[rules-users] Guvnor, Apache Tomcat, and Active directory

Dean Whisnant

Has anyone connected Guvnor on Apache Tomcat to Active Directory?  I know the components.xml file is where we set up the security, but I haven't been able to find any examples of using Active Directory in my config.  I am using 5.1.1 of Guvnor, 7.x of Tomcat, on a Windows server.

Any thoughts?

Thanks

Dean


_______________________________________________
rules-users mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/rules-users
Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

HALL, Ross
This is the configuration I have used in components.xml in Guvnor 5.1.1 on Tomcat 6.x, Linux server:

<!-- SECURITY IDENTITY CONFIGURATION -->
<security:ldap-identity-store name="ldapIdentityStore"

    server-address="xxx.xxx.xxx"
    server-port="389"

    bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
    bind-credentials="*******"

    user-DN-prefix="CN="
    user-name-attribute="sAMAccountName"
    user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
    user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"

    role-DN-prefix="CN="
    role-name-attribute="member"
    role-object-classes="group"
    role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
    role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"

    user-role-attribute="memberOf"
    user-object-classes="user"
    role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity authenticate-method="#{authenticator.authenticate}"/> -->

Note: The authenticate-method is commented out. This allows for a custom authentication method and is not required in this instance.

I also found that if a user authenticates with a blank or empty password, they are authenticated and given the role of anonymous. As Drools Guvnor only uses external authentication and manages authorisation internally, this allowed users to log in with a blank or empty password, essentially circumventing authentication.

This was addressed by modifying the SecurityServiceImpl in Guvnor to prevent this:

// Modified from original to ensure no empty or blank passwords
if ( password == null || password.trim().equals("")) {
    return false;
}

A further modification removed log.errors to improve the readability of log files.

// Changed log.error to log.warn with userName
log.warn( "Unable to login user [" + userName + "]" );

Autologin was also disabled. This is a feature of Guvnor to support out-of-the-box use without security. However, it caused multiple spurious logging errors.

// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );

Regards, Ross


From: [hidden email] [mailto:[hidden email]] On Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: [hidden email]
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory

This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system.

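The blank-password bypass Ross describes above, and the guard Dean later adds to login(), modelled as an added example in Python; this is not Guvnor's code and not code from either poster. An LDAP simple bind that carries a name but an empty password is an unauthenticated bind (RFC 4513, section 5.1.2), which a directory may accept and treat as an anonymous session, so the fix is to reject null or blank passwords before anything is sent to the server. The FakeDirectory, its account table and the user names are constructed for the example; the RFC 4515 filter escaping is an addition of this example, shown as the general replacement for the banned-character list in the Java file, not something the thread proposes.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# RFC 4515 section 3: characters with meaning inside a search filter are
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """Filter equivalent to the user-name-attribute lookup in the thread's config."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


@dataclass
class BindResult:
    authenticated: bool  # the bind operation returned success
    anonymous: bool      # ...but the server treated the session as anonymous


class FakeDirectory:
    """Constructed stand-in for an AD server (hypothetical, not a real client).
    It models only two behaviours: the unauthenticated simple bind (name plus
    empty password, RFC 4513 5.1.2) and wildcard matching of an unescaped '*'."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self.accounts = accounts         # sAMAccountName -> password (constructed)
        self.bind_log: List[tuple] = []  # every bind that actually reached the server

    def search(self, ldap_filter: str) -> List[str]:
        m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
        if m is None:
            raise ValueError("unsupported filter: " + ldap_filter)
        raw = m.group(1)
        if "*" in raw:  # an unescaped '*' is a wildcard and can match many entries
            return [n for n in self.accounts if fnmatchcase(n, raw)]
        # undo \XX escapes so an escaped value is compared literally
        name = re.sub(r"\\([0-9a-fA-F]{2})", lambda mm: chr(int(mm.group(1), 16)), raw)
        return [name] if name in self.accounts else []

    def simple_bind(self, username: str, password: str) -> BindResult:
        self.bind_log.append((username, password))
        if username and password == "":
            # name + empty password: accepted, but as an anonymous session
            return BindResult(authenticated=True, anonymous=True)
        return BindResult(authenticated=self.accounts.get(username) == password,
                          anonymous=False)


def login(username: Optional[str], password: Optional[str], directory: FakeDirectory) -> bool:
    """Mirror of the guarded login() from the thread, with filter escaping in
    place of the banned-character list. Decisions are made before any bind."""
    if username is None or username.strip() == "":
        return False
    if password is None or password.strip() == "":
        return False  # the fix from the thread: a blank password never reaches the bind
    matches = directory.search(user_filter(username))
    if len(matches) != 1:
        return False  # no such user, or an ambiguous result
    result = directory.simple_bind(matches[0], password)
    return result.authenticated and not result.anonymous


if __name__ == "__main__":
    directory = FakeDirectory({"alice": "s3cret", "bob": "hunter2"})  # constructed
    print("valid credentials:", login("alice", "s3cret", directory))
    print("blank password via login():", login("alice", "", directory))
    print("blank password sent straight to the server:", directory.simple_bind("alice", ""))
```

The point to carry over is that `bind_log` stays empty for a blank or whitespace-only password: the rejection happens in the application before the directory is consulted, which is where Seam's ldap-identity-store would otherwise have performed the bind and, per Ross's observation, let the user in as anonymous.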
Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

Dean Whisnant
Ross,

Thank you for the detailed recommendation.  We've been working to get this straightened out and finally have our authentication worked out except for the null password issue.  Do you have a compiled version of that jar for 5.1.1?  We've been trying to compile this through the Guvnor project, but keep having issues with dependencies.  Any suggestions?

The manipulated .java file looks like:

/**
 * Copyright 2010 JBoss Inc
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.drools.guvnor.server.security;

/*
 * Copyright 2005 JBoss Inc
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.login.LoginException;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.drools.core.util.DateUtils;
import org.drools.guvnor.client.rpc.SecurityService;
import org.drools.guvnor.client.rpc.UserSecurityContext;
import org.drools.guvnor.client.security.Capabilities;
import org.jboss.seam.Component;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.permission.RoleBasedPermissionResolver;

/**
 * This implements security related services.
 * @author Michael Neale
 */
public class SecurityServiceImpl
    implements
    SecurityService {

    public static final String       GUEST_LOGIN = "guest";
    private static final Logger      log         = LoggerFactory.getLogger( SecurityServiceImpl.class );
    static final Map<String, String> PREFERENCES = loadPrefs();

    public boolean login(String userName,
                         String password) {

        // Original Guvnor behaviour, now disabled: a blank user name was mapped to "admin"
        // if ( userName == null || userName.trim().equals( "" ) ) {
        //     userName = "admin";
        // }

        if ( userName == null || userName.trim().equals( "" ) ) {
            return false;
        }

        // Modification from this thread: reject null or blank passwords before the
        // LDAP bind; otherwise the directory accepted the bind and the user was
        // logged in as anonymous
        if ( password == null || password.trim().equals( "" ) ) {
            return false;
        }

        log.info( "Logging in user [" + userName + "]" );
        if ( Contexts.isApplicationContextActive() ) {

            // Check for banned characters in user name
            // These will cause the session to jam if you let them go further
            char[] bannedChars = {'\'', '*', '[', ']'};
            for ( int i = 0; i < bannedChars.length; i++ ) {
                char c = bannedChars[i];
                if ( userName.indexOf( c ) >= 0 ) {
                    log.error( "Not a valid name character " + c );
                    return false;
                }
            }

            Identity.instance().getCredentials().setUsername( userName );
            Identity.instance().getCredentials().setPassword( password );

            try {
                Identity.instance().authenticate();
            } catch ( LoginException e ) {
                log.error( "Unable to login.", e );
                return false;
            }
            return Identity.instance().isLoggedIn();
        } else {
            return true;
        }

    }

    public UserSecurityContext getCurrentUser() {
        if ( Contexts.isApplicationContextActive() ) {
            if ( !Identity.instance().isLoggedIn() ) {
                //check to see if we can autologin
                return new UserSecurityContext( checkAutoLogin() );
            }
            return new UserSecurityContext( Identity.instance().getCredentials().getUsername() );
        } else {
//            HashSet<String> disabled = new HashSet<String>();
            //return new UserSecurityContext(null);
            return new UserSecurityContext( "SINGLE USER MODE (DEBUG) USE ONLY" );
        }
    }

    /**
     * This will return a auto login user name if it has been configured.
     * Autologin means that its not really logged in, but a generic username will be used.
     * Basically means security is bypassed.
     *
     */
    private String checkAutoLogin() {
        Identity id = Identity.instance();
        id.getCredentials().setUsername( GUEST_LOGIN );
        try {
            id.authenticate();
        } catch ( LoginException e ) {
            return null;
        }
        if ( id.isLoggedIn() ) {
            return id.getCredentials().getUsername();
        } else {
            return null;
        }

    }

    public Capabilities getUserCapabilities() {

        if ( Contexts.isApplicationContextActive() ) {
            if ( Identity.instance().hasRole( RoleTypes.ADMIN ) ) {
                return Capabilities.all( PREFERENCES );
            }
           
            RoleBasedPermissionResolver resolver = (RoleBasedPermissionResolver) Component.getInstance( "org.jboss.seam.security.roleBasedPermissionResolver" );
            if ( !resolver.isEnableRoleBasedAuthorization() ) {
                return Capabilities.all( PREFERENCES );
            }
           
            CapabilityCalculator c = new CapabilityCalculator();
            RoleBasedPermissionManager permManager = (RoleBasedPermissionManager) Component.getInstance( "roleBasedPermissionManager" );

            List<RoleBasedPermission> permissions = permManager.getRoleBasedPermission();
            if ( permissions.size() == 0 ) {
                    Identity.instance().logout();
                    throw new AuthorizationException( "This user has no permissions setup." );
            }
            return c.calcCapabilities( permissions,
                                       PREFERENCES );
        } else {
            return Capabilities.all( PREFERENCES );
        }
    }

    private static Map<String, String> loadPrefs() {
        Properties ps = new Properties();
        try {
            ps.load( SecurityServiceImpl.class.getResourceAsStream( "/preferences.properties" ) );
            Map<String, String> prefs = new HashMap<String, String>();
            for ( Object o : ps.keySet() ) {
                String feature = (String) o;

                prefs.put( feature,
                           ps.getProperty( feature ) );
            }

            setSystemProperties( prefs );

            return prefs;
        } catch ( IOException e ) {
            log.info( "Couldn't find preferences.properties - using defaults" );
            return new HashMap<String, String>();
        }
    }

    /**
     * Set system properties.
     * If the system properties were not set, set them to Preferences so we can access them in client side.
     * @param prefs
     */
    private static void setSystemProperties(Map<String, String> prefs) {
        final String dateFormat = "drools.dateformat";
        final String defaultLanguage = "drools.defaultlanguage";
        final String defaultCountry = "drools.defaultcountry";

        // Set properties that were specified in the properties file
        if ( prefs.containsKey( dateFormat ) ) {
            System.setProperty( dateFormat,
                                prefs.get( dateFormat ) );
        }
        if ( prefs.containsKey( defaultLanguage ) ) {
            System.setProperty( defaultLanguage,
                                prefs.get( defaultLanguage ) );
        }
        if ( prefs.containsKey( defaultCountry ) ) {
            System.setProperty( defaultCountry,
                                prefs.get( defaultCountry ) );
        }

        // If properties were not set in the file, use the defaults
        if ( !prefs.containsKey( dateFormat ) ) {
            prefs.put( dateFormat,
                       DateUtils.getDateFormatMask() );
        }
        if ( !prefs.containsKey( defaultLanguage ) ) {
            prefs.put( defaultLanguage,
                       System.getProperty( defaultLanguage ) );
        }
        if ( !prefs.containsKey( defaultCountry ) ) {
            prefs.put( defaultCountry,
                       System.getProperty( defaultCountry ) );
        }
    }
}


Thanks

Dean

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of HALL, Ross
Sent: Monday, May 02, 2011 5:37 PM
To: 'Rules Users List'
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

ronr
Ross,

As Dean indicated, we have our Guvnor/ActiveDirectory implementation working and we know how to remediate the null password issue, but cannot get a 5.1.1 version to compile.  If you can return us a .jar or .class file for the source noted below that would be great.  If you can also give us any guidance on how to get a build configuration working properly that is also appreciated as we would like to be able to make modifications (if the need arises).

Thanks in advance,

- Ron Rock.
Vice President, Technology
basys inc.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Dean Whisnant
Sent: Friday, June 17, 2011 5:40 PM
To: Rules Users List
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

Ross H
Hi Ron/Dean,

The approach I used was not to build Guvnor from source but to use a Maven WAR overlay; that way you can separately manage any changes from the original source.

There is one tricky bit I found though. You must use the Guvnor WAR from the download distribution, not the one that's in the JBoss Maven repo. For some reason they are different, and you will see GWT warnings about serialization if you get the wrong one.

Regards Ross

On Sat, Jun 18, 2011 at 7:50 AM, Ron Rock <[hidden email]> wrote:
Ross,

As Dean indicated, we have our Guvnor/ActiveDirectory implementation working and we know how to remediate the null password issue, but cannot get a 5.1.1 version to compile.  If you can return us a .jar or .class file for the source noted below that would be great.  If you can also give us any guidance on how to get a build configuration working properly that is also appreciated as we would like to be able to make modifications (if the need arises).

Thanks in advance,

- Ron Rock.
Vice President, Technology
basys inc.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Dean Whisnant
Sent: Friday, June 17, 2011 5:40 PM
To: Rules Users List
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

Ross,

Thank you for the detailed recommendation.  We've been working to get this straightened out and finally have our authentication worked out except for the null password issue.  Do you have a compiled version of that jar for 5.1.1?  We've been trying to compile this through the guvnor project, but keep having issues with dependencies.  Any suggestions?

The manipulated .java file looks like:

/**
 * Copyright 2010 JBoss Inc
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.drools.guvnor.server.security;

/*
 * Copyright 2005 JBoss Inc
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.login.LoginException;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.drools.core.util.DateUtils;
import org.drools.guvnor.client.rpc.SecurityService;
import org.drools.guvnor.client.rpc.UserSecurityContext;
import org.drools.guvnor.client.security.Capabilities;
import org.jboss.seam.Component;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.permission.RoleBasedPermissionResolver;

/**
 * This implements security related services.
 * @author Michael Neale
 */
public class SecurityServiceImpl
   implements
   SecurityService {

   public static final String       GUEST_LOGIN = "guest";
   private static final Logger      log         = LoggerFactory.getLogger( SecurityServiceImpl.class );
   static final Map<String, String> PREFERENCES = loadPrefs();

   public boolean login(String userName,
                        String password) {

//      if ( userName == null || userName.trim().equals( "" ) ) {
//                          userName = "admin";
//      }

       if ( userName == null || userName.trim().equals( "" ) ) {
                           return false;
       }

       if ( password == null || password.trim().equals( "" ) ) {
                           return false;
       }

       log.info( "Logging in user [" + userName + "]" );
       if ( Contexts.isApplicationContextActive() ) {

           // Check for banned characters in user name
           // These will cause the session to jam if you let them go further
           char[] bannedChars = {'\'', '*', '[', ']'};
           for ( int i = 0; i < bannedChars.length; i++ ) {
               char c = bannedChars[i];
               if ( userName.indexOf( c ) >= 0 ) {
                   log.error( "Not a valid name character " + c );
                   return false;
               }
           }

           Identity.instance().getCredentials().setUsername( userName );
           Identity.instance().getCredentials().setPassword( password );

           try {
               Identity.instance().authenticate();
           } catch ( LoginException e ) {
               log.error( "Unable to login.", e );
               return false;
           }
           return Identity.instance().isLoggedIn();
       } else {
           return true;
       }

   }

   public UserSecurityContext getCurrentUser() {
       if ( Contexts.isApplicationContextActive() ) {
           if ( !Identity.instance().isLoggedIn() ) {
               //check to see if we can autologin
               return new UserSecurityContext( checkAutoLogin() );
           }
           return new UserSecurityContext( Identity.instance().getCredentials().getUsername() );
       } else {
//            HashSet<String> disabled = new HashSet<String>();
           //return new UserSecurityContext(null);
           return new UserSecurityContext( "SINGLE USER MODE (DEBUG) USE ONLY" );
       }
   }

   /**
    * This will return a auto login user name if it has been configured.
    * Autologin means that its not really logged in, but a generic username will be used.
    * Basically means security is bypassed.
    *
    */
   private String checkAutoLogin() {
       Identity id = Identity.instance();
       id.getCredentials().setUsername( GUEST_LOGIN );
       try {
           id.authenticate();
       } catch ( LoginException e ) {
           return null;
       }
       if ( id.isLoggedIn() ) {
           return id.getCredentials().getUsername();
       } else {
           return null;
       }

   }

   public Capabilities getUserCapabilities() {

       if ( Contexts.isApplicationContextActive() ) {
           if ( Identity.instance().hasRole( RoleTypes.ADMIN ) ) {
               return Capabilities.all( PREFERENCES );
           }

           RoleBasedPermissionResolver resolver = (RoleBasedPermissionResolver) Component.getInstance( "org.jboss.seam.security.roleBasedPermissionResolver" );
           if ( !resolver.isEnableRoleBasedAuthorization() ) {
               return Capabilities.all( PREFERENCES );
           }

           CapabilityCalculator c = new CapabilityCalculator();
           RoleBasedPermissionManager permManager = (RoleBasedPermissionManager) Component.getInstance( "roleBasedPermissionManager" );

           List<RoleBasedPermission> permissions = permManager.getRoleBasedPermission();
           if ( permissions.size() == 0 ) {
                   Identity.instance().logout();
                   throw new AuthorizationException( "This user has no permissions setup." );
           }
           return c.calcCapabilities( permissions,
                                      PREFERENCES );
       } else {
           return Capabilities.all( PREFERENCES );
       }
   }

   private static Map<String, String> loadPrefs() {
       Properties ps = new Properties();
       try {
           ps.load( SecurityServiceImpl.class.getResourceAsStream( "/preferences.properties" ) );
           Map<String, String> prefs = new HashMap<String, String>();
           for ( Object o : ps.keySet() ) {
               String feature = (String) o;

               prefs.put( feature,
                          ps.getProperty( feature ) );
           }

           setSystemProperties( prefs );

           return prefs;
       } catch ( IOException e ) {
           log.info( "Couldn't find preferences.properties - using defaults" );
           return new HashMap<String, String>();
       }
   }

   /**
    * Set system properties.
    * If the system properties were not set, set them to Preferences so we can access them in client side.
    * @param prefs
    */
   private static void setSystemProperties(Map<String, String> prefs) {
       final String dateFormat = "drools.dateformat";
       final String defaultLanguage = "drools.defaultlanguage";
       final String defaultCountry = "drools.defaultcountry";

       // Set properties that were specified in the properties file
       if ( prefs.containsKey( dateFormat ) ) {
           System.setProperty( dateFormat,
                               prefs.get( dateFormat ) );
       }
       if ( prefs.containsKey( defaultLanguage ) ) {
           System.setProperty( defaultLanguage,
                               prefs.get( defaultLanguage ) );
       }
       if ( prefs.containsKey( defaultCountry ) ) {
           System.setProperty( defaultCountry,
                               prefs.get( defaultCountry ) );
       }

       // If properties were not set in the file, use the defaults
       if ( !prefs.containsKey( dateFormat ) ) {
           prefs.put( dateFormat,
                      DateUtils.getDateFormatMask() );
       }
       if ( !prefs.containsKey( defaultLanguage ) ) {
           prefs.put( defaultLanguage,
                      System.getProperty( defaultLanguage ) );
       }
       if ( !prefs.containsKey( defaultCountry ) ) {
           prefs.put( defaultCountry,
                      System.getProperty( defaultCountry ) );
       }
   }
}


Thanks

Dean

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of HALL, Ross
Sent: Monday, May 02, 2011 5:37 PM
To: 'Rules Users List'
Subject: Re: [rules-users] Guvnor, Apache Tomcat, and Active directory

This is the configuration I have used in components.xml in Guvnor 5.1.1 on Tomcat 6.x, linux server:

<!-- SECURITY IDENTITY CONFIGURATION -->
<security:ldap-identity-store name="ldapIdentityStore"

   server-address="xxx.xxx.xxx"
   server-port="389"

   bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
   bind-credentials="*******"

   user-DN-prefix="CN="
   user-name-attribute="sAMAccountName"
   user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
   user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"

   role-DN-prefix="CN="
   role-name-attribute="member"
   role-object-classes="group"
   role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
   role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"

   user-role-attribute="memberOf"
   user-object-classes="user"
   role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity authenticate-method="#{authenticator.authenticate}"/> -->

Note: The authenticate-method is commented out. This allows for a custom authentication method and is not required in this instance.

I also found that if a user authenticates with a blank or empty password, they are authenticated and given the role of anonymous. As Drools Guvnor only uses external authentication and manages authorisation internally, this allowed users to log in with a blank or empty password, essentially circumventing authentication.

This was addressed by modifying the SecurityServiceImpl with Guvnor to prevent this:

// Modified from original to ensure no empty or blank passwords
if ( password == null || password.trim().equals("")) {
   return false;
}

A further modification removed log.errors to improve the readability of log files.

// Changed log.error to log.warn with userName
log.warn( "Unable to login user [" + userName + "]" );

Autologin was also disabled. This is a feature of Guvnor to support out of the box use without security. However it caused multiple spurious logging errors.

// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );

Regards Ross


From: [hidden email] [mailto:[hidden email]] On Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: [hidden email]
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory

Has anyone connected Guvnor on Apache Tomcat to Active Directory?  I know the components.xml file is where we setup the security, but I haven't been able to find any examples of using active directory in my config.  I am using 5.1.1 of Guvnor, 7.x of Tomcat, on a windows server.

Any thoughts?

Thanks

Dean


_______________________________________________
rules-users mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/rules-users
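The blank-password behaviour Ross describes above is the LDAP "unauthenticated bind" of RFC 4513 section 5.1.2: a simple bind that carries a DN but an empty password is not a failed login, it is a successful bind to an anonymous session. RFC 4513 recommends servers refuse it by default, but many directories, Active Directory by default among them, accept it. An application that only asks "did the bind succeed?" therefore admits anyone who submits an empty password. The following is an added example in Python, not code from Guvnor, Seam or this thread; it stands a small simulated directory in for Active Directory and shows the naive check beside the guarded login. The directory contents, the DN prefix/suffix values and the function names (`simple_bind`, `naive_login`, `hardened_login`) are assumptions made for the demo; the blank-password and banned-character checks mirror the ones in the posted SecurityServiceImpl.

```python
# Added example, not Guvnor or Seam code. Models the blank-password bypass
# described in the thread and the guard that closes it.
#
# RFC 4513 section 5.1.2: a simple bind with a name but an empty password is
# an "unauthenticated" bind. Servers that allow it (Active Directory does by
# default) answer success, but the resulting session is anonymous. Checking
# only "bind succeeded" lets anyone in with a blank password.

from typing import Optional, Tuple

# Constructed sample directory, DN -> password (an assumption for the demo).
CONSTRUCTED_DIRECTORY = {
    "CN=dean,OU=Users,DC=example,DC=com": "correct horse battery staple",
}

# Same shape as the user-DN-prefix / user-DN-suffix settings quoted in the
# thread, with placeholder values of our own.
USER_DN_PREFIX = "CN="
USER_DN_SUFFIX = ",OU=Users,DC=example,DC=com"

# Characters the posted SecurityServiceImpl refuses in a user name; each of
# them would change the meaning of the DN built by string concatenation.
BANNED_CHARS = ("'", "*", "[", "]")


def simple_bind(dn: str, password: Optional[str]) -> Tuple[str, Optional[str]]:
    """Simulated LDAP simple bind.

    Returns (resultCode, authorization identity). Mirrors RFC 4513: an
    empty password yields 'success' with an anonymous (None) identity,
    which is exactly what a server that allows unauthenticated binds does.
    """
    if password is None or password == "":
        return ("success", None)            # unauthenticated bind: anonymous
    if CONSTRUCTED_DIRECTORY.get(dn) == password:
        return ("success", dn)              # authenticated as the user
    return ("invalidCredentials", None)


def user_dn(user_name: str) -> str:
    """Build the bind DN the way a prefix/suffix configuration does."""
    return f"{USER_DN_PREFIX}{user_name}{USER_DN_SUFFIX}"


def naive_login(user_name: str, password: Optional[str]) -> bool:
    """The failure mode: trusts 'bind succeeded' and nothing else."""
    result, _ = simple_bind(user_dn(user_name), password)
    return result == "success"


def hardened_login(user_name: Optional[str], password: Optional[str]) -> bool:
    """Guarded login.

    1. Reject empty or whitespace-only user names and passwords before the
       directory is ever contacted (the check the thread added).
    2. Reject user names containing characters that would alter the DN.
    3. Require that the bind authenticated *as the user's DN*, not as an
       anonymous session, so a server that still permits unauthenticated
       binds cannot be used to get past the first check.
    """
    if user_name is None or user_name.strip() == "":
        return False
    if password is None or password.strip() == "":
        return False
    if any(c in user_name for c in BANNED_CHARS):
        return False
    dn = user_dn(user_name)
    result, authz_id = simple_bind(dn, password)
    return result == "success" and authz_id == dn
```

The third check in `hardened_login` is the one to keep even after the empty-password guard is in place: a password consisting only of whitespace is rejected by the `strip()` test, but the strongest position is to treat any bind that did not come back authenticated as the expected DN as a failure, regardless of why the server said "success".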