[rules-users] guvnor - role based auth enabled - cannot use backup URL anymore

Jervisliu jliu at redhat.com
Sun Jan 17 22:53:03 EST 2010


The backup service is protected by role-based-authorization in Drools 5 
Guvnor (it was unprotected in Drools 4). Guvnor is using session cookies 
to track user authentication. In theory we could use wget to log in 
first; once we get the session cookies we can use this session to access 
the backup service. I.e., something like below:

1. wget --save-cookies cookies.txt --keep-session-cookies \
     --post-data="user=foo&password=bar" \
     http://localhost:8080/drools-guvnor/org.drools.guvnor.Guvnor/Guvnor.html

2. wget --keep-session-cookies --load-cookies cookies.txt \
     -O repository_export.zip \
     http://localhost:8080/drools-guvnor/org.drools.guvnor.Guvnor/backup

However, this approach does not work in reality. Guvnor is based on GWT. 
The Guvnor login screen takes user name and password, then calls the 
server side login method using GWT RPC. There is no such entry point in 
Guvnor that takes an HTTP POST request to log in, thus there is no way to 
get a session cookie.

An alternative is to start a separate authentication in 
RepositoryBackupServlet. I am going to provide a fix on trunk using this 
approach. See https://jira.jboss.org/jira/browse/GUVNOR-496 for details.

Cheers,
Jervis Liu

 
John Walker wrote:
> All,
>
> I am using drools5 guvnor, and I have enabled the role based 
> permissions.  
>
> I have been using wget and this URL to get repository backups 
> - http://localhost:4980/guvnor/org.drools.guvnor.Guvnor/backup 
>
> Once I enabled role based permissions, when I use the backup URL, I 
> get an HTTP response code of 500.  In a browser, the backup URL 
> produces the 500 response with the message that the user is not logged in.
>
> How can I use the backup URL with role based permissions enabled?  I 
> can find something other than wget, but I don't know how to specify 
> the authorization credentials with the request or remove the access 
> restrictions on the URL.
>
> Does anyone know how to do this?
>
> Thanks,
> John
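Added example, not part of the original messages and not Guvnor code: a scheduled backup job built on the two wget steps above can fail without anyone noticing, because step 1 never yields a session cookie and the backup URL then returns an error body instead of an archive. The checks below catch both cases; the cookie name JSESSIONID and all function names are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: post-run checks for the two wget steps (not Guvnor code).
# Assumption: the servlet container names its session cookie JSESSIONID.

# True if the Netscape-format cookie jar (7 tab-separated fields per cookie,
# name in field 6, value in field 7) holds a non-empty cookie called NAME.
has_session_cookie() {
    [ -r "$1" ] || return 1
    awk -F '\t' -v name="${2:-JSESSIONID}" '
        /^#HttpOnly_/ { sub(/^#HttpOnly_/, "") }  # prefix some tools add
        /^#/ || NF != 7 { next }                  # comments, blank lines
        $6 == name && $7 != "" { found = 1 }
        END { exit !found }
    ' "$1"
}

# True if the file starts with a ZIP signature: "PK\003\004" (local file
# header) or "PK\005\006" (empty archive). An HTML error page fails this.
is_zip_archive() {
    [ -s "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        504b0304|504b0506) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one status word; returns non-zero unless both checks pass.
check_backup() {
    has_session_cookie "$1" || { echo "no-session-cookie"; return 1; }
    is_zip_archive "$2"     || { echo "not-a-zip"; return 2; }
    echo "ok"
}

# Constructed sample data: a jar with no cookies in it, a jar with a
# made-up session id, an error body saved as .zip, and a ZIP header.
demo() {
    d=$(mktemp -d) || return 1
    printf '# HTTP cookie file.\n' > "$d/empty.txt"
    printf 'localhost:8080\tFALSE\t/drools-guvnor\tFALSE\t0\tJSESSIONID\tCONSTRUCTED123\n' > "$d/good.txt"
    printf '<html>user is not logged in</html>' > "$d/error.zip"
    printf 'PK\003\004rest-of-archive' > "$d/good.zip"
    check_backup "$d/empty.txt" "$d/error.zip" || :
    check_backup "$d/good.txt" "$d/error.zip" || :
    check_backup "$d/good.txt" "$d/good.zip" || :
    rm -rf "$d"
}
demo
```

In a backup job, call check_backup with cookies.txt and repository_export.zip after the two wget commands and alert on any status other than "ok".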