How to map Ldap groups to Tomcat Roles (Java)

孤人 submitted on 2020-01-14 03:09:10

Question


I am writing a web project using Servlets/JSP etc. At the moment the program uses basic authentication for security, but my work wants the security roles picked up from our Active Directory.

I have modified Apache's server.xml with the following:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://adclds001.mycompgroup.local:389"
           connectionName="************.local:389"
           connectionPassword="********"
           userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
           roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
           roleName="cn"
           roleSearch="member={0}"
         />

The authentication works fine, but I do not know how to map LDAP groups to Tomcat roles.

I have tried adding things like group-name to the entries to the deployment descriptor but to no avail.

I have also heard that extending the JNDIRealm class and overriding the getRoles method might give me what I want, but I can't find full details on what might be required.

So what is the best way to map LDAP groups to Tomcat roles?

The application is still not picking up the roles.

My realm details are currently:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://adclds001.mycomp.local:389"
           connectionName="trainee1@mycomp.local:389"
           connectionPassword="****"
           userPattern="CN={0},OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
           userRoleName="Domain Users"
           roleBase="OU=Trainers, OU=Academy, OU=Staff, OU=Users, OU=UK, OU=Countries, DC=mycompgroup, DC=local"
           roleName="cn"
           roleSearch="member={0}"
         />

I have a security constraint in my deployment descriptor:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Domain Users</role-name>
            <role-name>admin_user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Security roles in web.xml:

    <security-role>
        <role-name>basic_user</role-name>
    </security-role>
    <security-role>
        <role-name>admin_user</role-name>
    </security-role>

    <security-role>
        <role-name>Domain Users</role-name>
    </security-role>

I also have:

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

Also, my IT dept are telling me that everybody is in the following group: CN=Domain Users,CN=Users,DC=mycompgroup,DC=local

Can anybody suggest why I am not able to use the Domain Users role?


Answer 1:


You've already done it. When the user logs in, the CN of all the roles he is in will be associated with the user automatically. There is nothing left to do.




Answer 2:


You have done step one.

You then need to add a "security-constraint" to the context of your application (typically the web.xml file).

A simple example can be found here.




Answer 3:


Here is a description of subclassing JNDIRealm for these purposes. He suggests using a properties file.

I did something similar, however, I allowed adding entries by an attribute in the Realm element. To do that, create a JavaBean property in your subclass, e.g. rolesForServer. Given application roles of "event_requester", "approver", "manager", the setRolesForServer can then parse the string, e.g. rolesForServer='HR=approver,manager;all=event_requester'.
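An added example (not code from the answer's author or from Tomcat) of the approach described above: a JNDIRealm subclass with a rolesForServer JavaBean property that maps the LDAP group CNs Tomcat already finds via roleSearch to application role names, so web.xml never has to reference raw AD group names. The class name GroupMappingJNDIRealm, the property name and the spec format are assumptions taken from the answer; the getRoles signature is the Tomcat 9 one.

```java
import java.util.*;
import javax.naming.NamingException;
import org.apache.catalina.realm.JNDIRealm;

/** JNDIRealm subclass that maps LDAP group CNs to application role names. */
public class GroupMappingJNDIRealm extends JNDIRealm {

    // LDAP group CN -> application roles, filled from the rolesForServer attribute
    private final Map<String, Set<String>> groupToRoles = new HashMap<>();
    // roles every authenticated user receives (the "all" key in the spec)
    private final Set<String> rolesForEveryone = new LinkedHashSet<>();
    private String rolesForServer = "";

    /** Set by Tomcat's digester for rolesForServer="HR=approver,manager;all=event_requester". */
    public void setRolesForServer(String spec) {
        rolesForServer = spec == null ? "" : spec;
        groupToRoles.clear();
        rolesForEveryone.clear();
        for (String entry : rolesForServer.split(";")) {
            String[] kv = entry.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty()) {
                continue; // malformed entry: grant nothing rather than guessing
            }
            Set<String> roles = new LinkedHashSet<>();
            for (String r : kv[1].split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
            if ("all".equalsIgnoreCase(kv[0].trim())) rolesForEveryone.addAll(roles);
            else groupToRoles.put(kv[0].trim(), roles);
        }
    }

    public String getRolesForServer() { return rolesForServer; }

    /** Tomcat 9 signature; older releases pass a DirContext instead of a JNDIConnection. */
    @Override
    protected List<String> getRoles(JNDIConnection connection, User user) throws NamingException {
        List<String> ldapGroups = super.getRoles(connection, user); // CNs found by roleSearch
        Set<String> appRoles = new LinkedHashSet<>(rolesForEveryone);
        if (ldapGroups != null) {
            for (String cn : ldapGroups) {
                // groups with no mapping contribute no roles (least privilege by default)
                appRoles.addAll(groupToRoles.getOrDefault(cn, Collections.emptySet()));
            }
        }
        return new ArrayList<>(appRoles);
    }
}
```

Package the class in a jar under $CATALINA_HOME/lib, set className to it in the Realm element and add rolesForServer="HR=approver,manager;all=event_requester" alongside the existing roleBase/roleSearch attributes; the role names in web.xml then stay application-specific while AD group changes are handled in server.xml.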



Source: https://stackoverflow.com/questions/35245231/how-to-map-ldap-groups-to-tomcat-roles-java
