Apache Tomcat can do container managed security, where Tomcat connects to an identity data store for user authentication. The Apache Tomcat Realm Configuration HOW-TO explains generally how to set this up.

This article demonstrates how to set up Tomcat 7 to use OpenDJ with a JNDIRealm for a virtual host. The basic setup sidesteps some of the complexity by using a single OpenDJ server, though the JNDIRealm lets you set both a connectionURL and an alternateURL to allow for failover. The basic setup also does not cover securing the connection from Tomcat to OpenDJ. If you deploy OpenDJ as an identity store for Tomcat in production, then Tomcat should connect to OpenDJ using StartTLS or LDAPS, so that passwords are not sent in clear text when users authenticate.

Users and Roles in OpenDJ

In order to have some test users, you can import Example.ldif into a dc=example,dc=com suffix in OpenDJ at installation time. (See the OpenDJ Installation Guide for help installing the latest nightly build of OpenDJ.) Here is a search on a famous example user:

$ /path/to/OpenDJ/bin/ldapsearch -p 1389 -b dc=example,dc=com uid=bjensen cn uid mail
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Barbara Jensen
cn: Babs Jensen
mail: bjensen@example.com

Roles in Apache Tomcat map to groups in OpenDJ. Therefore, define a couple of groups to use with Tomcat.

dn: cn=tomcat,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
description: An entry for the "tomcat" role
cn: tomcat
uniqueMember: uid=kvaughan,ou=People,dc=example,dc=com
uniqueMember: uid=bjensen,ou=People,dc=example,dc=com

dn: cn=role1,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
description: An entry for the "role1" Tomcat role
cn: role1
uniqueMember: uid=kvaughan,ou=People,dc=example,dc=com

Tomcat Configuration

For the Tomcat realm configuration, the following definition connects to OpenDJ on the local host, port 1389 (OpenDJ's default LDAP port when it is not run as root on Linux or UNIX), and lets users log in by uid (for example, Babs Jensen logs in as bjensen).

<Realm   className="org.apache.catalina.realm.JNDIRealm"
     connectionURL="ldap://localhost:1389"
       userPattern="uid={0},ou=people,dc=example,dc=com"
      userRoleName="isMemberOf"
          roleBase="ou=groups,dc=example,dc=com"
          roleName="cn"
        roleSearch="(uniqueMember={0})"
/>

With this configuration, Tomcat derives a user's roles in two ways: from the isMemberOf attribute on the user entry (userRoleName), and by searching under ou=groups for group entries whose uniqueMember matches the user's DN (roleBase and roleSearch). The role name is the cn of the matching group.
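To make the role resolution concrete, here is an added example (not Tomcat or OpenDJ code) that models what the JNDIRealm above does against an in-memory copy of the page's entries: build the user DN from userPattern, check the password, then union the roles found through isMemberOf and through roleSearch. The directory, the kvaughan password and the simplified DN normalisation are constructed for the example; a real deployment performs an LDAP bind and search against OpenDJ.

```python
import re
# Constructed in-memory directory mirroring the page's LDIF (DN -> attributes).
# isMemberOf is a virtual attribute in OpenDJ; here it is written out by hand.
DIRECTORY = {
    "uid=bjensen,ou=People,dc=example,dc=com": {
        "uid": ["bjensen"], "userPassword": ["hifalutin"],
        "isMemberOf": ["cn=tomcat,ou=Groups,dc=example,dc=com"]},
    "uid=kvaughan,ou=People,dc=example,dc=com": {
        "uid": ["kvaughan"], "userPassword": ["placeholder-password"],  # constructed
        "isMemberOf": ["cn=tomcat,ou=Groups,dc=example,dc=com",
                       "cn=role1,ou=Groups,dc=example,dc=com"]},
    "cn=tomcat,ou=Groups,dc=example,dc=com": {
        "cn": ["tomcat"], "uniqueMember": ["uid=kvaughan,ou=People,dc=example,dc=com",
                                           "uid=bjensen,ou=People,dc=example,dc=com"]},
    "cn=role1,ou=Groups,dc=example,dc=com": {
        "cn": ["role1"], "uniqueMember": ["uid=kvaughan,ou=People,dc=example,dc=com"]},
}
# The same attribute values as the page's <Realm> element.
REALM = {"userPattern": "uid={0},ou=people,dc=example,dc=com",
         "userRoleName": "isMemberOf", "roleBase": "ou=groups,dc=example,dc=com",
         "roleName": "cn", "roleSearch": "(uniqueMember={0})"}

def norm_dn(dn):
    """Simplified DN normalisation; DN matching is case-insensitive, which is why
    the lowercase userPattern still matches the mixed-case entries above."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_entry(dn):
    return next((a for d, a in DIRECTORY.items() if norm_dn(d) == norm_dn(dn)), None)

def resolve_roles(user_dn, attrs):
    """Union of roles from isMemberOf and from roleSearch under roleBase."""
    roles = set()
    for group_dn in attrs.get(REALM["userRoleName"], []):
        roles.update((find_entry(group_dn) or {}).get(REALM["roleName"], []))
    search_attr = re.fullmatch(r"\((\w+)=\{0\}\)", REALM["roleSearch"]).group(1)
    for entry_dn, entry in DIRECTORY.items():
        if norm_dn(entry_dn).endswith("," + norm_dn(REALM["roleBase"])):
            if norm_dn(user_dn) in {norm_dn(m) for m in entry.get(search_attr, [])}:
                roles.update(entry.get(REALM["roleName"], []))
    return sorted(roles)

def authenticate(username, password):
    """Bind-style check (a plaintext compare stands in for the LDAP bind):
    build the DN from userPattern, verify the password, return roles or None."""
    user_dn = REALM["userPattern"].replace("{0}", username)
    attrs = find_entry(user_dn)
    if attrs is None or password not in attrs.get("userPassword", []):
        return None
    return resolve_roles(user_dn, attrs)
```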

Add the definition to /path/to/tomcat/conf/server.xml, for example inside the <Host> element.

Make sure OpenDJ is running, and then restart Tomcat to be sure the changes take effect.

Smoke Test

Try the example application with form-based login shipped with Tomcat, http://localhost:8080/examples/jsp/security/protected/

Log in as bjensen with password hifalutin.

At this point you can add your own protected applications.