Hi Ron/Dean,
The approach I used was not to build guvnor from source but use a maven war overload, that way you can separately manage any changes from the original source.
There is one tricky bit I found though. You must use the guvnor war from the download distribution, not the one that's in the jboss mvn repo. For some reason they are different, and you will see GWT warnings about serialization if you get the wrong one.
Regards Ross
Ross,
As Dean indicated, we have our Guvnor/ActiveDirectory implementation working and we know how to remediate the null password issue, but cannot get a 5.1.1 version to compile. If you can return us a .jar or .class file for the source noted below that would be great. If you can also give us any guidance on how to get a build configuration working properly that is also appreciated as we would like to be able to make modifications (if the need arises).
Thanks in advance,
- Ron Rock.
Vice President, Technology
basys inc.
-----Original Message-----
From: rules-users-bounces@lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On Behalf Of Dean Whisnant
Sent: Friday, June 17, 2011 5:40 PM
To: Rules Users List
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
Ross,
Thank you for the detailed recommendation. We've been working to get this straightened out and finally have our authentication worked out except for the null password issue. Do you have a compiled version of that jar for 5.1.1? We've been trying to compile this through the guvnor project, but keep having issues with dependencies. Any suggestions?
The manipulated .java file looks like:
/**
* Copyright 2010 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.drools.guvnor.server.security;
/*
* Copyright 2005 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.drools.core.util.DateUtils;
import org.drools.guvnor.client.rpc.SecurityService;
import org.drools.guvnor.client.rpc.UserSecurityContext;
import org.drools.guvnor.client.security.Capabilities;
import org.jboss.seam.Component;
import org.jboss.seam.contexts.Contexts; import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity; import org.jboss.seam.security.permission.RoleBasedPermissionResolver;
/**
* This implements security related services.
* @author Michael Neale
*/
public class SecurityServiceImpl
implements
SecurityService {
public static final String GUEST_LOGIN = "guest";
private static final Logger log = LoggerFactory.getLogger( SecurityServiceImpl.class );
static final Map<String, String> PREFERENCES = loadPrefs();
public boolean login(String userName,
String password) {
// if ( userName == null || userName.trim().equals( "" ) ) {
// userName = "admin";
// }
if ( userName == null || userName.trim().equals( "" ) ) {
return false;
}
if ( password == null || password.trim().equals( "" ) ) {
return false;
}
log.info( "Logging in user [" + userName + "]" );
if ( Contexts.isApplicationContextActive() ) {
// Check for banned characters in user name
// These will cause the session to jam if you let them go further
char[] bannedChars = {'\'', '*', '[', ']'};
for ( int i = 0; i < bannedChars.length; i++ ) {
char c = bannedChars[i];
if ( userName.indexOf( c ) >= 0 ) {
log.error( "Not a valid name character " + c );
return false;
}
}
Identity.instance().getCredentials().setUsername( userName );
Identity.instance().getCredentials().setPassword( password );
try {
Identity.instance().authenticate();
} catch ( LoginException e ) {
log.error( "Unable to login.", e );
return false;
}
return Identity.instance().isLoggedIn();
} else {
return true;
}
}
public UserSecurityContext getCurrentUser() {
if ( Contexts.isApplicationContextActive() ) {
if ( !Identity.instance().isLoggedIn() ) {
//check to see if we can autologin
return new UserSecurityContext( checkAutoLogin() );
}
return new UserSecurityContext( Identity.instance().getCredentials().getUsername() );
} else {
// HashSet<String> disabled = new HashSet<String>();
//return new UserSecurityContext(null);
return new UserSecurityContext( "SINGLE USER MODE (DEBUG) USE ONLY" );
}
}
/**
* This will return a auto login user name if it has been configured.
* Autologin means that its not really logged in, but a generic username will be used.
* Basically means security is bypassed.
*
*/
private String checkAutoLogin() {
Identity id = Identity.instance();
id.getCredentials().setUsername( GUEST_LOGIN );
try {
id.authenticate();
} catch ( LoginException e ) {
return null;
}
if ( id.isLoggedIn() ) {
return id.getCredentials().getUsername();
} else {
return null;
}
}
public Capabilities getUserCapabilities() {
if ( Contexts.isApplicationContextActive() ) {
if ( Identity.instance().hasRole( RoleTypes.ADMIN ) ) {
return Capabilities.all( PREFERENCES );
}
RoleBasedPermissionResolver resolver = (RoleBasedPermissionResolver) Component.getInstance( "org.jboss.seam.security.roleBasedPermissionResolver" );
if ( !resolver.isEnableRoleBasedAuthorization() ) {
return Capabilities.all( PREFERENCES );
}
CapabilityCalculator c = new CapabilityCalculator();
RoleBasedPermissionManager permManager = (RoleBasedPermissionManager) Component.getInstance( "roleBasedPermissionManager" );
List<RoleBasedPermission> permissions = permManager.getRoleBasedPermission();
if ( permissions.size() == 0 ) {
Identity.instance().logout();
throw new AuthorizationException( "This user has no permissions setup." );
}
return c.calcCapabilities( permissions,
PREFERENCES );
} else {
return Capabilities.all( PREFERENCES );
}
}
private static Map<String, String> loadPrefs() {
Properties ps = new Properties();
try {
ps.load( SecurityServiceImpl.class.getResourceAsStream( "/preferences.properties" ) );
Map<String, String> prefs = new HashMap<String, String>();
for ( Object o : ps.keySet() ) {
String feature = (String) o;
prefs.put( feature,
ps.getProperty( feature ) );
}
setSystemProperties( prefs );
return prefs;
} catch ( IOException e ) {
log.info( "Couldn't find preferences.properties - using defaults" );
return new HashMap<String, String>();
}
}
/**
* Set system properties.
* If the system properties were not set, set them to Preferences so we can access them in client side.
* @param prefs
*/
private static void setSystemProperties(Map<String, String> prefs) {
final String dateFormat = "drools.dateformat";
final String defaultLanguage = "drools.defaultlanguage";
final String defaultCountry = "drools.defaultcountry";
// Set properties that were specified in the properties file
if ( prefs.containsKey( dateFormat ) ) {
System.setProperty( dateFormat,
prefs.get( dateFormat ) );
}
if ( prefs.containsKey( defaultLanguage ) ) {
System.setProperty( defaultLanguage,
prefs.get( defaultLanguage ) );
}
if ( prefs.containsKey( defaultCountry ) ) {
System.setProperty( defaultCountry,
prefs.get( defaultCountry ) );
}
// If properties were not set in the file, use the defaults
if ( !prefs.containsKey( dateFormat ) ) {
prefs.put( dateFormat,
DateUtils.getDateFormatMask() );
}
if ( !prefs.containsKey( defaultLanguage ) ) {
prefs.put( defaultLanguage,
System.getProperty( defaultLanguage ) );
}
if ( !prefs.containsKey( defaultCountry ) ) {
prefs.put( defaultCountry,
System.getProperty( defaultCountry ) );
}
}
}
Thanks
Dean
-----Original Message-----
From: rules-users-bounces@lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On Behalf Of HALL, Ross
Sent: Monday, May 02, 2011 5:37 PM
To: 'Rules Users List'
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
This is the configuration I have used in components.xml in Guvnor 5.1.1 on Tomcat 6.x, linux server:
<!-- SECURITY IDENTITY CONFIGURATION --> <security:ldap-identity-store name="ldapIdentityStore"
server-address="xxx.xxx.xxx"
server-port="389"
bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
bind-credentials="*******"
user-DN-prefix="CN="
user-name-attribute="sAMAccountName"
user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-DN-prefix="CN="
role-name-attribute="member"
role-object-classes="group"
role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-role-attribute="memberOf"
user-object-classes="user"
role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity authenticate-method="#{authenticator.authenticate}"/> -->
Note: The authenticate-method is commented out. This allows for a custom authentication method and is not required in this instance.
I also found that if a user authenticates with a blank or empty password, they are authenticated and given the role of anonymous. As Drools Guvnor only uses external authentication and manages authorisation internally, this allowed users to log in with a blank or empty password, essentially circumventing authentication.
This was addressed by modifying the SecurityServiceImpl with Guvnor to prevent this:
// Modified from original to ensure no empty or blank passwords if ( password == null || password.trim().equals("")) {
return false;
}
A further modification removed log.errors to improve the readability of log files.
// Changed log.error to log.warn with userName log.warn( "Unable to login user [" + userName + "]" );
Autologin was also disabled. This is a feature of Guvnor to support out of the box use without security. However it caused multiple spurious logging errors.
// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );
Regards Ross
From: rules-users-bounces@lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: rules-users@lists.jboss.org
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory
Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know the components.xml file is where we setup the security, but I haven't been able to find any examples of using active directory in my config. I am using 5.1.1 of Guvnor, 7.x of Tomcat, on a windows server.
Any thoughts?
Thanks
Dean
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system.
_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users