JAAS with active directory authentication in a web application

This is a sample of how to use JAAS authentication against a Windows Active Directory server. I use the Sun Java System Application Server, so the steps for other servers may differ.

Step 1: Defining LDAP realm

In this example you must define an LDAP realm named «ads-realm» with the following parameters:

Realm class:

com.sun.enterprise.security.auth.realm.ldap.LDAPRealm

Properties:

directory            = ldap://ads.host.name:389
base-dn              = DC=ads,DC=domain,DC=com
search-bind-dn       = user
search-bind-password = password
search-filter        = (&(objectClass=user)(sAMAccountName=%s))
group-search-filter  = (&(objectClass=group)(member=%d))
jaas-context         = ldapRealm

Change directory, base-dn, search-bind-dn and search-bind-password to match your Active Directory. In search-filter, %s is replaced by the user name entered at login; in group-search-filter, %d is replaced by the DN of the user entry that the first search found. The «search-bind-dn» and «search-bind-password» parameters are needed because, with default settings, Active Directory does not allow anonymous users to browse the directory. Two practical points: the bind account only needs read access and its password sits in clear text in the server configuration, so use a dedicated low-privilege account; and with a plain ldap:// URL both that password and every user's password cross the network unencrypted, so prefer ldaps:// (port 636) with the domain controller's CA certificate in the application server's trust store.

Step 2: Setting the JVM switch for referrals

The following JVM switch is needed with Active Directory LDAP servers, because a subtree search from the domain root returns referrals to other naming contexts (such as the DNS zone and Configuration partitions); without it the search fails with a javax.naming.PartialResultException:

-Djava.naming.referral=follow

Add this switch to your server startup script or with the admin console.

Step 3a: Basic authentication

Add the following section to your web.xml, or go to Step 3b for form-based authentication. Keep in mind that basic authentication sends the user name and password base64-encoded with every request, so it only makes sense over HTTPS.

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ads-realm</realm-name>
</login-config>

Step 3b: Form based authentication

Add the following section to your web.xml:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ads-realm</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login.html</form-error-page>
  </form-login-config>
</login-config>

Create the page /login.html with at least the following code (the action j_security_check and the field names j_username and j_password are fixed by the Servlet specification):

<html>
  <head/>
  <body>
    <form action="j_security_check" method="post">
      Username: <input type="text" name="j_username"><br/>
      Password: <input type="password" name="j_password"><br/>
      <input type="submit" value="Login"/>
    </form>
  </body>
</html>

Step 4: Adding security role to web.xml

Add at least one security role to your web.xml, in this example «userRole».

<security-role>
  <role-name>userRole</role-name>
</security-role>

Step 5: Adding security constraint to web.xml

Now we must create a security constraint naming the paths we want to allow only authenticated access to. In this sample, access to the folder /pages/ is restricted to authenticated users in the role «userRole». Note that transport-guarantee NONE lets the container serve these pages over plain HTTP; for anything beyond a local test set it to CONFIDENTIAL, which forces HTTPS and keeps the BASIC or form credentials out of clear-text traffic.

<security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>SecuredFolder</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>userRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Step 6: Create role mapping between active directory group and role

Role mappings are defined in sun-web.xml for the Sun Java System Application Server, so add the following section:

<security-role-mapping>
  <role-name>userRole</role-name>
  <group-name>users</group-name>
</security-role-mapping>

This maps the Active Directory group «users» to our role «userRole», so only users in the group «users» can access our secured folder. The group name is compared against the group entry's CN attribute (the realm's group-target property, which defaults to CN), so use the group's CN as it appears in the directory.
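To make the chain from Step 1 (search filters with %s and %d), Step 5 (security constraint) and Step 6 (role mapping) concrete, here is an added example in Python. It is not code from this post or from GlassFish: the directory entries are constructed sample data, the user "bind" is a plain password comparison standing in for the LDAP bind the realm performs as the found DN, and the group name is taken from the group's CN (assumed to be the realm's default group-target). Beyond the page's own filters it also shows the stricter filter a reader suggests in the comments, which rejects a disabled account at the search step so the realm never binds as it, and why the %s substitution has to be escaped per RFC 4515 (whether your realm implementation escapes it is something to verify on your server).

```python
# Added example, not GlassFish code: simulates the ads-realm login decision
# against constructed entries; the user bind is a plain password comparison.
import re

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (%s or %d)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def _unescape(raw):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)

def parse_filter(text):
    """Parse the RFC 4515 subset used on this page: (&..) (|..) (!..), (attr=value)
    with '*' wildcards, and AD's (attr:OID:=value) extensible match."""
    pos = 0
    def node():
        nonlocal pos
        assert text[pos] == '(', 'expected ( at %d' % pos
        pos += 1
        if text[pos] in '&|!':
            op, children = text[pos], []
            pos += 1
            while text[pos] == '(':
                children.append(node())
            assert text[pos] == ')', 'expected ) at %d' % pos
            pos += 1
            return (op, children)
        end = text.index(')', pos)
        attr, _, raw = text[pos:end].partition('=')
        pos = end + 1
        rule = None
        if attr.endswith(':'):                       # attr:OID:=value
            attr, _, rule = attr[:-1].partition(':')
        # split on *unescaped* wildcards, then unescape each literal piece
        return ('=', attr.lower(), rule, [_unescape(p) for p in raw.split('*')])
    tree = node()
    assert pos == len(text), 'trailing data in filter'
    return tree

LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

def matches(tree, entry):
    """Evaluate a parsed filter against one entry ({lower-case attr: [values]})."""
    op = tree[0]
    if op in ('&', '|'):
        return (all if op == '&' else any)(matches(c, entry) for c in tree[1])
    if op == '!':
        return not matches(tree[1][0], entry)
    _, attr, rule, parts = tree
    values = entry.get(attr, [])
    if rule == LDAP_MATCHING_RULE_BIT_AND:           # true if every bit of the mask is set
        mask = int(parts[0])
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError('unsupported matching rule ' + rule)
    pattern = re.compile('.*'.join(re.escape(p) for p in parts), re.IGNORECASE)
    return any(pattern.fullmatch(v) for v in values)

BASE_DN = 'DC=ads,DC=domain,DC=com'
ALICE = 'CN=Alice,CN=Users,' + BASE_DN
BOB = 'CN=Bob,CN=Users,' + BASE_DN
DIRECTORY = {                                        # constructed sample entries
    ALICE: {'objectclass': ['top', 'user'], 'samaccountname': ['alice'],
            'useraccountcontrol': ['512'], 'password': ['alice-pw']},  # 512 = NORMAL_ACCOUNT
    BOB:   {'objectclass': ['top', 'user'], 'samaccountname': ['bob'],
            'useraccountcontrol': ['514'], 'password': ['bob-pw']},    # 514 = 512 | ACCOUNTDISABLE
    'CN=users,CN=Builtin,' + BASE_DN:
           {'objectclass': ['top', 'group'], 'cn': ['users'], 'member': [ALICE, BOB]},
    'CN=admins,CN=Users,' + BASE_DN:
           {'objectclass': ['top', 'group'], 'cn': ['admins'], 'member': [ALICE]},
}
REALM = {                                            # the ads-realm properties from Step 1
    'base-dn': BASE_DN,
    'search-filter': '(&(objectClass=user)(sAMAccountName=%s))',
    'group-search-filter': '(&(objectClass=group)(member=%d))',
}
HARDENED = dict(REALM)                               # stricter filter suggested in the comments
HARDENED['search-filter'] = ('(&(objectClass=user)(sAMAccountName=%s)'
                             '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))')
ROLE_MAPPING = {'userRole': ['users']}               # sun-web.xml, Step 6
CONSTRAINTS = {'/pages/*': ['userRole']}             # web.xml, Step 5

def search(base_dn, filter_text):
    tree = parse_filter(filter_text)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(tree, e)]

def find_user(username, realm=REALM, escape=True):
    """First step of the realm: substitute %s and search. escape=False shows what
    a wildcard in the user name does if the substitution is not escaped."""
    value = escape_filter_value(username) if escape else username
    return search(realm['base-dn'], realm['search-filter'].replace('%s', value))

def authenticate(username, password, realm=REALM):
    """Returns (user DN, sorted group names) or None. Group names come from the
    group entry's CN (the realm's group-target, assumed here to default to CN)."""
    hits = find_user(username, realm)
    if len(hits) != 1:
        return None                                  # unknown user, or filter matched several
    dn = hits[0]
    if password not in DIRECTORY[dn].get('password', []):   # stands in for the bind as dn
        return None
    group_filter = realm['group-search-filter'].replace('%d', escape_filter_value(dn))
    return dn, sorted(DIRECTORY[g]['cn'][0] for g in search(realm['base-dn'], group_filter))

def roles_for(groups, mapping=ROLE_MAPPING):
    return {role for role, names in mapping.items() if set(names) & set(groups)}

def may_access(path, roles, constraints=CONSTRAINTS):
    for pattern, required in constraints.items():
        if pattern.endswith('/*') and path.startswith(pattern[:-1]):
            return bool(set(required) & roles)
    return True                                      # path not covered by a constraint

if __name__ == '__main__':
    dn, groups = authenticate('alice', 'alice-pw')
    print(dn, groups, may_access('/pages/index.html', roles_for(groups)))
    print(len(find_user('*', escape=False)), len(find_user('*')))  # 2 hits unescaped, 0 escaped
    print(authenticate('bob', 'bob-pw', HARDENED))   # None: disabled account is never bound
```

Run it as a script to see the three cases. The unescaped wildcard turns (sAMAccountName=*) into a presence filter that matches every user, which is why a value interpolated into a filter must be escaped; the mask rule 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND that the comment's filter relies on, with bit 2 of userAccountControl being ACCOUNTDISABLE.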

5 thoughts on “JAAS with active directory authentication in a web application”

  1. Good afternoon Jaas,

    I would really appreciate it if you can help me with the following:

    I am planning to design an intranet website, for internal purposes of course.

    Where users need to authenticate their username/passwd with a W2K3 Active Directory.

    If the user is authenticated on AD then they will be redirected to the intranet site, else

    “Incorrect username / passwd, Please re-enter”

    Thank you so much,

    Regards,
    Omasp

  2. group-search-filter = (&(objectClass=group)(member=%d)) —> get a stack trace when the LDAPRealm performs a “dynamic group search”.
    Glassfish issue 4769 – LDAPRealm (bound to ActiveDirectory) groupmembership error.

    Partial solution: Just search for a specific group (&(objectClass=group)(name=Guests)) in order to be logged in.

  3. Hey, thanks for that info.
    It has really proven to be helpful. I really enjoy reading easy articles leading straight to the point.

    Thanks a lot.

  4. Hi! Thanks, that’s very helpful.
    I’ve got one more question about groups, or rather OUs in AD.
    Could anybody help me understand how to make a filter query to
    find a particular – one – user from a known OU [Organizational Unit] in AD?
    I can’t make it work. Is this supposed to be in group-search-filter? I’ve tried ‘memberOf’ and some combinations I’ve found on Google.
    Also, as far as I understand, the sun-web.xml mapping defines which AD group will be permitted/authenticated. If I choose my OU, that means when I find a user from a different OU he won’t be authenticated – I would like it to work like this ;)

  5. Hello,

    I think you should replace your filter by :

    (&(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    Otherwise, users with a disabled account in AD will be able to log in.
