This is a sample to use JAAS authentication with a windows active directory server. I use a Sun Java System Application Server, so the steps with other servers could be different.
Step 1: Defining LDAP realm
In this example you must define a LDAP realm named «ads-realm» with the following parameters:
Realm class:
com.sun.enterprise.security.auth.realm.ldap.LDAPReam
Properties:
directory = ldap://ads.host.name:389
base-dn = DC=ads,DC=domain,DC=com
search-bind-dn = user
search-bind-password = password
search-filter = (&(objectClass=user)(sAMAccountName=%s))
group-search-filter = (&(objectClass=group)(member=%d))
jaas-context = ldapRealm
You must change directory, base-dn, search-bind-dn and search-bind-password to your active directory configuration. The «search-bind-dn» and «search-bind-password» parameters are needed, because with default settings active directory doesn’t allow anonymous users to browse the directory.
Step 2: Setting the following JVM Switch for refferals
The following JVM switch is needed with active directory LDAP servers:
-Djava.naming.referral=follow
Add this switch to your server startup script or with the admin console.
Step 3a: Basic authentication
Add the following section to your web.xml or go to Step 3b for form
based authentication.
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ads-realm</realm-name>
</login-config>
Step 3b: Form based authentication
Add the following section to your web.xml:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ads-realm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login.html</form-error-page>
</form-login-config>
</login-config>
Create the page /login.html with a least the following code:
<html>
<head/>
<body>
<form action="j_security_check" method="post">
Username: <input type="text" name="j_username"><br/>
Password: <input type="password" name="j_password"><br/>
<input type="submit" value="Login"/>
</form>
</body>
</html>
Step 4: Adding security role to web.xml
Add at least one security role to your web.xml, in this example «userRole».
<security-role>
<role-name>userRole</role-name>
</security-role>
Step 5: Adding security constraint to web.xml
Now we must create a security constraint and the path to the pages we want to allow only authenticated access. In this sample the access to the folder /pages/ is resticted to authenticated users in role «userRole».
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-colletion>
<web-resource-name>SecuredFolder</web-resource-name>
<url-pattern>/pages/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>userRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
Step 6: Create role mapping between active directory group and role
Role mappings are defined in sun-web.xml for the Sun Java System Application Server, so add the following section:
<security-role-mapping>
<role-name>userRole</role-name>
<group-name>users</group-name>
</security-role-mapping>
This maps the active directory group «users» to our role «userRole»,
so only users in the group «users» can access our secured folder.