Configuring LDAP (Active Directory) Authentication for Glassfish-based WebDAV Server

To configure LDAP authentication:


  1. Create a new realm. Open the administrative console of the Glassfish server. From the main tree (Common Tasks) expand Configuration and go to Security > Realms. Create a new realm with the following settings:
    1. Name=LDAP
    2. Class Name=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
    3. JAAS Context=ldapRealm
    4. Directory=ldap://server:389
    5. Base DN=DC=ithit,DC=com
    6. Assign Groups=Authenticated
      Note: The Authenticated group will be assigned to every user who authenticates successfully.
    Specify the following additional properties:
    1. search-filter=(&(objectClass=user)(sAMAccountName=%s))
    2. search-bind-password=password
    3. group-search-filter=(&(objectClass=group)(member=%d))
    4. search-bind-dn=ithit\user
    Note: You must change directory, base-dn, search-bind-dn and search-bind-password to match your Active Directory configuration. The «search-bind-dn» and «search-bind-password» parameters are needed because, with default settings, Active Directory does not allow anonymous users to browse the directory; the realm binds with this account to look up the user entry and its group membership before verifying the user's own password.

    You may optionally specify Assign Groups. These groups will be assigned to authenticated users.

  2. Configure JVM Settings. From the main tree (Common Tasks) expand Configuration and go to JVM Settings. Open the JVM Options tab and add the following JVM option (Active Directory returns referrals during searches, and without this option a search may fail with a referral error):
    1. -Djava.naming.referral=follow
  3. Configure HTTP authentication. Add the following element after the <security-constraint> element of your web.xml. For the oraclestorage sample the web.xml file is located in the oraclestorage/WEB-INF/ folder:
    1. For Basic authentication:
      <web-app ... > 
         ... 
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>LDAP</realm-name>
         </login-config>
         ...
      </web-app>
    2. For Digest authentication:
      <web-app ... > 
         ... 
         <login-config>
              <auth-method>DIGEST</auth-method>
              <realm-name>LDAP</realm-name>
         </login-config>
         ...
      </web-app>
    Note: In some cases only Basic authentication works.
  4. Add security role. Add at least one security role to your web.xml file. Here we add role1; step 6 maps it to the Authenticated group configured in step 1:
    <web-app ... > 
       ... 
       <security-role>
          <role-name>role1</role-name>
       </security-role>
       ...
    </web-app>
  5. Add security constraint. Add security constraint element to your web.xml file:
    <web-app ... >
       ...
       <security-constraint>
          <!-- web resources that are protected -->
          <web-resource-collection>
             <web-resource-name>All Resources</web-resource-name>
             <url-pattern>/*</url-pattern>
             <!-- All methods but OPTIONS must be authenticated. OPTIONS must work without authentication for cross domain in Firefox to work -->
             <http-method>GETLIB</http-method>
             <http-method>COPY</http-method>
             <http-method>MOVE</http-method>
             <http-method>DELETE</http-method>
             <http-method>PROPFIND</http-method>
             <http-method>GET</http-method>
             <http-method>HEAD</http-method>
             <http-method>PUT</http-method>
             <http-method>MKCOL</http-method>
             <http-method>PROPPATCH</http-method>
             <http-method>LOCK</http-method>
             <http-method>UNLOCK</http-method>
             <http-method>VERSION-CONTROL</http-method>
             <http-method>CHECKIN</http-method>
             <http-method>CHECKOUT</http-method>
             <http-method>UNCHECKOUT</http-method>
             <http-method>REPORT</http-method>
             <http-method>UPDATE</http-method>
             <http-method>CANCELUPLOAD</http-method>
          </web-resource-collection>
          <auth-constraint>
              <!-- role-name indicates roles that are allowed to access the web resource specified above -->
              <role-name>role1</role-name>
          </auth-constraint>
       </security-constraint>
       ...
    </web-app>
  6. Configure LDAP role mapping. Map the web.xml security role to the LDAP group in sun-web.xml, which must be in the same directory as the web.xml file:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN"  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
    <sun-web-app>
        <security-role-mapping>
            <role-name>role1</role-name>
            <group-name>Authenticated</group-name>
        </security-role-mapping>
    </sun-web-app>
  7. Redeploy application.
  8. Check the user in your Java code. In your code you can check whether the logged-in user holds the role using the request.isUserInRole method:
    public List<HierarchyItemImpl> getChildren() throws ServerException {
        // The container has already authenticated the user against the LDAP realm;
        // role1 is mapped to the Authenticated LDAP group in sun-web.xml (step 6).
        if (this.getEngine().getRequest().isUserInRole("role1")){
            //list items
        }
        else{
            // Not in the required role: refuse access to this collection.
            throw new ServerException(WebDavStatus.ACCESS_DENIED);
        }
    }
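The snippet above only checks the role. When the same decision has to be applied to every WebDAV method, and the authenticated user name is needed for logging or per-user storage, a servlet filter is a convenient place to do it. The following filter is an added example, not part of the original page and not code from the IT Hit WebDAV server; it assumes the filter is mapped to /* in web.xml, that the role name role1 matches step 4, and that the standard Servlet API (HttpServletRequest.getUserPrincipal / isUserInRole) is available, which is the case on Glassfish.

```java
// Added example (not part of the original page or the IT Hit WebDAV server code).
// Enforces the web.xml role "role1" for every request the security constraint
// covers and exposes the LDAP-authenticated user name to the rest of the application.
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LdapRoleFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(LdapRoleFilter.class.getName());

    // Role name from step 4 (web.xml); mapped to the LDAP group "Authenticated" in step 6.
    static final String REQUIRED_ROLE = "role1";

    // Request attribute under which the authenticated user name is published (assumed name).
    static final String USER_ATTRIBUTE = "webdav.user";

    @Override
    public void init(FilterConfig cfg) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // OPTIONS is deliberately left out of the <web-resource-collection> in step 5,
        // so it reaches the filter without a principal; pass it through unchanged.
        if ("OPTIONS".equals(request.getMethod())) {
            chain.doFilter(req, res);
            return;
        }

        // The container has already performed BASIC/DIGEST authentication against the
        // LDAP realm. A null principal here means the request was not covered by the
        // security constraint; treat it as unauthenticated rather than as anonymous access.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getName() is the name the realm authenticated, i.e. the value that matched
        // the sAMAccountName in search-filter (request.getRemoteUser() returns the same).
        String userName = user.getName();

        if (!request.isUserInRole(REQUIRED_ROLE)) {
            // Authenticated but not in the mapped group: log it for the server log
            // and answer 403 instead of re-challenging with 401.
            LOG.warning("Denied " + request.getMethod() + " " + request.getRequestURI()
                    + " for user " + userName + ": not in role " + REQUIRED_ROLE);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Make the user name available to the WebDAV engine and storage layer.
        request.setAttribute(USER_ATTRIBUTE, userName);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register the filter in web.xml with a <filter> element naming this class and a <filter-mapping> with <url-pattern>/*</url-pattern>; because the container performs authentication before filters run, the filter never sees a password, only the principal the LDAP realm established. Note that responding 403 for a user who authenticated but lacks the role is a deliberate choice: a 401 would prompt the client to keep re-sending credentials that are already known to be valid.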