Use ldap-based authentication per a context

This article will be useful if you want to use a separated authentication system for each context with Apache Tomcat

Why?

Apache Tomcat’s manager application has its own security roles. If you define  configuration in server.xml ( after deleting “),  a Manager application deployed in a same host can’t use its own roles/users configuration.

If you can create roles with same names in a LDAP server  and add users to it, that’s a simple solution. But you have to request it to LDAP server manager if you don’t have rights.

This configuration help you to deploy an web application without requesting LDAP server configuration changes..

How to

  1. Create a META-INF/context.xml in a context’s application directory with default contents
    <?xml version="1.0" encoding="UTF-8"?>
    <Context antiResourceLocking="false" privileged="true" >
    
    </Context>
    
  2. Create  definition in  tag
    <Context antiResourceLocking="false" privileged="true" >
    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://192.168.0.12:3268" authentication="simple" referrals="follow" connectionName="CN=ad_user,CN=Users,DC=Apache,DC=NET" connectionPassword="xxxxxx" userSearch="(sAMAccountName={0})" userBase="dc=Apache,dc=NET" userSubtree="true" roleSearch="(cn={0})" roleName="cn" roleSubtree="true" roleBase="dc=Apache,dc=NET">
    </Realm>
    </Context>
    
  3. Add this xml code in web.xml
    <web-app>
       <!-- Other codes -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>opengrok.org</web-resource-name>
                <description></description>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>*</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.html</form-login-page>
            </form-login-config>
        </login-config>
        <security-role>
            <role-name>*</role-name>
        </security-role>
    </web-app>
    

    If you change <auth-method>‘s value to ‘BASIC’, you can remove <form-login-config> tag and use Browser’s default login dialog.

  4. Create login.html page
    <form action="j_security_check" method="POST">
    <table>
    <tbody>
    <tr>
    <td colspan="2">Login to the TVL's OpenGrok System</td>
    </tr>
    <tr>
    <td colspan="2">Use LGE AD account and password:</td>
    </tr>
    <tr>
    <td>Name:</td>
    <td><input name="j_username" type="text" /></td>
    </tr>
    <tr>
    <td>Password:</td>
    <td><input name="j_password" type="password" /></td>
    </tr>
    <tr>
    <td colspan="2"><input type="submit" value="Go" /></td>
    </tr>
    </tbody>
    </table>
    </form>
    
    
  5. Restart Tomcat or a context itself.

 

Advertisements