JasperServer CE not importing Active Directory roles with spaces?

[jackh]

Hello -

Recently we moved from Jasper Pro to CE.  We installed the latest CE (Product Version: 5.1.0 Build: 20130508_1313) and followed the instructions in the Authentication Cookbook (which is nearly identical to what we had done in the pro version, but in a new single file).  We can now authenticate and sync roles to users to our Active Directory.  However, not all roles sync - a role with spaces in the name, such as "Software Development" or "NJ Management" does NOT come over to Jasper, while a role such as "SoftwareDevelopment" without the space comes over fine.

Any ideas how we can resolve this issue?  It was working fine in the pro version.

Thanks for any assistance.

   - Jack

[elizam]

Unfortunately, this may be a bug in 5.1.  I have filed it as such and notified the developer responsible.

[dlitvak]

Bingo, I just realized that this is by design. 

When you look in the logs after you turn up log level for com.jaspersoft.jasperserver.api.security.externalAuth.processors, you should see a warning "External role  XXX YYY has forbidden characters according to permittedExternalRoleNameRegex: [A-Za-z0-9_]+.  Skipping this role for the user ZZ"

To fix the problem, please modify permittedExternalRoleNameRegex which is [A-Za-z0-9_]+ regex by default.  To do that, add this property to applicationContext-externalAuth-LDAP.xml externalUserSetupProcessor bean as follows:

<bean id="externalUserSetupProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor" parent="abstractExternalProcessor">
        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>
        .....

        <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_s]+">
    </bean>

The property permittedExternalRoleNameRegex was added to fix another bug at or after the time of the actual doc writing.  Apologies.

[jackh]

First, thank you for that detailed explanation, which makes total sense. I tried this, and it still doesn't work, so perhaps it is a bug? I turned up the logging as you suggested and I see lines like this:

 

WARN ExternalUserSetupProcessor,http-bio-80-exec-7:258 - External role PRL_INFORMATION TECHNOLOGY has forbidden characters according to permittedExternalRoleNameRegex: [A-Za-z0-9_\s]+

 

As you can see the "\s" is in there. Any other thoughts?

 

Thank you!

 

- Jack

[dlitvak]

My mistake, please use instead. I changed the original post as well.

[naumchik2301]

Hello!

This property working fine, but may be You have some solution how to replace spaces to underline? Just in 4.7 it was automaticaly, and now I want to upgrade to 5.1 but I'll need change all permissions :(

Thx

[dlitvak]

Sorry for your trouble. It's probably best to post a separate issue if you want attention faster :) or contact support. However, since I am accidentally here...

 

Sounds like you might have a prof. edition, no?

 

Yes, in 5.1, code has gone through some refactoring. We accidentally dropped this replace. Ooops. We are going to put it back in 5.2.

 

For you, you have this option 1, unless you are using LDAP:

You can follow the old authentication cookbook and configure this the old way, which is going to utilize the old code. 1 thing you would absolutely need to do though is to re-add JIAuthenticationSynchronizer in /** filter chain after delegatingRequestParameterAuthenticationFilter (in filterChainProxy bean in applicationContext-security-web.xml). Now, I have not tested this personally ..., but it should work.

 

If you are on LDAP, we are in trouble, as we dropped com.jaspersoft.jasperserver.multipleTenancy.ldap.LdapExternalUserProcessor by accident.

We have since re-added it to 5.2

Hence, Option 2 is to map your external roles with spaces to JRS internal ones in the new 5.1 config. To do that, setup key-value pairs in organizationRoleMap property of mtExternalUserSetupProcessor bean.

ROLE ADMIN EXTERNAL ORGANIZATION

ROLE_ADMIN_EXTERNAL_ORGANIZATION|*

 

Note |*, it will assign organization id to the role, which usually is not the case.

 

Good luck

 

 

 

 

[naumchik2301]

Deleted

[naumchik2301]

 

 

Hello!

 

No, I have community edition :)

 

1 option not good, because I don't want in new version use old config :), Ok, I'm waiting 5.2 release.

 

P.S.

 

when would be avalibale 5.2 release ? :)

 

Thx

 

[dlitvak]

Looking at July-August. We are wrapping it up here.