Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

Ross, Thank you for the detailed recommendation. We've been working to get this straightened out and finally have our authentication worked out except for the null password issue. Do you have a compiled version of that jar for 5.1.1? We've been trying to compile this through the guvnor project, but keep having issues with dependencies. Any suggestions? The manipulated .java file looks like: /** * Copyright 2010 JBoss Inc * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.drools.guvnor.server.security; /* * Copyright 2005 JBoss Inc * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ import java.io.IOException; import java.util.HashMap; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Properties; import javax.security.auth.login.LoginException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.drools.core.util.DateUtils; import org.drools.guvnor.client.rpc.SecurityService; import org.drools.guvnor.client.rpc.UserSecurityContext; import org.drools.guvnor.client.security.Capabilities; import org.jboss.seam.Component; import org.jboss.seam.contexts.Contexts; import org.jboss.seam.security.AuthorizationException; import org.jboss.seam.security.Identity; import org.jboss.seam.security.permission.RoleBasedPermissionResolver; /** * This implements security related services. * @author Michael Neale */ public class SecurityServiceImpl implements SecurityService { public static final String GUEST_LOGIN = "guest"; private static final Logger log = LoggerFactory.getLogger( SecurityServiceImpl.class ); static final Map<String, String> PREFERENCES = loadPrefs(); public boolean login(String userName, String password) { // if ( userName == null || userName.trim().equals( "" ) ) { // userName = "admin"; // } if ( userName == null || userName.trim().equals( "" ) ) { return false; } if ( password == null || password.trim().equals( "" ) ) { return false; } log.info( "Logging in user [" + userName + "]" ); if ( Contexts.isApplicationContextActive() ) { // Check for banned characters in user name // These will cause the session to jam if you let them go further char[] bannedChars = {'\'', '*', '[', ']'}; for ( int i = 0; i < bannedChars.length; i++ ) { char c = bannedChars[i]; if ( userName.indexOf( c ) >= 0 ) { log.error( "Not a valid name character " + c ); return false; } } Identity.instance().getCredentials().setUsername( userName ); Identity.instance().getCredentials().setPassword( password ); try { Identity.instance().authenticate(); } catch ( LoginException e ) { log.error( "Unable to login.", e ); return false; } return Identity.instance().isLoggedIn(); } else { return true; } } public UserSecurityContext getCurrentUser() { if ( Contexts.isApplicationContextActive() ) { if ( !Identity.instance().isLoggedIn() ) { //check to see if we can autologin return new UserSecurityContext( checkAutoLogin() ); } return new UserSecurityContext( Identity.instance().getCredentials().getUsername() ); } else { // HashSet<String> disabled = new HashSet<String>(); //return new UserSecurityContext(null); return new UserSecurityContext( "SINGLE USER MODE (DEBUG) USE ONLY" ); } } /** * This will return a auto login user name if it has been configured. * Autologin means that its not really logged in, but a generic username will be used. * Basically means security is bypassed. * */ private String checkAutoLogin() { Identity id = Identity.instance(); id.getCredentials().setUsername( GUEST_LOGIN ); try { id.authenticate(); } catch ( LoginException e ) { return null; } if ( id.isLoggedIn() ) { return id.getCredentials().getUsername(); } else { return null; } } public Capabilities getUserCapabilities() { if ( Contexts.isApplicationContextActive() ) { if ( Identity.instance().hasRole( RoleTypes.ADMIN ) ) { return Capabilities.all( PREFERENCES ); } RoleBasedPermissionResolver resolver = (RoleBasedPermissionResolver) Component.getInstance( "org.jboss.seam.security.roleBasedPermissionResolver" ); if ( !resolver.isEnableRoleBasedAuthorization() ) { return Capabilities.all( PREFERENCES ); } CapabilityCalculator c = new CapabilityCalculator(); RoleBasedPermissionManager permManager = (RoleBasedPermissionManager) Component.getInstance( "roleBasedPermissionManager" ); List<RoleBasedPermission> permissions = permManager.getRoleBasedPermission(); if ( permissions.size() == 0 ) { Identity.instance().logout(); throw new AuthorizationException( "This user has no permissions setup." ); } return c.calcCapabilities( permissions, PREFERENCES ); } else { return Capabilities.all( PREFERENCES ); } } private static Map<String, String> loadPrefs() { Properties ps = new Properties(); try { ps.load( SecurityServiceImpl.class.getResourceAsStream( "/preferences.properties" ) ); Map<String, String> prefs = new HashMap<String, String>(); for ( Object o : ps.keySet() ) { String feature = (String) o; prefs.put( feature, ps.getProperty( feature ) ); } setSystemProperties( prefs ); return prefs; } catch ( IOException e ) { log.info( "Couldn't find preferences.properties - using defaults" ); return new HashMap<String, String>(); } } /** * Set system properties. * If the system properties were not set, set them to Preferences so we can access them in client side. * @param prefs */ private static void setSystemProperties(Map<String, String> prefs) { final String dateFormat = "drools.dateformat"; final String defaultLanguage = "drools.defaultlanguage"; final String defaultCountry = "drools.defaultcountry"; // Set properties that were specified in the properties file if ( prefs.containsKey( dateFormat ) ) { System.setProperty( dateFormat, prefs.get( dateFormat ) ); } if ( prefs.containsKey( defaultLanguage ) ) { System.setProperty( defaultLanguage, prefs.get( defaultLanguage ) ); } if ( prefs.containsKey( defaultCountry ) ) { System.setProperty( defaultCountry, prefs.get( defaultCountry ) ); } // If properties were not set in the file, use the defaults if ( !prefs.containsKey( dateFormat ) ) { prefs.put( dateFormat, DateUtils.getDateFormatMask() ); } if ( !prefs.containsKey( defaultLanguage ) ) { prefs.put( defaultLanguage, System.getProperty( defaultLanguage ) ); } if ( !prefs.containsKey( defaultCountry ) ) { prefs.put( defaultCountry, System.getProperty( defaultCountry ) ); } } } Thanks Dean -----Original Message----- From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On Behalf Of HALL, Ross Sent: Monday, May 02, 2011 5:37 PM To: 'Rules Users List' Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory This is the configuration I have used in components.xml in Guvnor 5.1.1 on Tomcat 6.x, linux server: <!-- SECURITY IDENTITY CONFIGURATION --> <security:ldap-identity-store name="ldapIdentityStore" server-address="xxx.xxx.xxx" server-port="389" bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx" bind-credentials="*******" user-DN-prefix="CN=" user-name-attribute="sAMAccountName" user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx" user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx" role-DN-prefix="CN=" role-name-attribute="member" role-object-classes="group" role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx" role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx" user-role-attribute="memberOf" user-object-classes="user" role-attribute-is-DN="false" /> <security:identity-manager identity-store="#{ldapIdentityStore}" /> <!-- <security:identity authenticate-method="#{authenticator.authenticate}"/> --> Note: The authenticate-method is commented out. This allows for a custom authentication method and is not required in this instance. I also found that if a user authenticates with a blank or empty password, they are authenticated and given the role of anonymous. As Drools Guvnor only uses external authentication and manages authorisation internally, this allowed users to log in with a blank or empty password, essentially circumventing authentication. This was addressed by modifying the SecurityServiceImpl with Guvnor to prevent this: // Modified from original to ensure no empty or blank passwords if ( password == null || password.trim().equals("")) { return false; } A further modification removed log.errors to improve the readability of log files. // Changed log.error to log.warn with userName log.warn( "Unable to login user [" + userName + "]" ); Autologin was also disabled. This is a feature of Guvnor to support out of the box use without security. However it caused multiple spurious logging errors. // Disable autologin return new UserSecurityContext( null ); //check to see if we can autologin //return new UserSecurityContext( checkAutoLogin() ); Regards Ross From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On Behalf Of Dean Whisnant Sent: Monday, 2 May 2011 12:42 PM To: rules-users(a)lists.jboss.org Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know the components.xml file is where we setup the security, but I haven't been able to find any examples of using active directory in my config. I am using 5.1.1 of Guvnor, 7.x of Tomcat, on a windows server. Any thoughts? Thanks Dean This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related entities "Suncorp". Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at suncorp.com.au. The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system. _______________________________________________ rules-users mailing list rules-users(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/rules-users