JBoss RoleMappingLoginModule not loading role properties

I am trying to set up LDAP authentication in a standalone JBoss 6.1 EAP application. Finally, I was able to get the application to check against the LDAP server. Now I need to map "memberOf" user groups in LDAP to specific roles in JBoss.

I faced two problems. First, the following configuration allows me to login, but throws an error when I try to load the role mappings:

<security-domain name="LDAPAuth">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://myserver.acme.com:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="CN=SUPERUSER,OU=Application Specific Resources,OU=Enterprise Configuration &amp; Resources,DC=acme,DC=com"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="OU=User Accounts,DC=acme,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="OU=EC &amp; R,DC=acme,DC=com"/>
            <module-option name="roleFilter" value="(member={0})"/>
            <!--
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleNameAttributeID" value="CN"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            -->
            <module-option name="allowEmptyPasswords" value="false"/>
            <!-- <module-option name="roleRecursion" value="-1"/> -->
            <module-option name="throwValidateError" value="true"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
            <module-option name="rolesProperties" value="../standalone/configuration/test-roles.properties"/>
            <module-option name="replaceRole" value="false"/>
        </login-module>
    </authentication>
</security-domain>

However, I get the following error in the log:

10:46:12,740 DEBUG [org.jboss.security] (http-/0.0.0.0:8380-1) PBOX000287: Failed to open properties file from URL: java.net.MalformedURLException: no protocol: ../standalone/configuration/test-roles.properties
at java.net.URL.<init>(URL.java:567) [rt.jar:1.6.0_16]
at java.net.URL.<init>(URL.java:464) [rt.jar:1.6.0_16]
at java.net.URL.<init>(URL.java:413) [rt.jar:1.6.0_16]
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:300) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.auth.spi.RoleMappingLoginModule.getRoleSets(RoleMappingLoginModule.java:127) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.auth.spi.AbstractServerLoginModule.commit(AbstractServerLoginModule.java:225) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_16]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_16]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_16]

Which suggests that role mappings are not being loaded. However, the TRACE log suggests it was loaded:

10:46:12,758 TRACE [org.jboss.security] (http-/0.0.0.0:8380-1) PBOX000288: Properties file ../standalone/configuration/test-roles.properties loaded, users: [Manager, User]

Even then, no display is performed.

My second problem is how to determine which memberOf groups were returned, in order to debug the problem.

10:46:12,762 TRACE [org.jboss.security] (http-/0.0.0.0:8380-1) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@5d7c1cf0, subject: Subject(675837664).principals=org.jboss.security.SimplePrincipal@762609865(MyLogin)org.jboss.security.SimpleGroup@1001595759(Roles(members))org.jboss.security.SimpleGroup@1001595759(CallerPrincipal(members:MyLogin))

When I query the LDAP repository in JXplorer with the same credentials, I get the following snippet.

cn: Technical Team
member: CN=Joe Blogs,OU=Other Users,OU=Business Units,OU=User Accounts,DC=acme,DC=com
        CN=John Doe,OU=Other Users,OU=Business Units,OU=User Accounts,DC=acme,DC=com
        CN=Peter Pan,OU=Other Users,OU=Business Units,OU=User Accounts,DC=acme,DC=com
memberOf: CN=Pilot Users,OU=Application Specific Resources,OU=EC & R,DC=acme,DC=com
          CN=Support Users,OU=Application Specific Resources,OU=EC & R,DC=acme,DC=com
name: Technical Team

In the test-roles.properties file, I have the "Manager" role mapped to "Technical Team", but that never shows up. There may be a problem with my roleFilter or roleAttributeID.

Any help is appreciated.

1 answer


Try using file: to specify the location of the properties file.

<module-option name="rolesProperties" value="file:/path-to-properties"/>



the value identifies the file in the form as specified by the Classloader, or with its absolute location as specified by the java.net.URL template (for example file:/rolesMap.properties)

https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/ch12.html#sect-RoleMappingLoginModule
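As an added illustration (not code from the question, the answer, or PicketBox), here is a small Python model of how RoleMappingLoginModule consumes the file the answer points at: the documented format is original_role=role1,role2, the mapped roles are added to the Roles group (or replace the original when replaceRole is true), and the rolesProperties value must be an absolute file: URL rather than a bare relative path. The roles file contents, the JBoss home path and the helper names are constructed for this example.

```python
from pathlib import Path

# Constructed sample roles file. Keys are roles already in the subject's Roles
# group (here the LDAP group CN), values are the application roles to grant.
ROLES_PROPERTIES = """
# LDAP group CN -> application role(s)
Technical Team=Manager,User
Pilot Users=User
"""


def parse_properties(text):
    """Minimal parser for the key=value[,value,...] lines the module expects."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        mapping[key.strip()] = [r.strip() for r in value.split(",") if r.strip()]
    return mapping


def map_roles(ldap_roles, mapping, replace_role=False):
    """Model of the module's commit step: every role in the Roles group that
    appears as a key gets its mapped roles added; with replaceRole=true the
    original role is discarded. A key that is not already a role never fires,
    so 'Manager=Technical Team' cannot produce Manager from an LDAP group."""
    result = set(ldap_roles)
    for role in ldap_roles:
        if role in mapping:
            result.update(mapping[role])
            if replace_role:
                result.discard(role)
    return sorted(result)


def roles_properties_url(jboss_home, relative_path):
    """Build the absolute file: URL to put in the rolesProperties option.
    A bare '../standalone/...' value has no scheme, which is exactly what
    java.net.URL rejects with 'no protocol' in the question's log."""
    return (Path(jboss_home) / relative_path).resolve().as_uri()
```

The question's own TRACE line prints the Roles group as `Roles(members)` with nothing after `members`, which is how PicketBox's SimpleGroup renders an empty group; in that case the LDAP role query returned nothing for the mapping to act on, and the roleFilter/rolesCtxDN side needs checking before the properties file.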
