Mapping LDAP groups to roles in JBoss 5
Tags: ldap, seam, jboss5.x

I am trying to authenticate the users of the admin consoles (Admin, JMX, JBoss-Web and JBoss-WS) against the LDAP provider defined in conf/login-config.xml:

<application-policy name="LDAP">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldaps://ldap.company.com:636</module-option>
<module-option name="java.naming.security.protocol">ssl</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">uid=dummy,cn=users,cn=accounts,dc=company,dc=com</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">cn=accounts,dc=company,dc=com</module-option>
<module-option name="baseFilter">(&(objectClass=inetOrgPerson)(uid={0}))</module-option>
<module-option name="rolesCtxDN">cn=groups,cn=accounts,dc=company,dc=com</module-option>
<module-option name="roleAttributeID">dn</module-option>
<module-option name="roleFilter">(&(objectClass=posixgroup)(member={1}))</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchTimeLimit">-1</module-option>
</login-module>
<!-- This login-module is used only in one use case, see below for details
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
-->
</authentication>
</application-policy>
<category name="org.jboss.security.auth.spi">
<priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
</category>

I also set the DEBUG level for the org.jboss.seam components:

<category name="org.jboss.seam">
<priority value="DEBUG"/>
</category>

Something seems to be wrong with the authorization: I cannot access the admin console even though the user is authenticated correctly. I tried two different approaches:

1. Use the RoleMappingLoginModule to map the user to the JBossAdmin group (the role used by default):

$ grep JBossAdmin -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('JBossAdmin')}">
pages.xml: <rule if="#{s:hasRole('JBossAdmin')}">
pages.xml: <restrict>#{s:hasRole('JBossAdmin')}</restrict>
web.xml: <role-name>JBossAdmin</role-name>

<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>

The content of props/admin-console-roles.properties is:

someuser=JBossAdmin

As stated in the documentation, the syntax is username=role1,role2.

2. Replace JBossAdmin with a group from the LDAP structure, e.g. developers:

$ grep developers -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('developers')}">
pages.xml: <rule if="#{s:hasRole('developers')}">
pages.xml: <restrict>#{s:hasRole('developers')}</restrict>
web.xml: <role-name>developers</role-name>

When using the RoleMappingLoginModule, is it possible to use group names (instead of usernames) in the role.properties file?
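The lookup behind the options above, as an added example that is not part of the original post or of JBoss: a small Python model of the user search (baseFilter, {0} = username) followed by the role search (roleFilter under rolesCtxDN, {1} = user DN) over a constructed in-memory directory that mirrors the question's DNs. It assumes the module reads the attribute named by roleAttributeID from each matching group and, as in the LDAP data model, that an entry's DN is its name rather than one of its attributes, so it shows what roleAttributeID=cn and roleAttributeID=dn each yield for the same user.

```python
# Added illustration (not JBoss code): a model of the two-step lookup that
# LdapExtLoginModule performs with the options in the question. The
# directory below is constructed; the DNs mirror the question's layout.
import re

# DN -> attributes. As in the LDAP data model, the DN is the entry's name
# and is not stored as one of its attributes (assumption of this model).
DIRECTORY = {
    "uid=someuser,cn=users,cn=accounts,dc=company,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["someuser"]},
    "cn=developers,cn=groups,cn=accounts,dc=company,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["developers"],
        "member": ["uid=someuser,cn=users,cn=accounts,dc=company,dc=com"]},
    "cn=JBossAdmin,cn=groups,cn=accounts,dc=company,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["JBossAdmin"], "member": []},
}

BASE_CTX_DN = "cn=accounts,dc=company,dc=com"
BASE_FILTER = "(&(objectClass=inetOrgPerson)(uid={0}))"
ROLES_CTX_DN = "cn=groups,cn=accounts,dc=company,dc=com"
ROLE_FILTER = "(&(objectClass=posixgroup)(member={1}))"

def matches(attrs, ldap_filter):
    """Evaluate an AND-of-equalities filter such as (&(a=v)(b=w)) against one
    entry; names and values compare case-insensitively, as LDAP does."""
    lowered = {k.lower(): [v.lower() for v in vals] for k, vals in attrs.items()}
    pairs = re.findall(r"\(([^()=]+)=([^()]*)\)", ldap_filter)
    return all(val.lower() in lowered.get(name.lower(), []) for name, val in pairs)

def search(base_dn, ldap_filter):
    """SUBTREE_SCOPE search: every entry at or below base_dn that matches."""
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(attrs, ldap_filter)]

def roles_for(username, role_attribute_id):
    """Step 1: baseFilter with {0} = username yields the user DN.
    Step 2: roleFilter with {1} = that DN yields the groups; the value of
    roleAttributeID on each group becomes a role name. A real client must
    escape filter values; this in-memory model does not."""
    users = search(BASE_CTX_DN, BASE_FILTER.replace("{0}", username))
    if len(users) != 1:          # unknown or ambiguous user: no roles
        return []
    user_dn = users[0][0]
    roles = []
    for _dn, attrs in search(ROLES_CTX_DN, ROLE_FILTER.replace("{1}", user_dn)):
        roles.extend(attrs.get(role_attribute_id, []))
    return roles

def has_role(username, role, role_attribute_id="cn"):
    """The check that s:hasRole('developers') amounts to."""
    return role in roles_for(username, role_attribute_id)
```

Compare the model's output with the TRACE log of org.jboss.security.auth.spi from the real server, since the names the module reports there are what s:hasRole() is matched against.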