
Authenticate OpenXava users with ActiveDirectory

The following lets an OpenXava application authenticate its users against Active Directory through Tomcat's JNDIRealm, which talks to the domain controller over LDAP. Users are prompted for their Windows credentials. They must enter the bare username only, without the domain (no DOMAIN\user or user@domain form), because the realm looks the account up by its sAMAccountName attribute.

If you have more than one Active Directory domain to authenticate against, wrap the realms in org.apache.catalina.realm.CombinedRealm; Tomcat then tries each nested realm in order until one of them authenticates the user.

In web.xml you need a security-constraint element. It forces the user to authenticate before reaching any OpenXava module. In role-name, enter the name of the Windows group whose members are allowed to access the application. Because the realm below maps roles with roleName="cn", this value must match the group's cn attribute exactly, including case, and without a domain prefix. If you need finer restrictions, call OpenXava's Users.getCurrent() in your Java code to get the username of the current user. For example, you could add validation logic that prevents a certain user from creating a new record.

Please note that you must use a security-constraint setting in web.xml in order to use Users.getCurrent() in your Java code.

web.xml in app folder

<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <!-- Define the context-relative URL(s) to be protected -->
  <url-pattern>/modules/*</url-pattern>
  <!-- Deliberately no <http-method> list: if you list methods, only those
       methods are protected and any other verb (HEAD, OPTIONS, PATCH, ...)
       reaches the module unauthenticated. Leaving the list out protects
       every method. -->
</web-resource-collection>
<auth-constraint>
  <role-name>THE NAME OF A WINDOWS GROUP (NO NEED TO SPECIFY DOMAIN NAME)</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Windows Login</realm-name>
</login-config>
<security-role>
    <role-name>THE NAME OF A WINDOWS GROUP (NO NEED TO SPECIFY DOMAIN NAME)</role-name>
</security-role> 

In server.xml, add a JNDIRealm so that Tomcat can look users up and authenticate them against Active Directory over LDAP. The example below wraps two JNDIRealms in a CombinedRealm to cover two domains. A few points to check before copying it: connectionName and connectionPassword are the service account Tomcat binds with to search for the user and the user's groups, so use a read-only, least-privilege account and protect server.xml, since the password is stored there in clear. The user's own password is verified by Tomcat binding to the directory as the user DN it found, so with ldap://...:389 both the service-account password and every user password cross the network unencrypted (see the HTTPS/LDAPS note at the end). referrals="follow" is needed on port 389 because Active Directory answers with referrals for parts of the forest; querying the global catalog port 3268 instead is the usual alternative. Finally, roleSearch="(member={0})" only finds groups the user is a direct member of; for nested group membership set roleNested="true" (Tomcat 7 and later) or use Active Directory's chain-matching filter (member:1.2.840.113556.1.4.1941:={0}).

server.xml in tomcat's conf folder


<!-- make sure to remove the existing realms -->
<!-- the debug="99" attribute seen in older examples is ignored by Tomcat 5.5
     and later (logging is configured through JULI), so it is left out here -->
<Realm className="org.apache.catalina.realm.CombinedRealm">

  <Realm
        className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://DOMAIN-CONTROLLER-NAME.YOUDOMAIN.local:389"
        connectionName="SOMEUSER@YOUDOMAIN.local"
        connectionPassword="YOURPASSWORD"
        referrals="follow"
        userBase="DC=YOUDOMAIN,DC=local"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleBase="DC=YOUDOMAIN,DC=local"
        roleName="cn"
        roleSearch="(member={0})"
        roleSubtree="true"/>

  <Realm
        className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://OTHERSERVER.YOUSECONDDOMAIN.LOCAL:389"
        connectionName="SOMEUSER@YOUDOMAIN.local"
        connectionPassword="YOURPASSWORD"
        referrals="follow"
        userBase="DC=YOUSECONDDOMAIN,DC=local"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleBase="DC=YOUSECONDDOMAIN,DC=local"
        roleName="cn"
        roleSearch="(member={0})"
        roleSubtree="true"/>

</Realm>

In your OpenXava Java code, you can obtain the username (without domain name) of the user visiting the page by calling Users.getCurrent(). The Users class lives in the org.openxava.util package. It returns the name as the user typed it at the login prompt, so compare it case-insensitively: Windows logins are not case-sensitive, but Java strings are.
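As an added example (not code from the original post or from OpenXava itself), here is an OpenXava JPA entity that uses Users.getCurrent() to stop particular Windows accounts from creating records, which is the "finer restriction" mentioned above. The package, the Invoice entity, the list of restricted usernames, and the use of org.openxava.validators.ValidationException to surface the error in the OpenXava screen are assumptions made for the illustration; Users.getCurrent() and the JPA callback annotations are real. It needs Java 11 or later for Set.of and String.isBlank.

```java
package com.example.orders;   // hypothetical package, not from the post

import java.util.Locale;
import java.util.Set;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.PrePersist;

import org.openxava.util.Users;                      // provides Users.getCurrent()
import org.openxava.validators.ValidationException;  // assumed: rendered as an error by OpenXava

@Entity
public class Invoice {

    // Windows usernames (sAMAccountName, no domain) that may NOT create invoices.
    // Constructed for this example; a real application would keep this in the
    // database or in an AD group rather than in source code.
    private static final Set<String> CANNOT_CREATE = Set.of("contractor1", "auditor");

    @Id @GeneratedValue
    private long id;

    private String customer;

    // Runs just before the row is inserted, i.e. when the user saves a new
    // record in the OpenXava module.
    @PrePersist
    private void checkCreator() {
        String user = Users.getCurrent();
        if (user == null) {
            // Only happens when the module was reached without a
            // security-constraint: there is no authenticated user, so deny.
            throw new ValidationException(
                "No authenticated user; the module must be behind a security-constraint");
        }
        if (!mayCreate(user)) {
            throw new ValidationException(
                "User " + user + " is not allowed to create invoices");
        }
    }

    // Kept separate from the callback so it can be unit-tested without a container.
    static boolean mayCreate(String username) {
        if (username == null || username.isBlank()) return false;
        // Windows logins are case-insensitive, so "Auditor" is the same
        // account as "auditor"; normalise before looking it up.
        return !CANNOT_CREATE.contains(username.toLowerCase(Locale.ROOT));
    }

    public long getId() { return id; }
    public String getCustomer() { return customer; }
    public void setCustomer(String customer) { this.customer = customer; }
}
```

The two details that matter are the null guard and the case normalisation. Without the guard, a module that was accidentally left outside the url-pattern would pass a null username and the check would silently do nothing; without the normalisation, a user who logs in as "Auditor" would bypass a list that only contains "auditor".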

This setup is meant for a trusted intranet, which is why it tolerates BASIC authentication: the browser sends the Windows username and password base64-encoded, not encrypted, on every request. Before relying on it further, do two things. First, configure Tomcat for HTTPS only and add a user-data-constraint with transport-guarantee CONFIDENTIAL to the security-constraint above, so the container redirects plain HTTP to the connector's redirectPort instead of accepting credentials in clear. Second, switch the realm's connectionURL to ldaps://...:636 (with the domain controller's CA certificate in Tomcat's truststore) or, on Tomcat 8.5 and later, set useStartTLS="true" on the JNDIRealm, so that neither the service-account password nor the users' passwords travel to the domain controller unencrypted.

You can use a similar configuration to let other Java web applications authenticate users with Active Directory: adapt the application's web.xml and reuse the server.xml configuration shown here.

Comments

JohnMiller said…
Just checked back here (to look again at your excellent 'How to create online multiplayer HTML5 games in Construct2') and discovered that you've changed your blog title. I like it! Very appropriate for a thoughtful software developer!
