Posted to users@tomcat.apache.org by "Bragg, Casey" <Ca...@allegiancetelecom.com> on 2001/07/30 21:09:00 UTC
RE: LDAPRealm & JNDIRealm for Tomcat 3.2 and 4.0 beta 1 is available
Hey Alex :
I've got a question about your JNDIRealm stuff...

I'm using your SimpleRoleMapper to get started, but I can't get it to work. I can't find in your code where a distinguished name (dn) is linked to roles. In your translateroles function, I can see how users are assigned roles assigned to everybody (*), but I can't find anything like (String[])userRoles.get(distinguishedName) as I might expect. All my users are reporting only a role of [guest] even though I've carefully matched the dn in the rolemapper file to the dn stored by jndirealm.

The translateroles code seems to be looking for rolenames as keys in the userroles Map:

String items[] = (String[])userRoles.get(ur);

Shouldn't this be something like:

(String[])userRoles.get(distinguishedName)

Please let me know if I'm looking at this wrong or not.
Thanks...
..Casey
==============================================
Casey Bragg - Software Engineer
Allegiance Telecom, Inc. Dallas, TX
469-259-2702 - casey.bragg@allegiancetelecom.com
==============================================
-----Original Message-----
From: Roytman, Alex [mailto:roytmana@peacetech.com]
Sent: Monday, June 04, 2001 5:03 PM
To: 'tomcat-user@jakarta.apache.org'
Subject: LDAPRealm & JNDIRealm for Tomcat 3.2 and 4.0 beta 1 is available

http://www.peacetech.com/java/files/apache/tomcat/default.htm
JndiRealm authenticates and authorizes users against JNDI. It was tested against LDAP JNDI with Sun's and Netscape's JNDI providers.

LdapRealm authenticates and authorizes users directly against LDAP using Netscape LDAP JDK.

These two realms are interchangeable; you can switch between them without many configuration changes.

According to my tests it performs 10 faster under 20 concurrent threads than JNDI with Sun's LDAP provider. This is not a final result because I need to test and tune up multithreaded access and synchronization; there might be some misunderstanding on my part. I also noticed some cases of JNDI losing connection to the server under heavy multithreaded load while Netscape's LDAP handled it nicely. Because I use LdapRealm for Tomcat 3.2 for my production system it is tested better than JndiRealm.
There are four classes in the package:

JndiRealm and LdapRealm are for Tomcat 3.2x
JndiRealmCatalina and LdapRealmCatalina are for Tomcat 4.0

className="com.peacetech.webtools.tomcat.JndiRealm"           JNDI  TOMCAT 3.2x
className="com.peacetech.webtools.tomcat.JndiRealmCatalina"   JNDI  TOMCAT 4.0
className="com.peacetech.webtools.tomcat.LdapRealmCatalina"   LDAP  TOMCAT 4.0
className="com.peacetech.webtools.tomcat.LdapRealm"           LDAP  TOMCAT 3.2x
Jndi/LdapRealm uses searchBindDN and searchBindCredentials to connect to a directory. Then it looks for exactly one user name matching searchFilter in searchBaseContext scoped by searchScopeAsString (values are "base", "one", "sub" according to LDAP URL rules). If one and only one matching directory object is found it will use this object and the Tomcat-supplied credentials to authenticate the user.

If successful, Realm will fetch user roles using JNDI attributes listed in securityAttributes (comma separated directory attribute names). If attributesReadByOwner = "true" Realm will use the authenticated user itself to pull the attributes from the directory, otherwise it will use searchBindDN to retrieve the attributes.

If roleMapperClass is specified Realm will use it to map user roles onto application roles, specific for each web context for tomcat 3.2x and specific for each defined Realm for tomcat 4.2. The provided SimpleRoleMapper implementation will read the role map from either roleMapperSourceUrl (if specified) or, for tomcat 3.2x, from the WEB-INF/role-map.xml file in each web context if no roleMapperSourceUrl was defined (if the WEB-INF/role-map.xml file does not exist in a context, no mapping for this context will occur).

You can use the principalAttributes parameter to specify LDAP attributes to be stored in the principal so you can access them from your servlets.
PARAMETERS:

jndiInitialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory" (or "com.netscape.jndi.ldap.LdapContextFactory")
This attribute is for JndiRealm ONLY. It corresponds to javax.naming.Context.INITIAL_CONTEXT_FACTORY

directoryUrl = "ldap://207.176.93.66:389"
This attribute is for both JndiRealm and LdapRealm. If you want to use SSL for LdapRealm you can use the "ldaps" protocol: directoryUrl = "ldaps://207.176.93.66:636". You will need to configure Sun's JSSE to use SSL. It corresponds to javax.naming.Context.PROVIDER_URL

jndiSecurityAuthentication = "simple"
This attribute is for JndiRealm ONLY. It corresponds to javax.naming.Context.SECURITY_AUTHENTICATION

jndiSecurityProtocol = "" ("" vendor default, or "ssl", or vendor specific)
This attribute is for JndiRealm ONLY. It corresponds to javax.naming.Context.SECURITY_PROTOCOL

searchBindDN = "cn=ldap-user,o=pti"
This attribute is for both JndiRealm and LdapRealm. User name to bind to the directory and to perform user name lookups. It corresponds to javax.naming.Context.SECURITY_PRINCIPAL

searchBindCredentials = "mypassword"
This attribute is for both JndiRealm and LdapRealm. Password for searchBindDN. It corresponds to javax.naming.Context.SECURITY_CREDENTIALS

searchBaseContext = "o=pti"
Base context for user lookups.

ldapVersion = "3"
This attribute is for LdapRealm ONLY. Defines the LDAP version.

searchScopeAsString = "base" | "one" | "sub"
Defines the search scope: "base" - object scope, "one" - one level scope, "sub" - subtree scope.

attributesReadByOwner = "true"
Defines who will read securityAttributes from the directory. If "true" the authenticating user account will be used to retrieve the roles, otherwise the searchBindDN account used for user name lookups will fetch the attributes. It is useful when either one or the other does not have permission to read the attributes, so you can choose the one which has this permission.

searchFilter = "cn={0}"
Filter to look up the authorizing user. Supports java.text.MessageFormat. The only parameter to the java.text.MessageFormat pattern is the authorizing username, i.e. jndiSearchFilter = "cn={0}" for user alex will result in a lookup for "cn=alex".

securityAttributes = "securityEquals"
One or more directory attributes separated with semicolon which contain security roles; attributes can be multivalued. If blank, no attempt to retrieve roles from the directory will be done.

roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper"
ATTENTION: It requires SAX2/JAX1.1 (Apache Xerces or Sun JAXP1.1 distribution).
Implementation of the RoleMapper interface to be used to transform user directory roles to application roles. In tomcat 3.2x MapperClass is server wide but the actual mapping data is context specific (unless you specified roleMapperSourceUrl); in tomcat 4.0 both RoleMapper and mapping data are Realm specific and you have to specify roleMapperSourceUrl. If it is blank no role mapping will occur.

roleMapperSourceUrl = "file:///d:/tomcat4/conf/my-role-map.xml"
URL to the RoleMapper source. In tomcat 3.2x if it is not specified we try to find the file WEB-INF/role-map.xml in every initializing tomcat context.

connectionMaxPoolSize = 10
JNDI does not allow multi-threaded access to a single context instance. We pool contexts which do the user filter lookup instead of creating and re-authenticating every time. Access to the pool is synchronized. In the LdapPrincipal factory we pool user connections so we reauthenticate without reconnecting.

principalAttributes = "workforceID,fullName,title"
Comma separated list of LDAP attributes to be read from LDAP and stored in the principal. It can be accessed via DirectoryPrincipal.getAttribute(String attrName). This method returns a String array or null if no attribute with the specified name was found. This is only implemented for LdapRealm; it has not been ported to JndiRealm yet.
SAMPLES:

TOMCAT 4:
<Realm className="com.peacetech.webtools.tomcat.LdapRealmCatalina"
debug="1"
directoryUrl = "ldap://207.176.93.66:389"
searchBindDN = "cn=ldap-user,o=pti"
searchBindCredentials = "mypassword"
searchBaseContext = "o=pti"
searchFilter = "cn={0}"
searchScopeAsString = "sub"
securityAttributes = "securityEquals"
attributesReadByOwner = "true"
connectionMaxPoolSize = "10"
ldapVersion = "3"
roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper"
roleMapperSourceUrl="file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml" />
<Realm className="com.peacetech.webtools.tomcat.JndiRealmCatalina"
debug="1"
jndiInitialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory"
jndiSecurityAuthentication = "simple"
directoryUrl = "ldap://207.176.93.66:389"
jndiSecurityProtocol = ""
searchBindDN = "cn=ldap-user,o=pti"
searchBindCredentials = "mypassword"
searchBaseContext = "o=pti"
searchFilter = "cn={0}"
searchScopeAsString = "sub"
securityAttributes = "securityEquals"
attributesReadByOwner = "true"
connectionMaxPoolSize = "10"
roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper"
roleMapperSourceUrl="file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml" />
TOMCAT 3:
<RequestInterceptor className="com.peacetech.webtools.tomcat.LdapRealm"
debug="1"
directoryUrl = "ldap://207.176.93.66:389"
searchBindDN = "cn=ldap-user,o=pti"
searchBindCredentials = "mypassword"
searchBaseContext = "o=pti"
searchFilter = "cn={0}"
searchScopeAsString = "sub"
securityAttributes = "securityEquals"
attributesReadByOwner = "true"
connectionMaxPoolSize = "10"
ldapVersion = "3"
roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper"
roleMapperSourceUrl="file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml" />
<RequestInterceptor className="com.peacetech.webtools.tomcat.JndiRealm"
debug="1"
jndiInitialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory"
jndiSecurityAuthentication = "simple"
directoryUrl = "ldap://207.176.93.66:389"
jndiSecurityProtocol = ""
searchBindDN = "cn=ldap-user,o=pti"
searchBindCredentials = "mypassword"
searchBaseContext = "o=pti"
searchFilter = "cn={0}"
searchScopeAsString = "sub"
securityAttributes = "securityEquals"
attributesReadByOwner = "true"
connectionMaxPoolSize = "10"
roleMapperClass = "com.peacetech.webtools.tomcat.SimpleRoleMapper"
roleMapperSourceUrl="file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml" />
-->
<!-- *********** End of PeaceTech JNDI Authentication Support ****************** -->
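Added example, not part of the PeaceTech realm code or of either message above: it fills the searchFilter pattern the announcement describes (java.text.MessageFormat with the user name as argument {0}) after escaping the value per RFC 4515 so that it is matched literally, and then applies the realm's rule that authentication proceeds only when exactly one directory entry matched. The class and method names are assumed and the sample DNs are constructed; the realm's own lookup code is not shown here.

```java
import java.text.MessageFormat;
import java.util.List;

/** Hypothetical helper (not the realm's own code) for the two checks a
 *  defender wants around a searchFilter such as "cn={0}". */
public class SearchFilterCheck {

    /** Escape a value for use inside an LDAP search filter (RFC 4515):
     *  the five characters with filter meaning become \XX hex escapes. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Fill the MessageFormat pattern (e.g. "cn={0}") with the escaped
     *  user name, so the lookup is always for that literal name. */
    static String buildSearchFilter(String searchFilter, String username) {
        return MessageFormat.format(searchFilter, escapeFilterValue(username));
    }

    /** The realm's "one and only one" rule: return the DN to bind as when
     *  exactly one entry matched, otherwise null (no bind is attempted). */
    static String singleMatchOrNull(List<String> matchedDns) {
        return matchedDns.size() == 1 ? matchedDns.get(0) : null;
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain user name and one containing a
        // filter metacharacter, plus made-up search results.
        System.out.println(buildSearchFilter("cn={0}", "alex"));
        System.out.println(buildSearchFilter("cn={0}", "a*"));
        System.out.println(singleMatchOrNull(List.of("cn=alex,o=pti")));
        System.out.println(singleMatchOrNull(List.of("cn=a,o=pti", "cn=b,o=pti")));
    }
}
```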