
Error configuring External Authorisation for LDAP on JasperServer 6.0


gedmf


I have just upgraded from 5.6.0 to 6.0.0 and have my old favourite problem - LDAP configuration (MS AD actually).  First configured successfully under 4.5 then 4.7. I modified the 5.6.0 applicationContext-security.xml file to work in a similar manner to 4.7.  This doesn’t work with 6.0.0, so I have tried splitting the LDAP configuration using the sample_applicationContext-externalAuth-LDAP.xml file.  I get an error as follows:

 

2014-12-26 15:38:39,073 ERROR ContextLoader,Thread-1:331 - Context initialization failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'proxyBasicProcessingFilter' defined in ServletContext resource [/WEB-INF/applicationContext-externalAuth-LDAP.xml]: Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)

 

I’ve seen one or two other posts with similar problems, but none of the solutions resolve the problem.  I have configured the beans ldapAuthenticationProvider, userSearch, and ldapContextSource in the externalAuth file with no success.


Has anybody else experienced this problem? Or can you spot the issue in my externalAuth extract below, please?

 
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
 
<!-- ############ LDAP authentication ############
      - Sample configuration of external authentication via an external LDAP server.
    -->
 
<!-- Inherits from the authenticationProcessingFilter bean (not defined in this extract) and
     overrides two properties: authenticationManager points at ldapAuthenticationManager and
     authenticationSuccessHandler points at externalAuthSuccessHandler. -->
<bean id="proxyAuthenticationProcessingFilter"
      class="com.jaspersoft.jasperserver.api.security.EncryptionAuthenticationProcessingFilter"
      parent="authenticationProcessingFilter">
    <property name="authenticationManager">
        <ref local="ldapAuthenticationManager"/>
    </property>

    <property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler"/>
</bean>
 
<!-- Filter bound to /services (filterProcessesUrl). It authenticates through
     ldapAuthenticationManager and hands successful logins to externalAuthSuccessHandler.
     NOTE(review): if SOAP web services are not used with external accounts, confirm whether
     this filter is needed at all; every extra login path is one more thing to protect with TLS. -->
<bean id="proxyAuthenticationSoapProcessingFilter"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.DefaultAuthenticationSoapProcessingFilter">
    <property name="authenticationManager" ref="ldapAuthenticationManager"/>
    <property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler"/>

    <property name="filterProcessesUrl" value="/services"/>
</bean>
 
<!-- Filter bound to /rest/login (filterProcessesUrl). Same wiring as the other proxy filters:
     ldapAuthenticationManager for authentication, externalAuthSuccessHandler on success. -->
<bean id="proxyAuthenticationRestProcessingFilter"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.DefaultAuthenticationRestProcessingFilter">
    <property name="authenticationManager">
        <ref local="ldapAuthenticationManager"/>
    </property>
    <property name="authenticationSuccessHandler" ref="externalAuthSuccessHandler"/>
    <property name="filterProcessesUrl" value="/rest/login"/>
</bean>
 
<!-- Inherits from requestParameterAuthenticationFilter (not defined in this extract) and
     redirects it to ldapAuthenticationManager and externalDataSynchronizer.
     NOTE(review): the name suggests credentials are accepted as request parameters. If so,
     they can end up in access logs, browser history and Referer headers; confirm that this
     login path is required and that it is only reachable over TLS. -->
<bean id="proxyRequestParameterAuthenticationFilter"
      class="com.jaspersoft.jasperserver.war.util.ExternalRequestParameterAuthenticationFilter"
      parent="requestParameterAuthenticationFilter">
    <property name="authenticationManager">
        <ref local="ldapAuthenticationManager"/>
    </property>
    <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
</bean>
 
<!-- Success handler shared by the form, SOAP and REST filters in this file. It inherits from
     successHandler (not defined in this extract) and adds the externalDataSynchronizer. -->
<bean id="externalAuthSuccessHandler"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.JrsExternalAuthenticationSuccessHandler"
      parent="successHandler">
    <property name="externalDataSynchronizer">
        <ref local="externalDataSynchronizer"/>
    </property>
</bean>
 
<!-- This is the bean named in the reported BeanCreationException ("Could not resolve matching
     constructor"). As posted it inherits from basicProcessingFilter via parent= and sets only
     authenticationManager and externalDataSynchronizer.
     NOTE(review): HTTP Basic sends the user's password with every request, so whichever
     definition ends up in use, expose it only over TLS. -->
<bean id="proxyBasicProcessingFilter"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalAuthBasicProcessingFilter"
      parent="basicProcessingFilter">
    <property name="authenticationManager" ref="ldapAuthenticationManager"/>
    <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
</bean>
 
<!-- Authentication manager used by every proxy filter in this file. Providers are listed in
     this order: ldapAuthenticationProvider, then the bean named by ${bean.daoAuthenticationProvider}.
     NOTE(review): the second entry is presumably the internal-database provider, which would
     let internally stored accounts keep logging in alongside LDAP users. If so, make sure the
     built-in internal accounts have strong, non-default passwords or are disabled. -->
<bean id="ldapAuthenticationManager"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.JSProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider"/>
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <!--anonymousAuthenticationProvider only needed if filterInvocationInterceptor.alwaysReauthenticate is set to true
                <ref bean="anonymousAuthenticationProvider"/>-->
        </list>
    </property>
</bean>
 
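<!-- LDAP provider built from two constructor arguments:
       1. a bind authenticator that locates the user with the userSearch bean and then binds
          to the directory through ldapContextSource;
       2. an authorities populator that reads the user's groups through ldapContextSource.
     The populator's second constructor argument is empty; presumably it is the group search
     base, so the search starts at the base DN of the context source (confirm).
     Only groups matching cn=JASPER_* are returned, and groupRoleAttribute=cn selects the cn
     attribute as the source of the role name.
     The groupSearchFilter value is written with &amp; because a bare ampersand is not allowed
     in an XML attribute value; the parser hands the LDAP code the plain "&" of the AND filter. -->
<bean id="ldapAuthenticationProvider"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider">
    <constructor-arg>
        <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSBindAuthenticator">
            <constructor-arg>
                <ref local="ldapContextSource"/>
            </constructor-arg>
            <property name="userSearch" ref="userSearch"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
            <constructor-arg index="0">
                <ref local="ldapContextSource"/>
            </constructor-arg>
            <constructor-arg index="1">
                <value/>
            </constructor-arg>
            <property name="groupRoleAttribute" value="cn"/>
            <property name="groupSearchFilter" value="(&amp;(member={0})(objectclass=group)(cn=JASPER_*))"/>
            <property name="searchSubtree" value="true"/>
            <!-- Can setup additional external default roles here  <property name="defaultRole" value="LDAP"/> -->
        </bean>
    </constructor-arg>
</bean>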
 
<!-- User lookup used by the bind authenticator. The three constructor arguments presumably
     mirror Spring Security's FilterBasedLdapUserSearch: search base (empty here), search filter,
     context source. With an empty base and searchSubtree=true the lookup covers the whole tree
     under the base DN given in ldapContextSource.
     NOTE(review): (sAMAccountName={0}) matches any account in that tree, so every directory
     user who can bind is able to log in, not only members of the JASPER_* groups. If logins
     should be limited to a group, add a memberOf clause to this filter, for example
     (&(sAMAccountName={0})(memberOf=<group DN>)), writing the ampersand as &amp; in the XML. -->
<bean id="userSearch"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSFilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value/>
    </constructor-arg>
    <constructor-arg index="1">
        <value>(sAMAccountName={0})</value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="ldapContextSource"/>
    </constructor-arg>
    <property name="searchSubtree" value="true"/>
</bean>
 
<!-- Connection settings for the directory. LDAPSERVER, LDAPADMIN and LDAPADMINPassword appear
     to be placeholders substituted by the poster.
     Review notes:
     - ldap:// on port 389 is unencrypted. ldapAuthenticationProvider uses a bind authenticator,
       so user passwords as well as the manager password below cross the network in clear text.
       Prefer ldaps:// (port 636) or StartTLS, with the directory's CA trusted by the JVM.
     - userDn and password are stored in plain text in this file. Use a dedicated read-only
       service account rather than a directory administrator, and restrict read access to the
       file and to any backups or forum posts that contain it.
     - referral=follow makes the client chase referrals returned by the server. Presumably the
       same bind credentials are presented to the referred host, so confirm that referrals can
       only point at directory servers you trust. -->
<bean id="ldapContextSource"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
    <constructor-arg value="ldap://LDAPSERVER:389/dc=jsr,dc=co,dc=uk"/>
    <!-- manager user name and password (may not be needed)  -->
    <property name="userDn" value="LDAPADMIN"/>
    <property name="password" value="LDAPADMINPassword"/>
    <property name="referral" value="follow"/>
</bean>
<!-- ############ LDAP authentication ############ -->
 
<!-- ############ JRS Synchronizer ############ -->
<!-- Synchronizer referenced by the success handler and by the request-parameter and basic
     filters. It runs the listed external user processors; only externalUserSetupProcessor is
     active, the folder processor is left commented out. -->
<bean id="externalDataSynchronizer"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalDataSynchronizerImpl">
    <property name="externalUserProcessors">
        <list>
            <ref local="externalUserSetupProcessor"/>
            <!-- Example processor for creating user folder-->
            <!--<ref local="externalUserFolderProcessor"/>-->
        </list>
    </property>
</bean>
 
<!-- Abstract template (abstract="true", never instantiated itself) that supplies the service
     references shared by the external user processors. Three of the references are resolved
     from ${bean.*} placeholders; the other two name beans directly. -->
<bean id="abstractExternalProcessor"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.AbstractExternalUserProcessor"
      abstract="true">
    <property name="repositoryService" ref="${bean.repositoryService}"/>
    <property name="userAuthorityService" ref="${bean.userAuthorityService}"/>
    <property name="tenantService" ref="${bean.tenantService}"/>
    <property name="profileAttributeService" ref="profileAttributeService"/>
    <property name="objectPermissionService" ref="objectPermissionService"/>
</bean>
 
<!-- Processor that sets up the JRS-side account for an externally authenticated user. It
     inherits from abstractExternalProcessor but replaces userAuthorityService with the bean
     named by ${bean.internalUserAuthorityService}.
     Review notes:
     - defaultInternalRoles lists ROLE_USER, presumably granted to every user who authenticates
       externally; combined with a broad user search filter this gives every directory account
       a working login.
     - organizationRoleMap maps the external role ROLE_ADMIN_EXTERNAL_ORGANIZATION to
       ROLE_ADMINISTRATOR. Whoever controls membership of the matching directory group controls
       who is a server administrator, so treat that group as privileged.
     - NOTE(review): the group search filter in ldapAuthenticationProvider only returns groups
       named JASPER_*, so the sample key may never match a real group; confirm the external
       role names actually produced before relying on this mapping. -->
<bean id="externalUserSetupProcessor"
      class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor"
      parent="abstractExternalProcessor">
    <!--Default permitted role characters; others are removed. Change regular expression to allow other chars.
                    <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>-->

    <property name="userAuthorityService">
        <ref bean="${bean.internalUserAuthorityService}"/>
    </property>
    <property name="defaultInternalRoles">
        <list>
            <value>ROLE_USER</value>
        </list>
    </property>

    <property name="organizationRoleMap">
        <map>
            <!-- Example of mapping customer roles to JRS roles -->
            <entry>
                <key>
                    <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value>
                </key>
                <!-- JRS role that the <key> external role is mapped to-->
                <value>ROLE_ADMINISTRATOR</value>
            </entry>
        </map>
    </property>
</bean>
 
<!-- EXAMPLE Processor
    <bean id="externalUserFolderProcessor"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserFolderProcessor"
          parent="abstractExternalProcessor">
        <property name="repositoryService" ref="${bean.unsecureRepositoryService}"/>
    </bean>
    -->
<!-- ############ JRS Synchronizer ############ -->
</beans>
 
 

 


The example proxyBasicProcessingFilter bean config provided with JS6 is broken.  Try the below, which fixed it for me:

(Of course now I need to understand why the organizationRoleMapping stuff which worked in 5.5 is now broken in 6 - sigh...)

 

 

    <!-- Replacement definition offered in this reply. It has no parent= attribute and sets
         authenticationEntryPoint explicitly; basicProcessingFilterEntryPoint is not defined
         in this snippet.
         NOTE(review): HTTP Basic sends the password with every request, so keep this filter
         reachable only over TLS. -->
    <bean id="proxyBasicProcessingFilter"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalAuthBasicProcessingFilter">
        <property name="authenticationManager" ref="ldapAuthenticationManager"/>
        <property name="externalDataSynchronizer" ref="externalDataSynchronizer"/>
        <property name="authenticationEntryPoint">
            <ref local="basicProcessingFilterEntryPoint"/>
        </property>
    </bean>

Note that unless you specifically use external authentication to authenticate users via REST or web services, proxyBasicProcessingFilter can be completely removed from the sample file.  As a result, delegatingPreAuthenticatedFilter in applicationContext-security-web.xml will fall back on the non-external basicProcessingFilter behaviour.

 

Sample file is provided just as that.  It includes more scenarios than you might need.


Hi tim_12,

Thank you for that information. The fix worked perfectly. I too moved on to fixing up the LDAP role mapping that used to work. I am using AD, and didn't include the user details in master properties before the migration, so I entered them manually as per p31-33 in the v6.0.1 Authentication Cookbook. After including the mappings from external role to JRS role in the externalUserSetupProcessor, the missing piece that got it working was in the ldapContextSource bean.  I added the following after the password property: <property name="referral" value="follow"/>

Not sure if that helps, but I'd be happy to cast an eye over things if you like.

Once again, thanks for your help.

Ged


Hi dlitvak,

 

Thank you for the explanation. That makes sense to me now. One or two of our people use the Report Studio tool remotely, which I think authenticates using REST under these circumstances. So am I correct in thinking that I should include the proxyBasicProcessingFilter?

 

Regards

 

Ged


  • 2 months later...

Hi, I need help with LDAP configuration. I was trying to configure it using the steps described in the Jasper documentation, but I am having a problem. The error is this one:

type Status report

 

message /jasperserver/login.html;jsessionid=623DD9EC81A3702EC57937EF900009E7

 

description The requested resource is not available

 

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

 

 

 

 

 

class="com.jaspersoft.jasperserver.api.security.externalAuth.DefaultAuthenticationSoapProcessingFilter">

 

 

class="com.jaspersoft.jasperserver.war.util.ExternalRequestParameterAuthenticationFilter">

 

/login.html?error=1

/j_spring_switch_user

 

class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalAuthBasicProcessingFilter">

 

 

 

 

 

 

 

 

class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">

ou=people

(uid={0})

true

 

 

class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalDataSynchronizerImpl">

 

 

 

ROLE_USER

 

ROLE_ADMIN_EXTERNAL_ORGANIZATION

ROLE_ADMINISTRATOR

 

class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserFolderProcessor"

parent="abstractExternalProcessor">

 

 

 

 

Can some one help me, please,

 

Regards


  • 6 months later...
