
Authentication against Active Directory

Replies: 2 - Last Post: March 30, 2013 15:58
by: random_user
Posted: March 29, 2013 17:58 by random_user
Hi,

I want to use Active Directory authentication with imixs.

I configured the GlassFish realm like this: http://www.imixs.org/roller/ralphsjavablog/entry/glassfish_active_directory


My web.xml:

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>LDAP</realm-name>
</login-config>

<security-constraint>
<web-resource-collection>
<web-resource-name>restricted</web-resource-name>
<url-pattern>/pages/*</url-pattern>
<url-pattern>/rest/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>org.imixs.ACCESSLEVEL.READERACCESS</role-name>
<role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
<role-name>org.imixs.ACCESSLEVEL.EDITORACCESS</role-name>
<role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name>
</auth-constraint>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>restricted</web-resource-name>
<url-pattern>/RestService/*</url-pattern>
<url-pattern>/pages/config/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name>
</auth-constraint>
</security-constraint>

<security-role>
<role-name>org.imixs.ACCESSLEVEL.NOACCESS</role-name>
</security-role>
<security-role>
<role-name>org.imixs.ACCESSLEVEL.READERACCESS</role-name>
</security-role>
<security-role>
<role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
</security-role>
<security-role>
<role-name>org.imixs.ACCESSLEVEL.EDITORACCESS</role-name>
</security-role>
<security-role>
<role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name>
</security-role>

What should my sun-web.xml look like? I guess I need a security role mapping or something?

The following errors occur when I try to log in (in my GlassFish log):

Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1u]

and

Exception in LdapRealm when trying to authenticate user. javax.security.auth.login.LoginException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1u] at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:505) at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108) at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117) at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:143) at sun.reflect.GeneratedMethodAccessor547.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:601) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) at javax.security.auth.login.LoginContext.login(LoginContext.java:594) at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:382) at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:240) at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:153) at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:514) at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:455) at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:169) at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1333) at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161) at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231) at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317) at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195) at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849) at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746) at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045) at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228) at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137) at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104) at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90) at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79) at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54) at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59) at com.sun.grizzly.ContextTask.run(ContextTask.java:71) at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532) at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513) at java.lang.Thread.run(Thread.java:722) Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1u] at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) at 
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) at javax.naming.InitialContext.init(InitialContext.java:242) at javax.naming.InitialContext.<init>(InitialContext.java:216) at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:477)
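Added example (not from the original thread): a small classifier for the GlassFish/JNDI failure lines above. Active Directory reports the real cause of an LDAP result code 49 in the "data" sub-code (52e is a plain wrong password, 775 is a lockout, 533 a disabled account, and so on), which is what a defender wants to count when triaging failed logins; the sample log lines are constructed, the first one from the message in the post.

```python
import re
from collections import Counter

# Well-known Active Directory sub-codes carried in the "data NNN" field of an
# LDAP result code 49 (invalidCredentials) bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Full AD diagnostic form, as seen in the GlassFish log above.
AD_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,\]]+), data (?P<data>[0-9a-fA-F]+)"
)
# Fallback for directories that return only the bare result code (e.g. OpenLDAP).
BARE_ERR_RE = re.compile(r"\[LDAP: error code (?P<code>\d+)")

def classify_ldap_failure(line):
    """Parse one log line; return {'code', 'data', 'reason'} or None if no LDAP error is present."""
    m = AD_ERR_RE.search(line)
    if m:
        code, data = int(m.group("code")), m.group("data").lower()
        reason = AD_BIND_SUBCODES.get(data, "unknown AD sub-code") if code == 49 else "LDAP result %d" % code
        return {"code": code, "data": data, "reason": reason}
    m = BARE_ERR_RE.search(line)
    if m:
        code = int(m.group("code"))
        return {"code": code, "data": None,
                "reason": "invalid credentials" if code == 49 else "LDAP result %d" % code}
    return None

def summarize(lines):
    """Count bind failures by reason, e.g. to tell a burst of 775 lockouts from a single 52e typo."""
    return Counter(r["reason"] for r in map(classify_ldap_failure, lines) if r)

# Constructed sample log: line 1 is the GlassFish message from the post, the rest are made up.
SAMPLE_LOG = [
    "Web Login Failed: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1u]",
    "Web Login Failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1u]",
    "Web Login Failed: [LDAP: error code 49 - Invalid Credentials]",
    "Servlet started on port 8080",
]
```

Running `summarize(SAMPLE_LOG)` on the constructed lines yields two "invalid credentials" entries and one "account locked out".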
Posted: March 30, 2013 10:18 by Ralph
Hi,

Yes, you need to configure the sun-web.xml to map the JAAS roles to your LDAP groups. See:
http://www.imixs.org/jee/acl_deployment.html

This is an example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="">

	<context-root>/workflow</context-root>

	<security-role-mapping>
		<role-name>org.imixs.ACCESSLEVEL.NOACCESS</role-name>
		<group-name>Noaccess</group-name>
		<group-name>IMIXS-WORKFLOW-Noaccess</group-name>
	</security-role-mapping>

	<security-role-mapping>
		<role-name>org.imixs.ACCESSLEVEL.READERACCESS</role-name>
		<group-name>Reader</group-name>
		<group-name>IMIXS-WORKFLOW-Reader</group-name>
	</security-role-mapping>

	<security-role-mapping>
		<role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
		<group-name>Author</group-name>
		<group-name>IMIXS-WORKFLOW-Author</group-name>
	</security-role-mapping>

	<security-role-mapping>
		<role-name>org.imixs.ACCESSLEVEL.EDITORACCESS</role-name>
		<group-name>Editor</group-name>
		<group-name>IMIXS-WORKFLOW-Editor</group-name>
	</security-role-mapping>

	<security-role-mapping>
		<role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name>
		<group-name>Manager</group-name>
		<group-name>IMIXS-WORKFLOW-Manager</group-name>
	</security-role-mapping>
</sun-web-app>


You can also checkout the imixs-web-sample application to see the complete setup for a web application:
http://java.net/projects/imixs-workflow/sources/svn/show/imixs-workflow-samples/imixs-workflow-web-sample/trunk?rev=1840

But note: the exception from your LDAP server looks more like you are providing invalid credentials. Be careful with special characters.

Google for this error code:
LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e
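Added example, not part of the thread or of imixs: a deployment check that compares the roles web.xml declares or uses in an auth-constraint with the security-role-mapping entries in sun-web.xml, reporting roles that map to no group or principal (those users get denied even after a successful LDAP bind) and mappings for roles web.xml never declares (usually a typo). The two XML fragments are constructed for the example, with deliberate gaps.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop any namespace prefix so real, namespaced web.xml files parse the same way."""
    return tag.split("}")[-1]

def _texts(parent, *names):
    return [c.text.strip() for c in parent if _local(c.tag) in names and c.text]

def check_role_mappings(web_xml, sun_web_xml):
    """Return {'unmapped': roles with no group/principal, 'undeclared': mapped roles web.xml lacks}."""
    web = ET.fromstring(web_xml)
    sun = ET.fromstring(sun_web_xml)
    declared = set()
    for e in web.iter():
        if _local(e.tag) in ("security-role", "auth-constraint"):
            declared.update(_texts(e, "role-name"))
    mapped = {}
    for e in sun.iter():
        if _local(e.tag) == "security-role-mapping":
            targets = _texts(e, "group-name", "principal-name")
            for role in _texts(e, "role-name"):
                mapped.setdefault(role, []).extend(targets)
    return {
        "unmapped": sorted(r for r in declared if not mapped.get(r)),
        "undeclared": sorted(r for r in mapped if r not in declared),
    }

# Constructed fragments (not the poster's files): MANAGERACCESS has an empty mapping,
# NOACCESS has none at all, and one mapping names a misspelled role web.xml never declares.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint><auth-constraint>
    <role-name>org.imixs.ACCESSLEVEL.READERACCESS</role-name>
    <role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name>
  </auth-constraint></security-constraint>
  <security-role><role-name>org.imixs.ACCESSLEVEL.NOACCESS</role-name></security-role>
  <security-role><role-name>org.imixs.ACCESSLEVEL.READERACCESS</role-name></security-role>
  <security-role><role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name></security-role>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping><role-name>org.imixs.ACCESSLEVEL.READERACCESS</role-name>
    <group-name>IMIXS-WORKFLOW-Reader</group-name></security-role-mapping>
  <security-role-mapping><role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name></security-role-mapping>
  <security-role-mapping><role-name>org.imixs.ACCESSLEVEL.MANGERACCESS</role-name>
    <group-name>IMIXS-WORKFLOW-Manager</group-name></security-role-mapping>
</sun-web-app>"""
```

`check_role_mappings(WEB_XML, SUN_WEB_XML)` flags MANAGERACCESS and NOACCESS as unmapped and the misspelled MANGERACCESS as undeclared.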
Posted: March 30, 2013 15:58 by random_user
Hi,

I'm going to try these things out,
thanks for your quick response :)