February 24, 2016

How to integrate Kie Drools Workbench 6.3 with FreeIPA LDAP (LDAP + Tomcat + Drools Kie Workbench)

 
In this tutorial we use Tomcat's JNDIRealm, a built-in realm class that authenticates users against an LDAP directory and reads their group memberships from it, to connect Drools Workbench to a FreeIPA server. The steps are as follows.
 

Step 1

Create the users and groups on your FreeIPA server by logging in to the FreeIPA web UI. In this example five users and five groups exist in FreeIPA:
 

  • User name – droolsadminuser, Group name – droolsadmin
  • User name – droolsanalystuser, Group name – analyst
  • User name – droolsdeveloperuser, Group name – developer
  • User name – droolsnormaluser, Group name – user
  • User name – droolsmanageruser, Group name – manager

 
Once the users and groups are created, verify the directory layout with JXplorer or any other LDAP browser. In my case:

For users, the LDAP container is
cn=users,cn=org,dc=toodey,dc=com
For groups, the LDAP container is
cn=groups,cn=org,dc=toodey,dc=com

Note: before going further, make sure the users and groups exist and that you know the exact DNs of both containers (browse the directory with JXplorer). While you are in the browser, also confirm that each group lists its users in the member attribute as full DNs, which is how FreeIPA stores group membership: the role search configured in Step 2 is built on exactly that attribute, and the container DNs above go verbatim into the realm configuration, so a typo here shows up later as a failed bind or an empty role list. Once you have working user credentials and the container DNs, you are good to go.

 

Step 2 

Configure the JNDIRealm in Tomcat's $CATALINA_HOME/conf/server.xml: comment out every other <Realm> element and paste in the JNDIRealm configuration below.
 
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionName="uid=admin,cn=users,cn=org,dc=toodey,dc=com"
connectionPassword="admin"
connectionURL="ldap://127.0.0.1:389"
userPattern="uid={0},cn=users,cn=org,dc=toodey,dc=com"
roleBase="cn=groups,cn=org,dc=toodey,dc=com"
roleName="cn"
roleSearch="(member={0})"
allRolesMode="authOnly"
/>
 

org.apache.catalina.realm.JNDIRealm is a built-in Catalina class shipped in Tomcat's lib directory; the full attribute reference is in the Tomcat Realm Configuration How-To (Online Doc).
Enter your own connection name and connection password. Before moving on, note what each setting does:

  • connectionName / connectionPassword are the credentials Tomcat itself binds with to run the group search. Do not reuse the FreeIPA admin account as above: create a dedicated low-privilege account for Tomcat, because this password is stored in clear text in server.xml and anyone who can read that file has it.
  • connectionURL uses plain ldap://. Every login sends the user's password to the directory in a bind, so this is only acceptable while Tomcat and FreeIPA share a host (127.0.0.1); across a network use ldaps:// on port 636 with the FreeIPA CA certificate in the JVM truststore.
  • userPattern="uid={0},cn=users,..." makes the realm authenticate by binding as that DN with the password the user typed; Tomcat never stores or compares passwords itself.
  • roleSearch="(member={0})" substitutes the user's full DN (not the login name) for {0} and runs the search under roleBase; roleName="cn" turns each matching group's cn into a Tomcat role. The FreeIPA group names therefore are, character for character, the role names that web.xml must list.
  • debug="99" is a leftover Tomcat 5 attribute; Tomcat 7 ignores it and logs a warning at startup. Realm logging is configured in logging.properties in the last step.
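The same realm, hardened for a FreeIPA server reached over the network. This is an added example, not configuration from the post or from the Tomcat documentation; the host name ipa.toodey.com, the dedicated bind account tomcat-bind and its password are placeholders to replace with your own:

```xml
<!-- Added example (not from the post): the post's JNDIRealm hardened for a
     remote FreeIPA server. Placeholders: ipa.toodey.com, tomcat-bind, CHANGE-ME. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ipa.toodey.com:636"
       connectionName="uid=tomcat-bind,cn=users,cn=org,dc=toodey,dc=com"
       connectionPassword="CHANGE-ME"
       userPattern="uid={0},cn=users,cn=org,dc=toodey,dc=com"
       roleBase="cn=groups,cn=org,dc=toodey,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       allRolesMode="authOnly" />
<!-- What changed and why:
     - ldaps:// on 636 instead of ldap:// on 389: every login sends the user's
       password to the directory in a bind, so off-host the connection must be
       encrypted. The JVM has to trust the FreeIPA CA first, for example
         keytool -importcert -trustcacerts -alias ipa-ca -file /etc/ipa/ca.crt \
                 -keystore "$JAVA_HOME/jre/lib/security/cacerts"
       (/etc/ipa/ca.crt exists on IPA-enrolled hosts; otherwise fetch the CA
       certificate from the IPA server and verify it out of band).
     - connectionName is a dedicated low-privilege account used only for the
       group search, not uid=admin: connectionPassword sits in clear text here,
       so restrict server.xml (for example chmod 640, owned by root and the
       tomcat group) and make sure the account can do nothing but read users
       and groups.
     - debug="99" dropped: Tomcat 7 ignores it; use logging.properties instead. -->
```

The rest of the tutorial applies unchanged to this realm, since userPattern, roleBase, roleName and roleSearch are the same.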
I assume Drools Workbench is already installed and working with its default settings. Authentication now comes from FreeIPA; authorization is configured in two files, the workbench's web.xml and its workbench-policy.properties.
Open the Drools web.xml at /webapps/drools-kie-wb/WEB-INF/web.xml and add the roles to every <auth-constraint> element. The role names must match the FreeIPA group cn values exactly (case included), because that is what the realm reports to Tomcat; the roles I added are:

  • droolsadmin
  • analyst
  • developer
  • user
  • manager
 
Sample content of the Drools web.xml (excerpt, ending at the closing </web-app> element):

  <context-param>
    <param-name>org.jboss.seam.transaction.disableListener</param-name>
    <param-value>true</param-value>
  </context-param>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>download</web-resource-name>
      <url-pattern>/org.kie.workbench.drools.KIEDroolsWebapp/archive</url-pattern>
      <url-pattern>/org.kie.workbench.drools.KIEDroolsWebapp/defaulteditor/upload/*</url-pattern>
      <url-pattern>/org.kie.workbench.drools.KIEDroolsWebapp/defaulteditor/download/*</url-pattern>
      <url-pattern>/org.kie.workbench.drools.KIEDroolsWebapp/dtablexls/file</url-pattern>
      <url-pattern>/org.kie.workbench.drools.KIEDroolsWebapp/scorecardxls/file</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>droolsadmin</role-name>
      <role-name>analyst</role-name>
      <role-name>manager</role-name>
      <role-name>user</role-name>
      <role-name>developer</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>console</web-resource-name>
      <url-pattern>/kie-drools-wb.html</url-pattern>
      <url-pattern>/org.kie.workbench.drools.KIEDroolsWebapp/*</url-pattern>
      <url-pattern>*.erraiBus</url-pattern>
      <url-pattern>/resourceList</url-pattern>
      <url-pattern>/editor</url-pattern>
      <url-pattern>/editor/*</url-pattern>
      <url-pattern>/menuconnector/*</url-pattern>
      <url-pattern>/menu/*</url-pattern>
      <url-pattern>/uuidRepository</url-pattern>
      <url-pattern>/transformer</url-pattern>
      <url-pattern>/assetservice</url-pattern>
      <url-pattern>/filestore</url-pattern>
      <url-pattern>/dictionary</url-pattern>
      <url-pattern>/themes</url-pattern>
      <url-pattern>/customeditors</url-pattern>
      <url-pattern>/simulation</url-pattern>
      <url-pattern>/formwidget</url-pattern>
      <url-pattern>/calledelement</url-pattern>
      <url-pattern>/stencilpatterns</url-pattern>
      <url-pattern>/jbpmservicerepo</url-pattern>
      <url-pattern>/processdiff</url-pattern>
      <url-pattern>/taskforms</url-pattern>
      <url-pattern>/taskformseditor</url-pattern>
      <url-pattern>/processinfo</url-pattern>
      <url-pattern>/syntaxcheck</url-pattern>
      <url-pattern>/plugins</url-pattern>
      <url-pattern>/plugin</url-pattern>
      <url-pattern>/plugin/*</url-pattern>
      <url-pattern>/stencilset/*</url-pattern>
      <url-pattern>/plugins/*</url-pattern>
      <url-pattern>/maven2wb/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>droolsadmin</role-name>
      <role-name>analyst</role-name>
      <role-name>manager</role-name>
      <role-name>user</role-name>
      <role-name>developer</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>formModeler</web-resource-name>
      <url-pattern>/formModeler/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>droolsadmin</role-name>
      <role-name>analyst</role-name>
      <role-name>manager</role-name>
      <role-name>user</role-name>
      <role-name>developer</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp?message=Login failed: Invalid UserName or Password</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>Administrator - Administrates the BRMS system. Has full access
      rights to make any changes necessary. Also has the
      ability to add and remove users from the system.
    </description>
    <role-name>droolsadmin</role-name>
  </security-role>
  <security-role>
    <description>Analyst - Responsible for creating and designing processes
      into the system. Creates process flows and handles
      process change requests. Needs to test processes that
      they create. Also creates forms and dashboards.
    </description>
    <role-name>analyst</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>developer</role-name>
  </security-role>
  <error-page>
    <error-code>403</error-code>
    <location>/not_authorized.jsp</location>
  </error-page>
  <context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>
 

Now edit workbench-policy.properties at /webapps/drools-kie-wb/WEB-INF/classes/workbench-policy.properties and replace its content with the following. The roles.* lines at the end map each profile to a Tomcat role, that is, to a FreeIPA group cn; as the NOTES in the file say, a role that appears in web.xml but in no roles.* line is not locked out, it simply gets every feature that no profile restricts.

 
# List of features
feature.wb_project_authoring=Project authoring
feature.wb_artifact_repository=Artifact repository
feature.wb_administration=Administration
feature.wb_admin_ou=Organizational units
feature.wb_admin_repos=Repositories
feature.wb_deployments=Deployments
feature.wb_management=Management
feature.wb_contributors=Contributors
feature.wb_asset_management=Asset Management
feature.wb_jobs=Jobs
feature.wb_process_definitions=Process definitions
feature.wb_process_instances=Process instances
feature.wb_tasks=Tasks
feature.wb_process_dashboard=Process dashboard
feature.wb_dashboard_builder=Dashboard builder
feature.wb_plugin_management=PlugIn Management
feature.wb_search=Search
feature.wb_authoring=Authoring
feature.wb_deploy=Deploy
feature.wb_process_management=Process management
feature.wb_task_management=Tasks
feature.wb_dashboards=Dashboards
feature.wb_everything=Full access
# assets management features
feature.wb_configure_repository=Configure Repositories Process
feature.wb_promote_assets=Promote Assets Process
feature.wb_release_project=Release Process
# data modeller features
feature.wb_data_modeler_edit_sources=Edit Java Sources
# List of project operation
feature.wb_project_authoring_save=Project Save Button
feature.wb_project_authoring_delete=Project Delete Button
feature.wb_project_authoring_copy=Project Copy Button
feature.wb_project_authoring_rename=Project Rename Button
feature.wb_project_authoring_buildAndDeploy=Project BuildAndDeploy Button
# Groups of features
# (Features can be excluded by adding the prefix '!')
# Groups of project operation
profile.wb_project_operation=wb_project_authoring_save, wb_project_authoring_delete, wb_project_authoring_copy, wb_project_authoring_rename, wb_project_authoring_buildAndDeploy
profile.wb_authoring=wb_project_authoring, wb_contributors, wb_asset_management, wb_artifact_repository, wb_administration, wb_admin_ou, wb_admin_repos
profile.wb_deploy=wb_deployments, wb_jobs
profile.wb_process_management=wb_process_definitions, wb_process_instances
profile.wb_task_management=wb_tasks
profile.wb_dashboards=wb_process_dashboard, wb_dashboard_builder
profile.wb_plugins=wb_plugin_management
profile.extensions=wb_extensions
profile.perspective_editor=wb_perspective_editor
profile.apps=wb_apps
profile.datasets=wb_datasets
profile.wb_everything=wb_administration, wb_authoring, wb_deploy, wb_process_management, wb_task_management, wb_dashboards, wb_search, wb_project_operation, wb_plugins, wb_extensions, wb_perspective_editor, wb_apps, wb_datasets, wb_data_modeler_edit_sources
profile.wb_for_developers=wb_everything, !wb_extensions, !wb_administration
profile.wb_for_business_analysts=wb_everything, !wb_artifact_repository, !wb_administration, !wb_deploy, !wb_extensions, !wb_data_modeler_edit_sources
profile.wb_for_business_users=wb_everything, !wb_authoring, !wb_deploy, !wb_extensions, !wb_data_modeler_edit_sources
profile.wb_for_managers=wb_dashboards, wb_search, !wb_extensions
profile.wb_for_assets_management=wb_configure_repository, wb_promote_assets, wb_release_project
# Granted roles per feature
# Users with a given role will only be able to access those features specified.
#
# NOTES:
# - If a group feature is granted that also implies granting all its children features.
# - Features left out of the list are granted to all roles by default.
# - A role can be denied by adding the prefix '!'.
roles.wb_everything=droolsadmin
roles.wb_for_developers=developer
roles.wb_for_business_analysts=analyst
roles.wb_for_business_users=user
roles.wb_for_managers=manager
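To see how the three pieces fit together, here is an offline model of what happens on login, added for this article and not code from the post, Tomcat or Drools: the realm builds the user DN from userPattern and binds as it, runs roleSearch with that DN substituted for {0}, and hands the matching groups' cn values to the container, which checks them against the web.xml <auth-constraint>; the workbench then maps those roles to profiles through the roles.* lines. The LDIF snapshot is constructed to match the directory layout from Step 1 (userPassword values are included only so the bind can be simulated; a real FreeIPA server never returns them), and it adds one user the post does not have, droolsoutsider in a group payroll, to show what happens to an authenticated user whose group is not named in web.xml.

```python
"""Offline model of the login path set up in this tutorial: Tomcat's JNDIRealm
(userPattern + roleSearch), the web.xml <auth-constraint>, and the roles.*
lines of workbench-policy.properties. Added illustration; all data is constructed."""
import re

# Constructed snapshot of the post's directory layout, reduced to the
# attributes the realm reads. userPassword is here only to simulate the bind;
# a real FreeIPA server does not return it. The user droolsoutsider and the
# group payroll are assumptions that are not in the post.
SAMPLE_LDIF = """\
dn: uid=droolsadminuser,cn=users,cn=org,dc=toodey,dc=com
userPassword: adminpw

dn: uid=droolsanalystuser,cn=users,cn=org,dc=toodey,dc=com
userPassword: analystpw

dn: uid=droolsoutsider,cn=users,cn=org,dc=toodey,dc=com
userPassword: outsiderpw

dn: cn=droolsadmin,cn=groups,cn=org,dc=toodey,dc=com
cn: droolsadmin
member: uid=droolsadminuser,cn=users,cn=org,dc=toodey,dc=com

dn: cn=analyst,cn=groups,cn=org,dc=toodey,dc=com
cn: analyst
member: uid=droolsanalystuser,cn=users,cn=org,dc=toodey,dc=com

dn: cn=payroll,cn=groups,cn=org,dc=toodey,dc=com
cn: payroll
member: uid=droolsoutsider,cn=users,cn=org,dc=toodey,dc=com
"""

# Realm attributes exactly as in the post's server.xml.
USER_PATTERN = "uid={0},cn=users,cn=org,dc=toodey,dc=com"
ROLE_BASE = "cn=groups,cn=org,dc=toodey,dc=com"
ROLE_NAME = "cn"   # attribute of each matching group that becomes the role name
# roleSearch="(member={0})": Tomcat substitutes the user's DN for {0}
# ({1} would be the bare login name).

# Roles listed in every <auth-constraint> of the post's web.xml.
WEB_XML_ROLES = {"droolsadmin", "analyst", "manager", "user", "developer"}

# The roles.* lines of workbench-policy.properties: profile -> role name.
POLICY_ROLES = {
    "wb_everything": "droolsadmin",
    "wb_for_developers": "developer",
    "wb_for_business_analysts": "analyst",
    "wb_for_business_users": "user",
    "wb_for_managers": "manager",
}


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for a minimal LDIF (no wrapped lines)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def authenticate(directory, username, password):
    """userPattern mode: build the DN from the login name and bind as it.
    Returns the DN on success, None on failure. The server does the real
    bind; here it is simulated against the constructed userPassword."""
    dn = USER_PATTERN.replace("{0}", username)
    entry = directory.get(dn)
    if entry is None or password not in entry.get("userPassword", []):
        return None
    return dn


def roles_for(directory, user_dn):
    """roleSearch under roleBase, one level deep (roleSubtree defaults to false):
    each group whose member attribute holds the user's DN contributes its
    roleName attribute (cn) as a Tomcat role."""
    roles = set()
    for dn, attrs in directory.items():
        parent = dn.split(",", 1)[1]
        if parent == ROLE_BASE and user_dn in attrs.get("member", []):
            roles.update(attrs.get(ROLE_NAME, []))
    return roles


def workbench_access(directory, username, password):
    """Return (http_status, tomcat_roles, workbench_profiles).
    401: bind failed.  403: authenticated, but none of the user's roles is
    named in <auth-constraint>.  200: allowed; profiles are those whose
    roles.* line names one of the user's roles."""
    dn = authenticate(directory, username, password)
    if dn is None:
        return 401, set(), set()
    roles = roles_for(directory, dn)
    if not roles & WEB_XML_ROLES:
        return 403, roles, set()
    profiles = {p for p, r in POLICY_ROLES.items() if r in roles}
    return 200, roles, profiles


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    for user, pw in [("droolsadminuser", "adminpw"),
                     ("droolsanalystuser", "analystpw"),
                     ("droolsoutsider", "outsiderpw"),
                     ("droolsadminuser", "wrong")]:
        print(user, workbench_access(d, user, pw))
```

Running it gives 200 with the wb_everything profile for droolsadminuser, 200 with wb_for_business_analysts for the analyst, 403 for droolsoutsider (the bind succeeds and the role payroll is real, but no <auth-constraint> lists it, which is the case the 403 error-page in web.xml exists for) and 401 for a wrong password. The point to take away is that three strings must line up by hand and nothing checks them for you: the group cn in FreeIPA, the <role-name> in web.xml and the value on the right of each roles.* line.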
 
Step 3

That completes the configuration. Before restarting Tomcat, enable JNDIRealm logging so that a failed login can be diagnosed from the log instead of the generic error page.
Add the following to logging.properties (/etc/tomcat7/conf/logging.properties in my case; $CATALINA_BASE/conf/logging.properties in general) and save it:

 
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
 
Now restart Tomcat and log in to the Drools Workbench with one of the FreeIPA users.
The realm and authenticator messages go to /var/log/tomcat7/catalina.out. At this level they include the DNs the realm binds as and the role searches it runs, so they reveal usernames and your directory layout; drop the levels back to INFO once the integration works.




 
