How to get credentials from LDAP using Apache Tomcat JNDIRealm
ganesh.boil
17-09-2009, 15:02
Hi,
recently I have started to make a POC on Apache Tomcat JNDIRealm.
For this I have followed the tutorials available at
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm and
http://viralpatel.net/blogs/2008/12/implement-ldap-authentication-in-tomcat-jboss-server-for-java-app.html
I have created a couple of users and groups in OpenLDAP, and configured server.xml in Tomcat as suggested in the above link.
And configured web.xml in my J2EE application as suggested in the second URL.
Now my question is how to get the user credentials in the .java file where I have the login() method.
So can anyone suggest how to get the user name and password from LDAP using this Tomcat JNDIRealm?
Any sample code would be very helpful.
Thanks in advance.
regards,
Ganesh
Kees de Kooter
17-09-2009, 20:39
You can find the username by calling HttpServletRequest.getUserPrincipal().getName()
There is no API for the password, for obvious security reasons.
ganesh.boil
18-09-2009, 07:36
Hi Kees de Kooter,
thanks, you're right.
Can you have a look into my application?
I'm using the Apache Tomcat JNDIRealm for authentication against LDAP.
For this I'm following the tutorials at http://tomcat.apache.org/tomcat-4.0-doc/realm-howto.html#JNDIRealm and http://viralpatel.net/blogs/2008/12/implement-ldap-authentication-in-tomcat-jboss-server-for-java-app.html
According to this, I configured the server.xml (inside Tomcat) and web.xml (inside my web application).
The following is my server.xml.
[CODE]<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="cn=Manager,dc=example,dc=com"
       connectionPassword="secret"
       connectionURL="ldap://192.168.25.193:389"
       userPassword="userPassword"
       userPattern="uid={0},ou=People,dc=example,dc=com"
       roleBase="ou=Roles,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})" />[/CODE]
The following is my web.xml
[CODE]<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd"
         version="2.5">
  <description>Tomcat JNDIRealm to Authenticate User</description>
  <display-name>Tomcat JNDIRealm to Authenticate User</display-name>
  <servlet>
    <servlet-name>LoginAuthentication</servlet-name>
    <servlet-class>com.test.realm.LoginAuthentication</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginAuthentication</servlet-name>
    <url-pattern>/login</url-pattern>
  </servlet-mapping>
  <!-- Welcome file list -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <!-- Realm Settings -->
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>org.apache.catalina.realm.JNDIRealm</realm-name>
  </login-config>
</web-app>[/CODE]
And my LoginAuthentication.java servlet is,
[CODE]package com.test.realm;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginAuthentication extends HttpServlet {

    private static final long serialVersionUID = 1L;
    private ServletConfig config;

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        this.config = config;
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set the content type before obtaining the writer, otherwise it may be ignored
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // The container has already authenticated the caller against the realm;
        // the principal is only null if this URL is not covered by a security-constraint
        Principal principal = request.getUserPrincipal();
        String userName = (principal == null) ? null : principal.getName();
        // String userName = "ganesh";
        // String passwrd = "ganesh";
        /*
         * if (userName.equals(request.getParameter("user")) &&
         * passwrd.equals(request.getParameter("pass"))) {
         */
        if (userName != null && userName.equals(request.getParameter("user"))) {
            out.println("WELCOME " + userName);
        } else {
            out.println("Please enter correct username and password");
            out.println("<a href='AuthenticLogin.jsp'><br>Login again</a>");
        }
    }
}[/CODE]
and my login.jsp is,
[CODE]<form name="frm" action="login" method="post">
  Name: <input type="text" name="user" value="" /><br>
  Password: <input type="password" name="pass" value="" /><br>
  <br>
  <input type="submit" value="Sign-In" />
  <input type="reset" value="Reset" />
</form>[/CODE]
NOTE: I kept jndi.jar inside the tomcat/common/lib directory.
But after restarting the server, after entering admin and admin (the Tomcat admin name and password) it is showing the following error instead of showing all the deployed applications.
*"HTTP Status 403 - Access to the requested resource has been denied"*
So can you suggest how to authenticate (code for checking the login credentials with LDAP)... In LDAP I have some users and some roles. Each user is associated with some roles. My requirement is: after login, if login is successful, then I need to display the username and his roles in the success page, else the failure page.
Now please help me.
Thanks again for your support,
Regards,
Ganesh
Kees de Kooter
18-09-2009, 10:09
If you want to see the deployed applications you have to go to the manager application: http://<hostname>:<port>/manager/html. The manager app has its own authentication mechanism.
In your example you have secured your application. The login you did was for this application, so you should use a valid ldap username / password.
If you want to use a login page you have to configure auth-method as FORM instead of BASIC. The form should have specific field names:
<form action='j_security_check' method='post'>
  <table>
    <tr><td>Name:</td>
        <td><input type='text' name='j_username'></td></tr>
    <tr><td>Password:</td>
        <td><input type='password' name='j_password'></td></tr>
  </table>
  <br>
  <input type='submit' value='login'>
</form>
Using the standard servlet-spec authentication it is not possible to redirect to a specific page after successful login.
ganesh.boil
18-09-2009, 13:48
Hi Kees,
Thanks for your reply. I changed the auth-method to FORM, but still I'm not able to redirect to success.jsp.
If I enter wrong credentials then it is redirecting me to error.jsp, and if I enter valid credentials then it is not redirecting me to success.jsp.
Instead it is showing the following error.
*"HTTP Status 403 - Access to the requested resource has been denied"*
And I want to display the user name and his associated roles in success.jsp.
Here I have 2 questions.
1. How to redirect to success.jsp?
2. How to display the user name and his associated roles in success.jsp?
How can I achieve this?
Kees de Kooter
18-09-2009, 23:01
ad 1. as already mentioned in my previous post: Using the standard servlet-spec authentication it is not possible to redirect to a specific page after successful login.
ad 2. as also mentioned earlier you can find the username by
HttpServletRequest.getPrincipal().getName()
You can check the user's roles by calling
HttpServletRequest.getPrincipal().isUserInRole(<rolename>)
ganesh.boil
19-09-2009, 14:09
Hi Kees, thanks for your help.
I think the following code can do my requirement.
<security-constraint>
  <display-name>Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/*</url-pattern>
    <!-- If you list http methods, only those methods are protected -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>AppUsers</role-name>
  </auth-constraint>
</security-constraint>
Like this I need to mention several roles and corresponding URLs? Am I right? And after authentication happens successfully, the home page is not displaying. I think I made a mistake somewhere. After login is successful, how to redirect or call a controller, i.e. a servlet? Do I need to mention the <url-pattern> in the above code?
For example I want to call the servlet named LoginServlet; in this servlet I will find the role and then dispatch the request appropriately.
<servlet>
  <servlet-name>LoginServlet</servlet-name>
  <servlet-class>com.test.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>LoginServlet</servlet-name>
  <url-pattern>/login</url-pattern>
</servlet-mapping>
For calling this servlet, how should I code it in web.xml?
<web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <!-- Define the context-relative URL(s) to be protected -->
  <url-pattern>/*</url-pattern>
  <!-- If you list http methods, only those methods are protected -->
</web-resource-collection>
I think in the above, instead of <url-pattern>/*</url-pattern> do I need to use <url-pattern>/login</url-pattern>? Or something else?
Can you make changes in the above code appropriately... My plan is that in this LoginServlet I will check the appropriate role and enable the features in the home page. Is it the right way to achieve role-based authentication? Please guide me...
Thanks again for your support. Have a nice weekend... will catch you on Monday...
Bye,
Ganesh
Kees de Kooter
20-09-2009, 19:58
For the third (and last) time Ganesh: using the standard servlet-spec authentication it is NOT possible to redirect to a specific page after successful login.
You use the security-constraint tag to protect resources in your application.
In your application you can check for roles using the isUserInRole() method.
1. I suggest you carefully study the servlet specification, especially the chapter on security: http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html
2. If you need a more powerful solution take a look at Spring Security: http://static.springsource.org/spring-security/site/
ganesh.boil
21-09-2009, 05:20
Hi Kees,
Good Morning!!!
Thanks for giving the deep details of container-managed security. Now I have a clear idea about it. And my application is working almost 75%, with a small configuration mistake.
Because of lack of knowledge of Realm settings I'm not able to get what I want.
What I have done is create a folder called "protected" under the root folder of my application, and put a page named success.jsp in it.
And the following is my web.xml.
<security-constraint>
  <display-name>Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Apache_Realm</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/protected/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <!-- If you list http methods, only those methods are protected -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>AppUsers</role-name>
  </auth-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/index.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<!-- Security roles referenced by this web application
     (the web-app schema allows exactly one role-name per security-role element) -->
<security-role>
  <role-name>AppUsers</role-name>
</security-role>
<security-role>
  <role-name>Admin</role-name>
</security-role>
<security-role>
  <role-name>AppAdmin</role-name>
</security-role>
<security-role>
  <role-name>Manager</role-name>
</security-role>
If I enter wrong credentials which are not there in LDAP then it is working fine, meaning it redirects to error.jsp. After entering the right credentials it is not redirecting to or showing success.jsp; instead it is showing the following error.
"HTTP Status 400 - Invalid direct reference to form login page"
I'm using Tomcat 5.5.27... Is it a Tomcat problem, or my configuration problem?
Can you point out the errors?
Thanks again for your help.
Regards,
Ganesh
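Two container behaviours explain the errors in this thread and are worth stating plainly. The earlier 403 with BASIC auth came from the empty <auth-constraint /> in the first web.xml: the servlet specification defines an auth-constraint with no role-name as "nobody may access", so every login, however valid, was denied; the later web.xml fixes that by naming AppUsers. The 400 "Invalid direct reference to form login page" is raised by Tomcat's form authenticator when the browser POSTs to j_security_check without a saved request to return to, which is exactly what happens when index.jsp is both the welcome file and the form-login-page: opening the site root loads the form directly instead of the container redirecting to it from a request for a URL under /protected/. The working layout is therefore an unprotected entry page that sends the browser to a protected URL, and a servlet inside the protected area that serves as the landing page; after a successful login the container returns the browser to the protected URL it originally asked for, so that servlet is where the role-based dispatch and the username/roles display belong. The class below is an added illustration of such a landing servlet, not code from the thread or from Tomcat. Its name HomeServlet, its mapping to /protected/home and the /protected/admin.jsp forward target are assumptions; the role names come from the <security-role> list in the post above.

```java
package com.test.realm;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical landing servlet for the protected area. Map it in web.xml with the
 * same servlet/servlet-mapping pair used earlier in the thread and
 * <url-pattern>/protected/home</url-pattern> (the mapping is an assumption).
 * Because /protected/* is covered by the security-constraint, the container has
 * already authenticated the caller against the JNDIRealm before doGet runs; this
 * servlet only reads the outcome and never sees the password.
 */
public class HomeServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /** Roles declared in the <security-role> elements of the thread's web.xml. */
    private static final String[] DECLARED_ROLES = { "AppUsers", "Admin", "AppAdmin", "Manager" };

    /** Returns the subset of DECLARED_ROLES that the container says the caller holds. */
    static List<String> rolesOf(HttpServletRequest request) {
        List<String> held = new ArrayList<String>();
        for (String role : DECLARED_ROLES) {
            if (request.isUserInRole(role)) {
                held.add(role);
            }
        }
        return held;
    }

    /** Minimal HTML escaping so an LDAP uid or role name cannot inject markup into the page. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Only reachable if the servlet is mapped outside the security-constraint;
            // refuse explicitly rather than fail with a NullPointerException on getName().
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        List<String> roles = rolesOf(request);

        // Role-based dispatch: administrators get their own page (assumed path), everyone
        // else the generic welcome page rendered below. A forward keeps the request inside
        // the protected area, so the container's authentication decision still applies.
        if (roles.contains("Admin") || roles.contains("AppAdmin")) {
            request.setAttribute("roles", roles);
            request.getRequestDispatcher("/protected/admin.jsp").forward(request, response);
            return;
        }

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<p>WELCOME " + escapeHtml(principal.getName()) + "</p>");
        out.println("<ul>");
        for (String role : roles) {
            out.println("<li>" + escapeHtml(role) + "</li>");
        }
        out.println("</ul>");
        out.println("</body></html>");
    }
}
```

The servlet API calls are request.getUserPrincipal() for the authenticated name and request.isUserInRole(role) for role membership; the servlet specification expects any role tested this way to be declared in <security-role>, which the web.xml above already does. The principal name is escaped before being written because it comes straight from the LDAP uid attribute, and a page that reflects it unescaped would render whatever is stored there.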
Kees de Kooter
21-09-2009, 08:01
Dear Ganesh,
Please re-read my remarks about redirecting after login in my previous 3 posts very very carefully.