The lines below are extracts from a zero.config file showing how to enable security with IBM LDAP.
Comments:
- You need to generate a key for your application using the command zero secretkey
- You need to set your own LDAP user principal and password; note that the user principal should be in DN format
- It is important to set ldapGroupSearchFilterPattern correctly so that the groups a user is a member of can be extracted; group-based access control depends on it
- The security/authorization.config stanza defines which URL patterns are secured and which group can access them. In the example below, any URL matching /editor, /resources (used for the REST service) or /test is secured and is available to members of GROUP1 only
- Those URL patterns can then be assigned either basic authentication or form-based authentication. In the example below, the /resources pattern is authenticated with the basic scheme while /editor and /test use the form-based scheme.
- The last stanza, security/formLoginURL.config, defines the location of the login form (login.gt here)
- Sample content for login.gt is provided below
- Make sure login.gt is directly under the /public folder, and do not put security constraints on /public itself, since the login page must remain reachable by users who are not yet authenticated
#Ahmed Fadel: Commenting out the line below, which starts with @include,
#disables security entirely
@include "security/enableSecurity.config"
#Ahmed Fadel: the realm name is used for Basic Authentication only
/config/security/realm="myrealm"
#Ahmed Fadel: cd to the project folder and run the command
#zero secretKey
#then copy the generated encrypted value into the stanza below
#The secret key will change during deployment
/config/security/secretKey="<your_secret_key>"
#Ahmed Fadel: The configuration below works for IBM Bluepages
#The security principal is currently set to ccspadmn@us.ibm.com,
#which has a non-expiring password
/config/security/userservice/registryType="ldap"
/config/security/userservice/ldap += {
"jndiProviderUrl" : "ldap://bluepages.ibm.com:389/",
"jndiSecurityPrincipal" : "<your_userid>",
"jndiSecurityCredentials" : "<your_password>",
"ldapUserIdSearchFilterPattern" : "(&(|(mail={0}))(objectclass=ibmPerson))",
"ldapUserIdAttributeType" : "mail",
"ldapUserIdBaseDn" : "ou=bluepages,o=ibm.com",
"ldapGroupBaseDn" : "o=ibm.com",
"ldapGroupSearchFilterPattern" : "(&(uniqueMember={0}) (objectclass=groupOfUniqueNames))"
}
#-- Bluepages LDAP Auth
#-- Conditions define which path(s) are protected (login required)
#-- Groups lists the groups that are allowed to access those paths
#Ahmed Fadel: access is restricted for all paths that start with /editor, /test or /resources
#Members of the Bluepages group named in "groups" (GROUP1 below; e.g. SERVICE_WORKS_EDITOR) are allowed to access those resources
#Any file put directly under /public is not covered by these conditions and is available to everyone
@include "security/authorization.config" {
"conditions": "(/request/path =~ /editor(/.*)?) || (/request/path =~ /resources(/.*)?) || (/request/path =~ /test(/.*)?)",
"groups" : ["GROUP1"]
}
#Form-based authentication is enabled for the /editor and /test paths only
@include "security/formAuthentication.config" {
"conditions": "(/request/path =~ /editor(/.*)?) || (/request/path =~ /test(/.*)?)"
}
#Basic authentication is enabled for /resources only. This protects the REST service when a client
#connects to it directly without going through the editor
@include "security/basicAuthentication.config" {
"conditions": "/request/path =~ /resources(/.*)?"
}
#-- Login form
@include "security/formLoginURL.config"{
"formLoginPage" : "/login.gt"
}
Sample content for login.gt:
<!-- login.gt: the form-login page referenced by security/formLoginURL.config.
     It lives directly under /public so that users who are not yet authenticated can reach it. -->
<html>
<head>
<title>Login Test</title>
<style>
@import "<%=getRelativeUri('/theme.css')%>";
</style>
</head>
<body>
<!-- Show the error box only when the Referer matches the current request URI,
     i.e. the browser was sent back to this same page (presumably after a rejected login). -->
<% if( zget("/request/headers/in/Referer") =~ zget("/request/uri") ){ %>
<div class='error'>
<h2>Invalid user ID or password</h2>
Please verify your ID and password and try again.
</div>
<% } %>
<p>Login using your normal user ID and password:</p>
<!-- Empty action posts back to the URL this page was served from.
     NOTE(review): the field names zeroUserName / zeroPassword look like what the
     form-login handler expects; keep them unchanged unless confirmed otherwise. -->
<form method="POST" action="" name="loginForm">
<!-- optional hidden field to force the target redirect
after login -->
<!--
<input type="hidden" name="postLoginTargetURI" value="/my">
-->
<label for="zeroUserName">User ID:</label><br/>
<input type="text" name="zeroUserName" size='20' /><br/>
<label for="zeroPassword">Password:</label><br/>
<input type="password" name="zeroPassword" size='12' /><br/><br/>
<input type="submit" value="Submit" />
</form>
</body>
</html>