8 Replies Latest reply on Nov 26, 2013 8:27 AM by jimknopf007

    Disable guest users in Guvnor 5.5.0?

    ndipiazza
    ndipiazza Aug 3, 2013 4:33 PM

      Please excuse a somewhat simple question.

       

      I'm running Guvnor 5.5.0.Final on tomcat-7.0.42. I replaced seam-security-3.1.0.Final with seam-security-3.2.0.Final.

       

      Here is the XML snippets of which I set up a basic authenticator:

       

      guvnor/WEB-INF/beans.xml 

      <security:IdentityImpl>
   <s:modifies/>
   <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
  </security:IdentityImpl>

  <security:jaas.JaasAuthenticator>
         <s:modifies/>
         <security:jaasConfigName>drools-guvnor</security:jaasConfigName>
  </security:jaas.JaasAuthenticator>

      jaas.config

       

      drools-guvnor {
   com.ndipiazza.JaasGuvnor required debug=true;
};

       

      See the attached ZIP file for the Guvnor JAAS login

       

      I did not enable Role-based Permissions. I'm fine with everyone having the same roles as long as there are no guest users.

       

      But when I use this configuration and then go to Guvnor, I see I'm already logged in Welcome: guest [Sign Out]

       

      I want it to go to a Form based login. How can I set this up? Am I missing something?

       

      When I enable the role based permissions with this:

       

        <guvnorSecurity:RoleBasedPermissionResolver>
   <s:modifies/>
   <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
  </guvnorSecurity:RoleBasedPermissionResolver>

       

      I then get this error message (401 This user has no permissions setup.). And the stack trace below shows:

       

      INFO  03-08 12:53:23,517 (LoggingHelper.java:info:56)
Service method 'public

abstract org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.clie
nt.rpc.SecurityService.getCurrentUser()' threw an unexpected exception: org.jbos
s.seam.security.AuthorizationException: This user has no permissions setup.
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstr
act org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.client.rp
c.SecurityService.getCurrentUser()' threw an unexpected exception: org.jboss.sea
m.security.AuthorizationException: This user has no permissions setup.


at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:

385)


at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:5

88)


at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(Remot

eServiceServlet.java:208)


at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(Remot

eServiceServlet.java:248)


at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(Ab

stractRemoteServiceServlet.java:62)


at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)


at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)


at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl

icationFilterChain.java:305)


at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF

ilterChain.java:210)


at org.jboss.solder.servlet.exception.CatchExceptionFilter.doFilter(Catc

hExceptionFilter.java:65)


at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl

icationFilterChain.java:243)


at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF

ilterChain.java:210)


at org.jboss.solder.servlet.event.ServletEventBridgeFilter.doFilter(Serv

letEventBridgeFilter.java:74)


at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl

icationFilterChain.java:243)


at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF

ilterChain.java:210)


at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV

alve.java:222)


at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV

alve.java:123)


at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica

torBase.java:502)


at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j

ava:171)


at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j

ava:99)


at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:

953)


at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal

ve.java:118)


at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav

a:408)


at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp

11Processor.java:1023)


at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(

AbstractProtocol.java:589)


at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoin

t.java:1852)


at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.

java:1145)


at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor

.java:615)


at java.lang.Thread.run(Thread.java:722)

Caused by: org.jboss.seam.security.AuthorizationException: This user has no perm
issions setup.


at org.drools.guvnor.server.security.SecurityServiceImpl.getUserCapabili

ties(SecurityServiceImpl.java:128)


at org.drools.guvnor.server.security.SecurityServiceImpl.getCurrentUser(

SecurityServiceImpl.java:101)


at org.drools.guvnor.server.security.SecurityServiceImpl$Proxy$_$$_WeldC

lientProxy.getCurrentUser(SecurityServiceImpl$Proxy$_$$_WeldClientProxy.java)


at org.drools.guvnor.server.SecurityServiceServlet.getCurrentUser(Securi

tyServiceServlet.java:74)


at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)


at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.

java:57)


at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces

sorImpl.java:43)


at java.lang.reflect.Method.invoke(Method.java:601)


at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:5

69)


... 27 more

       

      Going in with a debugger i see the user ID is "guest".

       

      What step am I missing so that I can see a login screen?

        • 1. Re: Disable guest users in Guvnor 5.5.0?
          srikanthmalli
          srikanthmalli Aug 8, 2013 2:18 PM (in response to ndipiazza)

          Did you figure out how to enable the login screen?

            • Actions
          • 2. Re: Disable guest users in Guvnor 5.5.0?
            ndipiazza
            ndipiazza Aug 8, 2013 9:01 PM (in response to srikanthmalli)

            I think this is a bug. I attached the jira - https://issues.jboss.org/browse/GUVNOR-2038

              • Actions
            • 3. Re: Disable guest users in Guvnor 5.5.0?
              rafaelsoledadem
              rafaelsoledadem Oct 11, 2013 4:53 AM (in response to ndipiazza)

              This solution was not tested with Tomcat, but with JBoss 7.1.1. Not sure if there's much difference, but anyway here it goes:

               

              First off, you have to create a new security domain in standalone.xml:

               

                              <security-domain name="your-security-domain-name" cache-type="default">

                                  <authentication>

                                      <login-module code="LdapExtended" flag="required">

                                          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                          <module-option name="java.naming.provider.url" value="your LDAP url/>

                                          <module-option name="baseCtxDN" value="ou=your_OU,dc=yourDC,dc=com"/>

                                          <module-option name="baseFilter" value="(uid={0})"/>

                                          <module-option name="rolesCtxDN" value="ou=your_Roles_OU, dc=yourDC,dc=com"/>

                                          <module-option name="roleFilter" value="(member={1})"/>

                                          <module-option name="roleAttributeID" value="cn"/>

                                          <module-option name="throwValidateError" value="true"/>

                                          <module-option name="searchScope" value="ONELEVEL_SCOPE"/>

                                      </login-module>

                                  </authentication>

                              </security-domain>

               

              Next, configure the guvnor.war beans.xml file to use JAAS:

               

              (...)

              <security:IdentityImpl> <s:modifies/>
                  <!-- JAAS based authentication -->

                    <security:authenticatorName>jaasAuthenticator</security:authenticatorName>

              </security:IdentityImpl>

              <security:jaas.JaasAuthenticator>
              <s:modifies/>
                <security:jaasConfigName>your-security-domain-name</security:jaasConfigName>
              </security:jaas.JaasAuthenticator>
              <!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. -->      
              <guvnorSecurity:RoleBasedPermissionResolver>
                <s:modifies/>
                <guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>
              </guvnorSecurity:RoleBasedPermissionResolver>

               

                <weld:scan>

                  <!-- Disable the seam-security by drools rules

                  <weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->

                  <!-- TODO remove me when GUVNOR-1196 is fixed -->

                  <weld:exclude name="org.drools.guvnor.gwtutil.**"/>

                  <weld:exclude name="org.drools.guvnor.client.**"/>

                </weld:scan>

               

               

              </beans>

               

               

              Before setting this line here to true ->> <guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>, you have to login first without roles so you can map a user to his permissions. Give admin right to at least one user or you won't be able to login at all.

               

              Also, don't forget to update both seam-security jars under WEB-INF/lib from version 3.1 to 3.2. This is very important or the login won't work.

               

              This solution got my login to authenticate users from my LDAP server, on Guvnor, without any hickups. If you have any more trouble, let me know.

               

              Rafael

                • Actions
              • 4. Re: Disable guest users in Guvnor 5.5.0?
                jimknopf007
                jimknopf007 Nov 3, 2013 1:08 PM (in response to rafaelsoledadem)

                Hi there,

                 

                I followed your instructions (thanks for the verbose instructions). I already had upgraded the seam libs. to 3.2, but I still get the Error "401 This user has no permissions setup."

                I also observed a login error (user/password incorrect) upon fist calling the guvnor webapp before the login dialog is shown. Apparently, the  application tries to login with some kind of default user?

                I am running guvnor 5.5.0-Final on JBoss 7.

                Another question: In your instructions, you still have this line <weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>

                commented out. Is that correct?

                 

                best regards

                  • Actions
                • 5. Re: Disable guest users in Guvnor 5.5.0?
                  rafaelsoledadem
                  rafaelsoledadem Nov 4, 2013 4:40 AM (in response to jimknopf007)

                  Jim,

                   

                  1. What you said is true, as soon you start running Guvnor it attemps a default login and fails. I don't know why this happens and even though it's odd I don't think it's anything to be concerned about (unless it implies some security issues).

                   

                  2. The line you mentioned is commented out, yes.

                   

                  3. If your authentication is still not working try doing one of these things:

                     a) have you logged in to Guvnor with roles disabled and mapped a user with admin right? --->> <guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>

                     b) Try using Guvnor 5.4.0 instead. I had some issues with 5.5.0 (even though it's working now). If option a) doesn't help you I'll try and remember what I did to get it working with v.5.5

                    • Actions
                  • 6. Re: Disable guest users in Guvnor 5.5.0?
                    jimknopf007
                    jimknopf007 Nov 4, 2013 7:36 AM (in response to rafaelsoledadem)

                    Hi Rafael,

                     

                    thanks for the quick reply. I had already tried option a, i.e. in guvnor. I went to Administration/User permission clicked "Open" on a user, clicked the green plus icon, chose "admin" from the dropdown box and clicked "save changes". Is there a different thing to to when you say I need to have a user with admin right?

                    Here is some additional information on my configuration: I use a securitydomain configured in standalone.xml of JBoss consisting of two loginmodules; the first one uses property files (had to put it under WEB-INF/classes within the guvnor.war directory to get them available on the classpath), the second one is an ldap server authentication. Both work correctly when I have the RoleBasedAuthorization turned off.

                    When I turn it on, I get the message "401 This user has no permissions setup." upon calling the guvnor url.

                     

                    excerpt from standalone.xml:

                     

                    <security-domain name="guvnor" cache-type="default">

                      <authentication>

                      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"

                      flag="sufficient">

                      <module-option name="usersProperties" value="guvnor-users.properties" />

                      <module-option name="rolesProperties" value="guvnor-roles.properties" />

                      <module-option name="hashAlgorithm" value="MD5" />

                      <module-option name="hashEncoding" value="base64" />

                      <module-option name="unauthenticatedIdentity"

                      value="nobody" />

                      </login-module>

                      <login-module code="org.jboss.security.auth.spi.LdapLoginModule"

                      flag="sufficient">

                      <module-option name="java.naming.factory.initial"

                      value="com.sun.jndi.ldap.LdapCtxFactory" />

                      <module-option name="java.naming.provider.url"

                    ...

                      </login-module>

                      </authentication>

                      </security-domain>

                     

                    any ideas?

                      • Actions
                    • 7. Re: Disable guest users in Guvnor 5.5.0?
                      rafaelsoledadem
                      rafaelsoledadem Nov 4, 2013 12:38 PM (in response to jimknopf007)

                      The only thing I can think of is that your mapping is incorrect: make sure the user you created in the guvnor page admin section is EXACTLY the same in your LDAP or .properties. And give the user full permissions for packages and everything. I can't really see what else could be your problem.

                        • Actions
                      • 8. Re: Disable guest users in Guvnor 5.5.0?
                        jimknopf007
                        jimknopf007 Nov 26, 2013 8:27 AM (in response to ndipiazza)

                        Hi, I gave it another try and succeeded in activating the rolebases authorization. No I have two other problems:

                        1. I can't find any effects of the authorization: users without any permissions can still edit anything in guvnor.

                        2. i can login as any user even empty username and password are possible.

                        On the console, I get this (username replaced):

                         

                        14:01:09,224|INFO|http-localhost/127.0.0.1:8080-1|server.security.SecurityServiceImpl||Logging in user [<username>]

                        14:01:10,699|WARN|http-localhost/127.0.0.1:8080-1|security.permission.SecurityRuleLoader||No security rules configured - rule base permissions will be unavailable.

                        14:01:11,402|INFO|http-localhost/127.0.0.1:8080-1|jackrabbit.core.TransientRepository||Session opened

                        14:01:11,406|INFO|http-localhost/127.0.0.1:8080-1|stdout||=============== session-<username>-4

                         

                         

                        14:01:11,412|INFO|http-localhost/127.0.0.1:8080-6|jackrabbit.core.TransientRepository||Session opened

                        14:01:11,412|INFO|http-localhost/127.0.0.1:8080-6|stdout||=============== session-<username>-5

                         

                         

                        14:01:11,416|INFO|http-localhost/127.0.0.1:8080-4|jackrabbit.core.TransientRepository||Session opened

                        14:01:11,418|INFO|http-localhost/127.0.0.1:8080-4|stdout||=============== session-<username>-6

                         

                         

                        14:01:11,419|INFO|http-localhost/127.0.0.1:8080-3|jackrabbit.core.TransientRepository||Session opened

                        14:01:11,420|INFO|http-localhost/127.0.0.1:8080-3|stdout||=============== session-<username>-7

                         

                         

                        14:01:11,991|INFO|http-localhost/127.0.0.1:8080-6|jackrabbit.core.TransientRepository||Session closed

                        14:01:17,361|INFO|http-localhost/127.0.0.1:8080-3|jackrabbit.core.TransientRepository||Session closed

                        14:01:17,389|INFO|http-localhost/127.0.0.1:8080-1|jackrabbit.core.TransientRepository||Session closed

                        14:01:17,390|INFO|http-localhost/127.0.0.1:8080-4|jackrabbit.core.TransientRepository||Session closed

                        14:01:32,047|INFO|http-localhost/127.0.0.1:8080-1|jackrabbit.core.TransientRepository||Session opened

                        14:01:32,917|INFO|http-localhost/127.0.0.1:8080-1|jackrabbit.core.TransientRepository||Session closed

                         

                        more hints on my configuration: I am using a org.apache.jackrabbit.core.fs.db.OracleFileSystem repository  hosted on oracle 11 (which is working fine except for the authorization).

                        Any ideas?

                          • Actions