Authenticate a Deployed Web-App against an LDAP and enforce HTTPS on the Web-App

  • By Manisha Eleperuma
  • 31 Jul, 2012

Applies To

WSO2 Application Server - trunk revision 4.5.0

Contents

Configure WSO2 AS with external LDAP
Write the Web-app with LDAP Authentication
Enforce HTTPS when Accessing the Web-app

Configure WSO2 AS with external LDAP

  • Step 1

In order to implement authentication for the web-application, the 'web application container' needs to be connected with the particular user store. In this tutorial, I have discussed how to connect an external LDAP user store with the WSO2 Application Server, which will be the deployment environment for the web-app.

Download the latest version of AS from here. Extract the downloaded binary distribution to a preferred location of your file system. We will refer to it as AS_HOME.

  • Step 2

Open the user-mgt.xml in the Application Server (AS_HOME/repository/conf/user-mgt.xml). By default, it has an embedded internal JDBC user store.

In the previous releases of WSO2 AS, prior to Carbon 4.0.0, the default user management component was handled by the embedded ApacheDS LDAP store.

  • Step 3

Update the main User Manager Realm Configuration in user-mgt.xml with the relevant Admin role, Admin Username and the Admin Password as used in the LDAP server.

 

 <UserManager> 
   <Realm> 
      <Configuration> 
        <AdminRole>Admin role name as in LDAP server</AdminRole> 
        <AdminUser> 
             <UserName>Admin user name as in LDAP server</UserName> 
            <Password>Admin password as in LDAP server</Password> 
        </AdminUser> 
   .......................

 

  • Step 4

Modify the user-mgt.xml. Comment out the existing UserStoreManager segment. Then edit the configuration for the external LDAP as follows

<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager"> 
  <Property name="ReadOnly">true</Property> 
  <Property name="MaxUserNameListLength">100</Property> 
  <Property name="ConnectionURL">ldap://ip_address</Property> 
  <Property name="ConnectionName">uid=docrepo,ou=staff,dc=wso2,dc=com</Property> 
  <Property name="ConnectionPassword">password</Property> 
  <Property name="UserSearchBase">ou=staff,dc=wso2,dc=com</Property> 
  <Property name="UserNameListFilter">(objectClass=inetOrgPerson)</Property> 
  <Property name="UserNameAttribute">uid</Property> 
  <Property name="ReadLDAPGroups">false</Property> 
  <Property name="GroupSearchBase">dc=wso2,dc=com</Property> 
  <Property name="GroupNameListFilter">(objectClass=organizationalUnit)</Property> 
  <Property name="GroupNameAttribute">ou</Property> 
  <Property name="MembershipAttribute">member</Property> 
  <Property name="UserRolesCacheEnabled">true</Property> 
</UserStoreManager>

 

  • Step 5

Start the WSO2 AS, done by running sh wso2server.sh within the AS_HOME/bin directory in a terminal. If you have successfully configured the WSO2 AS with the LDAP, the server should be successfully started.

 

Write the Web-app with LDAP Authentication

  • Step 1

Now we will create a simple web-app that authenticates the users who access the web-app. The authentication will be done against the earlier configured LDAP. The web - app will have login.jsp (the login page), loginProcess.jsp (which actually holds the logic of authenticating against the LDAP) and the index.jsp

  • Step 2

The main login.jsp will contain a form where it performs a POST action and passes the Username and Password to loginProcess.jsp where the validation occurs. The user name and the password is captured from the HTTP request. From org.wso2.carbon.user.api.UserRealm's authenticate function, the authentication can be done with the captured user name and the password given as the arguments.

Refer the code segment below.

 try {
     CarbonContext context = CarbonContext.getCurrentContext();
     UserRealm realm = context.getUserRealm();
     status = realm.getUserStoreManager().authenticate(username, password);
} catch (UserStoreException e) {
     e.printStackTrace();
}

For the compiling and functioning of the web-app with login, the following jars need to be placed within the web-app's lib directory and should be added to the build path of the application.

  • javax.servlet-api-3.0.1.jar
  • org.wso2.carbon.context_4.0.0.SNAPSHOT.jar
  • org.wso2.carbon.user.api_4.0.0.SNAPSHOT.jar

The required Carbon jars can be found from AS_HOME/repository/components/plugins directory.

  • Step 3

Following the above validation, if the validation success, the logged-in attribute and the username attribute can be set into the session, so that it can be persisted throughout the web-app's life cycle.

    session.setAttribute("logged-in", "true");
    session.setAttribute("username", username);
  • Step 5

Now we will create look at how the index page is formed. We will enforce a validation in the index.jsp, in such a way that the page can be accessed if and only if the logged in user is authorized. This check can be performed as below.

  if (request.getParameter("logout") == null  && session.getAttribute("logged-in") != null) {

Likewise, for every page in the web-app this condition can be applied.

  • Step 6

Make sure no compile errors are there in the web-app and compile this to a deployable .WAR file. Since the WSO2 AS is up and running now, we will deploy the created web-app in AS. Login to AS with your LDAP admin credentials. Go to Main tab. Navigate to Web Applications menu and click on Add. Browse for the created .WAR file and upload it. Within a couple of seconds, the web-app will be deployed successfully in your AS. If you check the console, you will get a similar log as follows.

INFO {org.wso2.carbon.tomcat.internal.CarbonTomcat} -  web application context: StandardEngine[Catalina].StandardHost[localhost].StandardContext[/TestWebApp]
INFO {org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer} -  Deployed webapp: StandardEngine[Catalina].StandardHost[localhost].StandardContext[/TestWebApp].File[/home/manisha/trunkBuilds/AS/wso2as-4.5.0-SNAPSHOT/repository/deployment/server/webapps/TestWebApp.war]
  • Step 5

If you navigate to WSO2 AS's List option under Web Applications menu, you will see the deployed web app has been listed there. Now you can access the web-app via the URL https://localhost:9763/TestWebApp/ or by clicking on Go To URL Action that appears along with the deployed web-app in the list.

You can now login to the application using your user name and password as it appears in the LDAP server.

Enforce HTTPS when Accessing the Web-app

  • Step 1

Right now, the web-app is accessible via both HTTP and HTTPS (You can check this by accessing the web-app via https://localhost:9443/TestWebApp/ ). But in a production environment, Security is critical on web applications. Therefore to ensure secure transport, any application should be exposed only through HTTPS. With a simple configuration addition to the web-app's web.xml file, this requirement can be achieved.

<security-constraint> 
        <web-resource-collection> 
            <web-resource-name>Secured Resources</web-resource-name> 
            <url-pattern>/*</url-pattern> 
            <http-method>GET</http-method> 
            <http-method>POST</http-method> 
            <http-method>PUT</http-method> 
            <http-method>DELETE</http-method> 
        </web-resource-collection> 

        <user-data-constraint> 
            <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
        </user-data-constraint>
</security-constraint>

If we look in to the following elements in the above "security-constraint" element:

1. url-pattern : Here you need to specify for which url pattern you need to enforce https. Since we need to make it applicable for the entire web app, we should make it /*. Or else, according to the requirement, only the necessary resources that needs to be secured can be specified.

2. http-method : Here you can specify to which HTTP methods you need to enforce this security constraint.

3. transport-guarantee : There are three permitted values for this attribute namely NONE, INTEGRAL and CONFIDENTIAL.

i. NONE - Here, no transport guarantees are specified. This is the default if there is no user-data-constraint defined.

ii. CONFIDENTIAL - Data must be sent in a way that guarantees it canot be observed during transmission (ie: data is encrypted, SSL achieves this)

iii. INTEGRAL - Data is be sent in a way that guarantees it cannot be changed during transmission (ie: data is checksummed, SSL achieves this)

 

  • Step 2

With the above changes, re-deploy the web-app. Now you will be able to access the web-app only via the HTTPS transport by the URL https://localhost:9443/TestWebApp/

The source code for the sample web-app can be found here.

 

Author

Manisha Eleperuma

Software Engineer, WSO2 Inc.

[email protected]