Hi,
I'm trying to change the authentication mode of my application from JDBC-REALM to JNDI-REALM.
I configured the following section inside the Server.xml
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://****:389/DC=onsetinc,DC=com??sAMccountName?sub?(objectClass=*)" connectionName="
[email protected]" connectionPassword="password" userBase="CN=Users" referrals="follow" userSearch="(sAMAccountName={0})" userSubtree="true" roleBase="CN=Users" roleName="name" roleSubtree="true" roleSearch="(member={1})"/>
I have also configured the web.xml under my appfolder to contain the following:
<security-role>
<role-name>Admin</role-name>
</security-role>
<security-role>
<role-name>WaterlooUsers</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Tube</web-resource-name>
<url-pattern>/ComposeMessage.jsp</url-pattern>
<url-pattern>/PageStatus.jsp</url-pattern>
<url-pattern>/UserStatus.jsp</url-pattern>
<url-pattern>/SearchEC.jsp</url-pattern>
<url-pattern>/SearchEC2.jsp</url-pattern>
<url-pattern>/SearchMessageStatisticsEC.jsp</url-pattern>
<url-pattern>/SearchMessageStatus.jsp</url-pattern>
<url-pattern>/SearchMessageStatisticsPager.jsp</url-pattern>
<url-pattern>/SearchPageStatus.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>WaterlooUsers</role-name>
</auth-constraint>
</security-constraint>
In my Active directory i have created a new group called WaterlooUsers
It's distinguish name is :
distinguishedName: CN=WaterlooUsers,CN=Users,DC=onsetinc,DC=com
It has a property member which contains the following user:
member: CN=Itay Levin,CN=Users,DC=onsetinc,DC=com (which is my user)
My record on the active directory looks like that:
sAMAccountName: itayL
distinguishedName: CN=Itay Levin,CN=Users,DC=onsetinc,DC=com
memberOf: CN=WaterlooUsers,CN=Users,DC=onsetinc,DC=com
and when i get the popup for user/password i enter the username "ItayL"
in the authentication message box (and my password)
I have 2 questions:
How do i
configure correctly the roles parameters correctly
in the Realm section
in the server.xml to enable me to both authenticate and authorize both this group of users WaterlooUsers and also assign them to the appropriate role so that they can see all the relevant pages
in my website. - currently it seems that all the Users
in my domain are authenticated to the site but get the http-403 Error and can't access any of the pages
in the site.
I also want to be able to create 2 different set of roles
in my site - which can both have access to the same pages - but will see different things on the page. (for instance adding some administrative ability to the admin)
Hope it was clear enough and not too long.
Thanks
in advance,
Itay