JAAS with active directory authentication in a web application

This is a sample of using JAAS authentication with a Windows Active Directory server. I use the Sun Java System Application Server, so the steps may differ for other servers.

Step 1: Defining LDAP realm

In this example you must define an LDAP realm named «ads-realm» with the following parameters:

Realm class:



directory            = ldap://ads.host.name:389
base-dn              = DC=ads,DC=domain,DC=com
search-bind-dn       = user
search-bind-password = password
search-filter        = (&(objectClass=user)(sAMAccountName=%s))
group-search-filter  = (&(objectClass=group)(member=%d))
jaas-context         = ldapRealm

You must change directory, base-dn, search-bind-dn and search-bind-password to match your Active Directory configuration. The «search-bind-dn» and «search-bind-password» parameters are required because, with default settings, Active Directory does not allow anonymous users to browse the directory.
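The realm substitutes the submitted username for %s in search-filter and the user's DN for %d in group-search-filter. The following is an added example (not code from the post or from the application server) showing how those two filters are built when the substituted value is escaped per RFC 4515, so that a login name containing filter metacharacters cannot change the structure of the search. The sample usernames and DN are constructed; the filter templates are the ones from the realm definition above.

```python
# Added example (not from the original post): building the ads-realm search
# filters with the substituted value escaped per RFC 4515 section 3.

# Filter templates exactly as defined for the ads-realm above.
USER_SEARCH_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"
GROUP_SEARCH_FILTER = "(&(objectClass=group)(member=%d))"

# Characters that RFC 4515 requires to be written as \XX inside an
# assertion value. NUL is included because servers reject a raw NUL.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """The user search the realm sends, with %s replaced by the escaped name."""
    return USER_SEARCH_FILTER.replace("%s", escape_filter_value(username))


def group_filter(user_dn: str) -> str:
    """The group search, with %d replaced by the user's DN.

    A DN may legitimately contain parentheses or backslashes
    (e.g. CN=Smith (IT)), so it is escaped as a filter value as well.
    """
    return GROUP_SEARCH_FILTER.replace("%d", escape_filter_value(user_dn))


def naive_user_filter(username: str) -> str:
    """For comparison only: plain substitution with no escaping."""
    return USER_SEARCH_FILTER.replace("%s", username)


if __name__ == "__main__":
    # Constructed sample input: an ordinary login name and one that
    # contains filter metacharacters.
    for name in ("jdoe", "*)(objectClass=*"):
        print("unescaped:", naive_user_filter(name))
        print("escaped:  ", user_filter(name))
    print(group_filter("CN=Smith (IT),OU=Staff,DC=ads,DC=domain,DC=com"))
```

With escaping, the second sample name stays a single (non-matching) sAMAccountName assertion instead of becoming an extra objectClass clause. The account given in search-bind-dn only needs read access to the directory, so use a dedicated account with no other privileges for it.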

Step 2: Setting the following JVM switch for referrals

The following JVM switch is needed with active directory LDAP servers:


Add this switch to your server startup script or set it via the admin console.

Step 3a: Basic authentication

Add the following section to your web.xml, or go to Step 3b for form-based
authentication.


Step 3b: Form based authentication

Add the following section to your web.xml:


Create the page /login.html with at least the following code:

    <form action="j_security_check" method="post">
      Username: <input type="text" name="j_username"><br/>
      Password: <input type="password" name="j_password"><br/>
      <input type="submit" value="Login"/>
    </form>

Step 4: Adding security role to web.xml

Add at least one security role to your web.xml, in this example «userRole».


Step 5: Adding security constraint to web.xml

Now we must create a security constraint that names the path to the pages we want to allow only authenticated access to. In this sample, access to the folder /pages/ is restricted to authenticated users in the role «userRole».


Step 6: Create role mapping between active directory group and role

Role mappings are defined in sun-web.xml for the Sun Java System Application Server, so add the following section:


This maps the active directory group «users» to our role «userRole»,
so only users in the group «users» can access our secured folder.
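The descriptor sections that Steps 3b to 6 refer to, written out as one complete added example. This is not the post's own configuration: the error page /login-error.html and the CONFIDENTIAL transport guarantee are my additions, and the realm name, role name, group name and protected path are the ones used in the steps above.

```xml
<!-- web.xml (added example): form login against the ads-realm from Step 1,
     the userRole role from Step 4, and the constraint on /pages/ from Step 5 -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Step 3b: form-based login. For Step 3a use BASIC as auth-method and
       drop form-login-config. /login-error.html is an assumed page; the post
       only defines /login.html. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ads-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Step 4: the role the application refers to -->
  <security-role>
    <role-name>userRole</role-name>
  </security-role>

  <!-- Step 5: only authenticated users in userRole may reach /pages/ -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>userRole</role-name>
    </auth-constraint>
    <!-- Added here, not in the post: the login form posts j_password in
         clear text, so require TLS for the protected pages. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>

<!-- sun-web.xml (added example): Step 6, map the Active Directory group
     "users" to the role userRole -->
<sun-web-app>
  <security-role-mapping>
    <role-name>userRole</role-name>
    <group-name>users</group-name>
  </security-role-mapping>
</sun-web-app>
```

The group name in sun-web.xml must match the name returned by the realm's group-search-filter, which is the Active Directory group object matched by the member=%d clause.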


  1. omasp:

    Good afternoon Jaas,

    I would really appreciate if you can help me with the following:

    I am planning to design the intranet website for internal purpose of course.

    Where user need to authenticate their username/passwd with W2K3 Active directory.

    If user is authenticated on ADs then this will redirected to Intranet site else

    “Incorrect username / passwd, Please re-enter”

    Thank you so much,


  2. Felipe Campos Vega:

    group-search-filter = (&(objectClass=group)(member=%d)) —> get a stack trace when the LDAPRealm performs a “dynamic group search”.
    Glassfish issue 4769 – LDAPRealm (bound to ActiveDirectory) groupmembership error.

    Partial solution: Just search for a specific group (&(objectClass=group)(name=Guests)) in order to be logged in.

  3. Johnny:

    Hey thanks for that info
    It has really proven to be helpful. I really enjoy reading easy articles leading straight to the point.

    Thanks a lot.

  4. c____g:

    Hi! thanks, that’s very helpful
    I’ve got one more question about groups or rather OU in AD.
    Could anybody help me understand how to make a filter query to
    find particular – one – user from known OU [Organizational Unit] in AD ?
    I can’t make it to work. Is this supposed to be in group-search-filter, I’ve tried ‘memberOf’ and some combinations I’ve found in google.
    Also as far as I understand sun-web.xml mapping defines which AD group will be permitted/authenticated. If I choose my OU, that means when I’ll find a user from different OU he won’t be authenticated – I would like that to work like this ;)

  5. Raphael Tagliani:


    I think you should replace your filter by :


    Otherwise, users with a disabled account in AD will be able to log in.
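The point raised in the last comment, as an added example that is not part of the post or the comment: the filter in Step 1 matches on objectClass and sAMAccountName only, so an account that an administrator has disabled still satisfies it. Active Directory records the disabled state as bit 0x2 of the userAccountControl attribute, and a filter can test that bit with AD's bitwise-AND matching rule. The directory entries below are constructed; the attribute names, bit values and matching-rule OID are Active Directory's own.

```python
# Added example (not from the post or the commenter): the effect of adding a
# userAccountControl check to the login filter, emulated over constructed
# directory entries.

# Bits of the Active Directory userAccountControl attribute.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# OID of Active Directory's bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# The post's filter and the same filter extended with the disabled-account
# check. %s is substituted with the (escaped) username, as in Step 1.
ORIGINAL_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"
HARDENED_FILTER = (
    "(&(objectClass=user)(sAMAccountName=%s)"
    "(!(userAccountControl:" + BIT_AND_RULE + ":=" + str(ACCOUNTDISABLE) + ")))"
)


def is_disabled(entry: dict) -> bool:
    """What the bitwise-AND clause tests: is the ACCOUNTDISABLE bit set?"""
    return bool(int(entry["userAccountControl"]) & ACCOUNTDISABLE)


def matching_accounts(entries, username: str, exclude_disabled: bool):
    """Emulate the realm's user search over in-memory entries.

    Returns the DNs the directory would hand back for the login name.
    sAMAccountName is compared case-insensitively, as Active Directory does.
    """
    hits = []
    for entry in entries:
        if "user" not in entry["objectClass"]:
            continue
        if entry["sAMAccountName"].lower() != username.lower():
            continue
        if exclude_disabled and is_disabled(entry):
            continue
        hits.append(entry["dn"])
    return hits


# Constructed sample directory: an enabled user, a disabled user (512 | 2 = 514)
# and a group, which the objectClass=user clause already excludes.
SAMPLE_ENTRIES = [
    {"dn": "CN=jdoe,OU=Staff,DC=ads,DC=domain,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT},
    {"dn": "CN=leaver,OU=Staff,DC=ads,DC=domain,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": "leaver",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"dn": "CN=users,CN=Builtin,DC=ads,DC=domain,DC=com",
     "objectClass": ["top", "group"],
     "sAMAccountName": "users", "userAccountControl": 0},
]

if __name__ == "__main__":
    for name in ("jdoe", "leaver"):
        print(name, "original:", matching_accounts(SAMPLE_ENTRIES, name, False))
        print(name, "hardened:", matching_accounts(SAMPLE_ENTRIES, name, True))
    print(HARDENED_FILTER)
```

The disabled account is returned by the original search and therefore gets as far as the password check; with the userAccountControl clause it is not returned at all, which is the behaviour the comment asks for.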
