4

I have a WebLogic server using an external LDAP as the provider for authentication. I then need to recover the groups that a specific user is associated with in an LDAP repository.

The login uses standard java notation:

<form method="POST" action="j_security_check">
<p>Username: <input type="text" name="j_username"/></p>
<p>Password: <input type="password" name="j_password"/></p>
<input type="submit" value="Login"/>
</form>

And after the login I can recover the Principal using: <%= request.getUserPrincipal() %>

But what I need now is to recover all associated groups for this principal from LDAP. Is it possible?

[]s

groo

3 Answers

2

It may not be possible to get a list of all groups without using LDAP. JAAS APIs generally give you a way to ask whether the user belongs to a certain group but not to get all groups at once.

The best you may be able to do without accessing LDAP directly is something like

// allGroups: the role/group names the application knows about.
// HttpServletRequest.isUserInRole(...) only answers yes/no for one role at a time.
List<String> userGroups = new ArrayList<>();
for (String group : allGroups) {
  if (request.isUserInRole(group)) {
    userGroups.add(group);
  }
}

The performance hit should not be too bad if you do it once on session creation and then make userGroups session-scoped. (The container may well get all the groups on login.)

wrschneider
  • Hi, after researching for a while I do agree with you. My final solution for this problem actually had to use request.isUserInRole and the workaround to get the groups required me to use a proprietary internal weblogic class. – groo Aug 16 '11 at 13:56
  • Oh, complementing, but I did not actually have to loop through all groups: after a successful log in using the standard Form method I was able to just check request.isUserInRole to solve my problem. – groo Aug 16 '11 at 13:57
1

I had the same problem. Looking on Google I found this: http://buttso.blogspot.com/2011/06/weblogic-server-listing-groups-of.html

I hope this helps you!

user1214052
1

There might be many answers. One possible answer is to construct a base DN using the principal and query the directory server using a scope of base, a filter '(&)' and request the isMemberOf attribute. For example, on my test system using a modern ldapsearch command line tool and a principal of user.0:

ldapsearch --hostname localhost --port 1389 \
    --bindDN 'cn=directory manager' --baseDn \
    'uid=user.0,ou=people,dc=example,dc=com' \
    --searchScope base '(&)' isMemberOf
Password for user 'cn=directory manager':
dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=shadow entries,ou=groups,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com

This method requires knowledge of the namingContext, in this case dc=example,dc=com, and where the users are located in the tree. Another, similar method when the location of the user is not known would be to first search for the user, then use the distinguished name from the search results to perform the above query. If the namingContext is not known, it might be possible to discover the namingContext from the root DSE. To recover the namingContext from the root DSE, see this article.

There are some widely used directory servers that do not correctly support the LDAP standard and will reject the filter '(&)'; if your directory server is one of these, simply substitute the presence filter '(objectClass=*)'. There are many LDAP SDKs for Java; the one I prefer is the one from UnboundID.

Terry Gardner
  • Hi Terry, but in my understanding this would require a direct access to the ldap server, my point would be using the JAAS API to query the LDAP. Any ideas? – groo Aug 09 '11 at 14:02
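The lookup Terry Gardner's answer describes (discover the naming context from the root DSE, find the user's DN, then read isMemberOf with a base-scope search and fall back to '(objectClass=*)' where '(&)' is rejected), written out in Java with the UnboundID SDK the answer recommends. This is an added example, not code from the answer or from the asker's application: it assumes the caller already holds an LDAPConnection bound with a read-only service account (not the directory manager used in the ldapsearch sample), that the name from request.getUserPrincipal().getName() is the entry's uid, and that the server exposes isMemberOf (Active Directory and OpenLDAP's memberof overlay use memberOf instead).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;

public class PrincipalGroups {
    // Groups of the logged-in principal (e.g. "user.0"): discover the naming
    // context from the root DSE, locate the user's DN under it, then read
    // isMemberOf from that DN with a base-scope search. (Assumed: uid == principal name.)
    public static List<String> groupsForPrincipal(LDAPConnection conn, String uid)
            throws LDAPException {
        RootDSE rootDSE = conn.getRootDSE();
        String[] contexts = (rootDSE == null) ? null : rootDSE.getNamingContextDNs();
        if (contexts == null || contexts.length == 0) {
            throw new LDAPException(ResultCode.NO_SUCH_OBJECT,
                    "root DSE does not expose namingContexts");
        }
        List<String> groups = new ArrayList<>();
        for (String base : contexts) {
            // createEqualityFilter escapes uid, so '*' or ')' in it cannot alter the filter.
            for (SearchResultEntry user : conn.search(base, SearchScope.SUB,
                    Filter.createEqualityFilter("uid", uid), "1.1").getSearchEntries()) {
                SearchResultEntry entry = readGroups(conn, user.getDN());
                String[] values = (entry == null) ? null : entry.getAttributeValues("isMemberOf");
                if (values != null) {
                    groups.addAll(Arrays.asList(values));
                }
            }
        }
        return groups;
    }

    // '(&)' is the standard absolute-true filter; some servers reject it, so
    // retry with the presence filter '(objectClass=*)' as the answer suggests.
    private static SearchResultEntry readGroups(LDAPConnection conn, String dn)
            throws LDAPException {
        try {
            return conn.searchForEntry(dn, SearchScope.BASE, Filter.createANDFilter(), "isMemberOf");
        } catch (LDAPException e) {
            return conn.searchForEntry(dn, SearchScope.BASE,
                    Filter.createPresenceFilter("objectClass"), "isMemberOf");
        }
    }
}
```

Cache the returned list in the HTTP session at login, as the accepted answer suggests for the isUserInRole loop, rather than querying the directory on every request.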