Preventing a default role with LDAP authentication


gabrielinux

Hi all,

 

I just configured JasperServer to work with LDAP authentication. Unfortunately, every time a user logs in -- even if he's not in an authorized department -- JasperServer creates an external user in its database and assigns a default role. How can I prevent this behavior? I do not want external users to be able to login unless I manually add them to the users list first.

 

The file that contains the default role is WEB-INF/applicationContext.xml. The only work-around that I've found so far is to change ROLE_USER to ROLE_ANONYMOUS here, and then remove access to everything in the repository from ROLE_ANONYMOUS. However, this still creates accounts upon a successful login, which is very undesirable.

<bean id="userAuthorityServiceTarget"
      class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserAuthorityServiceImpl">
    <property name="sessionFactory" ref="sessionFactory"/>
    <property name="objectMappingFactory" ref="mappingResourceFactory"/>
    <property name="persistentClassFactory" ref="persistentMappings"/>
    <property name="profileAttributeService" ref="profileAttributeService"/>
    <property name="defaultInternalRoles">
        <list>
            <value>ROLE_ANONYMOUS</value>
        </list>
    </property>
</bean>

 

Help? :(


The model we were looking at is that you want to authenticate and authorize the user's access based on the external service and roles. The assumption is that if you can login successfully authorizing against the external service, then you can use JasperServer.

 

Is there a way to stop unauthorized users from logging in? Can you change the LDAP query used in the authentication process to stop that?

 

Otherwise, your approach of denying the invalid users access seems right. Though users are created, they can do nothing.

 

 

Sherman

Jaspersoft


Well, so far I have only been able to tell Spring where to find my users. The problem is that I don't know how to set up the filters to tell it to check whether the user is a member of a specific security group. The documentation mentions how to check if users belong to an organizational unit, but not a security group.

 

Essentially, my users are stored this way: cn=myusername,ou=DepartmentUsers,dc=mongefranco,dc=com.

 

Then, I have several security groups. For example, JasperServer users (all of which should have access to JasperServer) belong to this security group: cn=JasperServerUsers,ou=ApplicationGroups,ou=Groups,dc=mongefranco,dc=com.

 

Finally, each user is also part of another security group denoting his or her department. This department should determine the role name: cn=Development,ou=DepartmentGroups,dc=mongefranco,dc=com.

 

Any idea how I would set that up in the ApplicationContext-security.xml file?

Post edited by: gabrielinux, at: 2008/06/25 14:49


I am looking at http://acegisecurity.org/guide/springsecurity.html#ldap-with-acegi for the approach.

 

Could you set your additional filtering in the userSearch bean and add the userSearch as a property to the ldapAuthProvider bean, or change the userDnPatterns property on the ldapAuthProvider bean? This way, the authentication will only find users who are part of (cn=JasperServerUsers) and reject the rest.

 

 

Sherman

Jaspersoft


Thanks Sherman. I added a filter under the userSearch bean, and then referenced the bean as a property. However, it looks like the filter has no effect at all -- no matter what I put in the filter, users are always authenticated.

 

My userSearch bean looks like this:

 

<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value></value>
    </constructor-arg>
    <constructor-arg index="1">
        <value>(memberOf=CN=JasperServerUsers,OU=ApplicationGroups,OU=Groups,DC=mongefranco,DC=com)</value> <!-- uid -->
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>

 

 

And the userSearch and userDnPatterns in the ldapAuthenticationProvider bean look like this:

 

<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
    <property name="userSearch"><ref local="userSearch" /></property>
    <property name="userDnPatterns">
        <list>
            <value>cn={0},ou=DepartmentUsers</value>
            <value>cn={0},ou=AdminUsers</value>
        </list>
    </property>
</bean>

 

Do I have the userSearch property in the wrong place? Or maybe my userSearch filter is incorrect?

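The configuration below is an added example (not from this thread or from Jaspersoft) that shows the userSearch setup from the post above beside a tightened version. Two things about the posted setup matter for the "every user gets in" symptom. First, Acegi's BindAuthenticator tries each userDnPatterns entry with a direct bind before it ever consults userSearch, and only falls back to the search when no pattern binds, so for anyone under ou=DepartmentUsers or ou=AdminUsers the memberOf filter is never evaluated. Second, a filter with no {0} placeholder does not select the user logging in at all; it matches every member of the group. The tightened version drops userDnPatterns so the filtered search is the only way to resolve a DN, and ANDs the login attribute with the group membership so the search returns exactly one entry for an authorised user and none for anybody else. When no entry is found, authentication fails before JasperServer's external-user creation runs. The bean ids ldapAuthProvider, userSearch and initialDirContextFactory and the group DNs come from the thread; the choice of cn as the login attribute, the ou=DepartmentGroups search base and the DefaultLdapAuthoritiesPopulator settings that map a department group to a role are assumptions for this example.

```xml
<!-- Added example, not from this thread or Jaspersoft. Assumes cn is the login
     attribute, the group DNs given in this thread, and an existing
     initialDirContextFactory bean in applicationContext-security.xml. -->

<!-- Weak: no {0} placeholder, so the filter matches every group member rather
     than the user logging in; and with userDnPatterns set on the authenticator
     below, this search is only a fallback and is never reached for users whose
     DN matches a pattern. -->
<bean id="userSearchWeak" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value></value></constructor-arg>
    <constructor-arg index="1">
        <value>(memberOf=CN=JasperServerUsers,OU=ApplicationGroups,OU=Groups,DC=mongefranco,DC=com)</value>
    </constructor-arg>
    <constructor-arg index="2"><ref local="initialDirContextFactory"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>

<!-- Tightened: the search requires both the login name and group membership.
     An empty base with searchSubtree=true still covers ou=DepartmentUsers and
     ou=AdminUsers, as the original DN patterns did. -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value></value></constructor-arg>
    <constructor-arg index="1">
        <value>(&amp;(cn={0})(memberOf=CN=JasperServerUsers,OU=ApplicationGroups,OU=Groups,DC=mongefranco,DC=com))</value>
    </constructor-arg>
    <constructor-arg index="2"><ref local="initialDirContextFactory"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>

<bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <!-- No userDnPatterns: a user the filter does not match has no DN to
                 bind with, so the login fails and no JasperServer account is created. -->
            <property name="userSearch"><ref local="userSearch"/></property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <!-- Assumed role mapping: the department groups under ou=DepartmentGroups
             that list the user's DN in their member attribute become roles, e.g.
             cn=Development becomes ROLE_DEVELOPMENT. {0} is the user's DN. -->
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <constructor-arg><value>ou=DepartmentGroups</value></constructor-arg>
            <property name="groupSearchFilter"><value>(member={0})</value></property>
            <property name="groupRoleAttribute"><value>cn</value></property>
            <property name="rolePrefix"><value>ROLE_</value></property>
            <property name="convertToUpperCase"><value>true</value></property>
            <property name="searchSubtree"><value>true</value></property>
        </bean>
    </constructor-arg>
</bean>
```

Only one of the two userSearch beans should be referenced by the authenticator; the weak one is kept here purely for comparison. With the tightened search in place, a quick check is to log in as a directory account that is not a member of JasperServerUsers and confirm that no row appears for it in JasperServer's user table afterwards.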
