In this blog entry I am going to describe configuring JSPWiki to use container based authentication to authenticate LDAP users existing in an OpenDJ directory. I am using GlassFish as my web application container, so this can be considered an alternative solution to using Tomcat, for example as described here.
I am running JSPWiki version 2.8.3, deployed in GlassFish Open Source Edition 3.1.1 (build 12) on OpenIndiana oi_151 x86. OpenDJ is version 2.4.4, and I am using Java 6 update 26.
I am assuming prior basic familiarity with installing, configuring, and managing GlassFish and OpenDJ. Our starting point will be a freshly deployed instance of JSPWiki, for which the initial first-run setup procedure has taken place and without any configuration to the JSPWiki configuration files.
This is an insecure setup intended for testing purposes.
Create user and admin groups for JSPWiki in OpenDJ
I have created the Groups OU under my Base DN, and within it created the groups wiki-admin and wiki-users.
Members of the wiki-admin group will be authorized with full permissions in JSPWiki once authenticated. Members of the wiki-users group however will have a lesser set of permissions, suitable for regular day-to-day use of the wiki. You can use LDIF commands if you wish to create the directory entries, however, I just use OpenDJ’s super-easy GUI to do the work. For example:
Image may be NSFW.
Clik here to view.
Create an LDAP security realm in GlassFish
This can be performed in the GlassFish admin BUI. Note that we perform this step under the Configurations -> server-config node in the BUI (not the Configurations -> default-config node):
Image may be NSFW.
Clik here to view.
I have created the LDAP realm JSPWikiUsers with the following settings:
Image may be NSFW.
Clik here to view.
Some observations on the above can be noted here:
- The search-bind-dn and search-bind-password properties may be optional for your OpenDJ installation: they are required in my case because I have disabled anonymous access to my OpenDJ server
- The port used for access to your OpenDJ server may not necessarily be 1389 – change this as necessary.
Change the JACC provider from default to simple
I found that if this step is not performed, LDAP group lookup from GlassFish to OpenDJ will plain just not work.
Navigate to the Configurations -> server-config -> Security node of the GlassFish admin BUI and make the setting as illustrated:
Image may be NSFW.
Clik here to view.
This should be all the configuration needed in GlassFish using the admin BUI, so we can now proceed to making the required modifications to the following JSPWiki deployment descriptor and policy files:
- web.xml
- jspwiki.policy
- glassfish-web.xml
In the following steps, we are assuming that JSPWiki has been deployed to the domain1 domain, and the path to the deployment descriptor and policy configuration files is:
/opt/glassfishv3/glassfish/domains/domain1/applications/JSPWiki/WEB-INF
(Also, in my case no changes needed to be made at all to the jspwiki.properties file.)
Enable container based authentication in the web.xml file
In the web.xml file (in its unmodified state in JSPWiki v2.8.3), look for the section near the end of the file which begins with the following comment:
<!-- REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH
Simply uncomment the section and replace it with the following:
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrative Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>wiki-admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<url-pattern>/Comment.jsp</url-pattern>
<url-pattern>/Login.jsp</url-pattern>
<url-pattern>/NewGroup.jsp</url-pattern>
<url-pattern>/Rename.jsp</url-pattern>
<url-pattern>/Upload.jsp</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Read-only Area</web-resource-name>
<url-pattern>/attach</url-pattern>
<http-method>DELETE</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>wiki-admin</role-name>
<role-name>wiki-users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>JSPWikiUsers</realm-name>
<form-login-config>
<form-login-page>/LoginForm.jsp</form-login-page>
<form-error-page>/LoginForm.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
This logical role includes all authenticated users
</description>
<role-name>wiki-users</role-name>
</security-role>
<security-role>
<description>
This logical role includes all administrative users
</description>
<role-name>wiki-admin</role-name>
</security-role>
Modify the jspwiki.policy file
This will allow users in the wiki-admin LDAP group to be granted full permissions upon authenticating to JSPWiki.
Look for the following section at the end of the jspwiki.policy file (in its unmodified state in a JSPWiki v2.8.3 installation):
// Administrators (principals or roles possessing AllPermission)
// are allowed to delete any page, and can edit, rename and delete
// groups. You should match the permission target (here, 'JSPWiki')
// with the value of the 'jspwiki.applicationName' property in
// jspwiki.properties. Two administative groups are set up below:
// the wiki group "Admin" (stored by default in wiki page GroupAdmin)
// and the container role "Admin" (managed by the web container).
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
And modify it to read:
// Administrators (principals or roles possessing AllPermission)
// are allowed to delete any page, and can edit, rename and delete
// groups. You should match the permission target (here, 'JSPWiki')
// with the value of the 'jspwiki.applicationName' property in
// jspwiki.properties. Two administative groups are set up below:
// the wiki group "Admin" (stored by default in wiki page GroupAdmin)
// and the container role "Admin" (managed by the web container).
// grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
// permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
// };
// grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
// permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
// };
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
Create the glassfish-web.xml file
The primary purpose of this file will be to map the security roles we defined in the web.xml file to the JSPWiki groups we created in OpenDJ. The file should be created at:
/opt/glassfishv3/glassfish/domains/domain1/applications/JSPWiki/WEB-INF
The glassfish-web.xml file should contain the following only:
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app>
<security-role-mapping>
<role-name>wiki-admin</role-name>
<group-name>wiki-admin</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>wiki-users</role-name>
<group-name>wiki-users</group-name>
</security-role-mapping>
</glassfish-web-app>
Restart the GlassFish domain, and test LDAP logins to JSPWiki
First, restart the domain either using the asadmin utility or the GlassFish admin BUI. Then test LDAP logins to JSPWiki.
In my case, we can observe that logging in as a user that is a member of the wiki-admin group in OpenDJ, I do indeed have full permissions in JSPWiki:
Image may be NSFW.
Clik here to view.
Whereas logging in as a user that is a member of the wiki-users group in OpenDJ, I am restricted from certain destructive actions:
Image may be NSFW.
Clik here to view.
Image may be NSFW.
Clik here to view.
Image may be NSFW.Clik here to view.
