Level: Intermediate Krishnakumar Balachandar (krishnakumarb@in.ibm.com), Software Engineer, WebSphere Application Server Community Edition Support Team, IBM
26 Apr 2006. Learn how to implement user authentication and authorization for WebSphere® Application Server Community Edition, using IBM® Tivoli® Directory Server to configure an LDAP realm.
Introduction
IBM WebSphere Application Server Community Edition is a Java® 2 Platform, Enterprise Edition (J2EE) application server based on Apache Geronimo. This article tells you how to use IBM Tivoli Directory Server V6.0 (hereafter called Directory Server) with IBM WebSphere Application Server Community Edition 1.0.1 (hereafter called Community Edition) for user authentication and authorization. It is intended for J2EE application developers who want to configure an LDAP realm backed by Directory Server for applications deployed in Community Edition.
Application servers store credentials in a repository based on files, a database, LDAP or other custom registries. LDAP repositories can store static information related to users and can be used across the enterprise by all applications. This article shows how to use Directory Server to configure an LDAP realm in Community Edition. We will also deploy a sample application that uses LDAP entries in Directory Server.
Before you continue: This article was written for WebSphere Application Server Community Edition V1.0.1, which was the current version at the time the article was published. Some of the information in this article may not be applicable to later versions. To follow along with this article, be sure to use the product version on which this article is based. If you wish, you can download the current version of WebSphere Application Server Community Edition, or you can download an earlier version by visiting the product archive page.
About LDAP Records
You can use LDAP to store user information like IDs, addresses, telephone numbers, roles and passwords. The data is organized in a tree structure starting from the root of the hierarchy. Listing 1 shows a sample LDAP user record.
Listing 1. Sample LDAP user record
dn: uid=guest1,ou=people,dc=ibm,dc=com
objectclass: ePerson
objectclass: inetOrgPerson
cn: guest1
sn: guest1
displayName: Guest
uid: guest1
userpassword: welcome
ou: people
The record in Listing 1 is for a user called Guest1, whose user ID (uid) is guest1 and whose password is welcome. The uid attribute must carry the same value as the uid in the entry's DN, because the RDN attribute value is part of the entry. An LDAP record of type ePerson (an IBM Directory Server object class) can also hold other user information such as address and telephone number. Note that userpassword appears in clear text in the LDIF file, so protect the file and remove it once the entries have been imported.
You can group the users in an LDAP tree by role. For example, you can put every user with administration rights in a group named admin. Listing 2 shows a group, users, whose members are user1 and user2.
Listing 2. Users grouped by role
dn: cn=users,ou=groups,dc=ibm,dc=com
objectClass: groupOfUniqueNames
cn: users
uniqueMember: uid=user1,ou=people,dc=ibm,dc=com
uniqueMember: uid=user2,ou=people,dc=ibm,dc=com
A groupOfUniqueNames entry carries one uniqueMember value per member, and each value is the full DN of the member's own entry under ou=people, not a name under ou=groups. The realm later finds a user's roles by searching for groups whose uniqueMember equals the user's DN, so any other form of member reference will not match. Building on these two kinds of entry, you can create as complex a structure of users and groups as you need, store it in an LDIF file, and load it into any LDAP server. The sample application used in this article contains an LDIF file with the LDAP structure shown in Figure 1.
Figure 1. LDAP structure
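The directory layout the sample expects, written out here as an added LDIF file; it is not the LDIF shipped in the sample zip, whose contents the article shows only as Figure 1. It assumes the suffix dc=ibm,dc=com from Listing 3, the user IDs user1, user2 and guest1, and the groups admin, users and guest named in the plans. Which user belongs to the admin group is an assumption (the article maps the group but never lists its members), and every password is a placeholder. Each group lists one uniqueMember line per member, and every member value is a DN under ou=people, which is what a role search on uniqueMember needs in order to match.

```ldif
# Suffix entry (created after idscfgsuf -s dc=ibm,dc=com) and the two containers.
dn: dc=ibm,dc=com
objectclass: domain
dc: ibm

dn: ou=people,dc=ibm,dc=com
objectclass: organizationalUnit
ou: people

dn: ou=groups,dc=ibm,dc=com
objectclass: organizationalUnit
ou: groups

# Users. Passwords are placeholders; the file holds them in clear text,
# so protect it and delete it after the import.
dn: uid=user1,ou=people,dc=ibm,dc=com
objectclass: inetOrgPerson
cn: user1
sn: user1
uid: user1
userpassword: changeit1

dn: uid=user2,ou=people,dc=ibm,dc=com
objectclass: inetOrgPerson
cn: user2
sn: user2
uid: user2
userpassword: changeit2

dn: uid=guest1,ou=people,dc=ibm,dc=com
objectclass: inetOrgPerson
cn: guest1
sn: guest1
displayName: Guest
uid: guest1
userpassword: welcome

# Groups. One uniqueMember value per member, each the member's full DN.
# admin membership of user1 is an assumption made for this example.
dn: cn=admin,ou=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
cn: admin
uniqueMember: uid=user1,ou=people,dc=ibm,dc=com

dn: cn=users,ou=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
cn: users
uniqueMember: uid=user1,ou=people,dc=ibm,dc=com
uniqueMember: uid=user2,ou=people,dc=ibm,dc=com

dn: cn=guest,ou=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
cn: guest
uniqueMember: uid=guest1,ou=people,dc=ibm,dc=com
```

Load it with the ldapadd command from Listing 3. The entries must be added in the order shown, parents before children, because the server rejects an entry whose parent does not yet exist.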
Configuring Tivoli Directory Server
In this section we'll configure Tivoli Directory Server.
You can install Tivoli Directory Server as a separate product on the same machine as the application server or on a different machine. It listens on port 389 by default; this is plain LDAP, so binds and passwords sent to that port cross the network unencrypted unless you also configure SSL on the server and use an ldaps:// URL from the realm. Tivoli Directory Server provides command-line utilities for performing operations on the server. You can also invoke these operations through a Web interface (http://localhost:12100/IDSWebApp/IDSjsp/IDSConsoleFrameWork.jsp), but only if you installed WebSphere Application Server - Express along with IBM Tivoli Directory Server.
To configure the suffix, start IBM Tivoli Directory Server and load the LDIF file, enter the commands shown in Listing 3. The administrator password is masked; ldapadd's -h option takes a host name rather than a URL, and -p selects a port other than the default 389.
Listing 3. Directory Server commands
add the suffix: idscfgsuf -s dc=ibm,dc=com
start Directory Server: ibmslapd
add LDAP entries from the LDIF file: ldapadd -h <ldaphostname> -D "cn=root" -w "********" -f <ldif_directory_path><filename>.ldif
Figure 2 shows the LDAP entries created in Directory Server.
Figure 2. LDAP entries in Directory Server
Web Application Security and LDAP
Web application security consists of authentication (establishing who the caller is) and authorization (deciding what the caller may access). You declare both in the Web deployment descriptor (web.xml): a login-config element selects the authentication method, and security-constraint and security-role elements protect URL patterns by role. The descriptor does not name the user registry; that comes from the realm the application is bound to in its Community Edition plan. The sample uses FORM based authentication, so the container collects the user ID and password through the login page and hands them to the LDAP realm, which checks them against the directory.
Similarly, you can group users based on roles defined in the deployment descriptor, and create corresponding entries in the LDAP server. Figure 3 shows the security constraints and roles in the Web deployment descriptor, a "Geronimo" plan for WebSphere Application Server Community Edition, and their mapping to entries in LDAP.
Figure 3. Security constraint and role mappings
Creating a Community Edition Plan for the LDAP Realm
To use LDAP in WebSphere Application Server Community Edition, you need to create a realm plan. You can then deploy this plan server-wide, or within the scope of an application or module. Listing 4 shows a sample LDAP realm plan for Community Edition.
Listing 4. LDAP realm plan
<?xml version="1.0" encoding="UTF-8"?>
<configuration
    xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0"
    configId="org/apache/geronimo/ldap-secure">
  <gbean name="ldap-login"
         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">
      org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute>
    <attribute name="serverSide">true</attribute>
    <attribute name="options">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connectionURL=ldap://<host>:389
      connectionUsername=cn=root
      connectionPassword=*******
      connectionProtocol=
      authentication=simple
      userBase=ou=people,dc=ibm,dc=com
      userSearchMatching=uid={0}
      userSearchSubtree=false
      roleBase=ou=groups,dc=ibm,dc=com
      roleName=cn
      roleSearchMatching=(uniqueMember={0})
      roleSearchSubtree=false
      userRoleName=
    </attribute>
    <attribute name="loginDomainName">ldap-realm</attribute>
  </gbean>
  <gbean name="ldap-realm"
         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">ldap-realm</attribute>
    <reference name="LoginModuleConfiguration">
      <name>ldap-login</name>
    </reference>
    <reference name="ServerInfo">
      <module>geronimo/j2ee-system/1.0/car</module>
      <name>ServerInfo</name>
    </reference>
    <reference name="LoginService">
      <module>geronimo/j2ee-security/1.0/car</module>
      <name>JaasLoginService</name>
    </reference>
  </gbean>
  <gbean name="ldap-login"
         class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule">
      <name>ldap-login</name>
    </reference>
  </gbean>
</configuration>
This LDAP realm plan consists of three GBeans: the LoginModuleGBean that holds the LDAPLoginModule options, the GenericSecurityRealm named ldap-realm, and the JaasLoginModuleUse that wires the login module into the realm with controlFlag REQUIRED. When deployed, it configures JAAS so that a login against ldap-realm proceeds in three steps. First, the module binds with connectionUsername and connectionPassword and searches userBase with userSearchMatching=uid={0}, where {0} is the user ID entered on the login page; the search yields the user's DN. Second, it authenticates the user by binding to the directory as that DN with the supplied password, so the stored password is never read by the realm. Third, it searches roleBase with roleSearchMatching=(uniqueMember={0}), where {0} is now the user's DN, and takes the roleName attribute (cn) of every matching group as a role name. Because {0} in the user search is substituted from the login form, the user ID reaches the LDAP filter as data; verify that the login module you deploy escapes filter metacharacters (RFC 4515) before relying on that search.
Two settings in the listing deserve attention before production use. connectionUsername=cn=root binds the realm as the directory administrator when read access to ou=people and ou=groups is all it needs, so create a dedicated read-only bind entry for the realm instead. connectionURL=ldap://<host>:389 together with the plain connectionPassword means that the bind password and every user's password cross the network unencrypted, and that the bind password sits in clear text in the deployed plan; switch to an ldaps:// URL once Directory Server has SSL configured, and restrict file permissions on the plan.
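The search-then-bind-then-role-search sequence described above, as an added Python example; it is not Geronimo's LDAPLoginModule, which is Java and talks to the directory through JNDI. The example reads the same key=value option lines the realm plan uses, stands in an in-memory dictionary for the directory, and evaluates only the single equality filters those options produce. The entries, the bind DN cn=realm-reader and all passwords are constructed for the example. It also shows why the {0} substitution needs RFC 4515 escaping: a login name of * lands in the filter verbatim under naive substitution and as \2a under the escaping one.

```python
"""Model of the lookups an LDAP login module performs for a Web login,
driven by the same key=value option lines as the Community Edition realm plan.
Added example: the directory is an in-memory dict and the filter evaluator
understands only the single equality filters these options produce."""

import re

# Option lines in the form of the realm plan's <attribute name="options">.
# The host, bind DN and bind password are placeholders constructed for the example.
REALM_OPTIONS = """
connectionURL=ldap://ldap.example.com:389
connectionUsername=cn=realm-reader,ou=services,dc=ibm,dc=com
connectionPassword=example-only
userBase=ou=people,dc=ibm,dc=com
userSearchMatching=uid={0}
roleBase=ou=groups,dc=ibm,dc=com
roleName=cn
roleSearchMatching=(uniqueMember={0})
"""

# Constructed entries mirroring Listings 1 and 2: DN -> {attribute: [values]}.
# Attribute names are lower-cased because LDAP compares them case-insensitively.
DIRECTORY = {
    "uid=guest1,ou=people,dc=ibm,dc=com": {
        "uid": ["guest1"], "userpassword": ["welcome"]},
    "uid=user1,ou=people,dc=ibm,dc=com": {
        "uid": ["user1"], "userpassword": ["s3cret"]},
    "cn=admin,ou=groups,dc=ibm,dc=com": {
        "cn": ["admin"], "uniquemember": ["uid=user1,ou=people,dc=ibm,dc=com"]},
    "cn=users,ou=groups,dc=ibm,dc=com": {
        "cn": ["users"], "uniquemember": ["uid=user1,ou=people,dc=ibm,dc=com"]},
    "cn=guest,ou=groups,dc=ibm,dc=com": {
        "cn": ["guest"], "uniquemember": ["uid=guest1,ou=people,dc=ibm,dc=com"]},
}


def parse_options(text):
    """Parse key=value lines, splitting on the first '=' only: values are DNs and filters."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts


_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: metacharacters in a search value become backslash-hex escapes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _wrap(filt):
    # The plan writes uid={0} without parentheses; a filter needs them.
    return filt if filt.startswith("(") else "(%s)" % filt


def naive_filter(pattern, *args):
    """Substitution with no escaping: the login name becomes filter syntax."""
    for i, arg in enumerate(args):
        pattern = pattern.replace("{%d}" % i, arg)
    return _wrap(pattern)


def build_filter(pattern, *args):
    """MessageFormat-style {n} substitution with every argument escaped."""
    for i, arg in enumerate(args):
        pattern = pattern.replace("{%d}" % i, escape_filter_value(arg))
    return _wrap(pattern)


def search(base, filt):
    """Evaluate one equality filter '(attr=value)' under base; returns matching DNs.
    Like a real server, it decodes backslash-hex escapes and then compares literally."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr = m.group(1).lower()
    value = re.sub(r"\\([0-9a-fA-F]{2})",
                   lambda h: chr(int(h.group(1), 16)), m.group(2))
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if dn.endswith("," + base) and value in entry.get(attr, []))


def authenticate(opts, username, password):
    """Search for the user, bind as the user, then search the groups.
    Returns the sorted role names on success, None on any failure."""
    hits = search(opts["userBase"], build_filter(opts["userSearchMatching"], username))
    if len(hits) != 1:
        return None            # unknown or ambiguous user ID
    user_dn = hits[0]
    # The real module binds to the directory as user_dn with the supplied
    # password; the in-memory stand-in compares against the stored value.
    if password not in DIRECTORY[user_dn].get("userpassword", []):
        return None
    role_filter = build_filter(opts["roleSearchMatching"], user_dn)   # {0} is now the DN
    role_attr = opts["roleName"].lower()
    return sorted(DIRECTORY[dn][role_attr][0]
                  for dn in search(opts["roleBase"], role_filter))


if __name__ == "__main__":
    opts = parse_options(REALM_OPTIONS)
    print(authenticate(opts, "guest1", "welcome"))            # ['guest']
    print(naive_filter("uid={0}", "*"), build_filter("uid={0}", "*"))
```

On a real server the naive filter (uid=*) matches every entry under ou=people, whereas the escaped (uid=\2a) matches only a user whose uid is literally an asterisk. Whether the login module in your Community Edition version performs this escaping is something to check; the example treats it as the realm's responsibility because the name comes straight from the login form.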
You can deploy the LDAP realm using the Community Edition console or deploy tool:
java -jar bin\deployer.jar deploy ldap-realm-ibm.xml
Now that we have an LDAP realm in place, we need to configure our Web application to use it. You add these details to the geronimo-web.xml plan file as shown in Listing 5.
Listing 5. geronimo-web.xml plan
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/web"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security"
         configId="org/apache/geronimo/ldap-secure-demo"
         parentId="org/apache/geronimo/ldap-secure">
  <context-root>/ldap-demo</context-root>
  <context-priority-classloader>false</context-priority-classloader>
  <container-config container="Tomcat">
    <config-param name="TomcatRealm">TomcatJAASRealm</config-param>
  </container-config>
  <security-realm-name>ldap-realm</security-realm-name>
  <security>
    <default-principal realm-name="ldap-realm">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                 name="system" />
    </default-principal>
    <role-mappings>
      <role role-name="admin">
        <realm realm-name="ldap-realm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="admin" designated-run-as="true" />
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                     name="system" />
        </realm>
      </role>
      <role role-name="users">
        <realm realm-name="ldap-realm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="users" designated-run-as="true" />
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                     name="user1" />
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                     name="user2" />
        </realm>
      </role>
      <role role-name="guest">
        <realm realm-name="ldap-realm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="guest" designated-run-as="true" />
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                     name="guest1" />
        </realm>
      </role>
    </role-mappings>
  </security>
</web-app>
The role names in the geronimo-web plan (admin, users, guest) must match the security-role names in the Web deployment descriptor, and the GeronimoGroupPrincipal names must match the cn of the groups in LDAP, because cn is the attribute that roleName=cn tells the login module to return. The GeronimoUserPrincipal entries (system, user1, user2, guest1) grant the role to those individual user IDs directly, regardless of LDAP group membership; keep such per-user mappings to a minimum, or omit them, so that Directory Server remains the single place where access is granted and revoked.
The Web application is packaged as an EAR file (LDAPExample.ear) in the sample zip file. You deploy it using the Community Edition console.
Using the Sample Application
In the previous sections we created an LDAP realm and configured our Web application to use it, and we deployed both the realm and the application. To access the Web application, enter the URL http://localhost:8080/LDAPWeb (the path must match the context-root declared in the application's geronimo-web.xml plan). When you log in, the realm verifies the user ID and password against the entries in the LDAP directory, and the container then grants or denies access to protected resources according to the roles defined in the Web deployment descriptor.
Conclusion
In this article we created user and group records in Directory Server and deployed an LDAP realm in Community Edition. The sample Web application showed how the realm authenticates users against the directory and maps their group memberships to J2EE roles.
Download
| Description | Name | Size | Download method |
|---|---|---|---|
| Sample Web application | wasce-ldap-sample.zip | 25 KB | FTP, HTTP |
About the author
Krishnakumar Balachandar is a senior staff software engineer at IBM Software Labs in Bangalore, India. He is part of the support team for Geronimo and WebSphere Community Edition.