Wednesday, July 1, 2015

How to integrate Tomcat with LDAP authentication

After struggling for 3 days, I was finally able to integrate a Tomcat server with an LDAP server.

With the LDAP realm you can authenticate the users of a web application against an existing LDAP server.


The basic steps are as follows.

For this example I have used an online LDAP test server hosted at (http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/).

First, edit the server.xml file at <catalina_home>/conf/server.xml as follows:
comment out the UserDatabaseRealm element and add the JNDIRealm element in its place.

<!-- Use the LockOutRealm to prevent attempts to guess user passwords
     via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase".  Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm.  -->

  <!--Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/-->

  <!-- Authenticate by binding to the LDAP server with the DN built from userPattern -->
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://ldap.forumsys.com:389"
         connectionName="cn=read-only-admin,dc=example,dc=com"
         connectionPassword="password"
         userPattern="uid={0},dc=example,dc=com"
  />
</Realm>


Note: you can also use the JNDIRealm class without the LockOutRealm. The LockOutRealm locks a user out after they enter an incorrect password several times in a row.

Note: on an Active Directory server, using port 3268 connects you to the Global Catalog, which also lets you look up users outside the single path given by the user pattern.
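To make the two Realm elements above concrete, here is an added example (not Tomcat's own code) that models the LockOutRealm wrapping a JNDIRealm-style userPattern bind. It replaces the live LDAP server with a constructed in-memory directory (FAKE_DIRECTORY), uses the LockOutRealm defaults (failureCount=5, lockOutTime=300 seconds), and adds RFC 4514 escaping of the username before it is substituted into the DN; that escaping is a defensive step of this example, and Tomcat's own handling depends on the version you run.

```python
"""Model of the Realm chain configured in server.xml above: a LockOutRealm
wrapping a JNDIRealm-style userPattern bind.

Added example, not Tomcat's code.  The LDAP server is replaced by a
constructed in-memory directory, and the LockOutRealm defaults
(failureCount=5, lockOutTime=300 s) are used.
"""
import time

USER_PATTERN = 'uid={0},dc=example,dc=com'   # userPattern from server.xml above

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Hex-escape RFC 4514 special characters so a username cannot alter the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        elif ch == ' ' and i in (0, last):        # leading/trailing space
            out.append('\\20')
        elif ch == '#' and i == 0:                 # leading hash
            out.append('\\23')
        else:
            out.append(ch)
    return ''.join(out)


def build_user_dn(user_pattern: str, username: str) -> str:
    """Substitute {0} in the userPattern, as JNDIRealm does before binding."""
    return user_pattern.replace('{0}', escape_dn_value(username))


# Constructed stand-in for the directory: bind DN -> password that binds it.
FAKE_DIRECTORY = {
    'uid=gauss,dc=example,dc=com': 'password',
    'uid=euler,dc=example,dc=com': 'password',
}


def simple_bind(directory: dict, dn: str, password: str) -> bool:
    """Stand-in for the LDAP simple bind: True only if the DN exists and the password matches."""
    return dn in directory and directory[dn] == password


class LockOutRealm:
    """Simplified LockOutRealm: after failure_count failures in a row a user is
    refused for lock_out_time seconds, whatever password is offered."""

    def __init__(self, inner, failure_count=5, lock_out_time=300, clock=time.time):
        self.inner = inner                 # the wrapped realm: (username, password) -> bool
        self.failure_count = failure_count
        self.lock_out_time = lock_out_time
        self.clock = clock                 # injectable so tests are deterministic
        self.failures = {}                 # username -> (failure count, last failure time)

    def is_locked(self, username: str) -> bool:
        entry = self.failures.get(username)
        if entry is None:
            return False
        count, last_failure = entry
        return count >= self.failure_count and self.clock() - last_failure < self.lock_out_time

    def authenticate(self, username: str, password: str) -> bool:
        # This model checks the lock before asking the directory; Tomcat's exact
        # ordering varies by version, but a locked user is refused either way.
        if self.is_locked(username):
            return False
        ok = self.inner(username, password)
        if ok:
            self.failures.pop(username, None)   # a success resets the counter
        else:
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, self.clock())
        return ok


def demo() -> list:
    """Good login, five failures lock gauss, the lock expires, a username with a comma is escaped."""
    now = [1000.0]                         # fake clock
    inner = lambda u, p: simple_bind(FAKE_DIRECTORY, build_user_dn(USER_PATTERN, u), p)
    realm = LockOutRealm(inner, clock=lambda: now[0])
    results = [realm.authenticate('gauss', 'password')]      # True
    for _ in range(5):
        realm.authenticate('gauss', 'wrong')
    results.append(realm.authenticate('gauss', 'password'))  # False: locked out
    now[0] += 301                                            # past lockOutTime
    results.append(realm.authenticate('gauss', 'password'))  # True again
    results.append(realm.authenticate('gauss,dc=x', 'password'))  # False: escaped, no such DN
    return results


if __name__ == '__main__':
    print(demo())
```

The realm above talks to ldap://...:389, so the bind password travels in clear text; in a production setup point connectionURL at an ldaps:// port or enable StartTLS on the server side, and tune failureCount and lockOutTime on the LockOutRealm element rather than relying on the defaults.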

Then go to your Maven web project and open its web.xml at <catalina_home>/webapps/<proj-name>/WEB-INF/web.xml and add the following:

<security-constraint>
  <display-name>Example Security Constraint - part 1</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area - Allow methods</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/<path from cat_base>/*</url-pattern>
    <!-- If you list HTTP methods, only those methods are protected; any -->
    <!-- other method (HEAD, OPTIONS, ...) stays unprotected unless another -->
    <!-- constraint covers it or the method list is omitted entirely        -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<!-- Login configuration uses HTTP Basic authentication -->
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>*</role-name>
</security-role>
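The comment inside the web-resource-collection is easy to skip over, so here is an added example (not Tomcat's matching code) that models url-pattern and http-method matching for the constraint above and lists which methods still reach the protected path without authentication. The path /secure stands in for <path from cat_base>, and the request paths and method list are constructed for the example.

```python
"""Which requests does the security-constraint in web.xml above cover?

Added example, not Tomcat's own code: a simplified model of url-pattern
matching and of the http-method rule described in the web.xml comment.
/secure stands in for <path from cat_base>; paths are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityConstraint:
    url_patterns: list
    http_methods: list = field(default_factory=list)   # empty list = every method
    roles: list = field(default_factory=list)          # '*' = any declared role


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: exact, path prefix ('/x/*') or extension ('*.jsp')."""
    if pattern == path:
        return True
    if pattern.endswith('/*'):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + '/')
    if pattern.startswith('*.'):
        return path.endswith(pattern[1:])
    return False


def requires_auth(constraints, path: str, method: str) -> bool:
    """True when some constraint covers this path and method, so the container
    will demand an authenticated user holding one of the constraint's roles."""
    for c in constraints:
        if any(url_pattern_matches(p, path) for p in c.url_patterns):
            if not c.http_methods or method in c.http_methods:
                return True
    return False


STANDARD_METHODS = ('GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE')


def uncovered_methods(constraints, path: str, methods=STANDARD_METHODS) -> list:
    """Methods that reach `path` with no authentication at all."""
    return [m for m in methods if not requires_auth(constraints, path, m)]


# The constraint as written above: only the four listed methods are protected.
AS_WRITTEN = SecurityConstraint(['/secure/*'], ['DELETE', 'GET', 'POST', 'PUT'], ['*'])
# The same constraint with the <http-method> elements removed: every method is protected.
ALL_METHODS = SecurityConstraint(['/secure/*'], [], ['*'])


if __name__ == '__main__':
    print('uncovered as written:', uncovered_methods([AS_WRITTEN], '/secure/report'))
    print('uncovered without method list:', uncovered_methods([ALL_METHODS], '/secure/report'))
```

Running it shows HEAD, OPTIONS and TRACE passing through the constraint as written; the simplest fix is to drop the http-method list so the constraint applies to every method, and on a Servlet 3.1 container (Tomcat 8 and later) you can additionally declare <deny-uncovered-http-methods/> in web.xml so that any method a constraint leaves out is refused instead of allowed.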


Here the role name * means that a user with any role can log in to the system.

Here I have used the BASIC authentication method, which means you do not need to implement a login page. If you need a login page of your own, use the FORM authentication method instead.

That's it: you have now implemented your authentication system. Furthermore, if you want to debug Tomcat's authentication steps, add the following lines to the <catalina_home>/conf/logging.properties file:

############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true



Now go to your web application and it will ask for a username and password. Use any of the following usernames with the password "password".
  • riemann
  • gauss
  • euler
  • euclid
  • einstein
  • newton
  • galieleo
  • tesla


Special thanks go to the Forum Systems people for hosting an online LDAP server for testing purposes.
