DEVHIDE
Login Or Sign up

Mapping role-names to from roles

891 Views Asked by At

I configured a LDAP realm for tomcat 7. It searches for someone in the group users, once found will authenticate them and allow them to access the application.

This is my realm:

<Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://adldap.mycompany.com:3268"
          userSearch="(sAMAccountName={0})"
          userSubtree="true"
          userBase="DC=mycompany,DC=com"
          roleSubtree="true"
          roleName="CN"
          userRoleName="memberOf"/>

It finds the user then searches for the corresponding role-names. This is my security constraints with roles in the web.xml.

<security-constraint>
    <display-name>user</display-name>
    <web-resource-collection>
        <web-resource-name>user</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>users</description>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>

But the user will have roles that look like CN=Domain Users,CN=Users,DC=mycompany,DC=com. So my question is, is there a way I can map that role to the role-name of user? Otherwise I need to define my security constraints as such:

<security-constraint>
    <display-name>user</display-name>
    <web-resource-collection>
        <web-resource-name>user</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>users</description>
        <role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
</security-role>
ldap tomcat7 jndi web.xml security-constraint
Original Q&A
2

There are 2 best solutions below

2
On

map that role to the role-name of user?

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://adldap.mycompany.com:3268"
   userSearch="(sAMAccountName={0})"
   userSubtree="true"
   userBase="DC=mycompany,DC=com"
   roleSubtree="true"
   roleName="CN"
   userRoleName="sAMAccountName"/>

This should (I could not test it) pull the attribute (sAMAccountName) from the user entry that is authenticated.

1
On

Have you tried using 

<security-role-ref>
<role-name>CN=Domain Users,CN=Users,DC=mycompany,DC=com</role-name>
<role-link>user</role-link>
</security-role-ref>

Related Questions in LDAP

Related Questions in TOMCAT7

Related Questions in JNDI

Related Questions in WEB.XML

Related Questions in SECURITY-CONSTRAINT

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.