Fred's blog

Archive for March, 2010

Workaround for eclipse buggy button behavior

by Fred on Mar.12, 2010, under Uncategorized

If you have issues with eclipse or eclipse-based applications, such as clicking on a button doesn’t work, or weird focus behavior, then try the following.

export GDK_NATIVE_WINDOWS=true

Then launch the application from that same terminal. Hopefully, this should make things a little better.

1 Comment more...

HOWTO: Bonita and LDAP authentication

by Fred on Mar.04, 2010, under Uncategorized

This how-to is written in the hope that it will help souls in achieving basic LDAP login with Bonita User Experience, using EJB3. This how-to is written based on the thread at http://www.bonitasoft.org/forum/viewtopic.php?id=2397.

It is working for me, but it may not for you. Please post your questions on the Bonita forums, many eyes will look at your issue and try to help you.

Here is a dirty PDF for those who wants. However, if you do use this howto, always refer to the online version for updates and up-to-date content.
Bonita LDAP howto

It may not render well in this blog, so I’d advise in pasting the code in your favorite editor to see clearly.

My environment at this time is:

  • Centos 5.4 latest updates
  • Jboss 5.1 GA
  • BOS 5.0.1
  • Java JDK 1.6.0 update 18
  • Active Directory 2003

To give a reference, here is how my base directory look like. I will refer to it when editing some files.

Under /opt:


lrwxrwxrwx  1 root root    9 Feb 23 11:39 BOS -> BOS-5.0.1
drwxr-xr-x  5 root root 4096 Feb 15 19:33 BOS-5.0.1
lrwxrwxrwx  1 root root   11 Feb 23 13:58 java-jdk-6 -> jdk1.6.0_18
lrwxrwxrwx  1 root root   14 Feb 23 16:19 jboss -> jboss-5.1.0.GA
drwxr-xr-x  9 root root 4096 Mar  4 09:57 jboss-5.1.0.GA
drwxr-xr-x 10 root root 4096 Feb 23 13:57 jdk1.6.0_18

We will use the org.jboss.security.auth.spi.LdapExtLoginModule, as it will allow us to bind to the ActiveDirectory server. If you can allow for anonymous LDAP requests, then you may also try the Sun LDAPLoginModule.

jBoss configuration and EAR generation

JAVA_OPTS

In the run.sh file of jboss /opt/jboss/bin/run.sh) , edit it to configure your JAVA_OPTS:

JAVA_OPTS="-Dorg.ow2.bonita.api-type=EJB3 -server -Xms256m -Xmx512m -XX:PermSize=128m -XX:MaxPermSize=256m"

Alongside specifying the EJB3 for Bonita, I am setting reasonable settings for jBoss java memory, and possible avoid Permgen out of memory errors.

Extra: For quick and unsecure monitoring using jconsole, also add the following.

JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=10001 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"

bonita-environment.xml

… under the /opt/BOS/runtime/conf directory directly. It will be used when building the EAR file.

So, we can already specify the implementation of the AuthenticationService interface, which we will call SimpleLdapAuth.
Edit the file /opt/BOS/runtime/bonita-environment.xml. It should look like the following:

      <!-- Description: Implementation of the authentication service. -->

      <!-- <authentication-service name='authentication-service' class='org.ow2.bonita.services.impl.DbAuthentication'> -->

      <authentication-service name='authentication-service' class='com.domain.bonita.auth.SimpleLdapAuth'>

        <arg><string value='bonita-session:core' /></arg>

      </authentication-service>

Of course, your package path will vary.
A sample, simple, implementation of the interface follows later on.

Generating bonita.ear

We now need to go ahead and generate our bonita.ear file, which will then be used by jBoss.

cd/opt/BOS/runtime

Now, build your ejb3.

ant ear.ejb3

You should get something like this:

[root@bonita-test runtime]# ant ear.ejb3

Buildfile: build.xml

ear.genBonitaConfJar:

ear.ejb3:

ear:

    [mkdir] Created dir: /opt/BOS-5.0.1/runtime/ear/tmp

    [unjar] Expanding: /opt/BOS-5.0.1/runtime/lib/server/bonita-server-5.0.1.jar into /opt/BOS-5.0.1/runtime/ear/tmp

     [copy] Copying 1 file to /opt/BOS-5.0.1/runtime/ear/tmp/META-INF

ear.copyJeeDD:

     [copy] Copying 1 file to /opt/BOS-5.0.1/runtime/ear/tmp/META-INF

      [jar] Building jar: /opt/BOS-5.0.1/runtime/ear/ejb3/bonita-ejbjar.jar

   [delete] Deleting directory /opt/BOS-5.0.1/runtime/ear/tmp

      [ear] Building ear: /opt/BOS-5.0.1/runtime/ear/ejb3/bonita.ear

     [echo] EJB3 ear has been generated in ear/ejb3 directory.

     [echo] You can use it in the easybeans container, jonas 5 and jboss 5 application server.

BUILD SUCCESSFUL

Total time: 4 seconds

Now, copy the bonita.ear file into your jboss deploy directory.

cp /opt/BOS-5.0.1/runtime/ear/ejb3/bonita.ear
 /opt/jboss/server/default/deploy/

login-config.xml

Add the 2 stanzas to the end of your login-config.xml, before the end tag. It is valid for an AD server (ie: (sAMAccountName={0}) is typically AD).)


<application-policy name="BonitaAuth">

  <authentication>

        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" 

        flag="required">

        <module-option name="java.naming.provider.url">ldap://your_ldap_server:389</module-option>

        <module-option name="java.naming.security.authentication">simple</module-option>

        <module-option name="baseCtxDN">DC=domain,DC=com</module-option>

        <module-option name="bindDN">DOMAIN\ldapbrowser</module-option>

        <module-option name="bindCredential"><![CDATA[Yourpasswd]]></module-option>

        <module-option name="baseFilter">(sAMAccountName={0})</module-option>

        <module-option name="searchScope">SUBTREE_SCOPE</module-option>

        <module-option name="allowEmptyPasswords">false</module-option>

        <module-option name="debug">true</module-option>

        <module-option name="rolesCtxDN">DC=domain,DC=com</module-option>

        <module-option name="roleFilter">(sAMAccountName={0})</module-option>

        <module-option name="roleAttributeID">memberOf</module-option>

        <module-option name="roleAttributeIsDN">true</module-option>

        <module-option name="roleNameAttributeID">cn</module-option>

        <module-option name="java.naming.referral">follow</module-option>

        </login-module>

    </authentication>

  </application-policy>

  <application-policy name="BonitaStore">

    <authentication>

       <login-module code="org.ow2.bonita.identity.auth.BonitaRemoteLoginModule" flag="required"/>

       <login-module code="org.jboss.security.ClientLoginModule" flag="required">

         <module-option name="password-stacking">useFirstPass</module-option>

      </login-module>

    </authentication>

  </application-policy>

Your jaas-standard.cfg will then not be used anymore. You can comment everything out.

Implementation of AuthentionService interface

Java Code

Here you need to develop a little piece of java. Here is an example that will get you through for starters.

package com.domain.bonita.auth;

/**
 * @author chapeaurouge
 * @date 04/03/2010
 * @version 0.1
 */

import org.ow2.bonita.facade.exception.UserNotFoundException;
import org.ow2.bonita.services.AuthenticationService;

public class SimpleLdapAuth implements AuthenticationService {

	private String persistenceServiceName;

	public SimpleLdapAuth(String persistenceServiceName) {
		super();
		this.persistenceServiceName = persistenceServiceName;
	}

	/**
	 * Determines if the user should have amdin accesses to the bonita interface
	 * Let's say that Domain Admins have that privilege
	 */
	public boolean isUserAdmin(String username) throws UserNotFoundException {
		if (username.equals("MyAdmin")) {
			return true;
		} else {
			return false;
		}
	}

	/**
	 * @return always true. If the LDAP request failed before, it doesn't matter (?)
	 * Necessary to implement interface
	 */
	public boolean checkUserCredentials(String username, String password) {
		return true;
	}
}

Compiling

Compile the java code into a .class. Make sure the bonita jars are in your classpath.

javac -cp ~/BOS-5.0.1/runtime/lib/server/bonita* SimpleLdapAuth.java

You should then have your .class file. If you did it locally, you can then upload it to your server.

Deploying

A manual way would be to do the following.
Go to your /opt/jboss/server/default/lib, create the directory hierarchy for your package name. So with our example, you could type

mkdir -p com/domain/bonita/auth

Then copy, your .class in it. Now, still in your jboss lib directory, create a .jar file, as:

jar -cvf domainLdapAuth.jar com/domain/bonita/auth/SimpleLdapAuth.class

Your jar will now be deployed on the next server startup.

Getting more verbose output

Edit /opt/jboss/server/default/conf/jboss-log4j.xml, and uncomment the following block:


 <category name="org.jboss.security">

 <priority value="TRACE"/>

 <appender-ref ref="CONSOLE.SECURITY"/>

 </category>

Conclusion

This should be it. I may have forgotten some things, or overlooked some steps. Hopefully, this was of some help for some of you.
You can now (re)start your jBoss server for the changes to take effect. Don’t forget to tail -f server.log to see how it looks like.
Your feedback and comments are welcome.
Thanks to rlg and abirembaut for their help in the forums.

10 Comments :, , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...

Archives

All entries, chronologically...