JasperServer user authentication with Microsoft Active Directory

fcosfc
Paco Saucedo's blog » JasperReports

I was appointed to evaluate JasperServer last week and I have to say that I’m really pleased with this Open Source reporting server, especially from my developer’s point of view, because it’s fully integrated with the iReport IDE, which I had previously used to design the JasperReports that I embed in my Java Swing applications.

One of the requisites was that the product could be integrated with a Microsoft Active Directory infrastructure, so our systems administration team could set up and maintain the server in a quick and easy way. Although the user guide of my version (community project, release 4.1) referred to an “External Authentication Cookbook”, I could only find a former version on the Internet (release 3.5) and there are some differences, so I’d like to write about my findings, so that you don’t have to spend a morning configuring a simple test environment.

First of all, you have to edit the <application-server-path>/jasperserver/WEB-INF/applicationContext-security.xml config file, in my case C:\Program Files\jasperreports-server-cp-4.2.1\apache-tomcat\webapps\jasperserver\WEB-INF\applicationContext-security.xml, locate the bean authenticationManager and uncomment the line <ref local="ldapAuthenticationProvider"/>, so your system will search for users in Active Directory first.

The next step is to look for the bean ldapContextSource, uncomment the lines and point to one of your domain controllers, using the credentials of a user that can read the directory. Here is an example:

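<bean id="ldapContextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
   <!-- Domain controller URL followed by the base DN -->
   <constructor-arg value="ldap://dc01.test.local:389/dc=test,dc=local"/>
   <!-- Account used to bind and search the directory -->
   <property name="userDn">
      <value>CN=administrator,CN=Users,DC=test,DC=local</value>
   </property>
   <property name="password">
      <value>p@ssw9rd</value>
   </property>
</bean>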

The next bean to configure is userSearch: replace the default constructor argument (uid={0}) with (sAMAccountName={0}) and set the DN root where you have configured your user accounts:

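<bean id="userSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <!-- Search base, relative to the base DN of ldapContextSource -->
  <constructor-arg index="0">
    <value>OU=USERS_OU</value>
  </constructor-arg>
  <!-- Search filter: {0} is replaced by the login name -->
  <constructor-arg index="1">
    <value>(sAMAccountName={0})</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="ldapContextSource" />
  </constructor-arg>
  <!-- Also search the containers below the search base -->
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>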

The last step is to change some values in the ldapAuthenticationProvider configuration. Here is an excerpt of the one running on my test server, so you can compare it with yours:

<bean id="ldapAuthenticationProvider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
      <property name="userSearch"><ref local="userSearch"/></property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
      <constructor-arg index="1"><value>OU=GROUPS_OU</value></constructor-arg>
      <property name="groupRoleAttribute"><value>CN</value></property>
      <!--property name="groupSearchFilter"><value>((member={1})(CN=*))</value></property-->
      <property name="searchSubtree"><value>true</value></property>
    </bean>
  </constructor-arg>
</bean>

Finally, I’d like to point out that it is not a good idea to have your Active Directory passwords travelling as clear text over the insecure HTTP protocol, so it’s a good idea to change the default security constraints in order to use the HTTPS protocol, enabling SSL in the <application-server-path>/jasperserver/WEB-INF/web.xml file. Please review the Apache Tomcat documentation to enable HTTPS, taking into account that the Tomcat server bundled with JasperServer uses APR.
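
One way to check an edited applicationContext-security.xml against the steps above, as an added example that is not part of the original post or of JasperServer: it parses the file and reports which settings still need attention. The `audit` function, the finding codes and the sample input are constructed for illustration; the LDAP_NOT_ENCRYPTED and PRIVILEGED_BIND_ACCOUNT checks go beyond the post's steps and apply its clear-text-password concern to the LDAP connection and the bind account.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's ldapContextSource, provider <ref> and uid filter left at defaults.
SAMPLE = """<beans>
 <bean id="authenticationManager"><property name="providers"><list>
  <!-- <ref local="ldapAuthenticationProvider"/> -->
 </list></property></bean>
 <bean id="ldapContextSource">
  <constructor-arg value="ldap://dc01.test.local:389/dc=test,dc=local"/>
  <property name="userDn"><value>CN=administrator,CN=Users,DC=test,DC=local</value></property>
  <property name="password"><value>p@ssw9rd</value></property>
 </bean>
 <bean id="userSearch">
  <constructor-arg index="0"><value>OU=USERS_OU</value></constructor-arg>
  <constructor-arg index="1"><value>(uid={0})</value></constructor-arg>
 </bean>
</beans>"""

def local(el):
    """Element name without an XML namespace, so namespaced Spring files also match."""
    return el.tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return finding codes (hypothetical names) for the LDAP beans of the security context."""
    root = ET.fromstring(xml_text)  # the parser drops comments: commented-out lines are inactive
    beans = {b.get("id"): b for b in root.iter() if local(b) == "bean" and b.get("id")}
    findings = []
    manager = beans.get("authenticationManager")
    refs = [] if manager is None else [e.get("local") or e.get("bean")
                                       for e in manager.iter() if local(e) == "ref"]
    if "ldapAuthenticationProvider" not in refs:
        findings.append("PROVIDER_NOT_ENABLED")       # the <ref> is still commented out
    source = beans.get("ldapContextSource")
    if source is None:
        return findings + ["NO_CONTEXT_SOURCE"]
    url = next((e.get("value") or "".join(e.itertext()).strip()
                for e in source.iter() if local(e) == "constructor-arg"), "")
    if not url.lower().startswith("ldaps://"):
        findings.append("LDAP_NOT_ENCRYPTED")         # binds reach the DC in clear text
    props = {p.get("name"): p.get("value") or "".join(p.itertext()).strip()
             for p in source.iter() if local(p) == "property"}
    if props.get("userDn", "").lower().startswith("cn=administrator,"):
        findings.append("PRIVILEGED_BIND_ACCOUNT")    # the post only needs a directory reader
    search = beans.get("userSearch")
    values = [] if search is None else ["".join(e.itertext()).strip()
                                        for e in search.iter() if local(e) == "value"]
    if not any("samaccountname={0}" in v.lower() for v in values):
        findings.append("FILTER_NOT_SAMACCOUNTNAME")  # default (uid={0}) finds no AD users
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```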
