SmartGWT Project with JBoss AS authentication against an LDAP Server

One way to protect the resources of a SmartGWT project is to have JBoss AS authenticate users against an LDAP server. We have developed a SmartGWT project to demonstrate how the resources can be protected this way. The following software versions have been used:

JBoss AS version 7.0.1 and 6.1.0. The application server can be downloaded from here.

Apache Directory Server 1.5.7. The LDAP server can be downloaded from here.


On JBoss AS 6.1.0

To run the project, perform the following steps:

1.- Install the Apache Directory Server or, if you already have one installed, create a new partition. This partition will contain the new directory structure that our project will use.

Locate the server.xml configuration file in <APACHEDS_PATH>/instances/default/conf/ and add the following line:

<jdbmPartition id="isomorphic" suffix="dc=isomorphic,dc=com" optimizerEnabled="true" syncOnWrite="true" />

This has to be inside of the element:

<partitions>
</partitions>

Then restart the server. You can find more information about this here.

2.- Apache Directory Studio can be used to connect to our ApacheDS and load the new directory structure. Copy the complete content below into a file named isomorphic.ldif and import it.

version: 1

dn: dc=isomorphic,dc=com
objectClass: organization
objectClass: dcObject
objectClass: top
dc: isomorphic
o: ISOMORPHIC

dn: ou=People,dc=isomorphic,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Roles,dc=isomorphic,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Roles

dn: cn=Admin,ou=Roles,dc=isomorphic,dc=com
objectClass: groupOfNames
objectClass: top
cn: Admin
member: uid=admin,ou=People,dc=isomorphic,dc=com
member: uid=peter,ou=People,dc=isomorphic,dc=com
description: the admin group

dn: cn=Regular,ou=Roles,dc=isomorphic,dc=com
objectClass: groupOfNames
objectClass: top
cn: Regular
member: uid=joe,ou=People,dc=isomorphic,dc=com
description: the regular group

dn: uid=admin,ou=People,dc=isomorphic,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: Admin
sn: Admin
uid: admin
userPassword: admin

dn: uid=joe,ou=People,dc=isomorphic,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: Joe
sn: Joe
uid: joe
userPassword: joe

dn: uid=peter,ou=People,dc=isomorphic,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: Peter
sn: Peter
uid: peter
userPassword: peter

You should now have the directory structure above loaded into the isomorphic partition. Two remarks on the LDIF: a single colon after an attribute name introduces a literal value, whereas a double colon (::) introduces a base64-encoded value, so the userPassword lines must use a single colon for the plain passwords shown here. Also, these passwords are trivial and stored in cleartext; that is acceptable for a demonstration partition only.

3.- Next, set up JBoss AS to authenticate against the LDAP server. Locate the login-config.xml configuration file in <JBOSS_HOME>/server/default/conf/ and add the following lines:

<application-policy name="testLdap">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://localhost:10389/</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="principalDNPrefix">uid=</module-option>
                <module-option name="principalDNSuffix">,ou=People,dc=isomorphic,dc=com</module-option>
                <module-option name="rolesCtxDN">ou=Roles,dc=isomorphic,dc=com</module-option>
                <module-option name="uidAttributeID">member</module-option>
                <module-option name="matchOnUserDN">true</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
            </login-module>
        </authentication>
</application-policy>

Finally, restart the server. More information about JBoss Security can be found here. Note that java.naming.security.authentication=simple sends the user's password to the LDAP server in cleartext; with the ldap://localhost URL above that traffic stays on the local host, but against a remote directory the provider URL should use ldaps:// (or another TLS-protected connection) instead.
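To make the relationship between the login-module options above and the isomorphic.ldif entries from step 2 concrete, here is an offline simulation of what the module does with them. This is an added example, not code from the original project or from JBoss: the LDAP bind is replaced by a password comparison, the LDIF is embedded as a constructed sample (with peter's password base64-encoded to show the double-colon form), the rejection of DN metacharacters in the username is an added check, and the role lookup follows the option names (rolesCtxDN, uidAttributeID, matchOnUserDN, roleAttributeID) rather than the module's source.

```python
"""Offline simulation of the LdapLoginModule options used on this page, run
against the isomorphic.ldif entries. Added example; not part of the original
project or of JBoss. The bind is replaced by a password comparison (a real
server performs an LDAP bind as the constructed DN); the role lookup mirrors
rolesCtxDN / uidAttributeID / matchOnUserDN / roleAttributeID."""
import base64
from collections import defaultdict

# Constructed sample: the People and Roles entries from isomorphic.ldif.
# In LDIF a single colon introduces a literal value; a double colon (::)
# introduces a base64-encoded one, as shown for peter's password.
LDIF = """\
dn: cn=Admin,ou=Roles,dc=isomorphic,dc=com
objectClass: groupOfNames
cn: Admin
member: uid=admin,ou=People,dc=isomorphic,dc=com
member: uid=peter,ou=People,dc=isomorphic,dc=com

dn: cn=Regular,ou=Roles,dc=isomorphic,dc=com
objectClass: groupOfNames
cn: Regular
member: uid=joe,ou=People,dc=isomorphic,dc=com

dn: uid=admin,ou=People,dc=isomorphic,dc=com
objectClass: person
uid: admin
userPassword: admin

dn: uid=joe,ou=People,dc=isomorphic,dc=com
objectClass: person
uid: joe
userPassword: joe

dn: uid=peter,ou=People,dc=isomorphic,dc=com
objectClass: person
uid: peter
userPassword:: cGV0ZXI=
"""

# The module-options from the testLdap application policy on this page.
OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=People,dc=isomorphic,dc=com",
    "rolesCtxDN": "ou=Roles,dc=isomorphic,dc=com",
    "uidAttributeID": "member",
    "matchOnUserDN": True,
    "roleAttributeID": "cn",
}

def parse_ldif(text):
    """Parse LDIF into {dn: {attribute(lowercase): [values]}}.
    Handles continuation lines (leading space) and '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                 # blank line ends the entry
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # '::' -> base64-encoded value
            try:
                value = base64.b64decode(value[1:].strip(), validate=True).decode()
            except ValueError as err:      # e.g. the malformed 'userPassword:: admin'
                raise ValueError(f"{attr}:: value is not base64: {value[1:].strip()!r}") from err
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr.lower()].append(value)
    return entries

def user_dn(username, opts=OPTIONS):
    """principalDNPrefix + username + principalDNSuffix, as the module builds it.
    Added check: reject DN metacharacters so a username cannot reshape the DN."""
    if any(ch in username for ch in ',=+<>#;\\"'):
        raise ValueError("username contains DN special characters")
    return opts["principalDNPrefix"] + username + opts["principalDNSuffix"]

def authenticate(directory, username, password, opts=OPTIONS):
    """Return the sorted role names for a successful login, or None."""
    try:
        dn = user_dn(username, opts)
    except ValueError:
        return None
    entry = directory.get(dn)
    if entry is None or password not in entry.get("userpassword", []):
        return None                        # the bind would fail here
    # Role search: entries under rolesCtxDN whose uidAttributeID holds the
    # user DN (matchOnUserDN=true) contribute their roleAttributeID values.
    match = dn if opts["matchOnUserDN"] else username
    roles = []
    for role_dn, attrs in directory.items():
        if role_dn.endswith("," + opts["rolesCtxDN"]) and \
                match in attrs.get(opts["uidAttributeID"].lower(), []):
            roles.extend(attrs.get(opts["roleAttributeID"].lower(), []))
    return sorted(roles)

DIRECTORY = parse_ldif(LDIF)

if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("peter", "peter"), ("joe", "joe"), ("joe", "bad")]:
        print(user, "->", authenticate(DIRECTORY, user, pw))
```

Running it shows admin and peter resolving to the Admin role and joe to Regular, exactly the groupOfNames memberships in the LDIF; a wrong password or a username that does not exist under ou=People yields None, and a userPassword line written with a double colon but a non-base64 value is rejected by the parser instead of silently importing garbage.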

4.- Now that the server has been set up to use this authentication method, open the web.xml configuration file of the project, located in WEB-INF/, and add the following lines:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>User Auth</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>*</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Sample Application</web-resource-name>
        <url-pattern>*.html</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
 

There are two points to consider here:

1) The authentication method selected is FORM, and for that purpose we have two JSP files: login.jsp, which asks the user for credentials, and error.jsp, to which the user is redirected when authentication fails.

There is an example of a replacement login page with some attractive styling showing this in action here.

2) We protect the HTML files with a role-name of *, which only requires that the user has authenticated; for this project we are not assuming that specific roles are assigned to the users. Two caveats for a real deployment: listing <http-method> elements restricts the constraint to exactly those methods, so a HEAD or OPTIONS request for a .html file would not be challenged (omit the http-method elements to cover every method), and the *.html pattern does not cover the servlets the application calls for its data, which need their own url-pattern.
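The following added example (not part of the original project) makes the two caveats checkable: it parses a web.xml fragment and applies the Servlet-specification rules for url-pattern matching and for the effect of listing http-method elements, then reports which requests the constraint covers. The constraint as written on this page is compared with a hardened variant that drops the http-method list and adds a path-prefix pattern; the /app/* pattern, the /app/sc/IDACall request and the other request paths are constructed for the illustration and are not taken from the project.

```python
"""Audit which requests the web.xml security-constraint from this page covers.
Added example; not part of the original project. It applies the Servlet-spec
rules: a constraint that lists <http-method> elements applies only to those
methods; without them it applies to every method. url-pattern matching covers
exact paths, path prefixes (/x/*), extensions (*.html) and the default (/)."""
import xml.etree.ElementTree as ET

# The constraint as written on this page (only GET and POST to *.html).
WEB_XML_PAGE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sample Application</web-resource-name>
      <url-pattern>*.html</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened variant: no <http-method> list (so every verb is covered) and an
# extra pattern for the application's servlets. /app/* is an assumed path.
WEB_XML_HARDENED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sample Application</web-resource-name>
      <url-pattern>*.html</url-pattern>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern matching for one pattern against a request path."""
    if pattern.endswith("/*"):                      # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                    # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":                              # default mapping
        return True
    return pattern == path                          # exact mapping

def load_constraints(xml_text):
    """Return [(url_patterns, http_methods, has_auth_constraint), ...]."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        has_auth = sc.find("auth-constraint") is not None
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            out.append((patterns, methods, has_auth))
    return out

def is_protected(constraints, method, path):
    """True if an auth-constraint applies to this (method, path)."""
    for patterns, methods, has_auth in constraints:
        if not has_auth:
            continue
        if methods and method.upper() not in methods:
            continue                                # unlisted verb: not covered
        if any(pattern_matches(p, path) for p in patterns):
            return True
    return False

def audit(xml_text, requests):
    """Map each (method, path) to whether the descriptor protects it."""
    constraints = load_constraints(xml_text)
    return {(m, p): is_protected(constraints, m, p) for m, p in requests}

# Constructed requests: the HTML entry point, the same file via HEAD, the
# login page and an assumed data-servlet path such as SmartGWT's IDACall.
REQUESTS = [("GET", "/index.html"), ("POST", "/index.html"),
            ("HEAD", "/index.html"), ("GET", "/login.jsp"),
            ("POST", "/app/sc/IDACall")]

if __name__ == "__main__":
    for label, xml_text in [("page", WEB_XML_PAGE), ("hardened", WEB_XML_HARDENED)]:
        for req, ok in audit(xml_text, REQUESTS).items():
            print(label, *req, "protected" if ok else "NOT protected")
```

With the page's descriptor, GET and POST to /index.html are challenged but HEAD /index.html and the data-servlet request are not; with the hardened descriptor both are covered, while /login.jsp stays reachable in both cases, as the form login page must.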

5.- Create a new configuration file for the project named jboss-web.xml and place it in the WEB-INF/ directory. This new configuration file will contain:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
   <security-domain>java:/jaas/testLdap</security-domain>
</jboss-web>

Note.- testLdap is the name of the application policy we just added to the login-config.xml configuration file.

Now you can deploy and test the project.


On JBoss AS 7.0.1

The changes required with respect to version 6.1.0 are as follows:

Open the standalone.xml configuration file, located in <JBOSS_HOME>/standalone/configuration.

change:

<subsystem xmlns="urn:jboss:domain:ee:1.0" /> 

to:

<subsystem xmlns="urn:jboss:domain:ee:1.0" >
        <global-modules>
                <module name="sun.jdk" slot="main"/>
        </global-modules>
</subsystem>

and then add:

<security-domain name="testLdap">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389/"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="principalDNPrefix" value="uid="/>
            <module-option name="principalDNSuffix" value=",ou=People,dc=isomorphic,dc=com"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=isomorphic,dc=com"/>
            <module-option name="uidAttributeID" value="member"/>
            <module-option name="matchOnUserDN" value="true"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="false"/>
        </login-module>
    </authentication>
</security-domain>

into:

<subsystem xmlns="urn:jboss:domain:security:1.0">
    <security-domains>
    ......
    </security-domains>
</subsystem>

If you need to refer to or review this project, the complete source code can be found here.