Define the users who can access the Application Center console and the users who can log in with the mobile client by mapping Java™ Platform, Enterprise Edition roles to LDAP roles.
You configure the Apache Tomcat server for LDAP authentication and configure security (Java™ Platform, Enterprise Edition) in the web.xml file of the Application Center Services web application (applicationcenter.war) and of the Application Center Console web application (appcenterconsole.war).
You must configure a JNDIRealm in the server.xml file in the <Host> element. For more information about configuring a realm, see the Realm Component on the Apache Tomcat website.
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
  ...
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://bluepages.ibm.com:389"
         userSubtree="true"
         userBase="ou=bluepages,o=ibm.com"
         userSearch="(emailAddress={0})"
         roleBase="ou=ibmgroups,o=ibm.com"
         roleName="cn"
         roleSubtree="true"
         roleSearch="(uniqueMember={0})"
         allRolesMode="authOnly"
         commonRole="appcenter"/>
  ...
</Host>
The value of connectionURL is the LDAP URL of your LDAP server.
The userSubtree, userBase, and userSearch attributes define how the name that is entered in the Application Center login form (in the browser message box) is matched to an LDAP user entry.
In the example, the definition of userSearch specifies that the user name is used to match the email address of an LDAP user entry.
The basis or scope of the search is defined by the value of the userBase attribute. In LDAP, an information tree is defined; the user base indicates a node in that tree.
Set the value of userSubtree to true; if it is set to false, the search runs only on the direct child nodes of the user base. It is important that the search penetrates the subtree and does not stop at the first level.
For authentication, you define only the userSubtree, userBase, and userSearch attributes. The Application Center also uses Java EE security roles. Therefore, you must map LDAP attributes to some Java EE roles. In the example, the remaining realm attributes (roleBase, roleName, roleSubtree, roleSearch, allRolesMode, and commonRole) provide that mapping from LDAP attributes to security roles.
After you define the LDAP request for the Java EE roles, you must change the web.xml file of the Application Center Services web application (applicationcenter.war) and of the Application Center Console web application (appcenterconsole.war) to map the Java EE roles of appcenteradmin and appcenteruser to the LDAP roles.
<servlet>
  <servlet-name>...</servlet-name>
  <servlet-class>...</servlet-class>
  <init-param>
    ...
  </init-param>
  <load-on-startup>1</load-on-startup>
  <security-role-ref>
    <role-name>appcenteradmin</role-name>
    <role-link>MyLdapAdmin</role-link>
  </security-role-ref>
  <security-role-ref>
    <role-name>appcenteruser</role-name>
    <role-link>MyLdapUser</role-link>
  </security-role-ref>
</servlet>
<security-role>
  <role-name>MyLdapAdmin</role-name>
</security-role>
<security-role>
  <role-name>MyLdapUser</role-name>
</security-role>
<security-constraint>
  <display-name>appcenteradminConstraint</display-name>
  <web-resource-collection>
    ...
  </web-resource-collection>
  <auth-constraint>
    <role-name>MyLdapAdmin</role-name>
  </auth-constraint>
  <user-data-constraint>
    ...
  </user-data-constraint>
</security-constraint>
and
<security-constraint>
  <display-name>appcenteruserConstraint</display-name>
  <web-resource-collection>
    ...
  </web-resource-collection>
  <auth-constraint>
    <role-name>MyLdapUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    ...
  </user-data-constraint>
</security-constraint>
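As an added configuration check, not part of the IBM documentation or of the Application Center itself: a Python script that parses constructed server.xml and web.xml fragments shaped like the ones above and flags the mistakes the text warns about (userSubtree or roleSubtree not set to true, a role-link or auth-constraint role with no matching security-role), plus a plain ldap:// connectionURL. The hostnames, base DNs and role names in the samples are made up, and the web-app namespace is omitted so the ElementTree paths stay short.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the two fragments (web-app namespace omitted for brevity).
SERVER_XML = """<Host appBase="webapps" name="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.com:389"
         userSubtree="true" userBase="ou=people,o=example.com"
         userSearch="(mail={0})" roleBase="ou=groups,o=example.com"
         roleName="cn" roleSubtree="false" roleSearch="(uniqueMember={0})"
         allRolesMode="authOnly" commonRole="appcenter"/>
</Host>"""
WEB_XML = """<web-app>
  <servlet><servlet-name>ac</servlet-name>
    <security-role-ref><role-name>appcenteradmin</role-name><role-link>MyLdapAdmin</role-link></security-role-ref>
    <security-role-ref><role-name>appcenteruser</role-name><role-link>MyLdapUser</role-link></security-role-ref>
  </servlet>
  <security-role><role-name>MyLdapAdmin</role-name></security-role>
  <security-constraint><auth-constraint>
    <role-name>MyLdapAdmin</role-name></auth-constraint></security-constraint>
  <security-constraint><auth-constraint>
    <role-name>MyLdapUser</role-name></auth-constraint></security-constraint>
</web-app>"""

def check_realm(server_xml):
    # Findings for the JNDIRealm under <Host>; an empty list means nothing was flagged.
    realm = ET.fromstring(server_xml).find(".//Realm")
    if realm is None or realm.get("className") != "org.apache.catalina.realm.JNDIRealm":
        return ["no JNDIRealm configured under <Host>"]
    findings = [f"{a} is missing" for a in ("userBase", "userSearch", "roleBase", "roleSearch") if not realm.get(a)]
    for a in ("userSubtree", "roleSubtree"):
        if realm.get(a) != "true":  # search would stop at the direct children of the base
            findings.append(f"{a} is not true: search does not descend into the subtree")
    if realm.get("connectionURL", "").startswith("ldap://"):
        findings.append("connectionURL is ldap:// not ldaps://: the bind is sent in clear text unless StartTLS is enabled")
    return findings

def check_role_mapping(web_xml):
    # Every <role-link> and every <auth-constraint> role must be a declared <security-role>.
    root = ET.fromstring(web_xml)
    declared = {r.text for r in root.findall("./security-role/role-name")}
    findings = []
    for ref in root.findall("./servlet/security-role-ref"):
        link = ref.findtext("role-link")
        if link not in declared:
            findings.append(f"role-link {link} for {ref.findtext('role-name')} is not declared")
    for rn in root.findall("./security-constraint/auth-constraint/role-name"):
        if rn.text not in declared:
            findings.append(f"auth-constraint role {rn.text} is not declared")
    return findings
```

Run against real files by reading them with `ET.parse(path).getroot()` and stripping the web-app namespace from tag names first, since a deployed web.xml declares one.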