gabrielinux
Posted June 24, 2008

Hi all,

I just configured JasperServer to work with LDAP authentication. Unfortunately, every time a user logs in -- even if he's not in an authorized department -- JasperServer creates an external user in its database and assigns a default role.

How can I prevent this behavior? I do not want external users to be able to log in unless I manually add them to the users list first.

The file that contains the default role is WEB-INF/applicationContext.xml. The only work-around that I've found so far is to change ROLE_USER to ROLE_ANONYMOUS here, and then remove access to everything in the repository from ROLE_ANONYMOUS. However, this still creates accounts upon a successful login, which is very undesirable.

```xml
<bean id="userAuthorityServiceTarget" class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserAuthorityServiceImpl">
    <property name="sessionFactory" ref="sessionFactory"/>
    <property name="objectMappingFactory" ref="mappingResourceFactory"/>
    <property name="persistentClassFactory" ref="persistentMappings"/>
    <property name="profileAttributeService" ref="profileAttributeService"/>
    <property name="defaultInternalRoles">
        <list>
            <value>ROLE_ANONYMOUS</value>
        </list>
    </property>
</bean>
```

Help? :(

swood
Posted June 25, 2008

The model we were looking at is that you want to authenticate and authorize the user's access based on the external service and roles. The assumption is that if you can log in successfully authorizing against the external service, then you can use JasperServer.

Is there a way to stop unauthorized users from logging in? Can you change the LDAP query used in the authentication process to stop that?

Otherwise, your approach of denying the invalid users access seems right. Though users are created, they can do nothing.

Sherman
Jaspersoft

gabrielinux
Posted June 25, 2008

Well, so far I have only been able to tell Spring where to find my users. The problem is that I don't know how to set up the filters to tell it to check if the user is a member of a specific security group. The documentation mentions how to check if users belong to an organizational unit, but not a security group.

Essentially, my users are stored this way: cn=myusername,ou=DepartmentUsers,dc=mongefranco,dc=com.

Then, I have several security groups. For example, JasperServer users (all of which should have access to JasperServer) belong to this security group: cn=JasperServerUsers,ou=ApplicationGroups,ou=Groups,dc=mongefranco,dc=com.

Finally, each user is also part of another security group denoting his or her department. This department should determine the role name: cn=Development,ou=DepartmentGroups,dc=mongefranco,dc=com.

Any idea how I would set that up in the ApplicationContext-security.xml file?

Post edited by: gabrielinux, at: 2008/06/25 14:49

swood
Posted June 26, 2008

I am looking at http://acegisecurity.org/guide/springsecurity.html#ldap-with-acegi for the approach.

Could you set your additional filtering in the userSearch bean and add the userSearch as a property to the ldapAuthProvider bean, or change the userDnPatterns property on the ldapAuthProvider bean? This way, the authentication will only find users who are part of (cn=JasperServerUsers) and reject the rest.

Sherman
Jaspersoft

gabrielinux
Posted June 27, 2008

Thanks Sherman. I added a filter under the userSearch bean, and then referenced the bean as a property. However, it looks like the filter has no effect at all -- No matter what I put in the filter, users are always authenticated.

My userSearch bean looks like this:

```xml
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value></value>
    </constructor-arg>
    <constructor-arg index="1">
        <value>(memberOf=CN=JasperServerUsers,OU=ApplicationGroups,OU=Groups,DC=mongefranco,DC=com)</value> <!-- uid -->
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>
```

And the userSearch and UserDNPatterns in the ldapAuthenticationProvider bean look like these:

```xml
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
    <property name="userSearch"><ref local="userSearch" /></property>
    <property name="userDnPatterns"><list>
        <value>cn={0},ou=DepartmentUsers</value>
        <value>cn={0},ou=AdminUsers</value>
    </list></property>
</bean>
```

Do I have the userSearch property in the wrong place? Or maybe my userSearch filter is incorrect???

swood
Posted June 27, 2008

I don't know the answer here. There will probably be some answers on the Spring Security (Acegi) forums.

http://forum.springframework.org/forumdisplay.php?f=33

Sherman
Jaspersoft

gabrielinux
Posted July 1, 2008

Thanks! I found the answer in that other forum. It's a bit messy, but it works. :)

I'll post my config file sometime after I do more testing.

lsmoke
Posted April 1, 2009

I am looking for a solution to this question as well. Could you post your userSearch code? Thanks.
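
Added example, not posted by anyone in this thread and not the configuration gabrielinux ended up with: Acegi's `BindAuthenticator` tries each `userDnPatterns` entry first and consults `userSearch` only when none of them binds, so the group filter in the June 27 post is never evaluated for users who match a pattern. The variant below drops the patterns and ties the search to both the login name (`{0}`) and the group; it assumes the login name is the entry's `cn`, as the posted DN patterns imply, and that the directory exposes `memberOf`.

```xml
<!-- Added example: group-restricted user lookup for Acegi LDAP authentication. -->
<bean id="userSearch"
      class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <!-- Search base, relative to the root DN of initialDirContextFactory. -->
    <constructor-arg index="0">
        <value></value>
    </constructor-arg>
    <!-- {0} is replaced with the login name. Both conditions must hold:
         the entry is the user logging in AND it is a member of the group.
         The LDAP "&" operator has to be written as &amp; inside XML.
         Assumption: cn carries the login name (taken from the DN patterns
         in the thread); substitute the attribute your directory uses. -->
    <constructor-arg index="1">
        <value>(&amp;(cn={0})(memberOf=CN=JasperServerUsers,OU=ApplicationGroups,OU=Groups,DC=mongefranco,DC=com))</value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory"/>
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>

<!-- Goes where the BindAuthenticator shown in the thread is declared. -->
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
    <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
    <!-- userDnPatterns deliberately omitted: a pattern such as
         cn={0},ou=DepartmentUsers would bind any user in that OU and
         bypass the group filter entirely. With only userSearch set, a
         user outside the group is not found, so no bind is attempted
         and the login is rejected. -->
    <property name="userSearch"><ref local="userSearch"/></property>
</bean>
```

On Active Directory, `memberOf` lists direct memberships only, so a user who reaches JasperServerUsers through a nested group will not match this filter.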