Implement LDAP authentication in Tomcat & JBoss server for Java app

In this article we will explore how to implement LDAP (Lightweight Directory Access Protocol) authentication in the Tomcat and JBoss servers.

First, let us briefly see what LDAP is.

Introduction to LDAP

Following is what Wikipedia has to say about LDAP:

The Lightweight Directory Access Protocol, or LDAP is an application protocol for querying and modifying directory services running over TCP/IP.

A directory is a set of objects with similar attributes organized in a logical and hierarchical manner. The most common example is the telephone directory, which consists of a series of names (either of persons or organizations) organized alphabetically, with each name having an address and phone number attached.

An LDAP directory tree often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain name system (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else that represents a given tree entry (or multiple entries).

Configurations in Tomcat Server

I assume you have installed the JDK and Tomcat and have set the usual environment variables such as CLASSPATH, PATH, JAVA_HOME and CATALINA_HOME.

The first step in implementing LDAP authentication in Tomcat is to modify server.xml. Open server.xml from the conf directory of your Tomcat installation and add the following tag between <Host> and </Host>.

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ldap.viralpatel.net:389/"
       userPattern="{0}" />
 

Also comment out the existing <Realm> entry for the UserDatabaseRealm, so that it no longer answers authentication requests:

<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       debug="0"
       resourceName="UserDatabase"/>
-->

Let us now look at the configuration parameters used in the code above.

  • className: The fully qualified Java class name of this Realm implementation. The value "org.apache.catalina.realm.JNDIRealm" must be specified here.
  • debug: The level of debugging detail logged by this Realm to the associated log file. Higher numbers generate more detailed output; if not specified, the default level is zero (0). Tomcat 5.5 and later no longer honour this attribute (it is reported as an unknown property at startup) and take their logging configuration from logging.properties instead.
  • connectionURL: A URL whose format is defined by the JNDI provider. It is usually an LDAP URL naming the directory server to connect to and, optionally, the port number and the distinguished name (DN) of the root naming context. In "ldap://ldap.viralpatel.net:389/", "ldap" is the protocol, "ldap.viralpatel.net" is the LDAP directory server to connect to and "389" is the port the server listens on. Note that a plain ldap:// connection sends the user's password to the directory in cleartext when the realm binds; unless the directory sits on a protected network, use an ldaps:// URL (the usual port is 636) so the bind is protected by TLS.
  • userPattern: A pattern for the DN of the user's directory entry, with "{0}" marking where the username typed at the login prompt is substituted. With the value "{0}" used above, the whole typed value is taken as the DN, so a user would have to enter something like "uid=jack,ou=people,dc=example,dc=com" (a directory layout assumed here for illustration). To let users enter only their uid, put the rest of the DN in the pattern, for example "uid={0},ou=people,dc=example,dc=com". The realm then binds to the directory as that DN with the supplied password, and a successful bind is what authenticates the user.
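As an added example, not code from the original article, the following Python reimplements what the realm does with userPattern and with userSearch, the companion attribute that builds a search filter instead of a bind DN: it substitutes the name typed at the prompt into the pattern, applying the RFC 4514 (DN) and RFC 4515 (filter) escaping that keeps a crafted username from breaking out of the pattern. JBoss's LdapLoginModule does the same job with its principalDNPrefix and principalDNSuffix options (configured later on this page). The directory layout ou=people,dc=example,dc=com and the crafted usernames are assumptions made for this example; Tomcat itself is not involved, so the block runs offline.

```python
"""Added example, not code from the original article: how an LDAP realm
turns the name typed into the Basic-auth prompt into the DN it binds
with, and why that substitution has to escape the username.

Tomcat's JNDIRealm does this with userPattern (bind DN) and userSearch
(search filter); JBoss's LdapLoginModule does it with
principalDNPrefix/principalDNSuffix. Neither is used here: the
substitution is re-implemented in plain Python so it runs offline. The
directory layout (ou=people,dc=example,dc=com) is an assumption.
"""

# RFC 4514 section 2.4: characters that need a backslash inside a DN
# attribute value.
_DN_SPECIAL = {',': '\\,', '+': '\\+', '"': '\\"', '\\': '\\\\',
               '<': '\\<', '>': '\\>', ';': '\\;', '=': '\\='}


def escape_dn_value(value: str) -> str:
    """Escape a string so it stays a single attribute value in a DN."""
    s = ''.join('\\00' if ch == '\x00' else _DN_SPECIAL.get(ch, ch)
                for ch in value)
    # A trailing space, and a leading space or '#', must also be escaped.
    if value.endswith(' '):
        s = s[:-1] + '\\ '
    if value.startswith((' ', '#')) and not s.startswith('\\'):
        s = '\\' + s
    return s


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape filter metacharacters as \\XX hex."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)


def bind_dn(user_pattern: str, username: str) -> str:
    """Build the DN the realm binds with, JNDIRealm userPattern style.

    A pattern that is only "{0}" (as in the article's server.xml) takes
    the whole typed value as the DN: the user is typing a DN, not a
    username, so there is no surrounding structure to protect."""
    if user_pattern.strip() == '{0}':
        return username
    return user_pattern.replace('{0}', escape_dn_value(username))


def naive_bind_dn(user_pattern: str, username: str) -> str:
    """The same substitution without escaping, for comparison."""
    return user_pattern.replace('{0}', username)


def search_filter(user_search: str, username: str) -> str:
    """Build the filter a userSearch would send, with escaping."""
    return user_search.replace('{0}', escape_filter_value(username))


if __name__ == '__main__':
    pattern = 'uid={0},ou=people,dc=example,dc=com'
    # A "username" crafted to point the bind at a different subtree.
    crafted = 'jdoe,ou=admins'
    print('naive  :', naive_bind_dn(pattern, crafted))
    print('escaped:', bind_dn(pattern, crafted))
    print('filter :', search_filter('(uid={0})', 'jdoe)(uid=*'))
```

Running the block prints the naive and escaped DNs side by side: without escaping, the "username" jdoe,ou=admins yields a syntactically valid DN under a different subtree, and the bind result then depends on whatever entry sits there; with escaping it stays one RDN value under ou=people. Whether a given Tomcat or JBoss release applies this escaping on its own varies between versions, so check the release you deploy rather than assume it.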

The next step is to modify web.xml and add the security constraint information. Open web.xml from the WEB-INF directory of your J2EE project and add the following code to it:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Logging Area</web-resource-name>
        <description>
            Authentication for registered users.
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>*</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Please enter your Username</realm-name>
</login-config>

Note that the code above maps the URL pattern /*, so every resource in the application requires authentication. To require authentication only for a particular area of the site, such as an admin module, map that URL in the security-constraint instead:

<!-- restrict the files under the folder "Admin" -->
<url-pattern>/Admin/*</url-pattern>

<!-- restrict the single file OfficeDocIndex.jsp -->
<url-pattern>/OfficeDocIndex.jsp</url-pattern>

Two points about the constraint as written. Listing GET and POST in http-method elements limits the constraint to those two methods only; a request that uses HEAD, PUT, DELETE or any other method is not covered and reaches the resource without authentication. Unless you really need per-method rules, omit the http-method elements so the constraint applies to every method. Second, BASIC authentication sends the username and password base64-encoded (not encrypted) with every request, so the application should be reachable only over HTTPS; adding a user-data-constraint with transport-guarantee CONFIDENTIAL to the security-constraint makes Tomcat redirect plain-HTTP requests to its TLS port.

To fetch the authenticated user's details in Java, add the following to your JSP or servlet:

import java.security.Principal;
...
// The principal is set only once the container has authenticated the
// request; on an unprotected URL getUserPrincipal() returns null.
Principal principal = request.getUserPrincipal();
String userName = (principal != null) ? principal.getName() : null;
...

Now, when you start Tomcat and visit your website, the browser shows the following login prompt.

[Screenshot: browser Basic-authentication popup for the Tomcat-hosted site]

Configurations in JBoss Server

I assume you have installed the JDK and JBoss and have set the usual environment variables such as CLASSPATH, PATH and JAVA_HOME.

The first step in implementing LDAP authentication in JBoss is to modify login-config.xml. Open login-config.xml from the conf directory of your JBoss installation and add the following application-policy. This layout applies to JBoss AS 4, 5 and 6; JBoss AS 7 and later have no login-config.xml and define security domains in the security subsystem of standalone.xml (or domain.xml) instead.

As written, the module has no principalDNPrefix or principalDNSuffix options, so it binds to the directory with whatever the user typed as the full DN, exactly like userPattern="{0}" in the Tomcat realm above. To let users log in with a plain uid, set principalDNPrefix to "uid=" and principalDNSuffix to the rest of the DN (for example ",ou=people,dc=example,dc=com", a layout assumed here). Roles are only read from the directory when rolesCtxDN and the related role options are configured. The same caveat as for Tomcat applies to the provider URL: ldap:// on port 389 sends the password to the directory in cleartext, so prefer ldaps://.

<application-policy name="website-domain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <module-option name="debug">true</module-option>
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://ldap.viralpatel.net:389/</module-option>
        </login-module>
    </authentication>
</application-policy>

The next step is to create jboss-web.xml. Create the file with the following content and place it under the WEB-INF directory of your project.

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
   <security-domain>java:/jaas/website-domain</security-domain>
</jboss-web>

Note that website-domain is the name of the security domain we specified in the application-policy of login-config.xml; the java:/jaas/ prefix is the JNDI location under which JBoss exposes it.

Now open web.xml from the WEB-INF directory of your application and add the following code to it.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>ADMIN</web-resource-name>
        <description>An example security config that requires any
            authenticated user (role *) to access the HTTP servlets
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Authentication required</realm-name>
</login-config>
<security-role>
    <role-name>*</role-name>
</security-role>
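The web.xml above and the Tomcat one earlier share the same settings a reviewer would flag, and the server.xml Realm adds one more, so here is a single added example (not part of the original article) that serves both sections: a small Python check that reads a deployment descriptor and a Realm element and reports BASIC login without transport-guarantee CONFIDENTIAL, the * role, an http-method list that leaves other methods unconstrained, and a cleartext ldap:// connection URL. The weak samples are the page's own fragments wrapped in a root element; the hardened samples are assumptions made for the example (the ldaps:// port, the ou=people and ou=groups subtrees, the values of the roleBase/roleName/roleSearch attributes and the ldap-users role). The hardened web.xml names a real role, which only works once the Realm, or the JBoss login module, is configured to return roles from the directory.

```python
"""Added example, not part of the original article: an offline review of
the web.xml and server.xml fragments used on this page, flagging the
settings a reviewer would want changed before the container faces a
network. The descriptors below are constructed for the example; the
element and attribute names are the standard Servlet and Tomcat ones,
while the hardened values (ldaps:// on 636, the ou=people and ou=groups
subtrees, the ldap-users role) are assumptions."""

import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit('}', 1)[-1]


def _texts(elem, name):
    """Text of every element called name under elem (elem included)."""
    return [e.text.strip() for e in elem.iter()
            if _local(e.tag) == name and e.text]


def audit_web_xml(xml_text):
    """One finding per weak setting in a web.xml deployment descriptor."""
    root = ET.fromstring(xml_text)
    findings = []
    methods = _texts(root, 'auth-method')
    for sc in (e for e in root.iter() if _local(e.tag) == 'security-constraint'):
        name = (_texts(sc, 'web-resource-name') or ['?'])[0]
        if methods and 'CONFIDENTIAL' not in _texts(sc, 'transport-guarantee'):
            findings.append(f"{name}: {'/'.join(methods)} login without "
                            "transport-guarantee CONFIDENTIAL; credentials "
                            "can travel over plain HTTP")
        if '*' in _texts(sc, 'role-name'):
            findings.append(f"{name}: auth-constraint role '*' admits every "
                            "user the directory can authenticate")
        listed = _texts(sc, 'http-method')
        if listed:
            findings.append(f"{name}: constraint covers only {', '.join(listed)}; "
                            "other HTTP methods reach the resource unauthenticated")
    return findings


def audit_realm(xml_text):
    """Findings for a Tomcat <Realm> element taken from server.xml."""
    findings = []
    for realm in (e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == 'Realm'):
        url = realm.get('connectionURL', '')
        if url.lower().startswith('ldap://'):
            findings.append(f"connectionURL {url}: the user's password is sent "
                            "to the directory in cleartext; use ldaps://")
        if realm.get('userPattern', '').strip() == '{0}':
            findings.append("userPattern is just {0}: users must type their "
                            "full DN at the login prompt")
    return findings


# Constructed samples: the article's fragments, and hardened versions.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Logging Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Logging Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ldap-users</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>ldap-users</role-name></security-role>
</web-app>"""

WEAK_REALM = ('<Realm className="org.apache.catalina.realm.JNDIRealm" '
              'connectionURL="ldap://ldap.viralpatel.net:389/" userPattern="{0}" />')

HARDENED_REALM = ('<Realm className="org.apache.catalina.realm.JNDIRealm" '
                  'connectionURL="ldaps://ldap.viralpatel.net:636/" '
                  'userPattern="uid={0},ou=people,dc=example,dc=com" '
                  'roleBase="ou=groups,dc=example,dc=com" roleName="cn" '
                  'roleSearch="(member={0})" />')

if __name__ == '__main__':
    for label, found in (('weak web.xml', audit_web_xml(WEAK_WEB_XML)),
                         ('hardened web.xml', audit_web_xml(HARDENED_WEB_XML)),
                         ('weak Realm', audit_realm(WEAK_REALM)),
                         ('hardened Realm', audit_realm(HARDENED_REALM))):
        print(label, found or ['no findings'])
```

The namespace stripping matters because a real web.xml declares the javaee namespace, which turns every tag into {namespace}name for ElementTree; the page's fragments have no namespace and parse the same way. In roleSearch, {0} stands for the authenticated user's DN, which is what a groupOfNames member attribute holds.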

To fetch the authenticated user's details in Java, add the following to your JSP or servlet:

import java.security.Principal;

// Get the principal from the request; it is null when the container
// did not authenticate the request (for example on an unprotected URL).
Principal principal = request.getUserPrincipal();
String userName = (principal != null) ? principal.getName() : null;

// deal with the userName obtained from the principal.


19 Comments

  • bob 27 July, 2009, 1:55

    So interesting! I couldn’t even guess it might be so exciting!

  • Aditya 6 January, 2010, 21:30

    You can use request.getRemoteUser() instead.

  • guga 7 May, 2010, 20:52

    Hi,

    One question: what should be the LDAP “structure” for the logins to succeed?

    I mean, how can I tell what DN to use, how to find users, and where are the roles defined in LDAP?

    I can have for example a DN like this:
    uid=jack, ou=people, dc=example, dc=com

    So the user will have attributes in LDAP, the password for example, and the roles … where in LDAP will I define user roles so that JBoss will pick them from the correct attribute?

    Thanks

  • Naveen 30 September, 2010, 0:15

    Hi Viral,

    Thanks for such a wonderful site.
    I tried to implement this, but I had no success.
    The authentication window pops up, but when I give the uid and pwd it does not accept it.
    After 3 attempts I get a 404 error.

    1. I updated server.xml
    2. Updated web.xml
    3. Added jars to the commons/lib directory too.

    Thanks,
    Naveen.

  • dhaval0129 18 March, 2011, 11:25

    Hi

    This tutorial is incomplete and does not help.

    • Marco 7 July, 2014, 19:27

      Why is it incomplete? What is missing? Please give us details.

  • rd 17 October, 2011, 22:30

    Viral,

    Is the info for implementing LDAP still valid for JBoss AS 7?

  • sanz 28 September, 2012, 12:38

    @rd I did not find any login-config.xml in JBoss 7. So I am not sure if this tutorial is applicable for AS 7.

  • murali 8 March, 2013, 15:50

    Hi, I am trying to integrate Jackrabbit with JBoss. If you have any idea, just post it, and mail me also. And I forgot to tell you something: your posts are very helpful to me in time of need.

  • RahamaTullah 29 March, 2013, 12:48

    I am new to LDAP. Please explain to me in detail how roles are defined in this concept. And do we have to use only JBoss, or can other servers be used? Please answer this.

  • Tilak 24 May, 2013, 14:06

    Hi Viral,

    I have implemented the same in Apache successfully, and tested it too. But how can the same be done for WebSphere 7?

    Can you please tell us in detail?

    Thanks !!!

    • khaleed 14 June, 2013, 12:35

      Hi Tilak,

      Can you please mail me the procedure for how you implemented the above code in Apache successfully?

      Waiting for your reply.

      T&R,
      Khaleed K

  • khaleed 14 June, 2013, 12:39

    Hi Viral,

    I am new to LDAP can you please mail me the steps for the implementation of LDAP.

    Thanks & Regards,
    Khaleed K

  • ram 26 June, 2013, 15:19

    Hi Viral,

    I am new to LDAP can you please mail me the steps for the implementation of LDAP.

    Thanks & Regards,
    Ram.

  • brijesh 28 September, 2013, 14:54

    Not working in Eclipse. The popup error is: "A username and password are being requested by http://localhost:8080. The site says: “Please enter your Username”"

  • brijesh 28 September, 2013, 15:07
     
    import java.security.Principal;
    
    import javax.servlet.http.HttpServletRequest;
    
    import org.apache.struts2.interceptor.ServletRequestAware;
    public class DemoLDAP implements ServletRequestAware{
    	private static HttpServletRequest request;
    	/* (non-Javadoc)
    	 * @see org.apache.struts2.interceptor.ServletRequestAware#setServletRequest(javax.servlet.http.HttpServletRequest)
    	 */
    	public void setServletRequest(HttpServletRequest httpServletRequest) {
    		 this.request = httpServletRequest;
    	} 
    	public static void main(String args[]){
    		Principal principal = request.getUserPrincipal();
    		String userName = principal.getName();
    		System.out.println("userName:::"+userName);
    	}
    }
    

    But this is not working.

  • komeiming 11 November, 2013, 9:32

    Hi Viral,
    Could you email me a Java demo of the JBoss server configuration? Great thanks.

  • nitesh 23 July, 2014, 7:53

    hi Viral
    I want to implement an LDAP auth feature in my application, which is deployed on Tomcat.
    Can I use the Netscape plugin (if it is available for Tomcat)?
    Can you please help me with that?

  • Praveen 25 July, 2014, 20:37

    Hi Viral,
    Firstly thanks for the blog and the Post.
    It would have been good if you had specified the JBoss and Tomcat versions.
    This is because:
    1) In JBoss 7.1.1 Final, login-config.xml does not exist.
    2) The JBoss directory naming structure is different.

    Thanks
    Praveen
