Implement LDAP authentication in Tomcat & JBoss server for Java app
- By Viral Patel on December 11, 2008
- J2EE, Java, Tutorial
In this article we will explore how to implement LDAP (Lightweight Directory Access Protocol) authentication in the Tomcat and JBoss servers.
First, let us briefly see what LDAP is.
Introduction to LDAP
Following is what Wikipedia has to say about LDAP:
The Lightweight Directory Access Protocol, or LDAP is an application protocol for querying and modifying directory services running over TCP/IP.
A directory is a set of objects with similar attributes organized in a logical and hierarchical manner. The most common example is the telephone directory, which consists of a series of names (either of persons or organizations) organized alphabetically, with each name having an address and phone number attached.
An LDAP directory tree often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain name system (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else that represents a given tree entry (or multiple entries).
Configurations in Tomcat Server
I assume you have installed the JDK and Tomcat server and have set a few environment variables such as CLASSPATH, PATH, JAVA_HOME, CATALINA_HOME etc.
The first step to implement LDAP authentication in Tomcat is to modify server.xml. Open server.xml from the conf directory of your Tomcat installation and add the following tag between <Host> and </Host>.
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://ldap.viralpatel.net:389/"
userPattern="{0}" />
Also comment out the entry for <Realm>:
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
debug="0"
resourceName="UserDatabase"/>
-->
Let us now see the different configuration parameters used in the above code.
- className: This is the fully qualified Java class name of this Realm implementation. The value “org.apache.catalina.realm.JNDIRealm” must be specified here.
- debug: This is the level of debugging detail logged by this Realm to the associated log file. Higher numbers generate more detailed output. If not specified, the default debugging detail level is zero (0).
- connectionURL: This is a URL whose format is defined by the JNDI provider. It is usually an LDAP URL that specifies the domain name of the directory server to connect to, and optionally the port number and distinguished name (DN) of the required root naming context. Often the distinguished name of the user’s entry contains the username presented for authentication but is otherwise the same for all users. In “ldap://ldap.viralpatel.net:389/”, “ldap” is the protocol, “ldap.viralpatel.net” is the LDAP directory server to connect to, and “389” is the port on that server.
- userPattern: This is used to specify the DN, with “{0}” marking where the username should be substituted.
The next step is to modify web.xml and add the security constraint information. Open web.xml from the WEB-INF directory of your J2EE project and add the following code:
<security-constraint>
<web-resource-collection>
<web-resource-name>Logging Area</web-resource-name>
<description>
Authentication for registered users.
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>*</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Please enter your Username</realm-name>
</login-config>
Note that in the above code we have mapped the URL pattern /*. If you want to require authentication only for a particular area of the website, such as an admin module, map that URL in the security-constraint instead:
<!-- restrict files under the folder "Admin" -->
<url-pattern>/Admin/*</url-pattern>
<!-- restrict the file OfficeDocIndex.jsp -->
<url-pattern>/OfficeDocIndex.jsp</url-pattern>
To fetch the user details in Java, add the following code to your JSP or Java file:
import java.security.Principal;
...
// The container attaches the authenticated principal to the request.
Principal principal = request.getUserPrincipal();
String userName = principal.getName();
...
Now, once you start Tomcat and visit your website, the following popup will be shown.

Configurations in JBoss Server
I assume you have installed the JDK and JBoss server and have set a few environment variables such as CLASSPATH, PATH, JAVA_HOME etc.
The first step to implement LDAP authentication in JBoss is to modify login-config.xml. Open login-config.xml from the conf directory of your JBoss installation and add the following tag.
<application-policy name="website-domain">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name = "debug">true</module-option>
<module-option name = "java.naming.factory.initial">
com.sun.jndi.ldap.LdapCtxFactory
</module-option>
<module-option name = "java.naming.provider.url">
ldap://ldap.viralpatel.net:389/</module-option>
</login-module>
</authentication>
</application-policy>
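Both the Tomcat JNDIRealm above and this LdapLoginModule authenticate a user the same way: substitute the username into the DN pattern and perform a simple LDAP bind as that DN with the supplied password. The following stand-alone client is an added example, not code from the article or from Tomcat/JBoss; it reproduces that bind step so the directory settings can be checked before wiring up the container. The class name LdapBindCheck, the server ldap.example.com and the DN pattern are placeholders.

```java
import java.text.MessageFormat;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.LdapName;

/** Hypothetical stand-alone client; reproduces the bind step the container realms perform. */
public class LdapBindCheck {

    /** Builds the bind DN as the Tomcat userPattern does: "{0}" is replaced by the
     *  username. With the article's pattern "{0}" the user must type the full DN in the
     *  login dialog; "uid={0},ou=people,dc=example,dc=com" lets them type only the uid.
     *  The result is parsed so a malformed value is rejected here, not sent to the server. */
    static String bindDn(String userPattern, String username) throws NamingException {
        String dn = MessageFormat.format(userPattern, username);
        new LdapName(dn);                      // throws InvalidNameException if not a DN
        return dn;
    }

    /** Returns true only when the directory accepts a simple bind as that DN. */
    static boolean authenticate(String url, String userPattern,
                                String username, String password) throws NamingException {
        // A DN with an empty password is an "unauthenticated bind" (RFC 4513); some
        // servers treat it as anonymous and succeed, so never send it to the directory.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);    // same value as connectionURL / java.naming.provider.url
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn(userPattern, username));
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close(); // bind succeeded
            return true;
        } catch (AuthenticationException e) {   // LDAP resultCode 49, invalidCredentials
            return false;
        }
    }

    /** Usage: java LdapBindCheck ldap://ldap.example.com:389/ "uid={0},ou=people,dc=example,dc=com" alice s3cret
     *  (placeholder server and DN pattern; substitute your own directory's values). */
    public static void main(String[] args) throws NamingException {
        System.out.println(authenticate(args[0], args[1], args[2], args[3])
                ? "bind succeeded" : "bind rejected");
    }
}
```

A CommunicationException from InitialDirContext means the URL or port is wrong rather than the credentials, which is the first thing to rule out when the container's login dialog keeps reappearing.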
The next step is to create jboss-web.xml. Create a file named jboss-web.xml with the following content and place it under the WEB-INF directory of your project.
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/website-domain</security-domain>
</jboss-web>
Note that website-domain is the security domain name we specified in the application-policy of login-config.xml.
Now open web.xml from the WEB-INF directory of your application and add the following code.
<security-constraint>
<web-resource-collection>
<web-resource-name>ADMIN</web-resource-name>
<description>An example security config that only allows users with the
role ADMIN to access the HTTP servlets
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Authentication require</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
To fetch the user details in Java, add the following code to your JSP or Java file:
import java.security.Principal;
...
// Get the principal from the request.
Principal principal = request.getUserPrincipal();
String userName = principal.getName();
// Deal with the userName obtained from the principal.
You can use request.getRemoteUser() instead.