JBoss RoleMappingLoginModule not loading role properties
I am trying to set up LDAP authentication in a standalone JBoss 6.1 EAP application. Finally, I was able to get the application to check against the LDAP server. Now I need to map "memberOf" user groups in LDAP to specific roles in JBoss.
I faced two problems. First, the following configuration allows me to login, but throws an error when I try to load the role mappings:
<security-domain name="LDAPAuth">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://myserver.acme.com:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <!-- '&' must be written as '&amp;' inside an XML attribute value -->
            <module-option name="bindDN" value="CN=SUPERUSER,OU=Application Specific Resources,OU=Enterprise Configuration &amp; Resources,DC=acme,DC=com"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="OU=User Accounts,DC=acme,DC=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="OU=EC &amp; R,DC=acme,DC=com"/>
            <module-option name="roleFilter" value="(member={0})"/>
            <!--
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleNameAttributeID" value="CN"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            -->
            <module-option name="allowEmptyPasswords" value="false"/>
            <!-- <module-option name="roleRecursion" value="-1"/> -->
            <module-option name="throwValidateError" value="true"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
            <module-option name="rolesProperties" value="../standalone/configuration/test-roles.properties"/>
            <module-option name="replaceRole" value="false"/>
        </login-module>
    </authentication>
</security-domain>
However, I get the following error in the log:
10:46:12,740 DEBUG [org.jboss.security] (http-/0.0.0.0:8380-1) PBOX000287: Failed to open properties file from URL: java.net.MalformedURLException: no protocol: ../standalone/configuration/test-roles.properties
    at java.net.URL.<init>(URL.java:567) [rt.jar:1.6.0_16]
    at java.net.URL.<init>(URL.java:464) [rt.jar:1.6.0_16]
    at java.net.URL.<init>(URL.java:413) [rt.jar:1.6.0_16]
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:300) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.security.auth.spi.RoleMappingLoginModule.getRoleSets(RoleMappingLoginModule.java:127) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.security.auth.spi.AbstractServerLoginModule.commit(AbstractServerLoginModule.java:225) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_16]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_16]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_16]
This suggests that the role mappings are not being loaded. However, the TRACE log suggests the file was loaded:
10:46:12,758 TRACE [org.jboss.security] (http-/0.0.0.0:8380-1) PBOX000288: Properties file ../standalone/configuration/test-roles.properties loaded, users: [Manager, User]
Even so, nothing is displayed.
My second problem is how to determine which memberOf groups were returned, in order to debug the problem.
10:46:12,762 TRACE [org.jboss.security] (http-/0.0.0.0:8380-1) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@5d7c1cf0, subject: Subject(675837664).principals=org.jboss.security.SimplePrincipal@762609865(MyLogin)org.jboss.security.SimpleGroup@1001595759(Roles(members))org.jboss.security.SimpleGroup@1001595759(CallerPrincipal(members:MyLogin))
When I query the LDAP repository with JXplorer using the same credentials, I get the following snippet:
cn: Technical Team
member: CN=Joe Blogs,OU=Other Users,OU=Business Units,OU=User Accounts,DC=acme,DC=com
        CN=John Doe,OU=Other Users,OU=Business Units,OU=User Accounts,DC=acme,DC=com
        CN=Peter Pan,OU=Other Users,OU=Business Units,OU=User Accounts,DC=acme,DC=com
memberOf: CN=Pilot Users,OU=Application Specific Resources,OU=EC & R,DC=acme,DC=com
          CN=Support Users,OU=Application Specific Resources,OU=EC & R,DC=acme,DC=com
name: Technical Team
In the test-roles.properties file, I have the "Manager" role mapped to "Technical Team", but that never shows up. There may be a problem with my roleFilter or roleAttributeID.
Any help would be appreciated.
Try using file: to specify the location of the properties file.
<module-option name="rolesProperties" value="file:/path-to-properties"/>
The value identifies the file either in the form expected by the classloader, or by its absolute location in java.net.URL form (for example file:/rolesMap.properties).
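As an added example (not from the question, the answer, or PicketBox itself), the following Python helper addresses the second question above: it pulls the role names out of a PBOX000210 TRACE line like the one in the question, and applies a rolesProperties table to them in the documented original_role=role1,role2 direction, so you can see offline which roles a given mapping file would produce. The trace line and properties text are constructed samples; the replaceRole behaviour (dropping only roles that had a mapping) is my reading of the option and should be checked against your PicketBox version.

```python
import re

# Constructed sample TRACE line in the PBOX000210 layout from the question,
# for a subject whose Roles group is non-empty (the question's own is empty).
TRACE_LINE = (
    "PBOX000210: defaultLogin, subject: Subject(1).principals="
    "org.jboss.security.SimplePrincipal@1(MyLogin)"
    "org.jboss.security.SimpleGroup@2(Roles(members:Technical Team,Pilot Users))"
    "org.jboss.security.SimpleGroup@3(CallerPrincipal(members:MyLogin))"
)

# Constructed test-roles.properties content (original_role=role1,role2 form).
ROLES_PROPERTIES = "# mapped roles\nManager=Technical Team\nUser=Pilot Users\n"


def roles_from_trace(line):
    """Return the Roles group members from a PBOX000210 line; a bare
    'Roles(members)' means the LDAP module produced no roles at all."""
    m = re.search(r"\(Roles\(members(?::([^)]*))?\)\)", line)
    if not m or not m.group(1):
        return []
    return [r.strip() for r in m.group(1).split(",") if r.strip()]


def parse_role_mapping(text):
    """Parse the .properties subset used by rolesProperties: key=value,value."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        mapping[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return mapping


def apply_role_mapping(roles, mapping, replace_role=False):
    """Add the mapped roles for each held role that is a KEY of the table.
    replace_role=True drops a role only if it had a mapping (assumed);
    a role that appears only as a VALUE is never matched."""
    result = []
    for role in roles:
        mapped = mapping.get(role)
        if mapped is None or not replace_role:
            result.append(role)
        for new_role in mapped or []:
            if new_role not in result:
                result.append(new_role)
    return result
```

Running roles_from_trace over the question's own PBOX000210 line returns an empty list, which is why the mapping has nothing to act on there.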