2 Replies Latest reply on Jun 7, 2013 6:00 PM by manukyanv07

    Integrationg JAAS authentication and drools fine grained authorization.

    manukyanv07
    manukyanv07 May 23, 2013 9:34 AM

      Hi,

      When i enable fine grained authorization all my users become non-admin, i am using tomcat 6 Drools Guvnor 5.5.0.Finali

      I am not using authorization in my login module i only set one principal in my subject

       

      there is no exceptions. everything works fine, user is authenticated has the admin role set from drools guvnor UI, but when i enable authorization, user stops being admin, in fact every user turns non-admin.

       

      Any sugestions would be apreciated

       

      Tahnx

       

      beans.xml

       <security:jaas.JaasAuthenticator>
    <s:modifies/>
    <security:jaasConfigName>drools-guvnor550-final</security:jaasConfigName>
  </security:jaas.JaasAuthenticator>

  <!-- SECURITY AUTHORIZATION CONFIGURATION -->  
  <guvnorSecurity:RoleBasedPermissionResolver>
    <s:modifies/>
   <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
  </guvnorSecurity:RoleBasedPermissionResolver>

       

      My login module

       

      public boolean login() throws LoginException {

        if (callbackHandler == null) {
            throw new LoginException("Error: no CallbackHandler available " + "to garner authentication information from the user");
        }
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("user name: ");
        callbacks[1] = new PasswordCallback("password: ", false);

        try {
            callbackHandler.handle(callbacks);
            username = ((NameCallback) callbacks[0]).getName();
            char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
            if (tmpPassword == null) {
                // treat a NULL password as an empty password
                tmpPassword = new char[0];
            }
            password = new char[tmpPassword.length];
            System.arraycopy(tmpPassword, 0, password, 0, tmpPassword.length);
            ((PasswordCallback) callbacks[1]).clearPassword();

        } catch (java.io.IOException ioe) {
            throw new LoginException(ioe.toString());
        } catch (UnsupportedCallbackException uce) {
            throw new LoginException("Error: " + uce.getCallback().toString() + " not available to garner authentication information " + "from the user");
        }

        String passStr = "";
        for (char p : password) {
            passStr = passStr + p;
        }

        // verify the username/password
        boolean usernameCorrect = false;
        boolean passwordCorrect = false;

        Properties props = new Properties();
        try {
            props.load(this.getClass().getClassLoader().getResourceAsStream("conf/guvnor-users.properties"));
        } catch (IOException e) {
            e.printStackTrace();
        }

        if (props.containsKey(username)) {
            usernameCorrect = true;
        }
        if (usernameCorrect && props.getProperty(username).equals(passStr)) {

            // authentication succeeded!!!
            passwordCorrect = true;
            if (debug) {
                System.out.println("\t\t[SampleLoginModule] " + "authentication succeeded");
            }
            succeeded = true;
            return true;
        } else {
            succeeded = false;
            username = null;
            for (int i = 0; i < password.length; i++)
                password[i] = ' ';
            password = null;
            if (!usernameCorrect) {
                return false;
            } else {
                throw new FailedLoginException("Password Incorrect");
            }
        }
    }
    public boolean commit() throws LoginException {
        try {
            if (succeeded == false) {
                return false;
            } else {
                // add a Principal (authenticated identity)
                // to the Subject

                // assume the user we authenticated is the SamplePrincipal
                userPrincipal = new User(username);
                System.out.println("USERNAME: " + username);
                if (!subject.getPrincipals().contains(userPrincipal)) {
                    subject.getPrincipals().add(userPrincipal);
                }
                // in any case, clean out state
                username = null;
                for (int i = 0; i < password.length; i++)
                    password[i] = ' ';
                password = null;

                commitSucceeded = true;
                return true;
            }
        } catch (Exception x) {
            x.printStackTrace();
            if (x instanceof LoginException) {
                throw (LoginException) x;
            }
        }
        return commitSucceeded;
    }

       

       

      My guvnor/META-INF/context.xml

       

       

      <Context>
  <Resource name="BeanManager"
            auth="Container"
            type="javax.enterprise.inject.spi.BeanManager"
            factory="org.jboss.weld.resources.ManagerObjectFactory"/>
<Realm className="org.apache.catalina.realm.JAASRealm" appName="drools-guvnor550-final" userClassNames="com.termmed.User"  />
</Context>

       

      tomcat jaas.config file

       

      drools-guvnor550-final {
        com.termmed.GuvnorLoginModule required debug=true;
};

       

       

      I enabled debug and this was the result of the log

       

      USERNAME: adminuser
        [LdapLoginModule] added UserPrincipal "Principal:  adminuser" to Subject
=============== session-adminuser-5
=============== session-adminuser-6
=============== session-adminuser-7
DEBUG 23-05 06:29:44,600 (LoggingHelper.java:debug:63)      Requested permission: admin, Permission granted: No
DEBUG 23-05 06:29:44,602 (LoggingHelper.java:debug:63)      Requested permission: package.readonly, Requested object: defaultPackage , Permission granted: Yes
DEBUG 23-05 06:29:44,623 (LoggingHelper.java:debug:63)      Requested permission: admin, Permission granted: No
DEBUG 23-05 06:29:44,624 (LoggingHelper.java:debug:63)      Requested permission: package.readonly, Requested object: ihtsdo-qa , Permission granted: No
DEBUG 23-05 06:29:44,607 (LoggingHelper.java:debug:63)      Requested permission: admin, Permission granted: No
DEBUG 23-05 06:29:44,628 (LoggingHelper.java:debug:63)      Requested permission: package.readonly, Requested object: defaultPackage , Permission granted: Yes
DEBUG 23-05 06:29:44,633 (LoggingHelper.java:debug:63)      Requested permission: admin, Permission granted: No
      • 1052 Views
      • Tags:
        • 1. Re: Integrationg JAAS authentication and drools fine grained authorization.
          swiderski.maciej
          swiderski.maciej May 23, 2013 12:31 PM (in response to manukyanv07)

          What I think could be the cause of this is that you ask the server to authorize access to the functionality but all your users are just authenticated meaning you don't give them any roles. I think that you miss roles configuration where in tomcat JAAS config you should provide

           

           

          <Context>
  <Resource name="BeanManager"
            auth="Container"
            type="javax.enterprise.inject.spi.BeanManager"
            factory="org.jboss.weld.resources.ManagerObjectFactory"/>
<Realm className="org.apache.catalina.realm.JAASRealm" appName="drools-guvnor550-final" userClassNames="com.termmed.User" roleClassNames="YOUR_ROLE_CLASS_NAME" />
</Context>

          added part marked in green.

           

          Then when you commit on login module you should add all the roles youse has:

           

           

          userPrincipal = new User(username);
System.out.println("USERNAME: " + username);
if (!subject.getPrincipals().contains(userPrincipal)) {
  subject.getPrincipals().add(userPrincipal);
  // add roles
  subject.getPrincipals().add(new Role("admin"));
  // add more roles if needed
}

           

          then I believe your module will provide complete information for the authorization mechanism.

           

          HTH

            • Actions
          • 2. Re: Integrationg JAAS authentication and drools fine grained authorization.
            manukyanv07
            manukyanv07 Jun 7, 2013 6:00 PM (in response to swiderski.maciej)

            I added the role principal, but still got nothing, when I enable RoleBasedAuthorization in my beans.xml file I have no permissions for any user, users configured as admin in guvnors Users permission mapping have authorization at all.

            at first when govnor try's to loggin with guest I throw a faildLogginException in my login module. after that exception I see this strange log lines marked with red

             

            [SampleLoginModule] user entered user name: guest

                    [SampleLoginModule] user entered password:

                    [SampleLoginModule] authentication failed

            ERROR 07-06 14:50:25,781 (Logger.java:error:1092)      JAAS authentication failed

            javax.security.auth.login.FailedLoginException: Password Incorrect

                at com.termmed.GuvnorLoginModule.login(GuvnorLoginModule.java:217)

                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

              .........

            WARN  07-06 14:50:25,867 (RulesRepositoryManager.java:getRulesRepository:70)      Creating RulesRepository with default username.

            INFO  07-06 14:50:25,881 (RulesRepositoryConfigurator.java:getInstance:46)      Creating an instance of the RulesRepositoryConfigurator.

             

            DEBUG 07-06 14:50:25,933 (GuvnorBootstrapConfiguration.java:extractAdminPassword:76)      Could not find property org.drools.repository.admin.password for user admin

             

            could that be the problem? what does it means

              • Actions