Good afternoon gentlemen,
I'm trying to use an openDS LDAP to authenticate users on DCM4CHEE. I'm using DCM4CHEE MySQL 2.15.0.
When I log in with a person that has a WebAdmin role, I get a 403 and DCM4CHEE Web gets stuck on that error page. Maybe there's some redirection error?
When I log in with a person that has a WebUser role, I can see the web management page with Folder and AE Management tabs.
I modeled users inside an organizational unit (ou=usuariosPACS), and the DCM4CHEE role is in the *description* attribute of the person.
On the other hand, if I create a group for each role (WebUser, WebAdmin, JBossAdmin, ...), I don't know how to make a mapping between those roles and the groups.
Also, with my model I don't know how to add multiple roles for a person, and that's a requirement I have.
I'm sure there are better ways of modeling this than mine; I'm just starting with LDAP. Any suggestions are very appreciated.
It is really difficult to find a complete example of how to configure DCM4CHEE to work with LDAP, and with openDS specifically. Any thoughts are welcome!
Cheers,
Pablo.
Now some context:
1. When I try to access with this user:
dn: cn=bcardozo,ou=usuariosPACS,dc=example,dc=com
cn: bcardozo
description: WebAdmin
givenName: Barbara
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
sn: Cardozo
telephoneNumber: 1234567
uid: bcardozo
userPassword:: e1NTSEF9U0NSRjZMcDRxak5LeGFuVzNBdVZPdGJqQTJpcW5jTEg4bW85Tmc9PQ==
2. The log looks good:
13:10:58,471 DEBUG org.jboss.security.plugins.JaasSecurityManagerService Added dcm4chee, org.jboss.security.plugins.SecurityDomainContext@88a2db to map
13:10:58,471 TRACE org.jboss.security.plugins.JaasSecurityManager.dcm4chee Begin isValid, principal:bcardozo, cache info: null
13:10:58,471 TRACE org.jboss.security.plugins.JaasSecurityManager.dcm4chee defaultLogin, principal=bcardozo
13:10:58,471 TRACE org.jboss.security.auth.login.XMLLoginConfigImpl Begin getAppConfigurationEntry(dcm4chee), size=10
13:10:58,471 TRACE org.jboss.security.auth.login.XMLLoginConfigImpl End getAppConfigurationEntry(dcm4chee), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=baseFilter, value=(uid={0})
name=java.naming.security.authentication, value=simple
name=roleFilter, value=(uid={0})
name=allowEmptyPasswords, value=false
name=bindCredential, value=pab
name=bindDN, value=cn=Directory Manager
name=rolesCtxDN, value=ou=usuariosPACS,dc=example,dc=com
name=baseCtxDN, value=ou=usuariosPACS,dc=example,dc=com
name=roleAttributeID, value=description
13:10:58,473 TRACE org.jboss.security.auth.spi.LdapExtLoginModule initialize, instance=@30557505
13:10:58,473 TRACE org.jboss.security.auth.spi.LdapExtLoginModule Security domain: dcm4chee
13:10:58,473 TRACE org.jboss.security.auth.spi.LdapExtLoginModule login
13:10:58,496 TRACE org.jboss.security.auth.spi.LdapExtLoginModule Assign user to role WebAdmin
13:10:58,496 TRACE org.jboss.security.auth.spi.LdapExtLoginModule User 'bcardozo' authenticated, loginOk=true
13:10:58,496 TRACE org.jboss.security.auth.spi.LdapExtLoginModule commit, loginOk=true
13:10:58,496 TRACE org.jboss.security.plugins.JaasSecurityManager.dcm4chee defaultLogin, lc=javax.security.auth.login.LoginContext@14b85ae, subject=Subject(20283102).principals=org.jboss.security.SimplePrincipal@386451(bcardozo)org.jboss.security.SimpleGroup@19086300(Roles(members:WebAdmin))
13:10:58,497 TRACE org.jboss.security.plugins.JaasSecurityManager.dcm4chee updateCache, inputSubject=Subject(20283102).principals=org.jboss.security.SimplePrincipal@386451(bcardozo)org.jboss.security.SimpleGroup@19086300(Roles(members:WebAdmin)), cacheSubject=Subject(18628925).principals=org.jboss.security.SimplePrincipal@386451(bcardozo)org.jboss.security.SimpleGroup@19086300(Roles(members:WebAdmin))
13:10:58,497 TRACE org.jboss.security.plugins.JaasSecurityManager.dcm4chee Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1ff3565[Subject(18628925).principals=org.jboss.security.SimplePrincipal@386451(bcardozo)org.jboss.security.SimpleGroup@19086300(Roles(members:WebAdmin)),credential.class=java.lang.String@9788629,expirationTime=1379176858471]
13:10:58,497 TRACE org.jboss.security.plugins.JaasSecurityManager.dcm4chee End isValid, true
13:10:58,503 TRACE org.jboss.security.SecurityAssociation pushSubjectContext, subject=Subject:
Principal: bcardozo
Principal: Roles(members:WebAdmin)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@106173b{principal=bcardozo,subject=14630844}
13:10:58,503 TRACE org.jboss.security.plugins.JaasSecurityManager.dcm4chee getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@1ff3565[Subject(18628925).principals=org.jboss.security.SimplePrincipal@386451(bcardozo)org.jboss.security.SimpleGroup@19086300(Roles(members:WebAdmin)),credential.class=java.lang.String@9788629,expirationTime=1379176858471]
13:10:58,503 TRACE org.jboss.security.SecurityAssociation getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@106173b{principal=bcardozo,subject=14630844}
13:10:58,503 TRACE org.jboss.security.plugins.JaasSecurityManager.dcm4chee getUserRoles, subject: Subject:
Principal: bcardozo
Principal: Roles(members:WebAdmin)
3. I get this message in the web browser (the problem is I can't go back to the login page; instead DCM4CHEE Web is stuck here and I need to restart the server):
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
4. My config appears in the log, but in case you need it (it is the same for jmx-console, dcm4chee, dcm4chee-dicom and web-console):
<application-policy name="web-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://192.168.1.105:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">cn=Directory Manager</module-option>
      <module-option name="bindCredential">pab</module-option>
      <module-option name="baseCtxDN">ou=usuariosPACS,dc=example,dc=com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="rolesCtxDN">ou=usuariosPACS,dc=example,dc=com</module-option>
      <module-option name="roleFilter">(uid={0})</module-option>
      <module-option name="roleAttributeID">description</module-option>
    </login-module>
  </authentication>
</application-policy>
5. With this user, the login goes OK and I can see the management web page (Folder tab with the list of studies):
dn: uid=ppazos,ou=usuariosPACS,dc=example,dc=com
cn: ppazos
description: WebUser
givenName: Pablo
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
sn: Pazos Gutierrez
telephoneNumber: 099043145
uid: ppazos
userPassword:: e1NTSEF9bmUvS2lxNDJwZnU5YTBCMlAxTzZ0OUMvYXlFZzV1TTdUVHdMSnc9PQ==
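As an added example that is not part of Pablo's post nor code from dcm4chee or JBoss, the Python below replays the two-step lookup LdapExtLoginModule performs with the posted options (baseCtxDN/baseFilter to find the user, then rolesCtxDN/roleFilter/roleAttributeID to collect roles, with {0} replaced by the username and {1} by the user's DN) against a small constructed in-memory directory. It covers both questions in the post: several roles on one person come from several values of the multi-valued description attribute, and the group-based mapping works by pointing rolesCtxDN at a groups container, matching the user DN through each group's member attribute with roleFilter=(member={1}) and taking the group's cn as the role name. The ou=grupos container, the groupOfNames entries and the one-equality filter evaluator are assumptions made for illustration; the real module accepts full LDAP filter syntax.

```python
"""Role resolution in the style of LdapExtLoginModule, replayed against a
constructed in-memory directory (added example, not code from the post).

Two role models are compared:
  1. role names stored in a multi-valued attribute of the user entry
     (the posted model: roleAttributeID=description, roleFilter=(uid={0}));
  2. roles as groups in a separate, hypothetical ou=grupos container, matched
     through the group's member attribute (roleFilter=(member={1}),
     roleAttributeID=cn).

Only single-equality filters of the form (attr=value) are evaluated: a
deliberate simplification of the module's real LDAP filter support.
"""
import re

# Constructed directory: dn -> {attribute: [values]}.  Values are lists
# because LDAP attributes such as description and member are multi-valued.
DIRECTORY = {
    "cn=bcardozo,ou=usuariosPACS,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bcardozo"],
        "cn": ["bcardozo"],
        "description": ["WebAdmin", "WebUser"],   # two roles on one person
    },
    "uid=ppazos,ou=usuariosPACS,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["ppazos"],
        "cn": ["ppazos"],
        "description": ["WebUser"],
    },
    # Hypothetical group container: one groupOfNames entry per role.
    "cn=WebAdmin,ou=grupos,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["WebAdmin"],
        "member": ["cn=bcardozo,ou=usuariosPACS,dc=example,dc=com"],
    },
    "cn=WebUser,ou=grupos,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["WebUser"],
        "member": ["cn=bcardozo,ou=usuariosPACS,dc=example,dc=com",
                   "uid=ppazos,ou=usuariosPACS,dc=example,dc=com"],
    },
}

_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^()]*)\)$")


def _search(directory, ctx_dn, ldap_filter):
    """Return the DNs below ctx_dn (subtree scope) whose entry matches the
    single equality filter.  Attribute values compare case-insensitively."""
    m = _FILTER.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter, only (attr=value) is handled: " + ldap_filter)
    attr, value = m.group("attr"), m.group("value").lower()
    suffix = "," + ctx_dn.lower()
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(suffix)
            and value in (v.lower() for v in attrs.get(attr, []))]


def resolve_roles(directory, username, *, base_ctx_dn, base_filter,
                  roles_ctx_dn, role_filter, role_attribute_id):
    """Locate the unique user entry, then search the roles context with
    {0}=username and {1}=user DN substituted into roleFilter and collect
    every value of roleAttributeID from the matching entries.
    Returns None when no unique user entry exists (login would fail)."""
    users = _search(directory, base_ctx_dn, base_filter.replace("{0}", username))
    if len(users) != 1:
        return None
    user_dn = users[0]
    flt = role_filter.replace("{0}", username).replace("{1}", user_dn)
    roles = set()
    for dn in _search(directory, roles_ctx_dn, flt):
        roles.update(directory[dn].get(role_attribute_id, []))
    return sorted(roles)


# The posted configuration: roles read from the person's own description attribute.
ATTRIBUTE_MODEL = dict(
    base_ctx_dn="ou=usuariosPACS,dc=example,dc=com", base_filter="(uid={0})",
    roles_ctx_dn="ou=usuariosPACS,dc=example,dc=com", role_filter="(uid={0})",
    role_attribute_id="description",
)

# Group-based alternative: each role is a group whose member attribute lists user DNs.
GROUP_MODEL = dict(
    base_ctx_dn="ou=usuariosPACS,dc=example,dc=com", base_filter="(uid={0})",
    roles_ctx_dn="ou=grupos,dc=example,dc=com", role_filter="(member={1})",
    role_attribute_id="cn",
)

if __name__ == "__main__":
    for name, cfg in (("attribute", ATTRIBUTE_MODEL), ("group", GROUP_MODEL)):
        for user in ("bcardozo", "ppazos", "nobody"):
            print(f"{name:9s} {user:9s} -> {resolve_roles(DIRECTORY, user, **cfg)}")
```

With the group model the person entries carry no role information at all, so adding or removing a role is a change to one group's member list rather than an edit of the user, and the same bind account needs read access to both containers. Whichever model is used, the roles the module actually produced are the ones visible in the log line "Assign user to role ..." and in the Roles(members:...) group of the cached subject, which is the place to compare against the role names the web application's security constraints expect.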