9:41 p.m.
Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know the
components.xml file is where we setup the security, but I haven't been able to find
any examples of using active directory in my config. I am using 5.1.1 of Guvnor, 7.x of
Tomcat, on a windows server.
Any thoughts?
Thanks
Dean
4:37 p.m.
This is the configuration I have used in components.xml in Guvnor 5.1.1 on Tomcat 6.x,
linux server:
<!-- SECURITY IDENTITY CONFIGURATION -->
<security:ldap-identity-store name="ldapIdentityStore"
server-address="xxx.xxx.xxx"
server-port="389"
bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
bind-credentials="*******"
user-DN-prefix="CN="
user-name-attribute="sAMAccountName"
user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-DN-prefix="CN="
role-name-attribute="member"
role-object-classes="group"
role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-role-attribute="memberOf"
user-object-classes="user"
role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity
authenticate-method="#{authenticator.authenticate}"/> -->
Note: The authenticate-method is commented out. This allows for a custom authentication
method and is not required in this instance.
I also found that if a user authenticates with a blank or empty password, they are
authenticated and given the role of anonymous. As Drools Guvnor only uses external
authentication and manages authorisation internally, this allowed users to log in with a
blank or empty password, essentially circumventing authentication.
This was addressed by modifying the SecurityServiceImpl with Guvnor to prevent this:
// Modified from original to ensure no empty or blank passwords
if ( password == null || password.trim().equals("")) {
return false;
}
A further modification removed log.errors to improve the readability of log files.
// Changed log.error to log.warn with userName
log.warn( "Unable to login user [" + userName + "]" );
Autologin was also disabled. This is a feature of Guvnor to support out of the box use
without security. However it caused multiple spurious logging errors.
// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );
Regards Ross
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: rules-users(a)lists.jboss.org
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory
Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know the
components.xml file is where we setup the security, but I haven't been able to find
any examples of using active directory in my config. I am using 5.1.1 of Guvnor, 7.x of
Tomcat, on a windows server.
Any thoughts?
Thanks
Dean
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related
entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at
suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not
necessarily reflect the view of Suncorp. The content, including attachments, is a
confidential communication between Suncorp and the intended recipient. If you are not the
intended recipient, any use, interference with, disclosure or copying of this e-mail,
including attachments, is unauthorised and expressly prohibited. If you have received this
e-mail in error please contact the sender immediately and delete the e-mail and any
attachments from your system.
4:40 p.m.
Ross,
Thank you for the detailed recommendation. We've been working to get this
straightened out and finally have our authentication worked out except for the null
password issue. Do you have a compiled version of that jar for 5.1.1? We've been
trying to compile this through the guvnor project, but keep having issues with
dependencies. Any suggestions?
The manipulated .java file looks like:
/**
* Copyright 2010 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.drools.guvnor.server.security;
/*
* Copyright 2005 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.drools.core.util.DateUtils;
import org.drools.guvnor.client.rpc.SecurityService;
import org.drools.guvnor.client.rpc.UserSecurityContext;
import org.drools.guvnor.client.security.Capabilities;
import org.jboss.seam.Component;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.permission.RoleBasedPermissionResolver;
/**
* This implements security related services.
* @author Michael Neale
*/
public class SecurityServiceImpl
implements
SecurityService {
public static final String GUEST_LOGIN = "guest";
private static final Logger log = LoggerFactory.getLogger(
SecurityServiceImpl.class );
static final Map<String, String> PREFERENCES = loadPrefs();
public boolean login(String userName,
String password) {
// if ( userName == null || userName.trim().equals( "" ) ) {
// userName = "admin";
// }
if ( userName == null || userName.trim().equals( "" ) ) {
return false;
}
if ( password == null || password.trim().equals( "" ) ) {
return false;
}
log.info( "Logging in user [" + userName + "]" );
if ( Contexts.isApplicationContextActive() ) {
// Check for banned characters in user name
// These will cause the session to jam if you let them go further
char[] bannedChars = {'\'', '*', '[',
']'};
for ( int i = 0; i < bannedChars.length; i++ ) {
char c = bannedChars[i];
if ( userName.indexOf( c ) >= 0 ) {
log.error( "Not a valid name character " + c );
return false;
}
}
Identity.instance().getCredentials().setUsername( userName );
Identity.instance().getCredentials().setPassword( password );
try {
Identity.instance().authenticate();
} catch ( LoginException e ) {
log.error( "Unable to login.", e );
return false;
}
return Identity.instance().isLoggedIn();
} else {
return true;
}
}
public UserSecurityContext getCurrentUser() {
if ( Contexts.isApplicationContextActive() ) {
if ( !Identity.instance().isLoggedIn() ) {
//check to see if we can autologin
return new UserSecurityContext( checkAutoLogin() );
}
return new UserSecurityContext(
Identity.instance().getCredentials().getUsername() );
} else {
// HashSet<String> disabled = new HashSet<String>();
//return new UserSecurityContext(null);
return new UserSecurityContext( "SINGLE USER MODE (DEBUG) USE ONLY"
);
}
}
/**
* This will return a auto login user name if it has been configured.
* Autologin means that its not really logged in, but a generic username will be
used.
* Basically means security is bypassed.
*
*/
private String checkAutoLogin() {
Identity id = Identity.instance();
id.getCredentials().setUsername( GUEST_LOGIN );
try {
id.authenticate();
} catch ( LoginException e ) {
return null;
}
if ( id.isLoggedIn() ) {
return id.getCredentials().getUsername();
} else {
return null;
}
}
public Capabilities getUserCapabilities() {
if ( Contexts.isApplicationContextActive() ) {
if ( Identity.instance().hasRole( RoleTypes.ADMIN ) ) {
return Capabilities.all( PREFERENCES );
}
RoleBasedPermissionResolver resolver = (RoleBasedPermissionResolver)
Component.getInstance( "org.jboss.seam.security.roleBasedPermissionResolver" );
if ( !resolver.isEnableRoleBasedAuthorization() ) {
return Capabilities.all( PREFERENCES );
}
CapabilityCalculator c = new CapabilityCalculator();
RoleBasedPermissionManager permManager = (RoleBasedPermissionManager)
Component.getInstance( "roleBasedPermissionManager" );
List<RoleBasedPermission> permissions =
permManager.getRoleBasedPermission();
if ( permissions.size() == 0 ) {
Identity.instance().logout();
throw new AuthorizationException( "This user has no permissions
setup." );
}
return c.calcCapabilities( permissions,
PREFERENCES );
} else {
return Capabilities.all( PREFERENCES );
}
}
private static Map<String, String> loadPrefs() {
Properties ps = new Properties();
try {
ps.load( SecurityServiceImpl.class.getResourceAsStream(
"/preferences.properties" ) );
Map<String, String> prefs = new HashMap<String, String>();
for ( Object o : ps.keySet() ) {
String feature = (String) o;
prefs.put( feature,
ps.getProperty( feature ) );
}
setSystemProperties( prefs );
return prefs;
} catch ( IOException e ) {
log.info( "Couldn't find preferences.properties - using
defaults" );
return new HashMap<String, String>();
}
}
/**
* Set system properties.
* If the system properties were not set, set them to Preferences so we can access
them in client side.
* @param prefs
*/
private static void setSystemProperties(Map<String, String> prefs) {
final String dateFormat = "drools.dateformat";
final String defaultLanguage = "drools.defaultlanguage";
final String defaultCountry = "drools.defaultcountry";
// Set properties that were specified in the properties file
if ( prefs.containsKey( dateFormat ) ) {
System.setProperty( dateFormat,
prefs.get( dateFormat ) );
}
if ( prefs.containsKey( defaultLanguage ) ) {
System.setProperty( defaultLanguage,
prefs.get( defaultLanguage ) );
}
if ( prefs.containsKey( defaultCountry ) ) {
System.setProperty( defaultCountry,
prefs.get( defaultCountry ) );
}
// If properties were not set in the file, use the defaults
if ( !prefs.containsKey( dateFormat ) ) {
prefs.put( dateFormat,
DateUtils.getDateFormatMask() );
}
if ( !prefs.containsKey( defaultLanguage ) ) {
prefs.put( defaultLanguage,
System.getProperty( defaultLanguage ) );
}
if ( !prefs.containsKey( defaultCountry ) ) {
prefs.put( defaultCountry,
System.getProperty( defaultCountry ) );
}
}
}
Thanks
Dean
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of HALL, Ross
Sent: Monday, May 02, 2011 5:37 PM
To: 'Rules Users List'
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
This is the configuration I have used in components.xml in Guvnor 5.1.1 on Tomcat 6.x,
linux server:
<!-- SECURITY IDENTITY CONFIGURATION --> <security:ldap-identity-store
name="ldapIdentityStore"
server-address="xxx.xxx.xxx"
server-port="389"
bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
bind-credentials="*******"
user-DN-prefix="CN="
user-name-attribute="sAMAccountName"
user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-DN-prefix="CN="
role-name-attribute="member"
role-object-classes="group"
role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-role-attribute="memberOf"
user-object-classes="user"
role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity
authenticate-method="#{authenticator.authenticate}"/> -->
Note: The authenticate-method is commented out. This allows for a custom authentication
method and is not required in this instance.
I also found that if a user authenticates with a blank or empty password, they are
authenticated and given the role of anonymous. As Drools Guvnor only uses external
authentication and manages authorisation internally, this allowed users to log in with a
blank or empty password, essentially circumventing authentication.
This was addressed by modifying the SecurityServiceImpl with Guvnor to prevent this:
// Modified from original to ensure no empty or blank passwords if ( password == null ||
password.trim().equals("")) {
return false;
}
A further modification removed log.errors to improve the readability of log files.
// Changed log.error to log.warn with userName log.warn( "Unable to login user
[" + userName + "]" );
Autologin was also disabled. This is a feature of Guvnor to support out of the box use
without security. However it caused multiple spurious logging errors.
// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );
Regards Ross
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: rules-users(a)lists.jboss.org
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory
Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know the
components.xml file is where we setup the security, but I haven't been able to find
any examples of using active directory in my config. I am using 5.1.1 of Guvnor, 7.x of
Tomcat, on a windows server.
Any thoughts?
Thanks
Dean
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related
entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at
suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not
necessarily reflect the view of Suncorp. The content, including attachments, is a
confidential communication between Suncorp and the intended recipient. If you are not the
intended recipient, any use, interference with, disclosure or copying of this e-mail,
including attachments, is unauthorised and expressly prohibited. If you have received this
e-mail in error please contact the sender immediately and delete the e-mail and any
attachments from your system.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
4:50 p.m.
Ross,
As Dean indicated, we have our Guvnor/ActiveDirectory implementation working and we know
how to remediate the null password issue, but cannot get a 5.1.1 version to compile. If
you can return us a .jar or .class file for the source noted below that would be great.
If you can also give us any guidance on how to get a build configuration working properly
that is also appreciated as we would like to be able to make modifications (if the need
arises).
Thanks in advance,
- Ron Rock.
Vice President, Technology
basys inc.
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of Dean Whisnant
Sent: Friday, June 17, 2011 5:40 PM
To: Rules Users List
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
Ross,
Thank you for the detailed recommendation. We've been working to get this
straightened out and finally have our authentication worked out except for the null
password issue. Do you have a compiled version of that jar for 5.1.1? We've been
trying to compile this through the guvnor project, but keep having issues with
dependencies. Any suggestions?
The manipulated .java file looks like:
/**
* Copyright 2010 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.drools.guvnor.server.security;
/*
* Copyright 2005 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.drools.core.util.DateUtils;
import org.drools.guvnor.client.rpc.SecurityService;
import org.drools.guvnor.client.rpc.UserSecurityContext;
import org.drools.guvnor.client.security.Capabilities;
import org.jboss.seam.Component;
import org.jboss.seam.contexts.Contexts; import
org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity; import
org.jboss.seam.security.permission.RoleBasedPermissionResolver;
/**
* This implements security related services.
* @author Michael Neale
*/
public class SecurityServiceImpl
implements
SecurityService {
public static final String GUEST_LOGIN = "guest";
private static final Logger log = LoggerFactory.getLogger(
SecurityServiceImpl.class );
static final Map<String, String> PREFERENCES = loadPrefs();
public boolean login(String userName,
String password) {
// if ( userName == null || userName.trim().equals( "" ) ) {
// userName = "admin";
// }
if ( userName == null || userName.trim().equals( "" ) ) {
return false;
}
if ( password == null || password.trim().equals( "" ) ) {
return false;
}
log.info( "Logging in user [" + userName + "]" );
if ( Contexts.isApplicationContextActive() ) {
// Check for banned characters in user name
// These will cause the session to jam if you let them go further
char[] bannedChars = {'\'', '*', '[',
']'};
for ( int i = 0; i < bannedChars.length; i++ ) {
char c = bannedChars[i];
if ( userName.indexOf( c ) >= 0 ) {
log.error( "Not a valid name character " + c );
return false;
}
}
Identity.instance().getCredentials().setUsername( userName );
Identity.instance().getCredentials().setPassword( password );
try {
Identity.instance().authenticate();
} catch ( LoginException e ) {
log.error( "Unable to login.", e );
return false;
}
return Identity.instance().isLoggedIn();
} else {
return true;
}
}
public UserSecurityContext getCurrentUser() {
if ( Contexts.isApplicationContextActive() ) {
if ( !Identity.instance().isLoggedIn() ) {
//check to see if we can autologin
return new UserSecurityContext( checkAutoLogin() );
}
return new UserSecurityContext(
Identity.instance().getCredentials().getUsername() );
} else {
// HashSet<String> disabled = new HashSet<String>();
//return new UserSecurityContext(null);
return new UserSecurityContext( "SINGLE USER MODE (DEBUG) USE ONLY"
);
}
}
/**
* This will return a auto login user name if it has been configured.
* Autologin means that its not really logged in, but a generic username will be
used.
* Basically means security is bypassed.
*
*/
private String checkAutoLogin() {
Identity id = Identity.instance();
id.getCredentials().setUsername( GUEST_LOGIN );
try {
id.authenticate();
} catch ( LoginException e ) {
return null;
}
if ( id.isLoggedIn() ) {
return id.getCredentials().getUsername();
} else {
return null;
}
}
public Capabilities getUserCapabilities() {
if ( Contexts.isApplicationContextActive() ) {
if ( Identity.instance().hasRole( RoleTypes.ADMIN ) ) {
return Capabilities.all( PREFERENCES );
}
RoleBasedPermissionResolver resolver = (RoleBasedPermissionResolver)
Component.getInstance( "org.jboss.seam.security.roleBasedPermissionResolver" );
if ( !resolver.isEnableRoleBasedAuthorization() ) {
return Capabilities.all( PREFERENCES );
}
CapabilityCalculator c = new CapabilityCalculator();
RoleBasedPermissionManager permManager = (RoleBasedPermissionManager)
Component.getInstance( "roleBasedPermissionManager" );
List<RoleBasedPermission> permissions =
permManager.getRoleBasedPermission();
if ( permissions.size() == 0 ) {
Identity.instance().logout();
throw new AuthorizationException( "This user has no permissions
setup." );
}
return c.calcCapabilities( permissions,
PREFERENCES );
} else {
return Capabilities.all( PREFERENCES );
}
}
private static Map<String, String> loadPrefs() {
Properties ps = new Properties();
try {
ps.load( SecurityServiceImpl.class.getResourceAsStream(
"/preferences.properties" ) );
Map<String, String> prefs = new HashMap<String, String>();
for ( Object o : ps.keySet() ) {
String feature = (String) o;
prefs.put( feature,
ps.getProperty( feature ) );
}
setSystemProperties( prefs );
return prefs;
} catch ( IOException e ) {
log.info( "Couldn't find preferences.properties - using
defaults" );
return new HashMap<String, String>();
}
}
/**
* Set system properties.
* If the system properties were not set, set them to Preferences so we can access
them in client side.
* @param prefs
*/
private static void setSystemProperties(Map<String, String> prefs) {
final String dateFormat = "drools.dateformat";
final String defaultLanguage = "drools.defaultlanguage";
final String defaultCountry = "drools.defaultcountry";
// Set properties that were specified in the properties file
if ( prefs.containsKey( dateFormat ) ) {
System.setProperty( dateFormat,
prefs.get( dateFormat ) );
}
if ( prefs.containsKey( defaultLanguage ) ) {
System.setProperty( defaultLanguage,
prefs.get( defaultLanguage ) );
}
if ( prefs.containsKey( defaultCountry ) ) {
System.setProperty( defaultCountry,
prefs.get( defaultCountry ) );
}
// If properties were not set in the file, use the defaults
if ( !prefs.containsKey( dateFormat ) ) {
prefs.put( dateFormat,
DateUtils.getDateFormatMask() );
}
if ( !prefs.containsKey( defaultLanguage ) ) {
prefs.put( defaultLanguage,
System.getProperty( defaultLanguage ) );
}
if ( !prefs.containsKey( defaultCountry ) ) {
prefs.put( defaultCountry,
System.getProperty( defaultCountry ) );
}
}
}
Thanks
Dean
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of HALL, Ross
Sent: Monday, May 02, 2011 5:37 PM
To: 'Rules Users List'
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
This is the configuration I have used in components.xml in Guvnor 5.1.1 on Tomcat 6.x,
linux server:
<!-- SECURITY IDENTITY CONFIGURATION --> <security:ldap-identity-store
name="ldapIdentityStore"
server-address="xxx.xxx.xxx"
server-port="389"
bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
bind-credentials="*******"
user-DN-prefix="CN="
user-name-attribute="sAMAccountName"
user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-DN-prefix="CN="
role-name-attribute="member"
role-object-classes="group"
role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-role-attribute="memberOf"
user-object-classes="user"
role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity
authenticate-method="#{authenticator.authenticate}"/> -->
Note: The authenticate-method is commented out. This allows for a custom authentication
method and is not required in this instance.
I also found that if a user authenticates with a blank or empty password, they are
authenticated and given the role of anonymous. As Drools Guvnor only uses external
authentication and manages authorisation internally, this allowed users to log in with a
blank or empty password, essentially circumventing authentication.
This was addressed by modifying the SecurityServiceImpl with Guvnor to prevent this:
// Modified from original to ensure no empty or blank passwords if ( password == null ||
password.trim().equals("")) {
return false;
}
A further modification removed log.errors to improve the readability of log files.
// Changed log.error to log.warn with userName log.warn( "Unable to login user
[" + userName + "]" );
Autologin was also disabled. This is a feature of Guvnor to support out of the box use
without security. However it caused multiple spurious logging errors.
// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );
Regards Ross
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: rules-users(a)lists.jboss.org
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory
Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know the
components.xml file is where we setup the security, but I haven't been able to find
any examples of using active directory in my config. I am using 5.1.1 of Guvnor, 7.x of
Tomcat, on a windows server.
Any thoughts?
Thanks
Dean
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related
entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at
suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not
necessarily reflect the view of Suncorp. The content, including attachments, is a
confidential communication between Suncorp and the intended recipient. If you are not the
intended recipient, any use, interference with, disclosure or copying of this e-mail,
including attachments, is unauthorised and expressly prohibited. If you have received this
e-mail in error please contact the sender immediately and delete the e-mail and any
attachments from your system.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
6:29 p.m.
Hi Ron/Dean,
The approach I used was not to build guvnor from source but use a maven war
overload, that way you can separately manage any changes from the original
source.
There is one tricky bit I found though. You must use the guvnor war from the
download distribution, not the one that's in the jboss mvn repo. For some
reason they are different, and you will see GWT warnings about serialization
if you get the wrong one.
Regards Ross
On Sat, Jun 18, 2011 at 7:50 AM, Ron Rock <ronr(a)basys.com> wrote:
Ross,
As Dean indicated, we have our Guvnor/ActiveDirectory implementation
working and we know how to remediate the null password issue, but cannot get
a 5.1.1 version to compile. If you can return us a .jar or .class file for
the source noted below that would be great. If you can also give us any
guidance on how to get a build configuration working properly that is also
appreciated as we would like to be able to make modifications (if the need
arises).
Thanks in advance,
- Ron Rock.
Vice President, Technology
basys inc.
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:
rules-users-bounces(a)lists.jboss.org] On Behalf Of Dean Whisnant
Sent: Friday, June 17, 2011 5:40 PM
To: Rules Users List
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
Ross,
Thank you for the detailed recommendation. We've been working to get this
straightened out and finally have our authentication worked out except for
the null password issue. Do you have a compiled version of that jar for
5.1.1? We've been trying to compile this through the guvnor project, but
keep having issues with dependencies. Any suggestions?
The manipulated .java file looks like:
/**
* Copyright 2010 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.drools.guvnor.server.security;
/*
* Copyright 2005 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.drools.core.util.DateUtils;
import org.drools.guvnor.client.rpc.SecurityService;
import org.drools.guvnor.client.rpc.UserSecurityContext;
import org.drools.guvnor.client.security.Capabilities;
import org.jboss.seam.Component;
import org.jboss.seam.contexts.Contexts; import
org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity; import
org.jboss.seam.security.permission.RoleBasedPermissionResolver;
/**
* This implements security related services.
* @author Michael Neale
*/
public class SecurityServiceImpl
implements
SecurityService {
public static final String GUEST_LOGIN = "guest";
private static final Logger log = LoggerFactory.getLogger(
SecurityServiceImpl.class );
static final Map<String, String> PREFERENCES = loadPrefs();
public boolean login(String userName,
String password) {
// if ( userName == null || userName.trim().equals( "" ) ) {
// userName = "admin";
// }
if ( userName == null || userName.trim().equals( "" ) ) {
return false;
}
if ( password == null || password.trim().equals( "" ) ) {
return false;
}
log.info( "Logging in user [" + userName + "]" );
if ( Contexts.isApplicationContextActive() ) {
// Check for banned characters in user name
// These will cause the session to jam if you let them go
further
char[] bannedChars = {'\'', '*', '[',
']'};
for ( int i = 0; i < bannedChars.length; i++ ) {
char c = bannedChars[i];
if ( userName.indexOf( c ) >= 0 ) {
log.error( "Not a valid name character " + c );
return false;
}
}
Identity.instance().getCredentials().setUsername( userName );
Identity.instance().getCredentials().setPassword( password );
try {
Identity.instance().authenticate();
} catch ( LoginException e ) {
log.error( "Unable to login.", e );
return false;
}
return Identity.instance().isLoggedIn();
} else {
return true;
}
}
public UserSecurityContext getCurrentUser() {
if ( Contexts.isApplicationContextActive() ) {
if ( !Identity.instance().isLoggedIn() ) {
//check to see if we can autologin
return new UserSecurityContext( checkAutoLogin() );
}
return new UserSecurityContext(
Identity.instance().getCredentials().getUsername() );
} else {
// HashSet<String> disabled = new HashSet<String>();
//return new UserSecurityContext(null);
return new UserSecurityContext( "SINGLE USER MODE (DEBUG) USE
ONLY" );
}
}
/**
* This will return a auto login user name if it has been configured.
* Autologin means that its not really logged in, but a generic username
will be used.
* Basically means security is bypassed.
*
*/
private String checkAutoLogin() {
Identity id = Identity.instance();
id.getCredentials().setUsername( GUEST_LOGIN );
try {
id.authenticate();
} catch ( LoginException e ) {
return null;
}
if ( id.isLoggedIn() ) {
return id.getCredentials().getUsername();
} else {
return null;
}
}
public Capabilities getUserCapabilities() {
if ( Contexts.isApplicationContextActive() ) {
if ( Identity.instance().hasRole( RoleTypes.ADMIN ) ) {
return Capabilities.all( PREFERENCES );
}
RoleBasedPermissionResolver resolver =
(RoleBasedPermissionResolver) Component.getInstance(
"org.jboss.seam.security.roleBasedPermissionResolver" );
if ( !resolver.isEnableRoleBasedAuthorization() ) {
return Capabilities.all( PREFERENCES );
}
CapabilityCalculator c = new CapabilityCalculator();
RoleBasedPermissionManager permManager =
(RoleBasedPermissionManager) Component.getInstance(
"roleBasedPermissionManager" );
List<RoleBasedPermission> permissions =
permManager.getRoleBasedPermission();
if ( permissions.size() == 0 ) {
Identity.instance().logout();
throw new AuthorizationException( "This user has no
permissions setup." );
}
return c.calcCapabilities( permissions,
PREFERENCES );
} else {
return Capabilities.all( PREFERENCES );
}
}
private static Map<String, String> loadPrefs() {
Properties ps = new Properties();
try {
ps.load( SecurityServiceImpl.class.getResourceAsStream(
"/preferences.properties" ) );
Map<String, String> prefs = new HashMap<String, String>();
for ( Object o : ps.keySet() ) {
String feature = (String) o;
prefs.put( feature,
ps.getProperty( feature ) );
}
setSystemProperties( prefs );
return prefs;
} catch ( IOException e ) {
log.info( "Couldn't find preferences.properties - using
defaults" );
return new HashMap<String, String>();
}
}
/**
* Set system properties.
* If the system properties were not set, set them to Preferences so we
can access them in client side.
* @param prefs
*/
private static void setSystemProperties(Map<String, String> prefs) {
final String dateFormat = "drools.dateformat";
final String defaultLanguage = "drools.defaultlanguage";
final String defaultCountry = "drools.defaultcountry";
// Set properties that were specified in the properties file
if ( prefs.containsKey( dateFormat ) ) {
System.setProperty( dateFormat,
prefs.get( dateFormat ) );
}
if ( prefs.containsKey( defaultLanguage ) ) {
System.setProperty( defaultLanguage,
prefs.get( defaultLanguage ) );
}
if ( prefs.containsKey( defaultCountry ) ) {
System.setProperty( defaultCountry,
prefs.get( defaultCountry ) );
}
// If properties were not set in the file, use the defaults
if ( !prefs.containsKey( dateFormat ) ) {
prefs.put( dateFormat,
DateUtils.getDateFormatMask() );
}
if ( !prefs.containsKey( defaultLanguage ) ) {
prefs.put( defaultLanguage,
System.getProperty( defaultLanguage ) );
}
if ( !prefs.containsKey( defaultCountry ) ) {
prefs.put( defaultCountry,
System.getProperty( defaultCountry ) );
}
}
}
Thanks
Dean
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:
rules-users-bounces(a)lists.jboss.org] On Behalf Of HALL, Ross
Sent: Monday, May 02, 2011 5:37 PM
To: 'Rules Users List'
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
This is the configuration I have used in components.xml in Guvnor 5.1.1 on
Tomcat 6.x, linux server:
<!-- SECURITY IDENTITY CONFIGURATION --> <security:ldap-identity-store
name="ldapIdentityStore"
server-address="xxx.xxx.xxx"
server-port="389"
bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
bind-credentials="*******"
user-DN-prefix="CN="
user-name-attribute="sAMAccountName"
user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-DN-prefix="CN="
role-name-attribute="member"
role-object-classes="group"
role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-role-attribute="memberOf"
user-object-classes="user"
role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity
authenticate-method="#{authenticator.authenticate}"/> -->
Note: The authenticate-method is commented out. This allows for a custom
authentication method and is not required in this instance.
I also found that if a user authenticates with a blank or empty password,
they are authenticated and given the role of anonymous. As Drools Guvnor
only uses external authentication and manages authorisation internally, this
allowed users to log in with a blank or empty password, essentially
circumventing authentication.
This was addressed by modifying the SecurityServiceImpl with Guvnor to
prevent this:
// Modified from original to ensure no empty or blank passwords if (
password == null || password.trim().equals("")) {
return false;
}
A further modification removed log.errors to improve the readability of log
files.
// Changed log.error to log.warn with userName log.warn( "Unable to login
user [" + userName + "]" );
Autologin was also disabled. This is a feature of Guvnor to support out of
the box use without security. However it caused multiple spurious logging
errors.
// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );
Regards Ross
From: rules-users-bounces(a)lists.jboss.org [mailto:
rules-users-bounces(a)lists.jboss.org] On Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: rules-users(a)lists.jboss.org
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory
Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know
the components.xml file is where we setup the security, but I haven't been
able to find any examples of using active directory in my config. I am
using 5.1.1 of Guvnor, 7.x of Tomcat, on a windows server.
Any thoughts?
Thanks
Dean
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of
its related entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13
11 55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and
does not necessarily reflect the view of Suncorp. The content, including
attachments, is a confidential communication between Suncorp and the
intended recipient. If you are not the intended recipient, any use,
interference with, disclosure or copying of this e-mail, including
attachments, is unauthorised and expressly prohibited. If you have received
this e-mail in error please contact the sender immediately and delete the
e-mail and any attachments from your system.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
4910
days inactive
4957
days old
4 comments
4 participants
participants (4)
-
Dean Whisnant -
HALL, Ross -
Ron Rock -
Ross H