8 Replies Latest reply on Nov 26, 2013 8:27 AM by Jim Knopf

    Disable guest users in Guvnor 5.5.0?

    Nicholas DiPiazza Novice

      Please excuse a somewhat simple question.

      I'm running Guvnor 5.5.0.Final on tomcat-7.0.42. I replaced seam-security-3.1.0.Final with seam-security-3.2.0.Final.

      Here are the XML snippets with which I set up a basic authenticator:

       

      guvnor/WEB-INF/beans.xml

      <security:IdentityImpl>
        <s:modifies/>
        <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
      </security:IdentityImpl>

      <security:jaas.JaasAuthenticator>
        <s:modifies/>
        <security:jaasConfigName>drools-guvnor</security:jaasConfigName>
      </security:jaas.JaasAuthenticator>

      jaas.config

      drools-guvnor {
         com.ndipiazza.JaasGuvnor required debug=true;
      };

      See the attached ZIP file for the Guvnor JAAS login.

      I did not enable Role-based Permissions. I'm fine with everyone having the same roles as long as there are no guest users.

      But when I use this configuration and then go to Guvnor, I see I'm already logged in: "Welcome: guest [Sign Out]".

      I want it to go to a form-based login. How can I set this up? Am I missing something?

      When I enable the role-based permissions with this:

      <guvnorSecurity:RoleBasedPermissionResolver>
        <s:modifies/>
        <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
      </guvnorSecurity:RoleBasedPermissionResolver>

      I then get this error message: "401 This user has no permissions setup." And the stack trace below shows:

      INFO  03-08 12:53:23,517 (LoggingHelper.java:info:56)
      Service method 'public abstract org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.client.rpc.SecurityService.getCurrentUser()' threw an unexpected exception: org.jboss.seam.security.AuthorizationException: This user has no permissions setup.
      com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.client.rpc.SecurityService.getCurrentUser()' threw an unexpected exception: org.jboss.seam.security.AuthorizationException: This user has no permissions setup.
          at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:385)
          at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:588)
          at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
          at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
          at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
          at org.jboss.solder.servlet.exception.CatchExceptionFilter.doFilter(CatchExceptionFilter.java:65)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
          at org.jboss.solder.servlet.event.ServletEventBridgeFilter.doFilter(ServletEventBridgeFilter.java:74)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
          at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1852)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          at java.lang.Thread.run(Thread.java:722)
      Caused by: org.jboss.seam.security.AuthorizationException: This user has no permissions setup.
          at org.drools.guvnor.server.security.SecurityServiceImpl.getUserCapabilities(SecurityServiceImpl.java:128)
          at org.drools.guvnor.server.security.SecurityServiceImpl.getCurrentUser(SecurityServiceImpl.java:101)
          at org.drools.guvnor.server.security.SecurityServiceImpl$Proxy$_$$_WeldClientProxy.getCurrentUser(SecurityServiceImpl$Proxy$_$$_WeldClientProxy.java)
          at org.drools.guvnor.server.SecurityServiceServlet.getCurrentUser(SecurityServiceServlet.java:74)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:601)
          at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569)
          ... 27 more

       

      Going in with a debugger I see the user ID is "guest".

      What step am I missing so that I can see a login screen?

        • 1. Re: Disable guest users in Guvnor 5.5.0?
          srikanth mallikarjuna Newbie

          Did you figure out how to enable the login screen?

          • 3. Re: Disable guest users in Guvnor 5.5.0?
            Rafael Soledade Newbie

            This solution was not tested with Tomcat, but with JBoss 7.1.1. Not sure if there's much difference, but anyway here it goes:

             

            First off, you have to create a new security domain in standalone.xml:

            <security-domain name="your-security-domain-name" cache-type="default">
                <authentication>
                    <login-module code="LdapExtended" flag="required">
                        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                        <module-option name="java.naming.provider.url" value="your LDAP url"/>
                        <module-option name="baseCtxDN" value="ou=your_OU,dc=yourDC,dc=com"/>
                        <module-option name="baseFilter" value="(uid={0})"/>
                        <module-option name="rolesCtxDN" value="ou=your_Roles_OU, dc=yourDC,dc=com"/>
                        <module-option name="roleFilter" value="(member={1})"/>
                        <module-option name="roleAttributeID" value="cn"/>
                        <module-option name="throwValidateError" value="true"/>
                        <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
                    </login-module>
                </authentication>
            </security-domain>


            Next, configure the guvnor.war beans.xml file to use JAAS:

            (...)

            <security:IdentityImpl>
              <s:modifies/>
              <!-- JAAS based authentication -->
              <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
            </security:IdentityImpl>

            <security:jaas.JaasAuthenticator>
              <s:modifies/>
              <security:jaasConfigName>your-security-domain-name</security:jaasConfigName>
            </security:jaas.JaasAuthenticator>

            <!-- SECURITY AUTHORIZATION CONFIGURATION -->
            <!-- This is used to enable or disable role-based authorization. By default it is disabled. -->
            <guvnorSecurity:RoleBasedPermissionResolver>
              <s:modifies/>
              <guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>
            </guvnorSecurity:RoleBasedPermissionResolver>

            <weld:scan>
              <!-- Disable the seam-security by drools rules
              <weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->
              <!-- TODO remove me when GUVNOR-1196 is fixed -->
              <weld:exclude name="org.drools.guvnor.gwtutil.**"/>
              <weld:exclude name="org.drools.guvnor.client.**"/>
            </weld:scan>

            </beans>


            Before setting this line to true ->> <guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>, you have to log in first without roles so you can map a user to his permissions. Give admin rights to at least one user or you won't be able to log in at all.

            Also, don't forget to update both seam-security jars under WEB-INF/lib from version 3.1 to 3.2. This is very important or the login won't work.

            This solution got my login to authenticate users from my LDAP server on Guvnor without any hiccups. If you have any more trouble, let me know.

            Rafael

            • 4. Re: Disable guest users in Guvnor 5.5.0?
              Jim Knopf Newbie

              Hi there,

              I followed your instructions (thanks for the verbose instructions). I had already upgraded the seam libs to 3.2, but I still get the error "401 This user has no permissions setup."

              I also observed a login error (user/password incorrect) upon first calling the guvnor webapp before the login dialog is shown. Apparently, the application tries to log in with some kind of default user?

              I am running guvnor 5.5.0-Final on JBoss 7.

              Another question: in your instructions, you still have this line <weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/> commented out. Is that correct?

              best regards

              • 5. Re: Disable guest users in Guvnor 5.5.0?
                Rafael Soledade Newbie

                Jim,

                1. What you said is true: as soon as you start running Guvnor it attempts a default login and fails. I don't know why this happens and even though it's odd I don't think it's anything to be concerned about (unless it implies some security issues).

                2. The line you mentioned is commented out, yes.

                3. If your authentication is still not working try doing one of these things:

                   a) Have you logged in to Guvnor with roles disabled and mapped a user with admin rights? --->> <guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>

                   b) Try using Guvnor 5.4.0 instead. I had some issues with 5.5.0 (even though it's working now). If option a) doesn't help you I'll try and remember what I did to get it working with v5.5.

                • 6. Re: Disable guest users in Guvnor 5.5.0?
                  Jim Knopf Newbie

                  Hi Rafael,

                  thanks for the quick reply. I had already tried option a), i.e. in guvnor I went to Administration/User permission, clicked "Open" on a user, clicked the green plus icon, chose "admin" from the dropdown box and clicked "save changes". Is there a different thing to do when you say I need to have a user with admin rights?

                  Here is some additional information on my configuration: I use a security domain configured in standalone.xml of JBoss consisting of two login modules; the first one uses property files (had to put them under WEB-INF/classes within the guvnor.war directory to get them available on the classpath), the second one is an LDAP server authentication. Both work correctly when I have the RoleBasedAuthorization turned off.

                  When I turn it on, I get the message "401 This user has no permissions setup." upon calling the guvnor url.

                  excerpt from standalone.xml:

                  <security-domain name="guvnor" cache-type="default">
                    <authentication>
                      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
                        <module-option name="usersProperties" value="guvnor-users.properties"/>
                        <module-option name="rolesProperties" value="guvnor-roles.properties"/>
                        <module-option name="hashAlgorithm" value="MD5"/>
                        <module-option name="hashEncoding" value="base64"/>
                        <module-option name="unauthenticatedIdentity" value="nobody"/>
                      </login-module>
                      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
                        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                        <module-option name="java.naming.provider.url"
                  ...
                      </login-module>
                    </authentication>
                  </security-domain>

                  any ideas?

                  • 7. Re: Disable guest users in Guvnor 5.5.0?
                    Rafael Soledade Newbie

                    The only thing I can think of is that your mapping is incorrect: make sure the user you created in the guvnor page admin section is EXACTLY the same in your LDAP or .properties. And give the user full permissions for packages and everything. I can't really see what else could be your problem.

                    • 8. Re: Disable guest users in Guvnor 5.5.0?
                      Jim Knopf Newbie

                      Hi, I gave it another try and succeeded in activating the role-based authorization. Now I have two other problems:

                      1. I can't find any effects of the authorization: users without any permissions can still edit anything in guvnor.

                      2. I can log in as any user; even an empty username and password are possible.

                      On the console, I get this (username replaced):

                      14:01:09,224|INFO|http-localhost/127.0.0.1:8080-1|server.security.SecurityServiceImpl||Logging in user [<username>]
                      14:01:10,699|WARN|http-localhost/127.0.0.1:8080-1|security.permission.SecurityRuleLoader||No security rules configured - rule base permissions will be unavailable.
                      14:01:11,402|INFO|http-localhost/127.0.0.1:8080-1|jackrabbit.core.TransientRepository||Session opened
                      14:01:11,406|INFO|http-localhost/127.0.0.1:8080-1|stdout||=============== session-<username>-4
                      14:01:11,412|INFO|http-localhost/127.0.0.1:8080-6|jackrabbit.core.TransientRepository||Session opened
                      14:01:11,412|INFO|http-localhost/127.0.0.1:8080-6|stdout||=============== session-<username>-5
                      14:01:11,416|INFO|http-localhost/127.0.0.1:8080-4|jackrabbit.core.TransientRepository||Session opened
                      14:01:11,418|INFO|http-localhost/127.0.0.1:8080-4|stdout||=============== session-<username>-6
                      14:01:11,419|INFO|http-localhost/127.0.0.1:8080-3|jackrabbit.core.TransientRepository||Session opened
                      14:01:11,420|INFO|http-localhost/127.0.0.1:8080-3|stdout||=============== session-<username>-7
                      14:01:11,991|INFO|http-localhost/127.0.0.1:8080-6|jackrabbit.core.TransientRepository||Session closed
                      14:01:17,361|INFO|http-localhost/127.0.0.1:8080-3|jackrabbit.core.TransientRepository||Session closed
                      14:01:17,389|INFO|http-localhost/127.0.0.1:8080-1|jackrabbit.core.TransientRepository||Session closed
                      14:01:17,390|INFO|http-localhost/127.0.0.1:8080-4|jackrabbit.core.TransientRepository||Session closed
                      14:01:32,047|INFO|http-localhost/127.0.0.1:8080-1|jackrabbit.core.TransientRepository||Session opened
                      14:01:32,917|INFO|http-localhost/127.0.0.1:8080-1|jackrabbit.core.TransientRepository||Session closed

                      More hints on my configuration: I am using an org.apache.jackrabbit.core.fs.db.OracleFileSystem repository hosted on Oracle 11 (which is working fine except for the authorization).

                      Any ideas?
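Two of the credential problems in this thread, the original post's custom JAAS module (loaded by the `drools-guvnor { ... required; }` entry in jaas.config) and reply 8's observation that an empty username and password are accepted, come down to what a login module does when it is handed no credentials at all. The following is an added example written for this page; it is not the module in the ZIP attached to the original post and not Guvnor, Seam or JBoss code. The class name `StrictLoginModule`, the in-code `Configuration` that stands in for jaas.config, and the sample user `alice` / `s3cret` are assumptions made up for the example. It shows a JAAS `LoginModule` that treats a null or empty username or password as a failed login rather than falling back to a default identity, and drives it through `LoginContext` with a valid, an empty and a null login attempt.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS module; stands in for the "required" module the original post's jaas.config loads. */
public class StrictLoginModule implements LoginModule {
    // Constructed sample user table; a real module would consult a directory or a properties file.
    private static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret".toCharArray()); }

    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        final String name = nc.getName();
        char[] pw = pc.getPassword();   // a copy; null if the handler set nothing
        pc.clearPassword();
        // The check that matters here: absent or empty credentials are a failed login,
        // never a fallback to a default identity such as "guest" or "nobody".
        if (name == null || name.isEmpty() || pw == null || pw.length == 0) {
            throw new FailedLoginException("username and password are required");
        }
        char[] expected = USERS.get(name);
        boolean ok = expected != null && Arrays.equals(expected, pw);
        Arrays.fill(pw, '\0');          // do not keep the secret around longer than needed
        if (!ok) throw new FailedLoginException("invalid credentials");
        principal = () -> name;         // java.security.Principal has a single abstract method
        return true;
    }

    @Override public boolean commit() {
        if (principal == null) return false;
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { principal = null; return true; }
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }

    /** In-code equivalent of the posted jaas.config entry: drools-guvnor { <module> required; }; */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                if (!"drools-guvnor".equals(app)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        StrictLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        };
    }

    /** Runs one login attempt through LoginContext; returns the authenticated name, or null if refused. */
    static String tryLogin(String user, String password) {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback)
                    ((PasswordCallback) c).setPassword(password == null ? null : password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        try {
            LoginContext lc = new LoginContext("drools-guvnor", new Subject(), h, config());
            lc.login();
            return lc.getSubject().getPrincipals().iterator().next().getName();
        } catch (LoginException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("alice/s3cret -> " + tryLogin("alice", "s3cret"));
        System.out.println("empty/empty  -> " + tryLogin("", ""));       // blank credentials: refused
        System.out.println("null/null    -> " + tryLogin(null, null));   // no credentials: refused
    }
}
```

Compile and run it with `javac StrictLoginModule.java && java StrictLoginModule`; only the first attempt yields a principal, the other two are reported as refused. One thing to check against this behaviour in the security domain posted in reply 6: the `unauthenticatedIdentity` option of JBoss's UsersRolesLoginModule assigns the named identity (there, `nobody`) to a caller that presents no username and password, and because that module is marked `sufficient`, its success completes the login without the LDAP module being consulted. Removing that option is the first thing to try when an empty login is being accepted.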