Java Tomcat LDAP authentication
Question
Since I'm running Java with Tomcat6 as servlet container I found it appropriate to use the Tomcat JNDIRealm feature so that LDAP users can log into my site without any additional efforts. The LDAP server I'm using is OpenLDAP on Ubuntu.
On top of this I have the login page using form-based authentication over an https connection.
I found two very good examples of authentication users via LDAP, here and here, that both achieve what I feel I almost achieved. Why almost achieved?
When I attempt to login with the wrong credentials I'm appropriately sent to the <form-error-page>, login-failed.html in my case.
When my credentials are good and I authenticate successfully I start getting a 403 for all urls in the site. And I cannot remove the 403 error (not even for the login page!) unless I restart Tomcat.
I suspect the reason is because I don't have roles in the realm or other config files set up correctly. For the sake of brevity I put the relevant config files excerpts on pastebin:
- Realm in Tomcat server.xml
- Relevant tomcat-users.xml part
- Relevant web.xml part
- Basic LDAP structure, dashes indicate tree structure
Note that Tomcat-based auth works perfectly since the role is easily attached to the user in the tomcat-users.xml. Therefore I believe it's a problem in getting the role for an authenticated user from LDAP once it has been successfully authenticated.
TL;DR
I have a config issue in connecting Tomcat to LDAP auth. User data fetched properly, but not the user's role. LDAP log messages available on request ;)
UPDATE: I pasted the LDAP data here.
Recommended answer
That is correct. Your LDAP roles aren't being found by the JNDIRealm. You need to test your role search string outside Tomcat to ensure it yields what you think it should yield. As you haven't provided any LDAP details it isn't possible to comment further.
Putting a security-permission on the entire site with /* is a mistake. You need to exclude the login page and probably also the front page and the forgot-password page, maybe more, from requiring a role.
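As an added illustration of the answer's advice (not code from the question, the answer, or Tomcat itself), this Python sketch mimics JNDIRealm's roleSearch step over a constructed in-memory directory: {0} expands to the authenticated user's DN and {1} to the username, so a filter written for the wrong group schema matches nothing and the user ends up authenticated but role-less, which is the 403 behaviour described above. The directory entries, DNs and role names are assumptions.

```python
import re

# Constructed sample directory (assumption: a typical OpenLDAP layout with a
# groupOfNames group and a posixGroup; not the asker's actual tree).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "cn": ["Alice"]},
    "cn=admin,ou=groups,dc=example,dc=com": {
        "cn": ["admin"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],  # groupOfNames: full DNs
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "cn": ["staff"],
        "memberUid": ["alice"],  # posixGroup: bare uids
    },
}

FILTER_RE = re.compile(r"^\((\w+)=([^)]*)\)$")


def expand_role_search(role_search, user_dn, username):
    """Substitute {0} (user DN) and {1} (username) as JNDIRealm's roleSearch does."""
    return role_search.replace("{0}", user_dn).replace("{1}", username)


def find_roles(directory, role_base, role_search, role_name, user_dn, username):
    """Return the role names JNDIRealm would assign. Only single-equality
    filters such as (member={0}) are modelled; roleSubtree is ignored."""
    match = FILTER_RE.match(expand_role_search(role_search, user_dn, username))
    if not match:
        raise ValueError("unsupported filter: " + role_search)
    attr, value = match.groups()
    roles = []
    for dn, entry in directory.items():
        if not dn.endswith("," + role_base):  # only entries beneath roleBase
            continue
        if value in entry.get(attr, []):
            roles.extend(entry.get(role_name, []))
    return roles


USER_DN = "uid=alice,ou=people,dc=example,dc=com"
ROLE_BASE = "ou=groups,dc=example,dc=com"


def groupofnames_roles():
    # member holds DNs, so {0} is the right placeholder -> ["admin"]
    return find_roles(DIRECTORY, ROLE_BASE, "(member={0})", "cn", USER_DN, "alice")


def posixgroup_roles_wrong():
    # memberUid holds uids; {0} expands to the DN and matches nothing -> []
    return find_roles(DIRECTORY, ROLE_BASE, "(memberUid={0})", "cn", USER_DN, "alice")


def posixgroup_roles_right():
    # {1} expands to the username, which is what memberUid stores -> ["staff"]
    return find_roles(DIRECTORY, ROLE_BASE, "(memberUid={1})", "cn", USER_DN, "alice")
```

Running the same expanded filter with ldapsearch against the real server, as the answer suggests, is the quickest way to confirm which placeholder your group schema needs.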