[#4381] - Role mappings don't work for externally authenticated users

Category: Bug report
Priority: None
Status: New
Project:
Severity: Minor
Resolution: Open
Component:
Reproducibility: Always
Assigned to:
3

I've configured jasperserver to use LDAP for authentication. I am able to log in successfully but am having trouble with role mapping.

Using the bean definition below, my groupRoleAttribute returns ca-dev-user,ca-qa-user.

<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
    <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
    <constructor-arg index="1"><value>ou=Group,ou=orgUnit,o=orgName</value></constructor-arg>
    <property name="groupRoleAttribute" value="cn"/>
    <property name="groupSearchFilter" value="(&amp;(|(cn=ca-dev*)(cn=ca-qa*))(memberuid={1}))"/>
    <property name="searchSubtree" value="true"/>
    <!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->
</bean>
...

and it gets converted to ROLE_CA_DEV_USER and ROLE_CA_QA_USER, but my mapping below still doesn't work.

<bean id="externalUserSetupProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor" parent="abstractExternalProcessor">
    ...
    <property name="organizationRoleMap">
        <map>
            <entry>
                <key>
                    <value>ROLE_CA_QA_USER</value>
                </key>
                <value>ROLE_USER</value>
            </entry>
            <entry>
                <key>
                    <value>ROLE_CA_DEV_USER</value>
                </key>
                <value>ROLE_ADMINISTRATION</value>
            </entry>
        </map>
    </property>
</bean>

The workaround that I had to do was to use the value when the ROLE prefix is applied to my upper-case groupRoleAttribute, as shown below.

<bean id="externalUserSetupProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor" parent="abstractExternalProcessor">
    ...
    <property name="organizationRoleMap">
        <map>
            <entry>
                <key>
                    <value>ROLE_CA-QA-USER</value>
                </key>
                <value>ROLE_USER</value>
            </entry>
            <entry>
                <key>
                    <value>ROLE_CA-DEV-USER</value>
                </key>
                <value>ROLE_ADMINISTRATION</value>
            </entry>
        </map>
    </property>
</bean>

I believe the mapping is looked into before converting hyphen '-' to underscore '_'.

v6.0.1
yokulkarni's picture

2 Comments:

#1

Thanks for reporting this as I just ran into exactly the same thing. I tried virtually all permutations of ROLE_, upshift and - to _ without luck and was about to give up before I found this. Would be great to either get it fixed, or at least add a note to the external auth manual.

#2
  • Priority: High » None

Same problem here, after 4 years it persists (version 7.1.1 community). But just saved my day. In my case I have groups with chars like #, space, hyphen, accents.
Examples: In LDAP: #UNIT-GROUP NAME / In JRS: ROLE_#UNIT-GROUP NAME
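
Added example, not part of the thread or of JasperReports Server: a small audit of an organizationRoleMap against the LDAP group names, showing which keys would never match and so silently grant nothing. It assumes the key form the posters above report as working ("ROLE_" plus the upper-cased group cn, with hyphens and other characters left as they are); the bean snippet and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: organizationRoleMap entries in the shape shown in the report.
SAMPLE_BEAN = """
<bean id="externalUserSetupProcessor">
  <property name="organizationRoleMap">
    <map>
      <entry><key><value>ROLE_CA_QA_USER</value></key><value>ROLE_USER</value></entry>
      <entry><key><value>ROLE_CA-DEV-USER</value></key><value>ROLE_ADMINISTRATION</value></entry>
    </map>
  </property>
</bean>
"""

def local(tag):
    """Strip an XML namespace, so a namespaced Spring file parses the same way."""
    return tag.rsplit("}", 1)[-1]

def role_map(bean_xml):
    """Return {external role key: internal role} from organizationRoleMap."""
    root = ET.fromstring(bean_xml)
    out = {}
    for prop in root.iter():
        if local(prop.tag) != "property" or prop.get("name") != "organizationRoleMap":
            continue
        for entry in (e for e in prop.iter() if local(e.tag) == "entry"):
            key = next(v.text for k in entry if local(k.tag) == "key" for v in k)
            val = next(c.text for c in entry if local(c.tag) == "value")
            out[key.strip()] = val.strip()
    return out

def key_as_reported(group_cn):
    """Assumption from this thread: key = 'ROLE_' + upper-cased cn, other chars kept."""
    return "ROLE_" + group_cn.upper()

def audit(bean_xml, ldap_groups):
    """Return (roles granted per group, map keys no group matches, groups with no key)."""
    mapping = role_map(bean_xml)
    expected = {key_as_reported(g): g for g in ldap_groups}
    granted = {g: mapping[k] for k, g in expected.items() if k in mapping}
    dead = sorted(k for k in mapping if k not in expected)
    unmapped = sorted(g for k, g in expected.items() if k not in mapping)
    return granted, dead, unmapped

if __name__ == "__main__":
    print(audit(SAMPLE_BEAN, ["ca-dev-user", "ca-qa-user"]))
```

Review every group in the granted result that maps to ROLE_ADMINISTRATION, and treat each dead key as a user population that is logging in without the role the configuration intended.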
