[rules-users] Error : JAAS Authentication with Guvnor 5.5.0 and Authorization Error
Zahid Ahmed
zahid.ahmed at emirates.com
Wed May 15 08:28:54 EDT 2013
Hi Steve,
Thanks for replying promptly. I have fixed this issue by replacing the following jars in guvnor.war. I debugged the guvnor code and found out that username is null in org.jboss.seam.security.IdentityImpl..activeAuthenticator. This is a JAAS Authenticator in which user is coming null. I found it out in IdentityImpl.postAuthenticate() method.
1. seam-security-3.1.0.Final.jar with seam-security-3.2.0.Final.jar
and
2. seam-security-api-3.1.0.Final.jar with seam-security-api-3.2.0.Final.jar
It worked with all the below configurations. I have created a number of users and they are getting authenticated. But, all the users are logged in with admin rights. I have two users which have "package.developer" rights but still those users can update any process in other packages. Even those users can update their own user permissions.
Regards,
Zahid Ahmed
From: rules-users-bounces at lists.jboss.org [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Stephen Masters
Sent: 15 May 2013 13:01
To: Rules Users List
Subject: Re: [rules-users] Error : JAAS Authentication with Guvnor 5.5.0 and Authorization Error
I think you may have hit this bug:
https://issues.jboss.org/browse/GUVNOR-1976
I think it might be a duplicate of another, which I cant find. At root that was a Seam JAAS bug (5.5 introduced Guvnor to Seam 3), which prevented it from creating a security context. I'm not sure whether any solution was established though.
Steve
On 15 May 2013, at 09:27, Zahid Ahmed <zahid.ahmed at emirates.com<mailto:zahid.ahmed at emirates.com>> wrote:
Hi,
I have run into a set of errors configuring JAAS Authentication for Guvnor. I have searched a lot on jboss community and for all the solutions nothing is working for me. I am getting either the login popup or I am getting "This User has no permissions setup". The Guvnor Manual is referring to jboss eap 5 and I am trying to do this on Jboss AS 7.1.
Note : I am unable to find login-config.xml file mentioned in the following link.http://docs.jboss.org/drools/release/5.5.0.Final/drools-guvnor-docs/html/ch14.html . Is guvnor deployment targeted only for JBOSS EAP 5.0 ?
Environment:
1. Guvnor 5.5.0.Final
2. JBOSS AS 7.1.0
Files Configured (Only these files I configured):
1. Standalone.xml
2. Guvnor.war/WEB-INF/beans.xml
3. Created users using "add-user.sh"
4. standalone/configuration/application-users.properties (attached).
5. standalone/configuration/application-roles.properties (attached)
6. standalone/configuration/management-users.properties
Configurations
Standalone.xml :
Only configured below tags. There's nothing else I changed for the purpose of JAAS Authentication and Guvnor Authorization. Added <security-domain name="drools-guvnor" cache-type="default"> to check if "other" is not working.
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmUsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
<module-option name="realm" value="ApplicationRealm"/>
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="drools-guvnor" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
<module-option name="realm" value="ApplicationRealm"/>
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
Drools-guvnor.war.
1. beans.xml (Tried 4 different configs as suggested on community)
a. Config 1 (Attached "Config1 beans.xml" and Config1 error.txt) . Error "This User has no permission setup".
<security:IdentityImpl>
<s:modifies/>
<!-- JAAS based authentication -->
<security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
<jaasConfigName>other</jaasConfigName>
</security:jaas.JaasAuthenticator>
<!-- SECURITY AUTHORIZATION CONFIGURATION -->
<!--
This is used to enable or disable role-based authorization. By default it is disabled.
-->
<guvnorSecurity:RoleBasedPermissionResolver>
<s:modifies/>
<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
b. Config 2 (Attached "Config2 beans.xml" and Config2 error.txt). Error "This User has no permission setup".
<security:IdentityImpl>
<s:modifies/>
<!-- JAAS based authentication -->
<security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
<security:jaasConfigName>drools-guvnor</security:jaasConfigName>
</security:jaas.JaasAuthenticator>
<!-- SECURITY AUTHORIZATION CONFIGURATION -->
<!--
This is used to enable or disable role-based authorization. By default it is disabled.
-->
<guvnorSecurity:RoleBasedPermissionResolver>
<s:modifies/>
<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
c. Config 3 (Attached "Config3 beans.xml" and Config1 error.txt). Error (Same error as of Config 1) "This User has no permission setup".
<security:IdentityImpl>
<s:modifies/>
<!-- JAAS based authentication -->
<security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
<jaasConfigName>other</jaasConfigName>
</security:jaas.JaasAuthenticator>
<guvnorSecurity:RoleBasedPermissionResolver>
<s:modifies/>
<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
<component name="org.jboss.seam.security.roleBasedPermissionResolver">
<s:modifies/>
<property name="enableRoleBasedAuthorization">true</property>
</component>
I HAVE ALSO ADDED THIS COMPONENT TAG found every where on forums to resolve this issue. I tried Tried without this also but at that time I get LOGIN screen which always says Incorrect User/Password.Is this required or <guvnorSecurity:RoleBasedPermissionResolver> is the only authorization config.
<component name="org.jboss.seam.security.roleBasedPermissionResolver">;
<s:modifies/>
<property name="enableRoleBasedAuthorization">true</property>
</component>
Kindly help me in this configuration. I can't find a single authentic document for my environment.
Regards,
Zahid
<standalone.xml><Guvnor User Permission tab.png><application-roles.properties><application-users.properties><mgmt-users.properties><Config1 beans.xml><Config1 error.txt><Config2 beans.xml><Config2 error.txt><Config3 beans.xml><Config3 error.txt>_______________________________________________
rules-users mailing list
rules-users at lists.jboss.org<mailto:rules-users at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/rules-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/rules-users/attachments/20130515/82845769/attachment-0001.html
More information about the rules-users
mailing list