
Java Forum / General / November 2005


Authentication via LDAP Using Servlet Filter

peeping_t@hotmail.com - 09 Nov 2005 12:16 GMT
I've spent quite a few days now browsing the net and reading the
servlet specification, but I don't seem to get any wiser.

I've set up my SUN APP Server to authenticate via LDAP using predefined
roles, e.g. using this entry in sun-web.xml

<security-role-mapping>
 <role-name>SpecialUser_role</role-name>
 <group-name>cn=SpecialUser,o=GROUPS</group-name>
</security-role-mapping>
<security-role-mapping>
 <role-name>SomeGroup_role</role-name>
 <group-name>cn=SomeGroup,o=GROUPS</group-name>
</security-role-mapping>

I can protect my site from users that are not part of the SpecialUser
group in LDAP using the following in web.xml

<security-constraint>
 <web-resource-collection>
   <web-resource-name>Protected Area</web-resource-name>
   <!-- Define the context-relative URL(s) to be protected-->
   <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
   <!-- Anyone with one of the listed roles may access this area -->
   <role-name>SpecialUser_role</role-name>
 </auth-constraint>
</security-constraint>

The tricky bit is that I have a Filter servlet that I want to use to
protect the website's highly sensitive areas even from SpecialUsers.
So adding this to the web.xml
<filter-mapping>
 <filter-name>myAuthServletFilter</filter-name>
 <url-pattern>/TopSecret/*</url-pattern>
 <dispatcher>REQUEST</dispatcher>
</filter-mapping>
will make sure my filter gets called for all web pages that match
http://host/TopSecret/...
I've also made sure that the sensitive areas are all laid out like
this
http://host/TopSecret/[SpecialGroup]/somepage.html
The idea was to have code like this in my filter

import java.io.IOException; import javax.servlet.*; import javax.servlet.http.*;

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
  HttpServletRequest hreq = (HttpServletRequest) req;
  // context-relative path, e.g. /TopSecret/Manager/somepage.html
  String path = hreq.getServletPath() + (hreq.getPathInfo() == null ? "" : hreq.getPathInfo());
  // extract [SpecialGroup]: the path segment right after /TopSecret/
  String[] parts = path.split("/");   // "", "TopSecret", "Manager", "somepage.html"
  String role = parts.length > 2 ? parts[2] : "";
  if (hreq.isUserInRole(role)) {
     chain.doFilter(req, res);
  } else {
     ((HttpServletResponse) res).sendError(401);
  }
}

Now, I don't know what [SpecialGroup] will be. Someone might add a new
area to the website that only users part of the Manager group should be
able to access.
The address would then be http://host/TopSecret/Manager/somepage.html

Finally the $10.000 question is, what are the requirements for the role
in req.isUserInRole(role). Does it need to be a predefined role listed
in the sun-web.xml?
If I don't have a role mapping in sun-web.xml am I supposed to be able
to do something like
req.isUserInRole("cn=Manager,o=GROUPS") to see if the current user is
in the Manager role? (I haven't tried the
isUserInRole("cn=Manager,o=GROUPS") yet because I don't have access to
the ldap server)

Am I on the right track or do I need to communicate directly with the
LDAP server for this and forget about using isUserInRole?

Martin
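The filter sketched in the post above, written out as a complete Servlet 2.4 Filter. This is an added example, not Martin's code or anything from the Sun App Server; it assumes the page's URL layout (/TopSecret/[Group]/...) and the page's naming convention that a group "Manager" is mapped to a container role "Manager_role" in sun-web.xml, and it assumes each such role is also declared with a <security-role> element in web.xml so that isUserInRole can resolve it. The class name GroupAreaFilter and the helper extractGroup are invented for this example.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Maps /TopSecret/<Group>/... to a container role check.
 * Assumed layout (from the post): the first path segment after /TopSecret/ names the group.
 * Assumed convention (from sun-web.xml in the post): role name = group + "_role".
 */
public class GroupAreaFilter implements Filter {

    // Accept only a plain group name as the segment. An empty segment, "..", a DN such as
    // "cn=Manager,o=GROUPS" or anything with punctuation is rejected before it reaches isUserInRole.
    private static final Pattern AREA = Pattern.compile("^/TopSecret/([A-Za-z0-9_]+)(/.*)?$");

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    /** Group segment for a context-relative path, or null if the path does not follow the layout. */
    static String extractGroup(String path) {
        Matcher m = AREA.matcher(path);
        return m.matches() ? m.group(1) : null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        // servletPath + pathInfo gives the context-relative path for both "/*" and "/TopSecret/*" mappings.
        String path = hreq.getServletPath();
        if (hreq.getPathInfo() != null) {
            path += hreq.getPathInfo();
        }

        String group = extractGroup(path);
        // Fail closed: a path outside the expected layout, or no authenticated user, never reaches the page.
        if (group == null || hreq.getUserPrincipal() == null) {
            hres.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // isUserInRole takes a container role name (the <role-name> side of the sun-web.xml
        // mapping), not an LDAP DN. The "_role" suffix follows the page's own convention (assumed).
        String role = group + "_role";
        if (hreq.isUserInRole(role)) {
            chain.doFilter(req, res);
        } else {
            // 403 rather than 401: the user is authenticated, just not in the required group.
            hres.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Two points worth keeping in mind with this layout. First, the container's own <security-constraint> runs before any filter, so getUserPrincipal() is already set for /TopSecret/ requests when the outer constraint covers /*; the null check is only there to keep the filter safe if that constraint is ever narrowed. Second, the <filter-mapping> in the post lists only <dispatcher>REQUEST</dispatcher>, so a RequestDispatcher forward or include to a /TopSecret/ path from another servlet would not pass through this filter; if any such dispatch exists, add FORWARD and INCLUDE dispatcher elements to the mapping.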
iksrazal@terra.com.br - 09 Nov 2005 14:40 GMT
> I've spent quite a few days now browsing the net and reading the
> servlet specification, but I don't seem to get any wiser.

A rough way to authenticate with LDAP ;-) .

<snip>

> If I don't have a role mapping in sun-web.xml am I supposed to be able
> to do something like
[quoted text clipped - 7 lines]
>
> Martin

You don't have an LDAP server yet? Anyways, what you're showing here is
a sun-specific way to connect to LDAP, as opposed to a java
InitialDirContext way. You're probably more likely to find help and
docs with the latter.

Check out the forums at ldapguru as they might be a better place in this
case to ask questions.

iksrazal
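The reply above mentions the plain JNDI InitialDirContext route as the alternative to the container's role mapping; this added example (not from either poster, nor from any Sun App Server code) shows what a direct group-membership lookup looks like, for the case Martin raises at the end of his post where a group is not mapped in sun-web.xml. It assumes groups live directly under o=GROUPS (matching the DNs in the page's sun-web.xml) and list their members in a "member" attribute (groupOfNames; a groupOfUniqueNames directory would use uniqueMember instead), and that a read-only service account is available for the bind. The class name LdapGroupCheck and all connection settings are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Direct LDAP group-membership check with JNDI.
 * Assumed: groups are children of o=GROUPS and carry a "member" attribute holding user DNs.
 */
public final class LdapGroupCheck {
    private final String providerUrl;   // e.g. "ldaps://ldap.example.test:636" (placeholder)
    private final String bindDn;        // read-only service account used for lookups (placeholder)
    private final String bindPassword;

    public LdapGroupCheck(String providerUrl, String bindDn, String bindPassword) {
        this.providerUrl = providerUrl;
        this.bindDn = bindDn;
        this.bindPassword = bindPassword;
    }

    /** True if userDn is listed as a member of cn=<group>,o=GROUPS. */
    public boolean isMember(String userDn, String group) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE); // groups are direct children of o=GROUPS
            sc.setReturningAttributes(new String[0]);          // existence check only, no attributes needed

            // {0} and {1} are filter arguments, not string concatenation: the JNDI LDAP provider
            // escapes the characters ( ) * \ in them, so a group name or DN that originated in a
            // request URL cannot change the structure of the search filter.
            NamingEnumeration<SearchResult> hits = ctx.search("o=GROUPS",
                    "(&(cn={0})(member={1}))", new Object[] { group, userDn }, sc);
            try {
                return hits.hasMore();
            } finally {
                hits.close();
            }
        } finally {
            ctx.close();
        }
    }
}
```

Inside a filter this would be called as isMember(userDn, group) with the group segment taken from the URL. Note that getUserPrincipal().getName() only yields a DN if the realm is configured to expose it; with many realm setups it returns the uid, in which case the user's DN has to be resolved with a separate search first. Opening a new InitialDirContext per request is also expensive, so a production version would pool the connection and cache membership results for a short period.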
peeping_t@hotmail.com - 09 Nov 2005 20:25 GMT
I do have an LDAP server, the declarative security is working. It's the
programmatic stuff that's the problem.
As far as I can see I haven't shown anything about connecting to an
LDAP specific to SUN, besides using a sun-web.xml file.
The question is how these roles used in isUserInRole must be defined
for the container to authenticate using the Realm.

Martin


©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.