[rules-users] Guvnor, Apache Tomcat, and Active directory

HALL, Ross Ross.HALL at suncorp.com.au
Mon May 2 17:37:17 EDT 2011


This is the configuration I have used in components.xml in Guvnor 5.1.1 on Tomcat 6.x on a Linux server:

<!-- SECURITY IDENTITY CONFIGURATION -->
<security:ldap-identity-store name="ldapIdentityStore"

    server-address="xxx.xxx.xxx"
    server-port="389"

    bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
    bind-credentials="*******"

    user-DN-prefix="CN="
    user-name-attribute="sAMAccountName"
    user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
    user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"

    role-DN-prefix="CN="
    role-name-attribute="member"
    role-object-classes="group"
    role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
    role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"

    user-role-attribute="memberOf"
    user-object-classes="user"
    role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity authenticate-method="#{authenticator.authenticate}"/> -->

Note: The authenticate-method is commented out. This allows for a custom authentication method and is not required in this instance.

I also found that if a user authenticates with a blank or empty password, they are authenticated and given the role of anonymous. As Drools Guvnor only uses external authentication and manages authorisation internally, this allowed users to log in with a blank or empty password, essentially circumventing authentication.

This was addressed by modifying the SecurityServiceImpl with Guvnor to prevent this:

// Modified from original to ensure no empty or blank passwords
if ( password == null || password.trim().equals("")) {
    return false;
}

A further modification removed log.errors to improve the readability of log files.

// Changed log.error to log.warn with userName
log.warn( "Unable to login user [" + userName + "]" );

Autologin was also disabled. This is a feature of Guvnor to support out-of-the-box use without security. However, it caused multiple spurious logging errors.

// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );

Regards Ross
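The blank-password behaviour described above is the LDAP "unauthenticated" simple bind from RFC 4513 section 5.1.2: a Bind request with a DN and an empty password succeeds, but the session is anonymous, and Active Directory accepts such binds by default. The following is an added example, not code from the post or from Guvnor, showing a model of that server behaviour beside the guard that closes the hole. FakeDirectory, the example.com DN suffix and the rhall account are constructed stand-ins so it runs offline.

```python
"""Added example (not Guvnor or Seam code): why a blank password must be
rejected BEFORE the LDAP simple bind, and a guard that does it.

RFC 4513 section 5.1.2 defines the "unauthenticated" simple bind: a Bind
request carrying a DN and an EMPTY password succeeds, but the resulting
session is anonymous. Active Directory accepts such binds by default, so an
identity store that treats "bind succeeded" as "password verified" lets
anyone log in as any known user by sending no password at all.

FakeDirectory is a constructed stand-in for the AD server so this runs
offline; the DN layout and the single account in it are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BindResult:
    success: bool        # what the LDAP resultCode tells the caller
    authenticated: bool  # whether the session is really bound as that DN


class FakeDirectory:
    """Constructed LDAP server model; only the bind() semantics matter here."""

    def __init__(self, accounts):
        self._accounts = accounts  # {user DN: password}

    def bind(self, dn, password):
        # RFC 4513 5.1.2: a non-empty DN with an empty password is an
        # "unauthenticated" bind. In this model the server reports success
        # without checking the DN or any credential; the session is anonymous.
        if password == "":
            return BindResult(success=True, authenticated=False)
        if self._accounts.get(dn) == password:
            return BindResult(success=True, authenticated=True)
        return BindResult(success=False, authenticated=False)  # invalidCredentials


# Same DN construction the posted components.xml uses: prefix + name + suffix.
USER_DN_PREFIX = "CN="
USER_DN_SUFFIX = ",OU=Users,DC=example,DC=com"  # assumed; stands in for the xxx's

DIRECTORY = FakeDirectory({
    "CN=rhall,OU=Users,DC=example,DC=com": "Tr0ub4dor&3",  # constructed account
})


def user_dn(user_name):
    return USER_DN_PREFIX + user_name + USER_DN_SUFFIX


def login_before_fix(directory, user_name, password):
    """The failure mode: any successful bind counts as a login."""
    if password is None:
        password = ""
    return directory.bind(user_dn(user_name), password).success


def login_after_fix(directory, user_name, password):
    """Reject missing, empty and whitespace-only passwords before talking to
    the directory (the check the post adds to SecurityServiceImpl), then also
    refuse an anonymous bind result as a second line of defence."""
    if user_name is None or user_name.strip() == "":
        return False
    if password is None or password.strip() == "":
        return False
    result = directory.bind(user_dn(user_name), password)
    return result.success and result.authenticated


if __name__ == "__main__":
    # Blank password: the old path logs "rhall" in, the new path does not.
    print("before fix, blank password:", login_before_fix(DIRECTORY, "rhall", ""))
    print("after fix,  blank password:", login_after_fix(DIRECTORY, "rhall", ""))
    print("after fix,  real password: ", login_after_fix(DIRECTORY, "rhall", "Tr0ub4dor&3"))
```

The guard belongs in the application, not the directory: the server is following the LDAP specification when it answers success, so nothing on the AD side is "broken" from its point of view. Checking the bind result for an anonymous session as well is cheap insurance against a future identity store or server policy that reports the unauthenticated bind differently.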


From: rules-users-bounces at lists.jboss.org [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: rules-users at lists.jboss.org
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory

Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know the components.xml file is where we set up the security, but I haven't been able to find any examples of using Active Directory in my config. I am using 5.1.1 of Guvnor, 7.x of Tomcat, on a Windows server.

Any thoughts?

Thanks

Dean

This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system.



