Hi,

I'm trying to change the authentication mode of my application from JDBC-REALM to JNDI-REALM.

I configured the following section inside the Server.xml

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://****:389/DC=onsetinc,DC=com??sAMAccountName?sub?(objectClass=*)"
           connectionName="[email protected]"
           connectionPassword="password"
           userBase="CN=Users"
           referrals="follow"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="CN=Users"
           roleName="name"
           roleSubtree="true"
           roleSearch="(member={1})"/>

I have also configured the web.xml under my appfolder to contain the following:

    <security-role>
      <role-name>Admin</role-name>
    </security-role>
    <security-role>
      <role-name>WaterlooUsers</role-name>
    </security-role>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Tube</web-resource-name>
        <url-pattern>/ComposeMessage.jsp</url-pattern>
        <url-pattern>/PageStatus.jsp</url-pattern>
        <url-pattern>/UserStatus.jsp</url-pattern>
        <url-pattern>/SearchEC.jsp</url-pattern>
        <url-pattern>/SearchEC2.jsp</url-pattern>
        <url-pattern>/SearchMessageStatisticsEC.jsp</url-pattern>
        <url-pattern>/SearchMessageStatus.jsp</url-pattern>
        <url-pattern>/SearchMessageStatisticsPager.jsp</url-pattern>
        <url-pattern>/SearchPageStatus.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>WaterlooUsers</role-name>
      </auth-constraint>
    </security-constraint>

In my Active Directory I have created a new group called WaterlooUsers. Its distinguished name is: distinguishedName: CN=WaterlooUsers,CN=Users,DC=onsetinc,DC=com

It has a property member which contains the following user:

member: CN=Itay Levin,CN=Users,DC=onsetinc,DC=com (which is my user)

My record in Active Directory looks like this:

sAMAccountName: itayL

distinguishedName: CN=Itay Levin,CN=Users,DC=onsetinc,DC=com

memberOf: CN=WaterlooUsers,CN=Users,DC=onsetinc,DC=com

When I get the popup for user/password I enter the username "ItayL" in the authentication message box (and my password).

I have 2 questions:

  1. How do I correctly configure the role parameters in the Realm section of the server.xml so that I can both authenticate and authorize this group of users (WaterlooUsers) and also assign them to the appropriate role, so that they can see all the relevant pages on my website? Currently it seems that all the users in my domain are authenticated to the site but get an HTTP 403 error and can't access any of the pages on the site.

  2. I also want to be able to create 2 different sets of roles on my site, which can both have access to the same pages but will see different things on the page (for instance adding some administrative ability for the admin).

Hope it was clear enough and not too long. Thanks in advance, Itay
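An added configuration example, not taken from the post above, showing one way to wire up the pieces it describes: the Realm's roleSearch compares the group's member attribute against the user's DN (the {0} placeholder in roleSearch), which is what Active Directory stores in that attribute, and the auth-constraint admits both roles so that the JSPs can vary their content with request.isUserInRole("Admin"). The LDAP host, the bind account name and its password are placeholders, and the bind account is assumed to be a read-only directory user rather than an administrator.

```xml
<!-- server.xml (inside <Engine> or <Host>): JNDIRealm against Active Directory.
     The host and bind account below are placeholders, not the poster's values. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.invalid:389"
       connectionName="CN=svc-tomcat-bind,CN=Users,DC=onsetinc,DC=com"
       connectionPassword="PLACEHOLDER_BIND_PASSWORD"
       referrals="follow"
       userBase="CN=Users,DC=onsetinc,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="CN=Users,DC=onsetinc,DC=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"/>
<!-- userSearch: {0} is the login name typed into the popup (e.g. ItayL).
     roleSearch: {0} is the DN found by userSearch, e.g.
       CN=Itay Levin,CN=Users,DC=onsetinc,DC=com
     which is the value AD keeps in the group's member attribute; {1} would
     be the bare login name and never matches a member entry.
     roleName="cn" turns CN=WaterlooUsers,... into the role "WaterlooUsers". -->

<!-- web.xml: both roles reach the same pages; the page decides what to show. -->
<security-role>
  <role-name>Admin</role-name>
</security-role>
<security-role>
  <role-name>WaterlooUsers</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tube</web-resource-name>
    <url-pattern>/ComposeMessage.jsp</url-pattern>
    <url-pattern>/PageStatus.jsp</url-pattern>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>WaterlooUsers</role-name>
    <role-name>Admin</role-name>
  </auth-constraint>
  <!-- BASIC auth sends the password base64-encoded on every request;
       requiring TLS keeps it off the wire in the clear. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tube</realm-name>
</login-config>
```

For the second question, a second AD group named Admin (with the same member-based roleSearch) becomes the "Admin" role, and each JSP can branch on request.isUserInRole("Admin") to show the administrative controls only to that group.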