Waffle Tomcat role-name and Active Directory


Ilan Schwarts

Feb 3, 2016, 1:50:19 AM
to waffle
Hi, I integrated Waffle and now I am applying the security constraint to the website. I want users from a certain AD group to be able to access the site.
This is an intranet website; it is a private site on a domain.
I have created an Active Directory group "workflowusers":

Then I added a user to the group (the user is member of the group now), finally I defined the following in web.xml:
<security-constraint>
    <display-name>not relevant</display-name>
    <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>workflowusers</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>not relevant</description>
    <role-name>workflowusers</role-name>
</security-role>

This gives me error 403 access denied.
When I replace the role-name with "Everyone" or "*" it works, but then all domain users can visit the address. I need to restrict it to the people of a certain group.
<role-name>Everyone</role-name> OR <role-name>*</role-name>


How can I do it?
Did I define it wrong in Active Directory?

Thanks

Daniel Doubrovkine

Feb 3, 2016, 6:56:30 AM
to waffle...@googlegroups.com
I think you need a domain name, like DOMAIN\workflowusers.


Ilan Schwarts

Feb 3, 2016, 7:00:54 AM
to waffle
Do I need to map the Active Directory group to role names, using a JNDIRealm or something like that? I tried with the domain name; it did not help. How does Tomcat know what the role-name is in Active Directory? Should I create a mapping between Tomcat users and groups and Active Directory users and groups?

Daniel Doubrovkine

Feb 3, 2016, 7:07:34 AM
to waffle...@googlegroups.com
These are mapped 1:1, that is, "role" = "security group". Look in the Tomcat logs or use a JSP to list all of the user's group memberships; the name must match exactly.

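A diagnostic page of the kind suggested above, added here as an example (it is not code from the thread and not part of Waffle itself). It assumes Waffle's Tomcat authenticator valve/realm integration is in use, as the poster's web.xml security-constraint implies, and that Waffle's principal for that integration extends Tomcat's org.apache.catalina.realm.GenericPrincipal, so the exact role strings Tomcat compares against <role-name> can be read with getRoles(). The domain EXAMPLE and the group workflowusers are placeholders for the poster's values; whoami.jsp is a hypothetical file name.

```jsp
<%@ page contentType="text/plain; charset=UTF-8" %>
<%@ page import="java.security.Principal" %>
<%@ page import="org.apache.catalina.realm.GenericPrincipal" %>
<%
    // whoami.jsp (hypothetical name). Place it under a url-pattern that is
    // NOT covered by the failing <auth-constraint> (or temporarily protect it
    // with <role-name>*</role-name>), otherwise the 403 hides the output.
    Principal p = request.getUserPrincipal();
    if (p == null) {
        out.println("No authenticated principal: the Waffle authenticator did not run for this request.");
        return;
    }
    out.println("Principal name: " + p.getName());

    // Assumption: Waffle's Tomcat principal extends GenericPrincipal, so the
    // roles Tomcat consults for <auth-constraint> are exposed by getRoles().
    if (p instanceof GenericPrincipal) {
        out.println("Role strings Tomcat will compare with <role-name> (brackets show stray whitespace):");
        for (String role : ((GenericPrincipal) p).getRoles()) {
            out.println("  [" + role + "]");
        }
    } else {
        out.println("Principal class " + p.getClass().getName() + " is not a GenericPrincipal; role list unavailable.");
    }

    // Candidate spellings of the group. Exactly one of these should print
    // true once the name matches; that string goes into web.xml verbatim.
    String[] candidates = {
        "workflowusers",                 // bare group name, as in the original web.xml
        "EXAMPLE\\workflowusers",        // DOMAIN\group, the form Waffle normally reports
        "Everyone"                       // the builtin group that made the constraint pass for everyone
    };
    for (String c : candidates) {
        out.println("isUserInRole(\"" + c + "\") = " + request.isUserInRole(c));
    }
%>
```

Once the listing shows an entry such as [EXAMPLE\workflowusers], that exact string replaces workflowusers in both the <auth-constraint> and the <security-role> of web.xml; the backslash needs no escaping in XML. If the valve's roleFormat attribute is set to sid rather than the default fqn, the list contains SIDs instead of names and the <role-name> must match the SID. The page reports only the calling user's own memberships, but it still reveals domain group names, so remove it once the constraint is fixed.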

Ilan Schwarts

Feb 3, 2016, 9:34:49 AM
to waffle
OK, I have successfully solved this issue as you said; I had to use the textbox input to check whether the user is granted the roles, until I got it.

Daniel Doubrovkine

Feb 3, 2016, 11:35:35 AM
to waffle...@googlegroups.com
It would be amazing if you could contribute to the documentation on https://github.com/dblock/waffle, possibly in FAQ form!

Ram K

Aug 17, 2023, 3:51:18 PM
to waffle
Hi Ilan Schwarts, could you please provide some info on how you fixed the issue?

I have the same error/issue now, I am trying to fix it.

Thank you,
Ram K
