How to specify Active Directory groups

Aug 6, 2010 at 3:19 PM

Using Waffle (Tomcat/JAAS), how do I limit access to a group?

Say I have an AD structure with a group named "LocalDevelopers".

How do I limit access to that group?

Thanks

Coordinator
Aug 6, 2010 at 6:20 PM
Edited Aug 6, 2010 at 6:20 PM

With a plain security-constraint. Waffle inserts every group name as a "role".

<security-constraint>
  <display-name>Waffle Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>LocalDevelopers</role-name>
  </auth-constraint>
</security-constraint>

Aug 9, 2010 at 12:07 PM

Thanks for the reply. In case someone encounters this in the future, my issue was that I needed to prefix the group with the domain name:

<security-constraint>
  <display-name>Waffle Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>MyDomain\LocalDevelopers</role-name>
  </auth-constraint>
</security-constraint>

Nov 11, 2010 at 9:32 AM

@cwhiteside: thx, saved me lots of time :)

This is how it looks in the Spring Security config for domain TESTDOMAIN:

<sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
  <sec:intercept-url pattern="/testgroupaccess/**" access="ROLE_TESTDOMAIN\TESTGROUP" />
  <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
  <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
</sec:http>

Jan 27, 2011 at 2:54 AM
Edited Jan 27, 2011 at 2:56 AM

Hi dblock, Boris_S,

I tried the same configuration as mentioned in the Spring Security config above but I'm getting the error:

"Unsupported configuration attributes:  [TES_DOMAIN\TEST_GROUP]"

Any idea what's causing it, or am I missing some configuration settings? I'd like to limit access to defined pages of a web application. It uses Spring Security v3.

My config is as follows:

<security:http entry-point-ref="negotiateSecurityFilterEntryPoint">
  <security:intercept-url pattern="/resources/images/**" filters="none"/>
  <security:intercept-url pattern="/resources/css/**" filters="none"/>
  <security:intercept-url pattern="/sample_page.html*" access="TEST_DOMAIN\TEST_GROUP"/>
  <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
  <security:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER"/>
</security:http>

Thank you.

Coordinator
Jan 27, 2011 at 1:48 PM
richie_balais wrote:

"Unsupported configuration attributes:  [TES_DOMAIN\TEST_GROUP]"

I think you have to prepend this with ROLE_, so ROLE_TES_DOMAIN\TEST_GROUP. Does this work? 

Feb 4, 2011 at 7:15 AM

Amazing! It did work.

Access value should be: ROLE_TEST_DOMAIN\ROLE_TEST_GROUP

Thank you!
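
Added example (not from any poster in this thread and not Waffle's own code): a small check against Spring Security 3's RoleVoter showing how it treats an access value with and without the ROLE_ prefix, and that the comparison with the user's authority is case-sensitive. It assumes spring-security-core 3.x on the classpath; the class name RolePrefixCheck, the user name and the authority string given to the test token are constructed for illustration, using the TESTDOMAIN\TESTGROUP names from the config posted above.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class RolePrefixCheck {

    // Translate the voter's int result into a readable word.
    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        RoleVoter voter = new RoleVoter(); // default role prefix is "ROLE_"

        // Constructed stand-in for an authenticated user. Assumption: the AD
        // group reaches Spring Security as this exact authority string.
        Authentication user = new TestingAuthenticationToken(
                "TESTDOMAIN\\someuser", "n/a", "ROLE_TESTDOMAIN\\TESTGROUP");

        String[] accessValues = {
            "TESTDOMAIN\\TESTGROUP",       // no prefix
            "ROLE_TESTDOMAIN\\TESTGROUP",  // prefix, same case as the authority
            "ROLE_testdomain\\testgroup",  // prefix, different case
        };

        for (String access : accessValues) {
            ConfigAttribute attr = new SecurityConfig(access);
            List<ConfigAttribute> attrs = SecurityConfig.createList(access);
            // supports(): does the voter recognise this attribute at all?
            // vote(): does the user's authority match it?
            System.out.printf("%-28s supports=%-5b vote=%s%n", access,
                    voter.supports(attr), describe(voter.vote(user, null, attrs)));
        }
    }
}
```

An access value that no configured voter supports is what Spring Security rejects at startup as an unsupported configuration attribute.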