WildFly LDAP integration
LDAP login for a WildFly server
In the past I spent a lot of time figuring out how to set up the integrated LDAP login module of the WildFly server. To do this you have to make changes in several different places:
Wildfly server side
Add an ‘LdapExtended’ login module to the WildFly configuration
First you have to add a security domain to your server configuration. In the WildFly admin console go to Configuration -> Subsystems -> Security -> [Add] and enter Name: "LDAPAuth". This name is referenced later from the jboss-web.xml
file in your project.
Add configuration parameters to this module
Open the Authentication view of the security domain and add a login module with the following parameters:
Name: LDAPAuth
Code: LdapExtended
Flag: required
Module: (leave empty; LdapExtended is a built-in PicketBox login module)
Module options (the bindDN should be a dedicated, read-only service account that is only allowed to search users and groups; its password is the bindCredential):
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url=ldap://ldapserver:389
bindDN=CN=Testuser,OU=Groupes,DC=domain,DC=net
bindCredential=password
baseCtxDN=dc=domain,dc=net
rolesCtxDN=OU=Groupes,DC=domain,DC=net
roleFilter=(member={1})
roleAttributeID=memberOf
baseFilter=(sAMAccountName={0})
throwValidateError=true
searchScope=SUBTREE_SCOPE
distinguishedNameAttribute=distinguishedname
roleAttributeIsDN=true
roleNameAttributeID=cn
roleRecursion=1
Hint: in baseFilter, {0} is replaced by the username entered in the login form; in roleFilter, {1} is replaced by the DN of the user entry found by the base search ({0} is again the username). The module options are hidden in the console after you submit them, but they are written to the configuration file.
After a reload of the server you should find something similar in your $JBOSS_HOME/standalone/configuration/standalone.xml
file:
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        [...]
        <security-domain name="LDAPAuth" cache-type="default">
            <authentication>
                <login-module name="LDAPAuth" code="LdapExtended" flag="required">
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="ldap://ldapserver:389"/>
                    <module-option name="bindDN" value="CN=Testuser,OU=Groupes,DC=domain,DC=net"/>
                    <module-option name="bindCredential" value="password"/>
                    <module-option name="baseCtxDN" value="dc=domain,dc=net"/>
                    <module-option name="rolesCtxDN" value="OU=Groupes,DC=domain,DC=net"/>
                    <module-option name="roleFilter" value="(member={1})"/>
                    <module-option name="roleAttributeID" value="memberOf"/>
                    <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                    <module-option name="throwValidateError" value="true"/>
                    <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                    <module-option name="distinguishedNameAttribute" value="distinguishedname"/>
                    <module-option name="roleAttributeIsDN" value="true"/>
                    <module-option name="roleNameAttributeID" value="cn"/>
                    <module-option name="roleRecursion" value="1"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="test2322" cache-type="default"/>
    </security-domains>
</subsystem>
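Two things in the security domain above deserve attention before it goes anywhere near production. The provider URL ldap://ldapserver:389 sends the bind password and every user's login password to the directory in cleartext, and bindCredential=password stores the service account's password in plaintext in standalone.xml. The following variant is an added example and not part of the original post: it switches the connection to LDAPS and replaces the literal bind password with a reference to the WildFly password vault. The hostname, the vault block name ldap and the attribute name bindCredential are assumptions; the vault entry has to be created beforehand with vault.sh (which also prints the <vault> element to paste into standalone.xml), and the LDAP server's certificate must be trusted by the JVM, for example through a truststore passed via javax.net.ssl.trustStore in standalone.conf.

```xml
<!-- Added example, not from the original post: hardened variant of the LDAPAuth security domain.
     Assumptions: the LDAP server listens with TLS on port 636 and its certificate is trusted by the
     JVM; a vault entry was created beforehand with something like
       vault.sh --keystore vault.keystore --keystore-password <keystore pw> --alias vault \
                --vault-block ldap --attribute bindCredential --sec-attr <bind password> \
                --enc-dir vault/ --iteration 120 --salt 12345678
     which prints the ${VAULT::ldap::bindCredential::1} expression used below and the <vault>
     element that has to be added to standalone.xml. -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="LDAPAuth" cache-type="default">
            <authentication>
                <login-module name="LDAPAuth" code="LdapExtended" flag="required">
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <!-- ldaps:// instead of ldap://: bind credential and user passwords are no longer sent in cleartext -->
                    <module-option name="java.naming.provider.url" value="ldaps://ldapserver:636"/>
                    <!-- dedicated read-only service account, not a personal user -->
                    <module-option name="bindDN" value="CN=Testuser,OU=Groupes,DC=domain,DC=net"/>
                    <!-- resolved from the password vault at runtime; no secret in standalone.xml -->
                    <module-option name="bindCredential" value="${VAULT::ldap::bindCredential::1}"/>
                    <module-option name="baseCtxDN" value="dc=domain,dc=net"/>
                    <module-option name="rolesCtxDN" value="OU=Groupes,DC=domain,DC=net"/>
                    <!-- {1} = DN of the user entry found by baseFilter -->
                    <module-option name="roleFilter" value="(member={1})"/>
                    <module-option name="roleAttributeID" value="memberOf"/>
                    <!-- {0} = username from the login form; JNDI substitutes it as a filter argument -->
                    <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                    <!-- true exposes the LDAP failure reason to the client; keep it on only while debugging -->
                    <module-option name="throwValidateError" value="false"/>
                    <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                    <module-option name="distinguishedNameAttribute" value="distinguishedname"/>
                    <module-option name="roleAttributeIsDN" value="true"/>
                    <module-option name="roleNameAttributeID" value="cn"/>
                    <module-option name="roleRecursion" value="1"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
```

Verify the TLS side first with ldapsearch -H ldaps://ldapserver:636 using the bind account; if that fails with a certificate error, the JVM will fail the same way and the login module reports every login as invalid.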
Project environment
Add a ‘jboss-web.xml’ file that connects your project to the WildFly security domain
To connect your application to the LDAP security domain on the WildFly server, add a jboss-web.xml
file to the WEB-INF
directory of your project:
<jboss-web>
    <security-domain>java:/jaas/LDAPAuth</security-domain>
</jboss-web>
Add a login page in ‘.jsp’ format that POSTs the username and password for LDAP authentication
For FORM authentication you have to create JSP pages containing an HTML form that submits the credentials to the container, which then passes them to the LDAP login module. The action j_security_check and the field names j_username and j_password are fixed by the Servlet specification and must not be changed. Add this login.jsp
file to your webapp
directory:
<form class="col s12" method="post" action="j_security_check">
    <div class='row'>
        <div class='input-field col s12'>
            <input type='text' name='j_username' id='j_username' placeholder="Username" />
        </div>
    </div>
    <div class='row'>
        <div class='input-field col s12'>
            <input type='password' name='j_password' id='j_password' placeholder="Password" />
        </div>
    </div>
    <br />
    <center>
        <div class='row'>
            <button type='submit' name='btn_login' class='col s12 btn btn-large waves-effect red'>Login</button>
        </div>
    </center>
</form>
Add a ‘web.xml’ to your project, if it does not exist yet, with security constraints based on the LDAP group
To define the security constraints you have to add or extend the web.xml
file in the WEB-INF
directory of your project with content similar to this (the role name LDAPGroup must match the cn of the LDAP group the user is a member of):
<security-constraint>
    <display-name>Login Form</display-name>
    <web-resource-collection>
        <web-resource-name>HTML-Auth</web-resource-name>
        <description>application security constraints</description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>LDAPGroup</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>LDAPAuth realm</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
</login-config>
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
<error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/403.html</location>
</error-page>
<security-role>
    <role-name>LDAPGroup</role-name>
</security-role>
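Two details of the web.xml above weaken the protection it is meant to provide. Listing <http-method>GET</http-method> and POST inside the web-resource-collection means that only those two methods are constrained; per the Servlet specification, as soon as any http-method element is present, all other methods (HEAD, PUT, DELETE, OPTIONS, ...) are left unconstrained, so a request to the same URL with a different verb reaches the application without any role check. And <transport-guarantee>NONE</transport-guarantee> lets the browser submit j_username and j_password over plain HTTP. The following web.xml is an added example and not part of the original post: it drops the http-method list so that every method is covered, requires CONFIDENTIAL transport (the container redirects to HTTPS, which assumes an https listener is configured in WildFly), and marks the session cookie HttpOnly and Secure. The page names and the role name are taken from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post: hardened version of the web.xml above.
     Assumes WildFly has an HTTPS listener configured so the CONFIDENTIAL redirect has a target. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <security-constraint>
        <display-name>Login Form</display-name>
        <web-resource-collection>
            <web-resource-name>HTML-Auth</web-resource-name>
            <description>application security constraints</description>
            <url-pattern>/*</url-pattern>
            <!-- no <http-method> elements: the constraint applies to every HTTP method,
                 so HEAD/PUT/DELETE/OPTIONS cannot bypass the role check -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>LDAPGroup</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- CONFIDENTIAL: plain HTTP is redirected to HTTPS before the login form is shown,
                 so j_username and j_password are never sent in cleartext -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>LDAPAuth realm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <session-config>
        <session-timeout>30</session-timeout>
        <!-- session id only in a cookie (never in the URL), not readable by scripts, only sent over TLS -->
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

    <error-page>
        <error-code>404</error-code>
        <location>/404.html</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/403.html</location>
    </error-page>

    <security-role>
        <role-name>LDAPGroup</role-name>
    </security-role>
</web-app>
```

A quick check after deploying: curl -X HEAD and curl -X OPTIONS against a protected URL should both be redirected to HTTPS and then answered with the login page or 403, never with application content.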
Get the user principal after LDAP authentication
After all this configuration and a successful login, you can get the username from the VaadinRequest
in the init method of your UI
like this (Kotlin); vaadinRequest.isUserInRole("LDAPGroup") tells you whether the LDAP group was mapped to the role:
override fun init(vaadinRequest: VaadinRequest) {
    // userPrincipal is null unless the container has authenticated the request
    val username = vaadinRequest.userPrincipal?.name
}