How to configure FTL JAAS LoginModule for authentication and authorization?

Article ID: KB0084728

Products Versions
TIBCO FTL -
Not Applicable -

Description

Resolution:
EMSCA and FTL are fully integrated with JAAS through property files, JDBC through a JDBC driver, JDBC through a DataSource, JNDI lookup, and LDAP. FTL can be configured without any custom code to use Jetty's sample LoginModule implementations. The Jetty login modules (a JAR file) are installed under the FTL bin directory and are set within the FTL startup script.

To configure a JAAS LoginModule, create a JAAS configuration file. For example, a JAAS LDAP LoginModule:

tibrealmserver {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required
  debug="true"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
  hostname="hostname"
  port="389"
  bindDn="cn=Administrator,cn=Users,DC=test,DC=na,DC=tibco,DC=com"
  bindPassword="Tibco123"
  authenticationMethod="simple"
  forceBindingLogin="true"
  userBaseDn="cn=Users,DC=test,DC=na,DC=tibco,DC=com"
  userRdnAttribute="cn"
  userIdAttribute="cn"
  userPasswordAttribute="userPassword"
  userObjectClass="person"
  roleBaseDn="cn=Users,DC=test,DC=na,DC=tibco,DC=com"
  roleNameAttribute="cn"
  roleMemberAttribute="member"
  roleObjectClass="group";
};

If you want to use different authorization groups (also known as roles), create the following LDAP groups in your LDAP server:

===============
ftl --- Members of this group can log in to the realm server to publish/subscribe messages. This group has the permissions of normal FTL clients.

ftl-admin --- Members of this group can log in to the realm server HTTP GUI to view the realm definition and monitoring pages. They can also modify the realm definition and execute administrative operations.

ftl-guest --- Authenticated users in the authorization group ftl-guest can view the realm definition and monitoring pages. However, they cannot modify the realm definition or execute administrative operations.

ftl-primary --- Affiliated realm servers require the primary server to authenticate with a user name in the authorization group ftl-primary.

ftl-satellite --- The primary realm server requires its satellite servers to authenticate with user names in the authorization group ftl-satellite.

ftl-backup --- Each realm server requires its backup realm server to authenticate with a user name in the authorization group ft
===============

You also need to create new LDAP users or use existing LDAP users. Add those users to the corresponding LDAP groups. 
Then start the FTL realm server using the "--jaas" or "--j" option to specify the JAAS config file. Note that you can suppress the requirements on group membership by specifying the flag "--disable.jaas.groups".
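
A pre-start audit of the JAAS file described above, as an added example that is not TIBCO's or Jetty's code: it parses the stanza and reports the settings a reviewer would question before pointing the realm server at a production directory. The names `parse_jaas`, `audit` and `SAMPLE` and the choice of checks are assumptions of this example; the sample stanza is constructed from the one in this article.

```python
import re

# Constructed sample: the article's stanza, trimmed; roleMemberAttribute omitted on purpose.
SAMPLE = """
tibrealmserver {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required
  debug="true"
  hostname="hostname"
  port="389"
  bindDn="cn=Administrator,cn=Users,DC=test,DC=na,DC=tibco,DC=com"
  bindPassword="Tibco123"
  authenticationMethod="simple"
  forceBindingLogin="true"
  roleBaseDn="cn=Users,DC=test,DC=na,DC=tibco,DC=com"
  roleNameAttribute="cn"
  roleObjectClass="group";
};
"""

STANZA = re.compile(r'(\w+)\s*\{\s*([\w.$]+)\s+(\w+)(.*?);\s*\}\s*;', re.S)
OPTION = re.compile(r'([\w.]+)\s*=\s*"((?:[^"\\]|\\.)*)"')
ROLE_OPTIONS = ("roleBaseDn", "roleNameAttribute", "roleMemberAttribute", "roleObjectClass")

def parse_jaas(text):
    """Return {stanza: (module_class, flag, options)}; one module per stanza."""
    return {name: (cls, flag, dict(OPTION.findall(body)))
            for name, cls, flag, body in STANZA.findall(text)}

def audit(text):
    """Return (stanza, option, finding) tuples for settings worth reviewing."""
    findings = []
    for name, (_cls, _flag, opt) in parse_jaas(text).items():
        if opt.get("bindPassword"):
            findings.append((name, "bindPassword",
                "bind account password is stored in clear text; restrict read access to this file"))
        if opt.get("authenticationMethod") == "simple" and opt.get("port") == "389":
            who = "bind and user" if opt.get("forceBindingLogin") == "true" else "bind"
            findings.append((name, "port",
                f"simple bind on port 389 sends {who} passwords unencrypted unless the link is protected"))
        if opt.get("debug", "").lower() == "true":
            findings.append((name, "debug", "debug logging is enabled; review before production use"))
        for key in ROLE_OPTIONS:
            if key not in opt:  # the ftl-* group lookup relies on these options
                findings.append((name, key, "role lookup option from the article's sample is missing"))
    return findings

if __name__ == "__main__":
    for stanza, option, finding in audit(SAMPLE):
        print(f"{stanza}: {option}: {finding}")
```
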

Issue/Introduction

How to configure FTL JAAS LoginModule for authentication and authorization?