Java Tomcat LDAP authentication

2022-01-17 00:00:00 ldap openldap java tomcat tomcat6

Since I'm running Java with Tomcat6 as the servlet container, I found it appropriate to use the Tomcat JNDIRealm feature so that LDAP users can log into my site without any additional effort. The LDAP server I'm using is OpenLDAP on Ubuntu.

On top of this I have the login page using form-based authentication over an https connection.

I found two very good examples of authenticating users via LDAP, here and here, that both achieve what I feel I almost achieved. Why almost achieved?

When I attempt to log in with the wrong credentials, I'm appropriately sent to the <form-error-page>, login-failed.html in my case.

When my credentials are good and I authenticate successfully, I start getting a 403 for all URLs in the site. And I cannot get rid of the 403 error (not even for the login page!) unless I restart Tomcat.

I suspect the reason is that I don't have the roles in the realm or the other config files set up correctly. For the sake of brevity I put the relevant config file excerpts on pastebin:

  • Realm in Tomcat server.xml
  • Relevant tomcat-users.xml part
  • Relevant web.xml part
  • Basic LDAP structure, dashes indicate tree structure

Note that Tomcat-based auth works perfectly, since the role is easily attached to the user in tomcat-users.xml. Therefore I believe it's a problem in getting the role for an authenticated user from LDAP once that user has been successfully authenticated.

TL/DR

I have a config issue in connecting Tomcat to LDAP auth. User data is fetched properly, but not the user's role. LDAP log messages available on request ;)

UPDATE: I pasted the LDAP data here.

Accepted answer

That is correct. Your LDAP roles aren't being found by the JNDIRealm. You need to test your role search string outside Tomcat to ensure it yields what you think it should yield. As you haven't provided any LDAP details, it isn't possible to comment further.

Putting a security constraint on the entire site with /* is a mistake. You need to exclude the login page, and probably also the front page and the forgot-password page, maybe more, from requiring a role.
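The two points in the answer, shown as an added configuration example that is not the poster's pastebin config: a JNDIRealm with an explicit role search (the `dc=example,dc=com` base DNs, the `ldap-users` group and the `ou=groups` layout are assumptions), followed by a web.xml excerpt where a second `<security-constraint>` without an `<auth-constraint>` lifts the role requirement from the login, error and front pages.

```xml
<!-- server.xml (inside <Host>): user lookup plus a role search that must match
     the LDAP layout. Role names come from the "cn" of every group whose
     "member" attribute holds the authenticated user's DN ({0}). Assumed DNs. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"/>
<!-- For posixGroup entries use roleSearch="(memberUid={1})" instead: {1} is
     the bare username rather than the user's DN. -->

<!-- web.xml: the /* constraint stays, but the pages a user needs before
     authenticating are carved out by a constraint with no <auth-constraint>. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole site</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ldap-users</role-name>   <!-- assumed group cn in LDAP -->
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public pages</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    <url-pattern>/login.html</url-pattern>
    <url-pattern>/login-failed.html</url-pattern>
  </web-resource-collection>
  <!-- no <auth-constraint>: no role required for these exact paths -->
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-failed.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>ldap-users</role-name>
</security-role>
```

Before touching Tomcat, run the same filter with `ldapsearch` against the assumed role base and confirm it returns the group entry for your user's DN; an empty result there is exactly the "user found, no roles" symptom that produces the 403.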
