Disable guest users in Guvnor 5.x?


I'm having trouble getting authentication to work on Guvnor 5.4.0.Final on tomcat-7.0.42. I replaced seam-security-3.1.0.Final with seam-security-3.2.0.Final.

Here are the XML snippets with which I set up a basic authenticator:

guvnor/WEB-INF/beans.xml

<security:IdentityImpl>
  <s:modifies/>
  <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>

<security:jaas.JaasAuthenticator>
  <s:modifies/>
  <security:jaasConfigName>drools-guvnor</security:jaasConfigName>
</security:jaas.JaasAuthenticator>

jaas.config

drools-guvnor {
   com.ndipiazza.JaasGuvnor required debug=true;
};

See this ZIP file for the Guvnor JAAS login: https://community.jboss.org/servlet/JiveServlet/download/831268-105978/guvnor-jaas.zip

I did not enable Role-based Permissions. I'm fine with everyone having the same roles as long as there are no guest users.

But when I use this configuration and then go to Guvnor, I see I'm already logged in: Welcome: guest [Sign Out]

I want it to go to a Form based login. How can I set this up? Am I missing something?

When I enable the role based permissions with this:

<guvnorSecurity:RoleBasedPermissionResolver>
  <s:modifies/>
  <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>

I then get this error message: 401 This user has no permissions setup. The stack trace below shows:

INFO  03-08 12:53:23,517 (LoggingHelper.java:info:56) Service method 'public abstract org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.client.rpc.SecurityService.getCurrentUser()' threw an unexpected exception: org.jboss.seam.security.AuthorizationException: This user has no permissions setup.
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.client.rpc.SecurityService.getCurrentUser()' threw an unexpected exception: org.jboss.seam.security.AuthorizationException: This user has no permissions setup.
    at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:385)
    at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:588)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
    at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.jboss.solder.servlet.exception.CatchExceptionFilter.doFilter(CatchExceptionFilter.java:65)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.jboss.solder.servlet.event.ServletEventBridgeFilter.doFilter(ServletEventBridgeFilter.java:74)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1852)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)
Caused by: org.jboss.seam.security.AuthorizationException: This user has no permissions setup.
    at org.drools.guvnor.server.security.SecurityServiceImpl.getUserCapabilities(SecurityServiceImpl.java:128)
    at org.drools.guvnor.server.security.SecurityServiceImpl.getCurrentUser(SecurityServiceImpl.java:101)
    at org.drools.guvnor.server.security.SecurityServiceImpl$Proxy$_$$_WeldClientProxy.getCurrentUser(SecurityServiceImpl$Proxy$_$$_WeldClientProxy.java)
    at org.drools.guvnor.server.SecurityServiceServlet.getCurrentUser(SecurityServiceServlet.java:74)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569)
    ... 27 more

Going in with a debugger, I see the user ID is "guest".

What step am I missing so that I can see a login screen?

This ticket is also open on JBoss Community: https://community.jboss.org/message/831268#831268
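As an added illustration (not code from the question or from the linked guvnor-jaas.zip), here is a hypothetical LoginModule of the kind the drools-guvnor jaas.config entry points at; it refuses blank and "guest" usernames, so a module flagged required can never succeed for an anonymous identity. It assumes Java 9 or later and uses a constructed in-memory credential table in place of a real directory.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module standing in for the class named in the "drools-guvnor"
// jaas.config entry (not the one in the linked guvnor-jaas.zip). Blank and "guest"
// names are refused; the credential table below is constructed sample data.
public class GuestRejectingLoginModule implements LoginModule {
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
    private Subject subject;
    private CallbackHandler handler;
    private boolean succeeded;
    private String user;

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        handler = h; // the caller's handler supplies the form credentials
    }

    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        String name = nc.getName();
        char[] given = pc.getPassword(); // getPassword() returns a copy
        pc.clearPassword();
        if (name == null || name.trim().isEmpty() || "guest".equalsIgnoreCase(name))
            throw new FailedLoginException("anonymous/guest login refused");
        char[] expected = USERS.get(name);
        boolean ok = expected != null && given != null && Arrays.equals(expected, given);
        if (given != null) Arrays.fill(given, '\0'); // scrub our copy of the secret
        if (!ok) throw new FailedLoginException("bad credentials");
        user = name;
        succeeded = true;
        return true;
    }

    @Override public boolean commit() {
        if (succeeded) subject.getPrincipals().add(() -> user); // java.security.Principal
        return succeeded;
    }

    @Override public boolean abort()  { succeeded = false; user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

Wired in through a jaas.config entry like the one above (with this class in place of com.ndipiazza.JaasGuvnor), a request carrying no credentials fails in login() instead of arriving at the application as "guest".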

There are 1 best solutions below

This solution was not tested with Tomcat, but with JBoss 7.1.1. Not sure if there's much difference, but anyway here it goes:

First off, you have to create a new security domain in standalone.xml:

<security-domain name="your-security-domain-name" cache-type="default">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="your LDAP url"/>
            <module-option name="baseCtxDN" value="ou=your_OU,dc=yourDC,dc=com"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="ou=your_Roles_OU, dc=yourDC,dc=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
        </login-module>
    </authentication>
</security-domain>

Next, configure the guvnor.war beans.xml file to use JAAS:

(...)
<security:IdentityImpl>
  <s:modifies/>
  <!-- JAAS based authentication -->
  <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>

<security:jaas.JaasAuthenticator>
  <s:modifies/>
  <security:jaasConfigName>your-security-domain-name</security:jaasConfigName>
</security:jaas.JaasAuthenticator>

<!-- SECURITY AUTHORIZATION CONFIGURATION -->
<!-- This is used to enable or disable role-based authorization. By default it is disabled. -->
<guvnorSecurity:RoleBasedPermissionResolver>
  <s:modifies/>
  <guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>

<weld:scan>
  <!-- Disable the seam-security by drools rules
  <weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->
  <!-- TODO remove me when GUVNOR-1196 is fixed -->
  <weld:exclude name="org.drools.guvnor.gwtutil.**"/>
  <weld:exclude name="org.drools.guvnor.client.**"/>
</weld:scan>

</beans>

Before setting this line here to true:

<guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>

you have to log in first without roles so you can map a user to his permissions. Give admin rights to at least one user or you won't be able to log in at all.

Also, don't forget to update both seam-security jars under WEB-INF/lib from version 3.1 to 3.2. This is very important or the login won't work.

This solution got my login to authenticate users from my LDAP server, on Guvnor, without any hiccups. If you have any more trouble, let me know.

Rafael