

0 votes

One way in Tomcat is to create a subclass of JNDIRealm. See the SO answer here, or the referenced source page here.
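As an added illustration of the subclass approach this answer points to (this is example code, not the answer's, the question's, or Tomcat's own), the class below extends Tomcat's JNDIRealm and overrides hasRole so that a check for "Administrator" succeeds when the LDAP lookup configured by roleSearch/roleName returned the group "OrgAdmin". The package name, class name and the three role pairs are assumptions taken from the question and its comments; the LDAP side is left entirely to the parent class, so the existing connection, user and role settings in server.xml keep working unchanged.

```java
// Added example: a hypothetical JNDIRealm subclass that maps the role names the
// application asks for onto the group names that actually exist in LDAP.
// Package and class names are assumptions, not part of the original page.
package com.example.realm;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.catalina.Wrapper;
import org.apache.catalina.realm.JNDIRealm;

public class RoleMappingJNDIRealm extends JNDIRealm {

    // Application role name -> LDAP group sAMAccountName.
    // Left side: what the (unmodifiable) Java code checks for.
    // Right side: what roleSearch/roleName in server.xml return for the user.
    // An explicit list is used on purpose: a pattern such as "strip the Org
    // prefix" would silently grant any future group a role it was never meant to have.
    private static final Map<String, String> ROLE_MAP;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("Administrator", "OrgAdmin");
        m.put("Author", "OrgAuthor");
        m.put("User", "OrgUser");
        ROLE_MAP = Collections.unmodifiableMap(m);
    }

    // Tomcat routes both request.isUserInRole(...) and <security-constraint>
    // evaluation through this method, so a single override covers both paths.
    @Override
    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
        // A user who literally holds the requested role is still accepted.
        if (super.hasRole(wrapper, principal, role)) {
            return true;
        }
        // Otherwise accept only when the requested role has an explicit mapping
        // and the authenticated user holds the mapped LDAP group.
        // Unmapped role names are never widened.
        String ldapGroup = ROLE_MAP.get(role);
        return ldapGroup != null && super.hasRole(wrapper, principal, ldapGroup);
    }
}
```

To use it, compile the class against the catalina.jar of the Tomcat version in use, put the resulting jar in $CATALINA_BASE/lib, and point the className attribute of the <Realm> element in server.xml at com.example.realm.RoleMappingJNDIRealm while keeping every other attribute as it is. The hasRole(Wrapper, Principal, String) signature has been stable across Tomcat 7 through 10, which is why the override targets it rather than the LDAP-specific internals that changed between releases. If the application's own WEB-INF/web.xml can be edited instead, the servlet specification's <security-role-ref> element (role-name mapped to role-link inside a <servlet>) provides the same per-servlet translation without any custom code, but it only applies to the servlets that declare it.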