Weblog

Monday December 05, 2005

LDAP authentication in Sun Application server Today, I would like to describe the steps to enable LDAP authentication in web module that is deployed in Sun Application server. Authentication is the way an entity determines that another entity is who it claims to be.
Very important for understanding security for SJAS is Realm. A realm, also called a security policy domain or security domain, is a scope over which the server defines and enforces a common security policy. In practical terms, a realm is a repository where the server stores user and group information. The Application Server comes pre-configured with three realms: file (the initial default realm), certificate, and admin-realm. In this post we will add and setup new ldap realm.
I will use open source implementation of the Lightweight Directory Access Protocol server that is avalaible here.

• First, we should create new user. I created users.ldif file with one entry that represents user:

       dn: uid=blaha,ou=people,dc=netbeans,dc=cz
       uid: blaha
       givenName: blaha
       objectClass: top
       objectClass: person
       objectClass: organizationalPerson
       objectClass: inetorgperson
       sn: blaha
       cn: Petr Blaha
       userPassword: {SSHA}Z9RXgOsVA6395NtLw6ot7XjkO3dJAeUIqDdWdA==
     

  The entry should have defined uid attribute. The container will search entry according to this attribute during authentication.
• Add this entry in ldap server, execute folowing command:
  ldapadd -x -D "cn=Manager,dc=netbeans,dc=cz" -W -f users.ldif
• Open web admin console (bu default http://localhost:4848) and go to Security -- Realms page and click New button. Specify name, class name should be com.sun.enterprise.security.auth.realm.ldap.LDAPRealm and add these properties:
  directory: ldap://localhost:389 (change to right name)
  base-dn: ou=people,dc=netbeans,dc=cz (base distinguished name it represents from whence the search will start)
  jaas-context: ldapRealm (type of login module to use for this realm. Use ldapRealm)
• Create new web application. I will use form authentication method. Therefore, I created new login page contains HTML form with these fields:

      <form method="POST" action="j_security_check">
        Username: <input type="text" name="j_username"/>
   
        Password: <input type="password" name="j_password"/>
        <input type="submit" value="Submit"/>
      
    

• Update web.xml file according to new realm:

  18 <security-role>
  19     <role-name>USER</role-name>
  20   </security-role>
  21 
  22   <security-constraint>
  23     <web-resource-collection>
  24       <web-resource-name>protected area</web-resource-name>
  25       <url-pattern>/index.jsp</url-pattern>
  26       <http-method>GET</http-method>
  27       <http-method>POST</http-method>
  28     </web-resource-collection>
  29     <auth-constraint>
  30       <role-name>USER</role-name>
  31     </auth-constraint>
  32   </security-constraint>
  33 
  34   <login-config>
  35     <auth-method>FORM</auth-method>
  36     <realm-name>ldaprealmperapp</realm-name><!-- name of LDAP realm-->
  37     <form-login-config>
  38       <form-login-page>/login.jsp</form-login-page>
  39       <form-error-page>/error.jsp</form-error-page>
  40     </form-login-config>
  41   </login-config>
  

• Now you can test LDAP authentication.