5 Replies Latest reply on Dec 19, 2013 8:17 PM by Keith West

    Problem Configuring Guvnor with LDAP...

    Keith West Newbie

      My environment consists of Java 1.7, JBOSS AS 7.2, jBPM 5.4 (Drools guvnor 5.5).

       

      I have successfully set up LDAP for use with the jbpm-form-builder, and jbpm-console. With Guvnor, I have everything set up per numerous notes in this forum and elsewhere on the web, but when I attempt to log in, it provides an error message "Incorrect username or password", although the server log indicates these were fine. So, following some other notes on the web, I changed out the seam-security-3.1.0.jar included with Guvnor due to a bug, with seam-security-3.2.0.Final.jar. When I did this, and then tried to bring up the JBOSS apps server, the following is displayed in the server log, and guvnor doesn't start:

       

      2013-10-07 06:26:13,293 INFO  [org.jboss.solder.config.xml.bootstrap.XmlConfigExtension] (MSC service thread 1-4) Wrapping InjectionTarget to set field values: org.drools.guvnor.server.repository.GuvnorBootstrapConfiguration
      2013-10-07 06:26:13,763 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC00001: Failed to start service jboss.deployment.unit."drools-guvnor.war".WeldStartService: org.jboss.msc.service.StartException in service jboss.deployment.unit."drools-guvnor.war".WeldStartService: Failed to start service
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1767) [jboss-msc-1.0.4.GA.jar:1.0.4.GA]
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_25]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_25]
              at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
      Caused by: org.jboss.weld.exceptions.DefinitionException: Exception List with 2 exceptions:
      Exception 0 :
      java.lang.Exception: Could not resolve node IdentityImpl in namespace urn:java:org.jboss.seam.security at vfs:/content/drools-guvnor.war/WEB-INF/beans.xml:39
              at org.jboss.solder.config.xml.bootstrap.XmlConfigExtension.beforeBeanDiscovery(XmlConfigExtension.java:121)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at org.jboss.weld.util.reflection.SecureReflections$13.work(SecureReflections.java:267)
              at org.jboss.weld.util.reflection.SecureReflectionAccess.run(SecureReflectionAccess.java:52)
              at org.jboss.weld.util.reflection.SecureReflectionAccess.runAsInvocation(SecureReflectionAccess.java:137)
              at org.jboss.weld.util.reflection.SecureReflections.invoke(SecureReflections.java:263)
              at org.jboss.weld.introspector.jlr.WeldMethodImpl.invokeOnInstance(WeldMethodImpl.java:170)
              at org.jboss.weld.introspector.ForwardingWeldMethod.invokeOnInstance(ForwardingWeldMethod.java:51)
              at org.jboss.weld.injection.MethodInjectionPoint.invokeOnInstanceWithSpecialValue(MethodInjectionPoint.java:154)
              at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:245)
              at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:233)
              at org.jboss.weld.event.ObserverMethodImpl.notify(ObserverMethodImpl.java:213)
              at org.jboss.weld.bootstrap.events.AbstractContainerEvent.fire(AbstractContainerEvent.java:75)
              at org.jboss.weld.bootstrap.events.AbstractDefinitionContainerEvent.fire(AbstractDefinitionContainerEvent.java:46)
              at org.jboss.weld.bootstrap.events.BeforeBeanDiscoveryImpl.fire(BeforeBeanDiscoveryImpl.java:46)
              at org.jboss.weld.bootstrap.WeldBootstrap.startInitialization(WeldBootstrap.java:335)
              at org.jboss.as.weld.WeldStartService.start(WeldStartService.java:62)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at java.lang.Thread.run(Thread.java:724)

      Exception 0 :

      java.lang.Exception: Could not resolve node jaas.JaasAuthenticator in namespace urn:java:org.jboss.seam.security at vfs:/content/drools-guvnor.war/WEB-INF/beans.xml:57
              at org.jboss.solder.config.xml.bootstrap.XmlConfigExtension.beforeBeanDiscovery(XmlConfigExtension.java:121)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at org.jboss.weld.util.reflection.SecureReflections$13.work(SecureReflections.java:267)
              at org.jboss.weld.util.reflection.SecureReflectionAccess.run(SecureReflectionAccess.java:52)
              at org.jboss.weld.util.reflection.SecureReflectionAccess.runAsInvocation(SecureReflectionAccess.java:137)
              at org.jboss.weld.util.reflection.SecureReflections.invoke(SecureReflections.java:263)
              at org.jboss.weld.introspector.jlr.WeldMethodImpl.invokeOnInstance(WeldMethodImpl.java:170)
              at org.jboss.weld.introspector.ForwardingWeldMethod.invokeOnInstance(ForwardingWeldMethod.java:51)
              at org.jboss.weld.injection.MethodInjectionPoint.invokeOnInstanceWithSpecialValue(MethodInjectionPoint.java:154)
              at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:245)
              at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:233)
              at org.jboss.weld.event.ObserverMethodImpl.notify(ObserverMethodImpl.java:213)
              at org.jboss.weld.bootstrap.events.AbstractContainerEvent.fire(AbstractContainerEvent.java:75)
              at org.jboss.weld.bootstrap.events.AbstractDefinitionContainerEvent.fire(AbstractDefinitionContainerEvent.java:46)
              at org.jboss.weld.bootstrap.events.BeforeBeanDiscoveryImpl.fire(BeforeBeanDiscoveryImpl.java:46)
              at org.jboss.weld.bootstrap.WeldBootstrap.startInitialization(WeldBootstrap.java:335)
              at org.jboss.as.weld.WeldStartService.start(WeldStartService.java:62)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at java.lang.Thread.run(Thread.java:724)

              at org.jboss.weld.bootstrap.events.AbstractDefinitionContainerEvent.fire(AbstractDefinitionContainerEvent.java:48)
              at org.jboss.weld.bootstrap.events.AfterBeanDiscoveryImpl.fire(AfterBeanDiscoveryImpl.java:42)
              at org.jboss.weld.bootstrap.WeldBootstrap.deployBeans(WeldBootstrap.java:359)
              at org.jboss.as.weld.WeldStartService.start(WeldStartService.java:63)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.4.GA.jar:1.0.4.GA]
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.4.GA.jar:1.0.4.GA]
              ... 3 more

       

      I have researched these exceptions, but can't seem to find anything that helps in determining the cause. I've attached my beans.xml file. Any ideas on why this is occurring would be appreciated.

       

      Thanks,

      Keith

        • 1. Re: Problem Configuring Guvnor with LDAP...
          Keith West Newbie

          Any suggestions/ideas on what might be causing this, or a workaround?

           

          THX

          Keith

          • 2. Re: Problem Configuring Guvnor with LDAP...
            Maciej Swiderski Master

            Keith, maybe try on Guvnor's forum or IRC chat. Unfortunately I don't know such details in guvnor so can't help much here. I assume you read this already.

            • 3. Re: Problem Configuring Guvnor with LDAP...
              Keith West Newbie

              FYI - I unzipped the seam-security-3.1.0.jar, and the seam-security-3.2.0.jar, and then copied the org/jboss/seam/security/jaas/JaasAuthenticator classes from 3.2 to 3.1, and then zipped 3.1 back up, and put it back into the drools-guvnor WEB-INF/lib folder. When I deployed guvnor at this point, I was able to access guvnor using my LDAP credentials.

               

              So, something in the seam-security-3.2.0.jar is preventing it from being used with Guvnor 5.5.

               

              THX

              Keith

              • 4. Re: Problem Configuring Guvnor with LDAP...
                Kishor G Newbie

                Hi Keith,

                Can you please tell me how you gave the LDAP config in JBoss/Tomcat, meaning which files we need to modify? I am also facing the problem and thinking it's a problem with my LDAP config.

                Thanks, Kishor

                • 5. Re: Problem Configuring Guvnor with LDAP...
                  Keith West Newbie

                  There are a lot of things that need to be modified to get LDAP to work for all the various jBPM web components. I'll provide info below that worked for me - which covers all except the human task service. If you need that info, it's a bit more involved, but happy to provide if needed.

                   

                  -        standalone.xml

                  In the “<security-domains>” section, add the following to support LDAP:

                   

                  <security-domain name="XXXXLdap" cache-type="default">
                      <authentication>
                          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                              <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
                              <module-option name="java.naming.provider.url" value="ldaps://dirtest.corp.xxxxx.com:636/" />
                              <module-option name="java.naming.security.authentication" value="simple" />
                              <module-option name="baseCtxDN" value="ou=people, o=xxxxx, c=us" />
                              <module-option name="baseFilter" value="(uid={0})" />
                              <module-option name="rolesCtxDN" value="ou=groups, o=xxxxx, c=us" />
                              <module-option name="roleFilter" value="(uniqueMember=uid={0},ou=people,o=xxxxx,c=us)" />
                              <module-option name="roleAttributeID" value="cn" />
                              <module-option name="roleAttributeIsDN" value="false" />
                              <module-option name="throwValidateError" value="true" />
                              <module-option name="allowEmptyPasswords" value="true" />
                          </login-module>
                          <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
                              <module-option name="rolesProperties" value="/opt/xxxxx/jbpm/auth/rolesMapping-roles.properties" />
                          </login-module>
                      </authentication>
                  </security-domain>

                  -        rolesMapping-roles.properties

                  This config file is referenced in the standalone.xml definition above. It contains mapping between company-specific groups and jBPM 5.4 groups. It can be any name you want, and located wherever. The format of the file is "company role"="jbpm role".

                   

                  # jbpm-form-builder roles
                  jbpm-admin=admin
                  jbpm-webdesigner=webdesigner
                  jbpm-functionalanalyst=functionalanalyst

                  # jbpm-console roles
                  jbpm-administrator=administrator,admin
                  jbpm-manager=manager
                  jbpm-user=user

                  # drools-guvnor roles

                   

                   

                  -        jbpm-console

                  o   jboss-web.xml

                  Modified the security-domain to refer to the config in standalone.xml.

                   

                  <security-domain>java:/jaas/XXXXLdap</security-domain>

                   

                  -        form-builder

                  o   jboss-web.xml

                  Modified the security-domain to refer to the config in standalone.xml.

                   

                  <security-domain>java:/jaas/XXXXLdap</security-domain>

                   

                  -        designer

                  o   jbpm.xml

                  Modified the “externalloadurl” property to use a valid LDAP user/pass. Note that there are 2 startup cmd line properties one can use to set these as well – but they don’t work out of the box. You would have to modify the following 2 classes if you want to do this:

                   

                  UUIDBasedJbpmRepository

                  ServletUtil

                   

                  The cmd line parameters are:

                   

                  -Ddesigner.external.usr=<ldap id>

                  -Ddesigner.external.pwd=<ldap pwd>

                   

                  -        drools-guvnor

                  o   beans.xml

                  Made the following changes/additions to the beans.xml to enable LDAP…

                  <security:IdentityImpl>
                      <s:modifies/>

                      <!-- No real authentication: demo authentication for demo purposes -->
                      <!-- KAW changes - added below per web comment to enable JAAS/LDAP. -->
                      <security:authenticatorClass>org.jboss.seam.security.jaas.JaasAuthenticator</security:authenticatorClass>

                      <!-- JAAS based authentication -->
                      <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
                  </security:IdentityImpl>

                  <!-- KAW changes - uncommented next section for ldap. -->
                  <security:jaas.JaasAuthenticator>
                      <s:modifies/>
                      <security:jaasConfigName>XXXXLdap</security:jaasConfigName>
                  </security:jaas.JaasAuthenticator>

                  <!-- KAW changes - per note on web, added next section for roles. -->
                  <component name="org.jboss.seam.security.roleBasedPermissionResolved">
                      <s:modifies/>
                      <property name="enableRoleBaseAuthorization">true</property>
                  </component>

                  o   seam-security-3.2.0.Final.jar

                  Took the class JaasAuthenticator out of this jar and replaced the one in the seam-security-3.1.0.Final.jar with it.
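
A check for the LDAP login-module options in the security domain posted above, as an added example that is not part of the original thread: it flags `allowEmptyPasswords=true`, which the posted domain sets, and simple binds over plain `ldap://`. The `audit` function and the sample fragment are constructed here; the sample reuses the post's placeholder host and domain name.

```python
import xml.etree.ElementTree as ET

# Login-module codes treated as LDAP modules (class names plus the AS 7 short aliases).
LDAP_MODULES = {"org.jboss.security.auth.spi.LdapExtLoginModule", "LdapExtended",
                "org.jboss.security.auth.spi.LdapLoginModule", "Ldap"}
EMPTY_PW = ("allowEmptyPasswords=true: an empty password is passed to the "
            "directory, which may treat it as an anonymous bind")
CLEARTEXT = "simple bind over ldap://: the password crosses the network unencrypted"

# Constructed sample, cut down from the security domain in the post.
SAMPLE = """<security-domains xmlns="urn:jboss:domain:security:1.2">
  <security-domain name="XXXXLdap" cache-type="default">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url" value="ldaps://dirtest.corp.xxxxx.com:636/"/>
        <module-option name="java.naming.security.authentication" value="simple"/>
        <module-option name="baseFilter" value="(uid={0})"/>
        <module-option name="allowEmptyPasswords" value="true"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>"""


def local(tag):
    """Strip the XML namespace so the check works across subsystem schema versions."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return (domain name, finding) pairs for LDAP login modules in the fragment."""
    findings = []
    root = ET.fromstring(xml_text)
    for domain in (e for e in root.iter() if local(e.tag) == "security-domain"):
        for mod in (e for e in domain.iter() if local(e.tag) == "login-module"):
            if mod.get("code") not in LDAP_MODULES:
                continue
            opts = {o.get("name"): (o.get("value") or "").strip()
                    for o in mod if local(o.tag) == "module-option"}
            if opts.get("allowEmptyPasswords", "").lower() == "true":
                findings.append((domain.get("name"), EMPTY_PW))
            url = opts.get("java.naming.provider.url", "").lower()
            # Assumption: an unset authentication option is treated as "simple".
            auth = opts.get("java.naming.security.authentication", "simple").lower()
            if url.startswith("ldap://") and auth == "simple":
                findings.append((domain.get("name"), CLEARTEXT))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Run against the full `<security-domains>` section of standalone.xml, the posted domain produces the `allowEmptyPasswords` finding only, since its provider URL already uses `ldaps://`.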