Home
english
Home
.NET Server
Java Server
.NET Client
AJAX Client
AJAX Browser
Map Drive
Pricing
Contacts
info@ithit.com


Home
Features
Licensing Options
Download
Server Examples
Creating WebDAV Server
Class 1 / 3 Server
Class 2 / 3 Server
DeltaV Server
Working with MS Office
Authentication
Tomcat Basic/Digest
GlassFish LDAP
Custom Handlers
Resumable Upload
Class Library

Configuring LDAP (Active Directory) Authentication for Glassfish-based WebDAV Server

To configure LDAP authentication:

 

  1. Create new realm. Open administrative console of the Glassfish server. From the main tree (Common Tasks) expand Configuration and go to Security > Realms. Create new realm:
    1. Name=LDAP
    2. Class Name=com.sun.enterprise.security.auth.realm.ldap.LDAPReam
    3. JAAS Context=ldapRealm
    4. Directory=ldap://server:389
    5. Base DN=DC=ithit,DC=com
    6. Assign Groups=Authenticated
      Note: Authenticated group will be assigned to all authenticated roles.
    Specify following additional properties:
    1. search-filter=(&(objectClass=user)(sAMAccountName=%s))
    2. search-bind-password=password
    3. group-search-filter=(&(objectClass=group)(member=%d))
    4. search-bind-dn=ithit\user
    Note: You must change directory, base-dn, search-bind-dn and search-bind-password to your active directory configuration. The «search-bind-dn» and «search-bind-password» parameters are needed, because with default settings active directory doesn't allow anonymous users to browse the directory.

    You may optionally specify Assign Groups. These groups will be assigned to authenticated users.

  2. Configure JVM Settings. From the main tree (Common Tasks) expand Configuration and go to JVM Settings.  Go to tab JVM Options. Add JVM option:
    1. Djava.naming.referral=follow
  3. Configure HTTP authentication. Add following element after <security-constraint> element of your web.xml. For oraclestorage sample the web.xml file is located in oraclestorage/WEB-INF/ folder:
    1. For Basic authentication:
      <web-app ... > 
         ... 
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>LDAP</realm-name>
         </login-config>
         ...
      </web-app>
    2. For Digest authentication:
      <web-app ... > 
         ... 
         <login-config>
              <auth-method>DIGEST</auth-method>
              <realm-name>LDAP</realm-name>
         </login-config>
         ...
      </web-app>
    Note: In some cases only Basic works.
  4. Add security role. Add at least one security role to your web.xml file. We add at least Authenticated because we configured it in step 1:
    <web-app ... > 
       ... 
       <security-role>
          <role-name>role1</role-name>
       </security-role>
       ...
    </web-app>
  5. Add security constraint. Add security constraint element to your web.xml file:
    <web-app ... >
       ...
       <security-constraint>
          <!-- web resources that are protected -->
          <web-resource-collection>
             <web-resource-name>All Resources</web-resource-name>
             <url-pattern>/*</url-pattern>
             <!-- All methods but OPTIONS must be authenticated. OPTIONS must work without authentication for cross domain in Firefox to work -->
             <http-method>GETLIB</http-method>
             <http-method>COPY</http-method>
             <http-method>MOVE</http-method>
             <http-method>DELETE</http-method>
             <http-method>PROPFIND</http-method>
             <http-method>GET</http-method>
             <http-method>HEAD</http-method>
             <http-method>PUT</http-method>
             <http-method>MKCOL</http-method>
             <http-method>PROPPATCH</http-method>
             <http-method>LOCK</http-method>
             <http-method>UNLOCK</http-method>
             <http-method>VERSION-CONTROL</http-method>
             <http-method>CHECKIN</http-method>
             <http-method>CHECKOUT</http-method>
             <http-method>UNCHECKOUT</http-method>
             <http-method>REPORT</http-method>
             <http-method>UPDATE</http-method>
             <http-method>CANCELUPLOAD</http-method>
          </web-resource-collection>
          <auth-constraint>
              <!-- role-name indicates roles that are allowed to access the web resource specified above -->
              <role-name>role1</role-name>
          </auth-constraint>
       </security-constraint>
       ...
    </web-app>
  6. Configure LDAP role mapping. Configure user role mapping to LDAP roles in sun-web.xml which should lie in the same directory as web.xml file:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN"  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
    <sun-web-app>
        <security-role-mapping>
            <role-name>role1</role-name>
            <group-name>Authenticated</group-name>
        </security-role-mapping>
    </sun-web-app>
  7. Redeploy application.
  8. Get user name in your Java code. In your code you will be able to access logged in user using request.isUserInRole method:
    public List<HierarchyItemImpl> getChildren() throws ServerException {
        if (this.getEngine().getRequest().isUserInRole("role1")){
            //list items
        }
        else{
            throw new ServerException(WebDavStatus.ACCESS_DENIED);
        }
    }

Selected Customers:
Country: Norway
DnB NOR Group
Country: Finland
Bank of Finland
USA
Symantec
Country: Sweden
Toyota
Country: Denmark
Danfoss Group
Country: USA
Microsoft
Country: Ukraine
Raiffeisen Bank
Country: USA
Siemens
Country: Ukraine
OTP Bank
Country: USA
Intel Corporation
Country: Austria
Austrian Federal Railways
Country: Israel
Autodesk, Inc.
Country: USA
U.S. Customs and Border Protection Agency
Home .NET Server Java Server .NET Client AJAX Client AJAX Browser Map Drive Pricing Contacts

Updated: Monday, February 28, 2011