For my application, I needed a basic login function where only users from a
certain LDAP group are allowed to access the application.
Specify the paths you want to secure (in this case every .do page):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>my web application</web-resource-name>
        <description>This application has limited access.</description>
        <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authenticated</role-name>
    </auth-constraint>
</security-constraint>
List all your security roles (nothing more than repeating the role names from the
previous step), optionally with a description.
<security-role>
    <description>This role is for authenticated users.</description>
    <role-name>authenticated</role-name>
</security-role>
Configure the manner of login you want to provide to your users (BASIC, FORM,
DIGEST or CLIENT-CERT). Check
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html for more
information. Usually FORM is used; with this option the user gets a
custom-made HTML form.
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jspx</form-login-page>
        <form-error-page>/login.jspx?fout=1</form-error-page>
    </form-login-config>
</login-config>
Your login form should post its data to the 'j_security_check' action and use
'j_username' and 'j_password' as field names (see
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html for more information).
Configuring OC4J
Authentication with Active Directory is built into OC4J and is called jazn (Java
AuthoriZatioN). Many files are involved with jazn, but we actually only need
orion-application.xml. This configuration is OC4J specific.
To query the LDAP, you need a service user for Active Directory. Ask system
administration to create one.
First, map the security role you defined earlier to a group in Active Directory:
<security-role-mapping name="authenticated">
    <group name="LDAP_GROUP" /> <!-- LDAP group -->
</security-role-mapping>
<jazn provider="XML">
    <property name="custom.ldap.provider" value="true"/>
</jazn>
Configure the LDAP retrieval (change the search bases and the service user
information to match your situation). Mind the Distinguished Names (e.g.
OU=Users,OU=ABC,DC=esk,DC=local): no spaces between the components.
<jazn-loginconfig>
    <application>
        <name>[application name, should match the deployment name]</name>
        <login-modules>
            <login-module>
                <class>oracle.security.jazn.login.module.LDAPLoginModule</class>
                <control-flag>required</control-flag>
                <options>
                    <option>
                        <name>oracle.security.jaas.ldap.user.searchbase</name>
                        <value>OU=Users,OU=ABC,DC=esk,DC=local</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.user.object.class</name>
                        <value>user</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.lm.cache_enabled</name>
                        <value>true</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.membership.searchscope</name>
                        <value>nested</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.provider.connect.pool</name>
                        <value>true</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.user.searchscope</name>
                        <value>subtree</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.role.searchbase</name>
                        <value>OU=Groups,OU=ABC,DC=esk,DC=local</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.user.name.attribute</name>
                        <value>sAMAccountName</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.role.object.class</name>
                        <value>group</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.member.attribute</name>
                        <value>member</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.connect.pool.initsize</name>
                        <value>2</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.connect.pool.prefsize</name>
                        <value>10</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.provider.type</name>
                        <value>Active Directory</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.connect.pool.maxsize</name>
                        <value>25</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.role.name.attribute</name>
                        <value>cn</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.provider.user</name>
                        <value>[Service User: username]</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.provider.credential</name>
                        <value>[Service User: password]</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.role.searchscope</name>
                        <value>subtree</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.connect.pool.timeout</name>
                        <value>300000</value>
                    </option>
                    <option>
                        <name>oracle.security.jaas.ldap.provider.url</name>
                        <value>ldap://ldap.organisation.be:389</value>
                    </option>
                </options>
            </login-module>
        </login-modules>
    </application>
</jazn-loginconfig>
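As an added example (not code from the original document or from OC4J), the following Python simulates what the login module options above tell the server to do with a login: find the user by sAMAccountName under the user search base, collect the groups under the role search base whose member attribute lists the user's DN (nested groups included), and map them to the J2EE role. The directory entries are constructed for this example; only the search bases and attribute names are taken from the configuration.

```python
# Added example: the lookups the LDAPLoginModule options above describe, run against a
# constructed in-memory stand-in for Active Directory; no real LDAP server is contacted.
USER_BASE = "OU=Users,OU=ABC,DC=esk,DC=local"    # oracle.security.jaas.ldap.user.searchbase
ROLE_BASE = "OU=Groups,OU=ABC,DC=esk,DC=local"   # oracle.security.jaas.ldap.role.searchbase
USER_ATTR, ROLE_ATTR, MEMBER = "sAMAccountName", "cn", "member"  # user.name / role.name / member attribute
ROLE_MAPPING = {"authenticated": {"LDAP_GROUP"}}  # the <security-role-mapping> above

DIRECTORY = {  # constructed entries, DN -> attributes (every attribute is multi-valued, as in LDAP)
    "CN=Alice," + USER_BASE: {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=Bob," + USER_BASE: {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=Mallory,OU=Staff,OU=ABC,DC=esk,DC=local":  # outside user.searchbase: never found
        {"objectClass": ["user"], "sAMAccountName": ["mallory"]},
    "CN=LDAP_GROUP," + ROLE_BASE: {
        "objectClass": ["group"], "cn": ["LDAP_GROUP"],
        "member": ["CN=Alice," + USER_BASE, "CN=Developers," + ROLE_BASE]},
    "CN=Developers," + ROLE_BASE: {"objectClass": ["group"], "cn": ["Developers"],
                                   "member": ["CN=Bob," + USER_BASE]},
}

def in_subtree(dn, base):
    """searchscope 'subtree': the entry is the base itself or anywhere beneath it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def find_user_dn(username):
    """Resolve j_username to a DN: objectClass=user below user.searchbase, matched on sAMAccountName."""
    for dn, attrs in DIRECTORY.items():
        names = [v.lower() for v in attrs.get(USER_ATTR, [])]
        if in_subtree(dn, USER_BASE) and "user" in attrs["objectClass"] and username.lower() in names:
            return dn
    return None

def groups_of(dn, nested=True):
    """cn of each group below role.searchbase listing dn in 'member'; nested: groups of those groups too."""
    found, pending = set(), [dn]
    while pending:                       # 'found' also stops cycles between groups
        target = pending.pop()
        for gdn, attrs in DIRECTORY.items():
            if (gdn not in found and in_subtree(gdn, ROLE_BASE)
                    and "group" in attrs["objectClass"] and target in attrs.get(MEMBER, [])):
                found.add(gdn)
                if nested:
                    pending.append(gdn)
    return {DIRECTORY[g][ROLE_ATTR][0] for g in found}

def roles_for(username, nested=True):
    """J2EE roles the login ends up with once <security-role-mapping> is applied."""
    user_dn = find_user_dn(username)
    groups = groups_of(user_dn, nested) if user_dn else set()  # unknown or out-of-base user: none
    return {role for role, grps in ROLE_MAPPING.items() if groups & grps}
```

Bob only reaches "authenticated" through the nested Developers group, which is what membership.searchscope=nested buys you; with a direct-only scope he would get no role.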
Good to know
• Use an LDAP browser to find out where the groups and users are located
and what their DNs are, e.g. http://ldapadmin.sourceforge.net/