6 Replies Latest reply on Oct 10, 2008 6:01 AM by kukeltje

    replacing loginmodule in jBPM 3.2.3 / Tomcat 6

    fredv

      Hi,

      I'm running JBPM in a plain Tomcat (Jbpm-jpdl-3.2.3 & Tomcat 6.0.18).
      I managed to get this to work by following the wiki http://wiki.jboss.org/wiki/JbpmOnTomcat

      The next step is to make Tomcat and jbpm authenticate on an Active Directory.
      What I'm trying to achieve is to get the jbpm-console (not even talking about processes) to authenticate on an AD.
      I changed my $TOMCAT_HOME/conf/Catalina/localhost/jbpm-console.xml to authenticate on an AD.


      But, now when I try to authenticate on the jbpm-console, I get the following message. I know I'm missing something, but I can't figure out what...
      Any help would be greatly appreciated.
      "
      type : Status report
      message : Access to the requested resource has been denied
      description : Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
      "

      Thanks for your help.

      Fred

        • 1. Re: replacing loginmodule in jBPM 3.2.3 / Tomcat 6
          kukeltje

          The console itself or even jBPM do not authenticate. The console uses the credentials and roles provided by the container, and when starting a process, you have to set that id in the actor id when starting a process or retrieving a tasklist. For assignments there is a relation to the identity module though.

          • 2. Re: replacing loginmodule in jBPM 3.2.3 / Tomcat 6
            fredv

            Doesn't the console have a kind of "built-in" authentication module?
            The problem I'm facing here is that I've configured a Realm to get Tomcat to authenticate me on an ActiveDir, but the console doesn't seem to appreciate it.
            I'm not even talking about actors in processes: I haven't deployed any processes yet in the jbpm-console.
            When I log in, Tomcat sends an error:
            "
            type : Status report
            message : Access to the requested resource has been denied
            description : Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
            "
            That's why I was asking myself if the "out-of-the-box" jbpm-console wasn't trying to challenge the AD login id with some internal database somewhere... :(
            It works fine if I follow the http://wiki.jboss.org/wiki/JbpmOnTomcat wiki step-by-step (I can log in, start processes, etc...).
            But since I changed the $TOMCAT_HOME/conf/Catalina/localhost/jbpm-console.xml to :

            logging into the jbpm-console fails.... :(

            Any idea?

            Thanks.

            Fred

            • 3. Re: replacing loginmodule in jBPM 3.2.3 / Tomcat 6
              fredv

              Sorry, the content of the jbpm-console.xml file didn't get displayed in my answer...
              Here it is:

              <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
               connectionURL="ldap://myldap.server:389"
               connectionName="MyAdmin"
               connectionPassword="MyPassword"
               userPattern="cn={0}, CN=Users, DC=iamverif, DC=dom"
               roleBase="CN=Users, DC=iamverif, DC=dom"
               roleName="cn"
               roleSearch="uniqueMember={0}" />


              • 4. Re: replacing loginmodule in jBPM 3.2.3 / Tomcat 6
                kukeltje


                Doesn't the console have a kind of "built-in" authentication module?


                That's what I stated in the first sentence of my previous post. Sure, the console webapp has roles defined which are required, but that still is all container related.

                • 5. Re: replacing loginmodule in jBPM 3.2.3 / Tomcat 6
                  fredv

                  Ok, I understand that all the authentication thing is container related. By the way I did manage to make Tomcat authenticate on my Active Directory.
                  But, I think that, indeed, my problems come from the roles that are defined in the webapp console.
                  Have you (or anyone else I guess) ever managed to use the jbpm-console with an Active Directory authentication?
                  If so, could you please guide me to what I should do?

                  Thanks again.

                  Fred

                  • 6. Re: replacing loginmodule in jBPM 3.2.3 / Tomcat 6
                    kukeltje

                    Not with AD, but with LDAP. Did nothing special, just made sure all correct roles are in the AD/LDAP and your loginmodule can retrieve them.
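
An added example, not code from the thread participants or from jBPM: a check of the roles the realm returns for a user against the roles a web.xml requires, which is the mismatch that yields a 403 after a successful login. The web.xml fragment, the role names, the URL pattern and the helper names are constructed placeholders, and roles are compared as exact strings here.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment. The role names and URL pattern are placeholders,
# not the jbpm-console's real ones; read those from its WEB-INF/web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>example-user</role-name>
      <role-name>example-admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>example-user</role-name></security-role>
  <security-role><role-name>example-admin</role-name></security-role>
</web-app>"""

def _named(parent, name, deep=True):
    """Elements called `name` under parent, ignoring any XML namespace."""
    nodes = parent.iter() if deep else list(parent)
    return [e for e in nodes if e.tag.rsplit("}", 1)[-1] == name]

def denied_constraints(web_xml, realm_roles):
    """Return [(url_patterns, required_roles)] that would answer 403 for a
    user who authenticated but holds only `realm_roles`."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for sr in _named(root, "security-role")
                for r in _named(sr, "role-name")}
    denied = []
    for sc in _named(root, "security-constraint"):
        auth = _named(sc, "auth-constraint", deep=False)
        if not auth:
            continue  # no auth-constraint: resource is not role-protected
        required = {r.text.strip() for r in _named(auth[0], "role-name")}
        if "*" in required:  # "*" stands for every declared security-role
            required = declared
        if not required & set(realm_roles):
            patterns = [p.text.strip() for p in _named(sc, "url-pattern")]
            denied.append((patterns, sorted(required)))
    return denied

if __name__ == "__main__":
    # Constructed: group names the realm's role search returned for the user.
    for roles in ({"Domain Users"}, {"example-user"}):
        print(sorted(roles), "->", denied_constraints(WEB_XML, roles) or "access allowed")
```

Run it against the deployed application's own web.xml and the group names the realm actually returns for the account (the realm's debug logging shows them) to see which role is missing from the directory.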