This is the configuration I have used in components.xml in Guvnor 5.1.1 on
Tomcat 6.x, linux server:
<!-- SECURITY IDENTITY CONFIGURATION -->
<security:ldap-identity-store name="ldapIdentityStore"
server-address="xxx.xxx.xxx"
server-port="389"
bind-DN="CN=*******,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
bind-credentials="*******"
user-DN-prefix="CN="
user-name-attribute="sAMAccountName"
user-DN-suffix=",OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-DN-prefix="CN="
role-name-attribute="member"
role-object-classes="group"
role-DN-suffix=",OU=xxx,DC=xxx,DC=xxx,DC=xxx"
role-context-DN="OU=xxx,DC=xxx,DC=xxx,DC=xxx"
user-role-attribute="memberOf"
user-object-classes="user"
role-attribute-is-DN="false" />
<security:identity-manager identity-store="#{ldapIdentityStore}" />
<!-- <security:identity authenticate-method="#{authenticator.authenticate}"/>
-->
Note: The authenticate-method is commented out. This allows for a custom
authentication method and is not required in this instance.
I also found that if a user authenticates with a blank or empty password, they
are authenticated and given the role of anonymous. As Drools Guvnor only uses
external authentication and manages authorisation internally, this allowed
users to log in with a blank or empty password, essentially circumventing
authentication.
This was addressed by modifying the SecurityServiceImpl with Guvnor to prevent
this:
// Modified from original to ensure no empty or blank passwords
if ( password == null || password.trim().equals("")) {
return false;
}
A further modification removed log.errors to improve the readability of log
files.
// Changed log.error to log.warn with userName
log.warn( "Unable to login user [" + userName + "]" );
Autologin was also disabled. This is a feature of Guvnor to support out of the
box use without security. However it caused multiple spurious logging errors.
// Disable autologin
return new UserSecurityContext( null );
//check to see if we can autologin
//return new UserSecurityContext( checkAutoLogin() );
Regards Ross
From: [email protected]
[mailto:[email protected]] On Behalf Of Dean Whisnant
Sent: Monday, 2 May 2011 12:42 PM
To: [email protected]
Subject: [rules-users] Guvnor, Apache Tomcat, and Active directory
Has anyone connected Guvnor on Apache Tomcat to Active Directory? I know the
components.xml file is where we setup the security, but I haven't been able to
find any examples of using active directory in my config. I am using 5.1.1 of
Guvnor, 7.x of Tomcat, on a windows server.
Any thoughts?
Thanks
Dean
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its
related entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11
55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does
not necessarily reflect the view of Suncorp. The content, including
attachments, is a confidential communication between Suncorp and the intended
recipient. If you are not the intended recipient, any use, interference with,
disclosure or copying of this e-mail, including attachments, is unauthorised
and expressly prohibited. If you have received this e-mail in error please
contact the sender immediately and delete the e-mail and any attachments from
your system.
_______________________________________________
rules-users mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/rules-users
