Reputation: 3221
jBPM custom authorization
I am trying to use in jBPM users from existing ASP .NET MVC Web Site.
As I understand from docs and this forum topics (first, second) best solution would be implementing of UserGroupInfoProducer that will call external service. But due lacking of experience with java I faced with several problems.
First approach: Create project with required implementation, deploy it and config jBMP to use it.
Problem was in implement interfaces that declared in another project, I've tried to add maven dependencies but after failing with some classes I've just added reference to required jar.
Deploy it on jboss like war failed, deploying like jar succeeded but server did not find UserGroupInfoProducer and other implemented interfaces.
Another problem in changing config of jbmp-console. Only way that I've found for that is modify archive directly, but I don't this it's right solution.
Second approach: Create own package of jBPM with required classes.
Problem here that I don't know what repository use for this and how to build version for my server.
As I understand from this link I need to use jbmp-console-ng, only maven task for creating war package that I found was in jbpm-console-ng-showcase I've tried to run it (release 6.2.0 Final) on:
On Windows: failed to execute because of maven error about long path, after migrating project to gradle and excluding dependencies on jmxtools-1.2.1.jar and jmxri-1.2.1.jar it created war but jboss failed to start service.
On Mac and Ubuntu using virtual box: it required to downgrade java to 1.6 and built war after this, but it failed to deploy due duplication of some classes.
As I understand you need to build diferently for each version of server but I don't know how to do this.
Third approach: Create come simulation of supported authorization ways. As I understand jBMP support LDAP, JAAS, database and file. Database and files will require duplicating users so I researched about simulating LDAP or JAAS (preferably using C#) but did not find any acceptable way.
I will be very grateful for any advise which of this approach may work or some other suggestions. Especially about building war of jbmp-console.
version used: jBPM(6.2.0 Final), jBoss(Wildfly 8.1.0 Final), Java(1.8.0.73), Ant(1.9.6), Gradle(2.11), Intellij IDEA (15.0.3).
Upvotes: 3
Views: 1587
Answers (1)
Reputation: 86
After a few weeks of try and error approach I have finally managed to provide fully custom authorization module for JBPM suite ( kid-wb, server and dashbuilder ) in our application. It wasn't easy and required some magic - overwriting two classes won't do it :)
My requirements was quite complex and final solution consist of kie-wb, server, dashbuiler and external authentication which provide by REST Web Service response users with roles based on token passed in session. Another thing that you have to keep in mind is that kie-wb and server are communicating through BASIC authentication - if you want to use server also you have to provide two possible methods of authentication. I won't be able to publish here any code, because it is not an open source project, but I will try to help the best I can.
If you are using WildFly as you are saying above, what you should look at is Undertow Servlet Extension
Overwriting handleDeployment method allow you to write your own IdentityManager( if you need one ) and register your custom AuthenticationMechanism.
To implement your own AuthenticationMechanism you should look at this project Custom Spnego Auth for WildFly
My solution was based on mentioned above project - you don't have to implement every class - in my case writing my own class implementing AuthenticationMechanism was sufficient to get custom authentication working in kie-wb ( not for server though).
So if you already have overwritten Servlet Extension ( and registered by putting file io.undertow.servlet.ServletExtension containing your custom servlet extension class name inside /WEB-INF/classes/META-INF/services/ path of .war file ) and implemented custom AuthenticationMechanism next thing you should do is write class implementing org.jboss.security.auth.spi.LoginModule interface. If you don't want to implement this interface all by yourself you can just extend one of already implemented classes from WildFly - for example UsernamePasswordLoginModule or other.
To let WildFly know that we are using non-standard Login module we have to modify standalone-full.xml as follows:
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="com.package.CustomAuth" flag="required">
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
and then...we are almost done :) One thing left to do is to modify deployment descriptor inside .war file. We have to change web.xml inside /WEB-INF dir as follows:
<login-config>
<auth-method>BASIC?silent=true,CUSTOM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login_failed.jsp</form-error-page>
</form-login-config>
</login-config>
CUSTOM is name of your authentication mechanism that was registered inside class implementing Servlet Extension class.
Above instruction does not cover kie-wb <-> kie server communication. This matter was more complex and required a few workarounds. As I said before I won't be able to provide full solution with more detailed examples, but feel free to ask me anything refering this case.
Upvotes: 5
Related Questions
- Google OAuth 2 authorization - Error: redirect_uri_mismatch
- Setting Authorization Header of HttpClient
- Authentication versus Authorization
- Unable to Start and Complete Task in JBPM
- JBPM6 WAR not Deploying on Jboss EAP 6.3.0 and EAP 6.2.0
- Can´t find jbpm workbench distribution zip to deploy in tomcat7
- Maven JBoss jbpm-form-modeler deployment
- Login failure in jbpm-console jboss-as-7
- jBPM and JBoss web app