Hi, I have a simple web-app that is developed in NetBeans (6.8) and works fine in Tomcat (6) using LDAP (Active Directory).

I need to convert this to an EE (JSF2), so I am moving from Tomcat to GlassFish (v3).

I have changed the web files to xhtml and configured the xml files. However, I cannot get the GlassFish LDAP configuration to authenticate.

I am attaching my old web.xml and server.xml (from Tomcat) snippets and the portions of the new web.xml, sun-web.xml, and the GlassFish configuration.

If anyone can help me figure out where I am missing the piece that will allow a user to be authenticated, I would appreciate it. (btw, I am not using roles, just authenticating against the LDAP db is good enough.)

As it is right now, my app will prompt me to enter a user when I try to access a file in the 'protected' area and the GlassFish server throws an exception when it fails to authenticate. Because it works under Tomcat, I know I have the right information, I just don't know how to format it to get GlassFish to pass it along.

Thanks.

TOMCAT FILES: - Tomcat server.xml:

  • web.xml:

    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <description>Authentication Required</description>
      <url-pattern>/faces/protected/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>

    <security-role>
      <role-name>*</role-name>
    </security-role>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Please enter your user name and password:</realm-name>
    </login-config>

GLASSFISH FILES: (I enabled the Security Manager on the Security panel, set the Default Realm to 'LDAPRealm', and added the "-Djava.naming.referral=follow" JVM option.) - domain.xml:

<auth-realm name="certificate" classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" />
<auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="LdapRealm">
  <property description="()" name="search-bind-password" value="xxxxxxxx" />
  <property description="()" name="search-bind-dn" value="cn=xxxxxxxx,ou=Administrators,ou=Information Technology,ou=ITTS,ou=Administrative,ou=xxx,dc=xxxxxx,dc=xxx" />
  <property name="jaas-context" value="ldapRealm" />
  <property name="base-dn" value="ou=xxx,dc=xxxxxx,dc=xxx" />
  <property name="directory" value="ldap://xxxx.xxxxxx.xxx:389" />
  <property name="search-filter" value="(&amp;(objectClass=user)(sAMAccountName=%s))" />
</auth-realm>

-web.xml:

  <security-constraint>
    <display-name>protected</display-name>

    <web-resource-collection>
      <web-resource-name>ProtectedArea</web-resource-name>
      <description/>
      <url-pattern>/faces/protected/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <description/>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <description/>
    <role-name>*</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>LDAPRealm</realm-name>
    <form-login-config>
      <form-login-page>/faces/login.xhtml</form-login-page>
      <form-error-page>/faces/loginError.xhtml</form-error-page>
    </form-login-config>
  </login-config>
  • sun-web.xml:

Here is the exception that it throws:

SEVERE: SEC1113: Exception in LdapRealm when trying to authenticate user.
javax.security.auth.login.LoginException: javax.security.auth.login.LoginException: User yyyyyyy not found.
        at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:450)
A: 

Well, I have resolved this issue. Glassfish does not appear to be as forgiving as Tomcat on groups. Using * for group name didn't work for me.

  • In domain.xml, I added this line:
<property name="assign-groups" value="Domain Users" />

-- "Domain Users" is the group in Active Directory that everyone is put into when their account is created. (This app only needed to verify that a person was within AD, it uses internal security for access within the app.)

  • In web.xml, this auth-constraint had to be added to 'security-constraints':
<auth-constraint>
  <description/>
  <role-name>users</role-name>
</auth-constraint>

-- "users" is referenced in sun-web.xml, but not in my application.

  • In sun-web.xml, this mapping is needed to link "users" with "Domain Users":

<security-role-mapping>
  <role-name>users</role-name>
  <group-name>Domain Users</group-name>
</security-role-mapping>

-- Apparently, this message edit function doesn't handle the gt and lt characters very well in quotes or code. The above code should have the correct symbols. (I guess stackoverflow needs better testing...)

It appears the key component I was missing was the "assign-groups" in the domain.xml.

Hopefully this helps anyone else who is having issues with this.

Jon
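An added consistency check (example code, not from the post or from GlassFish): it parses constructed fragments of domain.xml, web.xml and sun-web.xml shaped like the 'before' and 'after' configurations above and reports any auth-constraint role that no assign-groups group can ever satisfy, which is the gap the assign-groups line closed.

```python
# Added example, not code from the post or from GlassFish. The XML fragments are
# constructed to mirror the post's 'before' and 'after' configurations, trimmed to the elements that matter.
import xml.etree.ElementTree as ET

REALM_BEFORE = ('<auth-realm name="LdapRealm">'
                '<property name="base-dn" value="ou=xxx,dc=xxxxxx,dc=xxx"/></auth-realm>')
REALM_AFTER = ('<auth-realm name="LdapRealm">'
               '<property name="assign-groups" value="Domain Users"/></auth-realm>')
WEB_BEFORE = ('<web-app><security-constraint><auth-constraint>'
              '<role-name>*</role-name></auth-constraint></security-constraint></web-app>')
WEB_AFTER = ('<web-app><security-constraint><auth-constraint>'
             '<role-name>users</role-name></auth-constraint></security-constraint></web-app>')
SUNWEB_BEFORE = '<sun-web-app/>'
SUNWEB_AFTER = ('<sun-web-app><security-role-mapping><role-name>users</role-name>'
                '<group-name>Domain Users</group-name></security-role-mapping></sun-web-app>')

def realm_groups(domain_xml):
    """Groups the LDAP realm attaches to every user it binds (assign-groups,
    a comma-separated list). Without it a bound AD user holds no groups at all."""
    groups = set()
    for prop in ET.fromstring(domain_xml).iter("property"):
        if prop.get("name") == "assign-groups":
            groups.update(g.strip() for g in prop.get("value", "").split(",") if g.strip())
    return groups

def role_to_groups(sun_web_xml):
    """role-name -> set of group-name taken from sun-web.xml security-role-mapping."""
    mapping = {}
    for m in ET.fromstring(sun_web_xml).iter("security-role-mapping"):
        mapping[m.findtext("role-name").strip()] = {g.text.strip() for g in m.findall("group-name")}
    return mapping

def unsatisfiable_roles(domain_xml, web_xml, sun_web_xml):
    """auth-constraint roles that no realm-assigned group maps to. Under the
    mapping model the answer describes, such a constraint rejects every LDAP user."""
    assigned = realm_groups(domain_xml)
    mapping = role_to_groups(sun_web_xml)
    satisfiable = {r for r, gs in mapping.items() if gs & assigned}
    bad = []
    for ac in ET.fromstring(web_xml).iter("auth-constraint"):
        for role in ac.findall("role-name"):
            name = role.text.strip()
            # '*' means "any declared role", so it needs at least one satisfiable mapping
            ok = bool(satisfiable) if name == "*" else name in satisfiable
            if not ok:
                bad.append(name)
    return bad
```

Run over the 'before' fragments it reports ['*'], over the 'after' fragments it reports nothing; a mapped role whose group is never assigned is reported by name.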