Example: JBoss and LDAP

JBoss 5.1.0.GA.

1. Change directory to server/default/conf and edit login-config.xml
2. Add a new block of application-policy, I put it before the "other" application-policy.

<application-policy name="mycomp-ldap"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"> <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> <module-option name="java.naming.provider.url">ldap://myldapserver:389/</module-option> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name="bindDN"></module-option> <module-option name="bindCredential"></module-option> <module-option name="baseCtxDN">o=intra,dc=mycomp,dc=com</module-option> <module-option name="baseFilter">(uid={0})</module-option> <module-option name="rolesCtxDN">o=intra,dc=mycomp,dc=com</module-option> <module-option name="roleFilter">(uid={0})</module-option> <module-option name="roleAttributeID">nsRole</module-option> <module-option name="roleAttributeIsDN">false</module-option> <module-option name="roleRecursion">0</module-option> <module-option name="searchScope">SUBTREE_SCOPE</module-option> <module-option name="allowEmptyPasswords">true</module-option> <module-option name="defaultRole">cn=ldap-authenticated,o=intra,dc=mycomp,dc=com</module-option> </login-module> </authentication> </application-policy>

3.Under the WEB-INF directory, create jboss-web.xml and add a jboss-web definition.

<?xml version="1.0"?> <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"> <jboss-web> <security-domain>java:/jaas/mycomp-ldap</security-domain> <context-root>mycontext</context-root> </jboss-web>

4. Edit the web.xml file and add security configurations.

<security-constraint> <web-resource-collection> <web-resource-name>myapp</web-resource-name> <description>my description</description> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <description>Allowed only myrole users.</description> <role-name>cn=myrole,o=intra,dc=mycomp,dc=com</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>my realm</realm-name> </login-config> <security-role> <role-name>cn=myrole,o=intra,dc=mycomp,dc=com</role-name> </security-role>

5. It is nice to see what is happening behind the door, so I enable the trace in the JBoss logging configuration. Edit server/default/conf/jboss-log4j.xml.

<category name="org.jboss.security"> <priority value="TRACE"/> </category>