
List:       jboss-user
Subject:    [JBoss-user] [Security & JAAS/JBoss] - EJB3 OpenLDAP LdapLoginModule role validation failure
From:       schuller007 <do-not-reply () jboss ! com>
Date:       2006-03-31 23:06:34
Message-ID: 4622545.1143846394445.JavaMail.jboss () colo-br-02 ! atl ! jboss ! com

EJB3 Code:

// Imports added for completeness (javax.ejb / javax.annotation.security / JBoss EJB3 security annotation)
import javax.ejb.Stateless;
import javax.annotation.security.RolesAllowed;
import org.jboss.annotation.security.SecurityDomain;

@Stateless
@SecurityDomain("test")          // authenticate/authorize against the "test" application-policy
@RolesAllowed("Allora-User")     // every method requires the caller to hold this role
public class EJBOps implements EJBOpsRemote {...}

If I do not specify the RolesAllowed, a remote client gets authenticated OK and is able to call the EJB. With the RolesAllowed in, I get "Insufficient permissions, principal=test1, requiredRoles=[Allora-User], principalRoles=[]". Not sure why the principalRoles is empty.



login-config.xml

<application-policy name="test">
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="user.provider.url">ldap://padymelon/ou=People,dc=padymelon,dc=abc,dc=com</module-option>
    <module-option name="group.provider.url">ldap://padymelon/ou=People,dc=padymelon,dc=abc,dc=com</module-option>
    <module-option name="java.naming.provider.url">ldap://padymelon:389/</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=People,dc=padymelon,dc=abc,dc=com</module-option>
    <module-option name="rolesCtxDN">ou=Group,dc=padymelon,dc=abc,dc=com</module-option>
    <module-option name="uidAttributeID">member</module-option>
    <module-option name="matchOnUserDN">true</module-option>
    <module-option name="roleAttributeID">cn</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="roleNameAttributeID">name</module-option>
    <module-option name="allowEmptyPasswords">false</module-option>
    <module-option name="searchTimeLimit">5000</module-option>
  </login-module>
</application-policy>



OpenLDAP Schema:

# LDIF Export for: dc=padymelon,dc=abc,dc=com
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on March 31, 2006 3:00 pm
# Server: Padymelon (localhost)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 8

dn: dc=padymelon,dc=abc,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: abc
dc: padymelon

dn: cn=admin,dc=padymelon,dc=abc,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {crypt}1VzCGZDqLJ9gk

dn: ou=Group,dc=padymelon,dc=abc,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: cn=Allora-Eng,ou=Group,dc=padymelon,dc=abc,dc=com
cn: Allora-Eng
gidNumber: 1001
memberUid: test2
objectClass: posixGroup
objectClass: top

dn: cn=Allora-User,ou=Group,dc=padymelon,dc=abc,dc=com
gidNumber: 1000
memberUid: test1
memberUid: test2
objectClass: posixGroup
objectClass: top
cn: Allora-User

dn: ou=People,dc=padymelon,dc=abc,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=test1,ou=People,dc=padymelon,dc=abc,dc=com
userPassword: {SMD5}CTQgwdPkl7p42Jt3mjbJ2WZqynM=
loginShell: /bin/false
uidNumber: 1050
gidNumber: 1010
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
uid: test1
gecos: testuser1
shadowLastChange: 13090
cn: testuser1
homeDirectory: /home/test1

dn: uid=test2,ou=People,dc=padymelon,dc=abc,dc=com
userPassword: {SMD5}HgYFdQN7wkkNxIfSmSwUtCGb2so=
loginShell: /bin/false
uidNumber: 1051
gidNumber: 1010
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
uid: test2
gecos: testuser2
shadowLastChange: 13090
cn: testuser2
homeDirectory: /home/test2


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3934118#3934118
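As an added illustration (not part of the original post and not JBoss code), the Python below emulates how the documented LdapLoginModule options drive the role lookup against the posted directory: it searches below rolesCtxDN for entries whose uidAttributeID attribute holds either the user's full DN (matchOnUserDN=true) or the bare username (matchOnUserDN=false), then collects roleAttributeID from each hit. The LDIF excerpt is constructed from the two posixGroup entries in the post, and the lookup logic follows the JBoss 4 LdapLoginModule option documentation rather than its source.

```python
# Constructed excerpt of the LDIF in the post: the two posixGroup entries.
LDIF = """\
dn: cn=Allora-Eng,ou=Group,dc=padymelon,dc=abc,dc=com
cn: Allora-Eng
memberUid: test2

dn: cn=Allora-User,ou=Group,dc=padymelon,dc=abc,dc=com
cn: Allora-User
memberUid: test1
memberUid: test2
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; enough for LDIF without folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def lookup_roles(entries, username, user_dn, opts):
    """Emulation (not JBoss code) of the documented role search: under
    rolesCtxDN, match uidAttributeID against the user DN (matchOnUserDN=true)
    or the bare username (false) and collect roleAttributeID from each hit."""
    match_value = user_dn if opts["matchOnUserDN"] else username
    roles = []
    for dn, attrs in entries.items():
        if not dn.endswith("," + opts["rolesCtxDN"]):
            continue  # entry lies outside the roles search base
        if match_value in attrs.get(opts["uidAttributeID"], []):
            roles.extend(attrs.get(opts["roleAttributeID"], []))
    return roles

USER_DN = "uid=test1,ou=People,dc=padymelon,dc=abc,dc=com"
# Options as posted: look for the full user DN in a "member" attribute.
POSTED = {"rolesCtxDN": "ou=Group,dc=padymelon,dc=abc,dc=com",
          "uidAttributeID": "member", "matchOnUserDN": True,
          "roleAttributeID": "cn"}
# Options matching the posixGroup schema, where memberUid holds bare uids.
POSIX = dict(POSTED, uidAttributeID="memberUid", matchOnUserDN=False)

def roles_for(opts):
    return lookup_roles(parse_ldif(LDIF), "test1", USER_DN, opts)
```

With the posted options `roles_for(POSTED)` yields an empty list, because neither posixGroup carries a `member` attribute holding the DN; with the posixGroup-shaped options `roles_for(POSIX)` yields `['Allora-User']`.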