[rules-users] Guvnor, Apache Tomcat, and Active directory
Ross H
rossh00 at gmail.com
Sat Jun 18 19:29:01 EDT 2011
Hi Ron/Dean,
The approach I used was not to build guvnor from source but use a maven war
overload, that way you can separately manage any changes from the original
source.
There is one tricky bit I found though. You must use the guvnor war from the
download distribution, not the one that's in the jboss mvn repo. For some
reason they are different, and you will see GWT warnings about serialization
if you get the wrong one.
Regards Ross
On Sat, Jun 18, 2011 at 7:50 AM, Ron Rock <ronr at basys.com> wrote:
> Ross,
>
> As Dean indicated, we have our Guvnor/ActiveDirectory implementation
> working and we know how to remediate the null password issue, but cannot get
> a 5.1.1 version to compile. If you can return us a .jar or .class file for
> the source noted below that would be great. If you can also give us any
> guidance on how to get a build configuration working properly that is also
> appreciated as we would like to be able to make modifications (if the need
> arises).
>
> Thanks in advance,
>
> - Ron Rock.
> Vice President, Technology
> basys inc.
>
> -----Original Message-----
> From: rules-users-bounces at lists.jboss.org [mailto:
> rules-users-bounces at lists.jboss.org] On Behalf Of Dean Whisnant
> Sent: Friday, June 17, 2011 5:40 PM
> To: Rules Users List
> Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
>
> Ross,
>
> Thank you for the detailed recommendation. We've been working to get this
> straightened out and finally have our authentication worked out except for
> the null password issue. Do you have a compiled version of that jar for
> 5.1.1? We've been trying to compile this through the guvnor project, but
> keep having issues with dependencies. Any suggestions?
>
> The manipulated .java file looks like:
>
> /**
> * Copyright 2010 JBoss Inc
> *
> * Licensed under the Apache License, Version 2.0 (the "License");
> * you may not use this file except in compliance with the License.
> * You may obtain a copy of the License at
> *
> * http://www.apache.org/licenses/LICENSE-2.0
> *
> * Unless required by applicable law or agreed to in writing, software
> * distributed under the License is distributed on an "AS IS" BASIS,
> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> * See the License for the specific language governing permissions and
> * limitations under the License.
> */
>
> package org.drools.guvnor.server.security;
>
> /*
> * Copyright 2005 JBoss Inc
> *
> * Licensed under the Apache License, Version 2.0 (the "License");
> * you may not use this file except in compliance with the License.
> * You may obtain a copy of the License at
> *
> * http://www.apache.org/licenses/LICENSE-2.0
> *
> * Unless required by applicable law or agreed to in writing, software
> * distributed under the License is distributed on an "AS IS" BASIS,
> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> * See the License for the specific language governing permissions and
> * limitations under the License.
> */
>
> import java.io.IOException;
> import java.util.HashMap;
> import java.util.HashSet;
> import java.util.List;
> import java.util.Map;
> import java.util.Properties;
>
> import javax.security.auth.login.LoginException;
>
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
> import org.drools.core.util.DateUtils;
> import org.drools.guvnor.client.rpc.SecurityService;
> import org.drools.guvnor.client.rpc.UserSecurityContext;
> import org.drools.guvnor.client.security.Capabilities;
> import org.jboss.seam.Component;
> import org.jboss.seam.contexts.Contexts; import
> org.jboss.seam.security.AuthorizationException;
> import org.jboss.seam.security.Identity; import
> org.jboss.seam.security.permission.RoleBasedPermissionResolver;
>
> /**
> * This implements security related services.
> * @author Michael Neale
> */
> public class SecurityServiceImpl
> implements
> SecurityService {
>
> public static final String GUEST_LOGIN = "guest";
> private static final Logger log = LoggerFactory.getLogger(
> SecurityServiceImpl.class );
> static final Map<String, String> PREFERENCES = loadPrefs();
>
> public boolean login(String userName,
> String password) {
>
> // if ( userName == null || userName.trim().equals( "" ) ) {
> // userName = "admin";
> // }
>
> if ( userName == null || userName.trim().equals( "" ) ) {
> return false;
> }
>
> if ( password == null || password.trim().equals( "" ) ) {
> return false;
> }
>
> log.info( "Logging in user [" + userName + "]" );
> if ( Contexts.isApplicationContextActive() ) {
>
> // Check for banned characters in user name
> // These will cause the session to jam if you let them go
> further
> char[] bannedChars = {'\'', '*', '[', ']'};
> for ( int i = 0; i < bannedChars.length; i++ ) {
> char c = bannedChars[i];
> if ( userName.indexOf( c ) >= 0 ) {
> log.error( "Not a valid name character " + c );
> return false;
> }
> }
>
> Identity.instance().getCredentials().setUsername( userName );
> Identity.instance().getCredentials().setPassword( password );
>
> try {
> Identity.instance().authenticate();
> } catch ( LoginException e ) {
> log.error( "Unable to login.", e );
> return false;
> }
> return Identity.instance().isLoggedIn();
> } else {
> return true;
> }
>
> }
>
> public UserSecurityContext getCurrentUser() {
> if ( Contexts.isApplicationContextActive() ) {
> if ( !Identity.instance().isLoggedIn() ) {
> //check to see if we can autologin
> return new UserSecurityContext( checkAutoLogin() );
> }
> return new UserSecurityContext(
> Identity.instance().getCredentials().getUsername() );
> } else {
> // HashSet<String> disabled = new HashSet<String>();
> //return new UserSecurityContext(null);
> return new UserSecurityContext( "SINGLE USER MODE (DEBUG) USE
> ONLY" );
> }
> }
>
> /**
> * This will return a auto login user name if it has been configured.
> * Autologin means that its not really logged in, but a generic username
> will be used.
> * Basically means security is bypassed.
> *
> */
> private String checkAutoLogin() {
> Identity id = Identity.instance();
> id.getCredentials().setUsername( GUEST_LOGIN );
> try {
> id.authenticate();
> } catch ( LoginException e ) {
> return null;
> }
> if ( id.isLoggedIn() ) {
> return id.getCredentials().getUsername();
> } else {
> return null;
> }
>
> }
>
> public Capabilities getUserCapabilities() {
>
> if ( Contexts.isApplicationContextActive() ) {
> if ( Identity.instance().hasRole( RoleTypes.ADMIN ) ) {
> return Capabilities.all( PREFERENCES );
> }
>
> RoleBasedPermissionResolver resolver =
> (RoleBasedPermissionResolver) Component.getInstance(
> "org.jboss.seam.security.roleBasedPermissionResolver" );
> if ( !resolver.isEnableRoleBasedAuthorization() ) {
> return Capabilities.all( PREFERENCES );
> }
>
> CapabilityCalculator c = new CapabilityCalculator();
> RoleBasedPermissionManager permManager =
> (RoleBasedPermissionManager) Component.getInstance(
> "roleBasedPermissionManager" );
>
> List<RoleBasedPermission> permissions =
> permManager.getRoleBasedPermission();
> if ( permissions.size() == 0 ) {
> Identity.instance().logout();
> throw new AuthorizationException( "This user has no
> permissions setup." );
> }
> return c.calcCapabilities( permissions,
> PREFERENCES );
> } else {
> return Capabilities.all( PREFERENCES );
> }
> }
>
> private static Map<String, String> loadPrefs() {
> Properties ps = new Properties();
> try {
> ps.load( SecurityServiceImpl.class.getResourceAsStream(
> "/preferences.properties" ) );
> Map<String, String> prefs = new HashMap<String, String>();
> for ( Object o : ps.keySet() ) {
> String feature = (String) o;
>
> prefs.put( feature,
> ps.getProperty( feature ) );
> }
>
> setSystemProperties( prefs );
>
> return prefs;
> } catch ( IOException e ) {
> log.info( "Couldn't find preferences.properties - using
> defaults" );
> return new HashMap<String, String>();
> }
> }
>
> /**
> * Set system properties.
> * If the system properties were not set, set them to Preferences so we
> can access them in client side.
> * @param prefs
> */
> private static void setSystemProperties(Map<String, String> prefs) {
> final String dateFormat = "drools.dateformat";
> final String defaultLanguage = "drools.defaultlanguage";
> final String defaultCountry = "drools.defaultcountry";
>
> // Set properties that were specified in the properties file
> if ( prefs.containsKey( dateFormat ) ) {
> System.setProperty( dateFormat,
> prefs.get( dateFormat ) );
> }
> if ( prefs.containsKey( defaultLanguage ) ) {
> System.setProperty( defaultLanguage,
> prefs.get( defaultLanguage ) );
> }
> if ( prefs.containsKey( defaultCountry ) ) {
> System.setProperty( defaultCountry,
> prefs.get( defaultCountry ) );
> }
>
> // If properties were not set in the file, use the defaults
> if ( !prefs.containsKey( dateFormat ) ) {
> prefs.put( dateFormat,
> DateUtils.getDateFormatMask() );
> }
> if ( !prefs.containsKey( defaultLanguage ) ) {
> prefs.put( defaultLanguage,
> System.getProperty( defaultLanguage ) );
> }
> if ( !prefs.containsKey( defaultCountry ) ) {
> prefs.put( defaultCountry,
> System.getProperty( defaultCountry ) );
> }
> }
> }
>
>
> Thanks
>
> Dean
>
> -----Original Message-----
> From: rules-users-bounces at lists.jboss.org [mailto:
> rules-users-bounces at lists.jboss.org] On Behalf Of HALL, Ross
> Sent: Monday, May 02, 2011 5:37 PM
> To: 'Rules Users List'
> Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory
>
> This is the configuration I have used in components.xml in Guvnor 5.1.1 on
> Tomcat 6.x, linux server:
>
> <!-- SECURITY IDENTITY CONFIGURATION --> <security:ldap-identity-store
> name="ldapIdentityStore"
>
> server-address="xxx.xxx.xxx"
> server-port="389"
>
> bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
> bind-credentials="*******"
>
> user-DN-prefix="CN="
> user-name-attribute="sAMAccountName"
> user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
> user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
>
> role-DN-prefix="CN="
> role-name-attribute="member"
> role-object-classes="group"
> role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
> role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
>
> user-role-attribute="memberOf"
> user-object-classes="user"
> role-attribute-is-DN="false" />
> <security:identity-manager identity-store="#{ldapIdentityStore}" />
> <!-- <security:identity
> authenticate-method="#{authenticator.authenticate}"/> -->
>
> Note: The authenticate-method is commented out. This allows for a custom
> authentication method and is not required in this instance.
>
> I also found that if a user authenticates with a blank or empty password,
> they are authenticated and given the role of anonymous. As Drools Guvnor
> only uses external authentication and manages authorisation internally, this
> allowed users to log in with a blank or empty password, essentially
> circumventing authentication.
>
> This was addressed by modifying the SecurityServiceImpl with Guvnor to
> prevent this:
>
> // Modified from original to ensure no empty or blank passwords if (
> password == null || password.trim().equals("")) {
> return false;
> }
>
> A further modification removed log.errors to improve the readability of log
> files.
>
> // Changed log.error to log.warn with userName log.warn( "Unable to login
> user [" + userName + "]" );
>
> Autologin was also disabled. This is a feature of Guvnor to support out of
> the box use without security. However it caused multiple spurious logging
> errors.
>
> // Disable autologin
> return new UserSecurityContext( null );
> //check to see if we can autologin
> //return new UserSecurityContext( checkAutoLogin() );
>
> Regards Ross
>
>
> From: rules-users-bounces at lists.jboss.org [mailto:
> rules-users-bounces at lists.jboss.org] On Behalf Of Dean Whisnant
> Sent: Monday, 2 May 2011 12:42 PM
> To: rules-users at lists.jboss.org
> Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory
>
> Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know
> the components.xml file is where we setup the security, but I haven't been
> able to find any examples of using active directory in my config. I am
> using 5.1.1 of Guvnor, 7.x of Tomcat, on a windows server.
>
> Any thoughts?
>
> Thanks
>
> Dean
>
> This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of
> its related entities "Suncorp".
> Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13
> 11 55 or at suncorp.com.au.
> The content of this e-mail is the view of the sender or stated author and
> does not necessarily reflect the view of Suncorp. The content, including
> attachments, is a confidential communication between Suncorp and the
> intended recipient. If you are not the intended recipient, any use,
> interference with, disclosure or copying of this e-mail, including
> attachments, is unauthorised and expressly prohibited. If you have received
> this e-mail in error please contact the sender immediately and delete the
> e-mail and any attachments from your system.
>
> _______________________________________________
> rules-users mailing list
> rules-users at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
>
> _______________________________________________
> rules-users mailing list
> rules-users at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
>
> _______________________________________________
> rules-users mailing list
> rules-users at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/rules-users/attachments/20110619/e93349fa/attachment.html
More information about the rules-users
mailing list