Question

I'm attempting to use JAAS in Glassfish to handle authentication and authorization in my web applications against Active Directory. First off, I have written some POJO programs that can successfully connect to my AD and authenticate against the users and groups I have set up. So I am confident that the usernames, passwords, and groups I'm using inside my web application are correct.

I'm following this tutorial to set up a Realm in Glassfish to handle the authentication and authorization inside my webapp. I have modified my web.xml and sun-web.xml with the data I want.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>myapp</display-name>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>activedirectory</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>authorized</role-name>
  </security-role>
  <security-constraint>
    <display-name>Security</display-name>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>authorized</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>

and my sun-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="">
  <context-root>/myapp</context-root>
  <security-role-mapping>
    <role-name>authorized</role-name>
    <group-name>Test</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class java code.</description>
    </property>
  </jsp-config>
</sun-web-app>

My Realm

name: activedirectory
class name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
JAAS context: ldapRealm
Directory: ldap://myADServersIPAddress:389
Base DN:   DC=myAD,DC=com
search-filter             (&(objectClass=user)(userPrincipalName=%s))
search-bind-password      fakepasswordhere
group-search-filter       (&(objectClass=group)(member=%d))
search-bind-dn            DN=Administrator

The error message I get in my logs when I login and it fails is

Login failed: javax.security.auth.login.LoginException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 525, v893]

I did some research about the error code "data 525" and apparently it means the username is invalid. I'm using an ID and password that I know are valid and that I know belong to a member of "Test" as defined in my sun-web.xml. I've tried the userPrincipal format (username@domain) with the current settings as well as the sAMAccountName form (domain\username) with no luck. I've also changed the search-filter in my realm to use sAMAccountName in place of userPrincipalName, and that didn't work with either combination. Does anyone have any clues or suggestions? I feel like I've done the research and I'm very close, but I'm very stuck at this point. Thank you if anyone actually takes the time to read all of this!

Was this helpful?

Solution

What I would actually test might be your lookup credentials, since you are searching based on DN=Administrator, right? Have you tried giving it the full DN of the Administrator account for the search-bind-dn? Typically, by default, that would be DN=Administrator, CN=Users, DC=myAD, DC=com based on your info above.

Other tips

I agree with REW - my search-bind-dn had to be fully qualified for the search-bind id to work.
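Both the accepted answer and the tip above come down to the same two checks: read the AD sub-code behind "LDAP: error code 49" correctly, and make sure the search-bind-dn is a fully qualified DN under the realm's Base DN. The script below is an added example written for this page, not code from the question, the answers, or GlassFish. It parses the failure line quoted in the question, maps the AD "data" sub-code to its meaning, and lints a bind DN against the base DN. The sample values (the `myAD` domain, the `Test` group, the Administrator DN) are taken from the thread; the assumption that AD user objects are named with a `CN=` leaf RDN is standard AD behaviour, and the log line is reproduced from the question.

```python
import re

# Sub-codes Active Directory attaches to LDAP result 49 (invalidCredentials) in the
# "AcceptSecurityContext error, data NNN" comment. Only 52e means "wrong password";
# 525 means the bind identity itself did not resolve to an account.
AD_BIND_DATA_CODES = {
    "525": "user not found (the bind DN / UPN does not resolve to an account)",
    "52e": "invalid credentials (account exists, password is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_RESULT_RE = re.compile(r"LDAP: error code (\d+)")
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Log line reproduced from the question (constructed as a single line here).
SAMPLE_LOG_LINE = (
    "Login failed: javax.security.auth.login.LoginException: "
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C090290, comment: AcceptSecurityContext error, data 525, v893]"
)


def explain_ldap_error(log_line):
    """Return (result_code, data_code, explanation) for a JNDI/GlassFish LDAP failure line.

    Returns None when the line carries no LDAP result code and AD data sub-code.
    """
    result = _RESULT_RE.search(log_line)
    data = _DATA_RE.search(log_line)
    if not result or not data:
        return None
    result_code = int(result.group(1))
    data_code = data.group(1).lower()
    if result_code != 49:
        return (result_code, data_code, "not an invalidCredentials (49) result")
    return (result_code, data_code, AD_BIND_DATA_CODES.get(data_code, "unknown AD sub-code"))


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514 escaping with backslash).

    Multi-valued RDNs joined with '+' are not handled; they are rare in AD bind DNs.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")
# Naming attributes that actually appear in AD / LDAP DNs. "DN" is not one of them.
KNOWN_RDN_TYPES = {"CN", "OU", "DC", "O", "UID", "C", "L", "ST", "STREET"}


def _normalize_rdn(rdn):
    attr, _, value = rdn.partition("=")
    return attr.strip().upper() + "=" + value.strip().upper()


def check_bind_dn(bind_dn, base_dn):
    """Return a list of problems with a realm search-bind-dn; an empty list means it looks fully qualified."""
    problems = []
    rdns = split_dn(bind_dn)
    for rdn in rdns:
        m = _RDN_RE.match(rdn)
        if not m:
            problems.append(f"RDN {rdn!r} is not of the form attribute=value")
        elif m.group(1).upper() not in KNOWN_RDN_TYPES:
            problems.append(f"RDN type {m.group(1)!r} is not a naming attribute AD uses (CN, OU, DC, ...)")
    base_rdns = [_normalize_rdn(r) for r in split_dn(base_dn)]
    tail = [_normalize_rdn(r) for r in rdns][-len(base_rdns):]
    if len(rdns) <= len(base_rdns) or tail != base_rdns:
        problems.append(f"bind DN does not end with the base DN {base_dn!r}, so it is not fully qualified")
    return problems


if __name__ == "__main__":
    print(explain_ldap_error(SAMPLE_LOG_LINE))
    for dn in ("DN=Administrator", "CN=Administrator,CN=Users,DC=myAD,DC=com"):
        print(dn, "->", check_bind_dn(dn, "DC=myAD,DC=com") or "looks fully qualified")
```

Run against the thread's values, the linter rejects `DN=Administrator` on two counts (the `DN` attribute type and the missing base-DN suffix) and accepts `CN=Administrator,CN=Users,DC=myAD,DC=com`. Treating data 525 as "bind identity not found" rather than "bad password" is what points at the search-bind-dn instead of the end user's password.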

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow