GateIn Identity and Security FAQ

Version 12

    Q1) How do I clean up the default embedded HSQL database to start with a clean state?
    A1) Remove the following directories:

    • 'temp' and 'work' in Tomcat
    • 'data', 'tmp' and 'work' under server/default in JBoss AS

    Q2) GateIn keeps recreating the default users and groups in the database even though I don't want them.
    A2) The default identity store content is defined in WEB-INF/conf/organization/organization-configuration.xml. The "OrganizationDatabaseInitializer" component plugin has a "checkDatabaseAlgorithm" parameter. With the value "entry", the initializer will always check and recreate the users and groups defined in the configuration. With the value "empty", it will create them only when the portal identity store doesn't contain any users.

    <component-plugin>
      <name>init.service.listener</name>
      <set-method>addListenerPlugin</set-method>
      <type>org.exoplatform.services.organization.OrganizationDatabaseInitializer</type>
      <description>this listener populate organization data for the first launch</description>
      <init-params>
        <value-param>
          <name>checkDatabaseAlgorithm</name>
          <description>check database</description>
          <!-- "entry": always check and recreate the configured users and groups;
               "empty": create them only when the identity store contains no users -->
          <value>entry</value>
        </value-param>
      </init-params>
    </component-plugin>

    Q3) When I try to log in I get an "HTTP Status 403" response.
    A3) Access permissions are checked on two levels. The portal itself has a range of permissions defined for pages and other objects, which can be configured through the Portal UI. The portal web application (servlet) relies on JAAS and the standard JEE authentication mechanisms configured in web.xml. By default, all users belonging to the "/platform/users" group can log in. For users belonging to a different group, web.xml needs an additional <security-role> definition and a matching "<auth-constraint><role-name>" under the "<security-constraint>" element. Additionally, in the GateIn JAAS LoginModule stack the "RolesExtractor" service is used to obtain the user's JEE roles. The default implementation, "DefaultRolesExtractorImpl", always returns the root group, with the exception of groups under the group configured by the "user.role.parent.group" service option (by default "platform"), for which the child group name is returned. For example, a user belonging to the groups "/platform/users", "/platform/administrators" and "/acme/roles/employees" will have the following JEE roles: "users", "administrators" and "acme".

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>user authentication</web-resource-name>
          <url-pattern>/private/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>users</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>admin authentication</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>gatein-domain</realm-name>
        <form-login-config>
          <form-login-page>/initiatelogin</form-login-page>
          <form-error-page>/errorlogin</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <description>a simple user role</description>
        <role-name>users</role-name>
      </security-role>

      <security-role>
        <description>the admin role</description>
        <role-name>admin</role-name>
      </security-role>

    This issue is also being addressed by https://jira.jboss.org/browse/GTNPORTAL-1347
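
    The following is an added worked example (Python, written for this FAQ; it is not GateIn's code) that reproduces the two-level check described in A3: the DefaultRolesExtractorImpl rule that maps group memberships to JEE roles, and the web.xml <auth-constraint> check that decides between a normal response and the 403 from the question. It assumes an already authenticated user, a web.xml fragment without the JEE namespace, and handles only the "/prefix/*" url-pattern form used in the snippet; how groups nested deeper under the parent group are mapped is an assumption of the example, since the FAQ only shows two-level groups.

```python
import xml.etree.ElementTree as ET

# Mirrors the "user.role.parent.group" service option; "platform" is the
# documented default.
ROLE_PARENT_GROUP = "platform"

# Constructed web.xml fragment with the two <security-constraint> elements
# from the snippet above (namespace and <login-config> omitted for brevity).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user authentication</web-resource-name>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin authentication</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def extract_roles(groups, parent_group=ROLE_PARENT_GROUP):
    """Turn group memberships into JEE role names.

    Rule from the FAQ: a group directly under the parent group contributes
    its own name ("/platform/users" -> "users"); any other group contributes
    its root group ("/acme/roles/employees" -> "acme"). Deeper groups under
    the parent group ("/platform/a/b" -> "a") are an assumption of this
    example, not something the FAQ specifies.
    """
    roles = set()
    for group in groups:
        parts = [p for p in group.split("/") if p]
        if not parts:
            continue
        if len(parts) >= 2 and parts[0] == parent_group:
            roles.add(parts[1])
        else:
            roles.add(parts[0])
    return roles


def load_constraints(web_xml):
    """Return [(url_pattern, {allowed role names}), ...] from web.xml."""
    constraints = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        allowed = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        for pat in sc.findall("web-resource-collection/url-pattern"):
            constraints.append((pat.text.strip(), allowed))
    return constraints


def _matches(pattern, path):
    # Only exact patterns and the "/prefix/*" form used above are handled.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def check_request(path, groups, constraints, parent_group=ROLE_PARENT_GROUP):
    """Return 200 when the user's extracted roles satisfy every constraint
    that matches the path, else 403 (the response from the question)."""
    roles = extract_roles(groups, parent_group)
    for pattern, allowed in constraints:
        if _matches(pattern, path) and not (roles & allowed):
            return 403
    return 200


if __name__ == "__main__":
    constraints = load_constraints(WEB_XML)
    for user_groups in (["/platform/users"], ["/acme/roles/employees"]):
        print(user_groups, extract_roles(user_groups),
              check_request("/private/home", user_groups, constraints))
```

    Running it shows why a member of "/acme/roles/employees" alone is refused at /private/*: the extracted role is "acme", which does not appear in any <auth-constraint>. The fix is the one A3 gives, a <security-role> for "acme" plus a matching <role-name> in the relevant <security-constraint>.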

    Q4) I added a group in LDAP but cannot create a portal page for this group in the Portal UI.
    A4) When users and groups are added through the GateIn Identity API, creation listeners are triggered. "UserPortalConfigListener" and "GroupPortalConfigListener" are defined in WEB-INF/conf/portal/portal-configuration.xml, and they create additional portal objects. If these objects are missing, some operations cannot be performed; the proper portal objects must first be created using the Portal UI. In this particular case the group navigation should be created first.

    Q5) How can I mask the LDAP password in configuration files?

    A5)

    1) Configuration for older GateIn versions on JBoss AS5 (or JBoss EPP5)

    GateIn supports integration with the JBoss Application Server feature called JAAS SecurityDomain (http://community.jboss.org/wiki/encryptingdatasourcepasswords). PicketLink IDM jars of version 1.1.8.CR01 or above are required.

    • Edit <jboss-instance>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml and add the following <bean>...</bean> declaration:

    <deployment xmlns="urn:jboss:bean-deployer:2.0">

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
        <!-- existing JAAS configuration -->
      </application-policy>

      <!-- New for LDAP password masking -->
      <bean name="JaasSecurityDomain:ldap-password" class="org.jboss.security.plugins.JaasSecurityDomain">
        <constructor>
          <parameter>ldap-password</parameter>
        </constructor>
        <property name="keyStorePass">password</property>
        <property name="salt">abcdefgh</property>
        <property name="iterationCount">66</property>
        <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.security:service=JaasSecurityDomain,domain=ldap-password",exposedInterface=org.jboss.security.plugins.JaasSecurityDomainMBean.class)</annotation>
      </bean>

    </deployment>

    • Run JBoss AS and open the jmx-console (http://localhost:8080/jmx-console). If it is secured by default, access can be enabled in the file <server-instance>/conf/props/jmx-console-users.properties
    • Find the MBean matching the one that was created (e.g. domain=ldap-password,service=JaasSecurityDomain) and invoke its "encode64" operation with the LDAP password as the parameter. Remember the returned value.
    • The PicketLink configuration file should contain the following options:

              <option>
                <name>adminPassword</name>
                <value>2M6SQs3qOIRmXhwloWTPZ1</value>
              </option>
              <option>
                <name>jaasSecurityDomain</name>
                <value>jboss.security:service=JaasSecurityDomain,domain=ldap-password</value>
              </option>

            where the "adminPassword" value is the one returned from the MBean's "encode64" operation.

    2) Configuration on GateIn 3.6.0.Beta02 or newer (or JPP 6.1 or newer)

    Newer GateIn versions use a solution that is not specific to JBoss AS5, since JBoss AS5 is no longer supported. Password masking is still based on PBE (Password Based Encryption) as before, but the configuration is now independent of the application server and should work on both JBoss AS7 and Tomcat 7.

    So with the newer version, you need to do this:

    • Run GateIn for the first time. Once it has started, run jconsole (or another JMX tool) from the command line. Find the MBean with the object name exo:portal=portal,service=EncoderService,name=encoderService and trigger its encode64 operation with your plain-text LDAP password as the argument. The result of this operation is the masked password, which you will use later in the LDAP configuration file.
    • Now change your PicketLink configuration file. Add three new options, encodingCipherAlgorithm, encodingSalt and encodingIterationCount, and change the adminPassword option to contain the masked password value returned by the encode64 operation. Your configuration can then look like this:
    <option>
      <name>encodingCipherAlgorithm</name>
      <value>PBEwithMD5andDES</value>
    </option>
    <option>
      <name>encodingSalt</name>
      <value>unodostrescuatro</value>
    </option>
    <option>
      <name>encodingIterationCount</name>
      <value>9</value>
    </option>
    <option>
      <name>adminPassword</name>
      <value>IAaDVuKmc/0GRaRNKPORqA==</value>
    </option>

    • Restart server and verify that it works

    NOTE: You may use different values for encodingCipherAlgorithm, encodingSalt and encodingIterationCount. In that case you also need to change the configuration of the EncoderService MBean so that it uses the same salt, iteration count and algorithm as the LDAP configuration. The EncoderService configuration is in GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/common/encoder-configuration.xml (on JBoss AS7). So before you start this procedure, make sure that the configuration of encoder-service.xml and the PicketLink IDM configuration file are in sync.
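
    As an added example for the procedure above (Python, written for this FAQ; not GateIn or PicketLink code), the following audit reads a PicketLink IDM configuration and reports, for every identity store that sets adminPassword, whether the three masking options from step 2 accompany it. A masked value is plain base64 and cannot be told apart from a clear-text password by inspection, so the check works from the presence of encodingCipherAlgorithm, encodingSalt and encodingIterationCount. The sample configuration is constructed: "PortalLDAPStore" follows the layout shown above, while "LegacyLDAPStore" is an invented store that still carries a clear-text password. The element names are the ones used in this FAQ's snippets; namespace prefixes, if the real file has them, are ignored.

```python
import xml.etree.ElementTree as ET

# The three masking options named in the FAQ; adminPassword is only treated
# as masked when all of them accompany it.
ENCODING_OPTIONS = ("encodingCipherAlgorithm", "encodingSalt", "encodingIterationCount")

# Constructed sample (not a real deployment file). The masked value and the
# salt/count are the ones shown in the FAQ; "LegacyLDAPStore" is invented.
SAMPLE_CONFIG = """<jboss-identity>
  <identity-stores>
    <identity-store>
      <id>PortalLDAPStore</id>
      <options>
        <option><name>adminPassword</name><value>IAaDVuKmc/0GRaRNKPORqA==</value></option>
        <option><name>encodingCipherAlgorithm</name><value>PBEwithMD5andDES</value></option>
        <option><name>encodingSalt</name><value>unodostrescuatro</value></option>
        <option><name>encodingIterationCount</name><value>9</value></option>
      </options>
    </identity-store>
    <identity-store>
      <id>LegacyLDAPStore</id>
      <options>
        <option><name>adminPassword</name><value>secret</value></option>
      </options>
    </identity-store>
  </identity-stores>
</jboss-identity>"""


def _local(tag):
    """Strip a "{namespace}" prefix so a default namespace in the real file is harmless."""
    return tag.rsplit("}", 1)[-1]


def _text(element, child_name):
    """Text of the first direct child with the given local name, or None."""
    for child in element:
        if _local(child.tag) == child_name:
            return (child.text or "").strip()
    return None


def _options(store):
    """Collect <option><name/><value/></option> pairs anywhere under one store."""
    opts = {}
    for opt in store.iter():
        if _local(opt.tag) == "option":
            name = _text(opt, "name")
            if name:
                opts[name] = _text(opt, "value")
    return opts


def audit_admin_passwords(config_xml):
    """Return {store id: status} for every identity store that sets adminPassword.

    "masked":              all three encoding options present, positive iteration count
    "misconfigured":       only some of them present, or the count is not a positive integer
    "plaintext-suspected": none present, so adminPassword is most likely clear text
    """
    findings = {}
    for store in ET.fromstring(config_xml).iter():
        if _local(store.tag) != "identity-store":
            continue
        opts = _options(store)
        if "adminPassword" not in opts:
            continue
        store_id = _text(store, "id") or "<unnamed>"
        present = [name for name in ENCODING_OPTIONS if name in opts]
        count = opts.get("encodingIterationCount") or ""
        if not present:
            findings[store_id] = "plaintext-suspected"
        elif len(present) < len(ENCODING_OPTIONS) or not count.isdigit() or int(count) < 1:
            findings[store_id] = "misconfigured"
        else:
            findings[store_id] = "masked"
    return findings


if __name__ == "__main__":
    for store_id, status in audit_admin_passwords(SAMPLE_CONFIG).items():
        print(f"{store_id}: {status}")
```

    The audit covers only the PicketLink side; the NOTE's requirement that encoder-configuration.xml carry the same salt, iteration count and algorithm still has to be checked against that file, whose layout this FAQ does not show.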

    Q6) I have a group "myGroup" and I am trying to create a group "MYGROUP", but it fails and throws an exception in the server log.

    A6) PicketLink IDM does case-sensitive comparison of group names by default, but it seems that your database is not case-sensitive, so it treats "myGroup" and "MYGROUP" as the same group; that is why the operation fails. This is common with MySQL, for example, which is not case-sensitive by default. To disable strict case-sensitive comparison in PicketLink IDM, set the allowNotCaseSensitiveSearch option of "HibernateStore" to "true" in the PicketLink IDM configuration (by default in the file WEB-INF/conf/organization/picketlink-idm/picketlink-idm-config.xml):

        <identity-stores>
          <identity-store>
            <id>HibernateStore</id>
            <class>org.picketlink.idm.impl.store.hibernate.HibernateIdentityStoreImpl</class>
        ...
            <options>
          ...
              <option>
                <name>allowNotCaseSensitiveSearch</name>
                <value>true</value>
              </option>
            </options>
          </identity-store>
        </identity-stores>
    

    The same problem can also happen with some LDAP servers that are not case-sensitive (such as OpenDS 2.0). The option can be used for LDAP in the same way; you just need to add it to the "PortalLDAPStore" section.