Drools Guvnor – Manage access

Externalize business or technical rules is very important for scalable applications but the BRMS service access should be managed. guvnor provides control UI access and operations using role based authorizations.

There are several permissions types as listed in drools-guvnor reference manual. Admin with all permissions. Analyst or Analyst read-only: analyst permissions for a specific category. Package admin, Package developer or Package read-only: package permissions for a specific package.

Allow user authentication control by updating the file compenent.xml located into the server deployed folder

...
<component name="org.jboss.seam.security.roleBasedPermissionResolver>
      <property name="enableRoleBasedAuthorization">false</property>
</component>
// change false to true
...

Embedded Guvnor in Jboss server control access configuration:

Stop guvnor server if started in user guest mode and enable role based authorization.

Add drools-guvnor access policy in the file login-config.xml located in server/default/conf

<application-policy name="drools-guvnor">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" 
flag="required">
<module-option name="usersProperties">
props/drools-guvnor-users.properties</module-option>
<module-option name="rolesProperties">
props/drools-guvnor-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>

Create properties files for users and roles with respective contents:

# A roles.properties file for UsersRolesLoginModule (drools-guvnor-roles.properties)
superuser=admin
packuser=package.admin
rulesviewer=package.readonly
# A users.properties file for UsersRolesLoginModule (drools-guvnor-users.properties)
rulesviewer=drools
packuser=proto
superuser=admin

Restart the Jboss guvnor server and log into web interface using created accounts.

Using lightweight container Tomcat and Mysql server – Configuring drools-guvnor JAAS authentication module

Prequisites: Working with Drools Guvnor 5.3 deployed in Apache tomcat 6 running with Mysql 5.JDK version 1.6

0 – Deploy guvnor application with context name drools-guvnor.

All users are guests then go the administration panel and set authorization for user admin or create another user with authorizations. Stop the server and we are going to enable Jaas database authentication

1 – Create authdb schema with guvnorusers table in mysql database.

CREATE TABLE guvnorusers (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) DEFAULT NULL,
  `password` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
);

INSERT INTO guvnorusers values (1,"admin","admin");

2 – Build a custom loginModule 

Download my custom loginModule sources customloginmodule_sources Compile and export this sources as java archive (jar).

3 – In %TOMCAT_HOME%/lib 

Copy the loginModule exported jar file and the mysql connector jar.

4 – In %TOMCAT_HOME%/conf/context.xml, we add a resource declaration

<Resource name="jdbc/URDroolsDS" auth="Container"
 type="javax.sql.DataSource" driverClassName="com.mysql.jdbc.Driver"
 url="jdbc:mysql://yourserveradress:3306/authdb" username="dbuser"
 password="dbuserpassword" maxActive="20" maxIdle="10" maxWait="-1" />

5 – Update %TOMCAT_HOME%/webapps/drools-guvnor/WEB-INF/components.xml to configure our repository to use external database and security settings

<security:identity authenticate-method="#{authenticator.authenticate}" 
     jaas-config-name="drools-guvnor"/>

<security:role-based-permission-resolver 
     enable-role-based-authorization="true"/>

6 – Update %TOMCAT_HOME%/conf/server.xml to add a Realm declaration

<Realm className="org.apache.catalina.realm.LockOutRealm">
...
<Realm appName="drools-guvnor" 
  className="com.test.droolsproto.loginModule.Realm.DroolsJaasRealm" 
  dataSourceName="jdbc/URDroolsDS" localDataSource="true"/>
...
</Realm>

7 – Create a file jaasConfig on %TOMCAT_HOME%/conf with this content:

drools-guvnor{
com.test.droolsproto.loginModule.module.DroolsLoginModule
required debug=true;
};

8 – Before runing Tomcat create in %TOMCAT_HOME%/bin a setenv.sh file if you running on linux or setenv.bat on windows with this content (Working on linux)

…
JAVA_OPTS=”-Xms128m -Xmx256m -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaasConfig”
export JAVA_OPTS
…

Now it’s time to restart your guvnor server and check authentication!

Reference: Drools-guvnor manage access – part 1 ,Drools-guvnor manage access – part 2 from our JCG partner Gael-Jurin Nkouyee at the NGJWEBLOG blog.

Do you want to know how to develop your skillset to become a Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you two of our best selling eBooks for FREE!

JPA Mini Book

Learn how to leverage the power of JPA in order to create robust and flexible Java applications. With this Mini Book, you will get introduced to JPA and smoothly transition to more advanced concepts.

JVM Troubleshooting Guide

The Java virtual machine is really the foundation of any Java EE platform. Learn how to master it with this advanced guide!

Given email address is already subscribed, thank you!
Oops. Something went wrong. Please try again later.
Please provide a valid email address.
Thank you, your sign-up request was successful! Please check your e-mail inbox.
Please complete the CAPTCHA.
Please fill in the required fields.

2 Responses to "Drools Guvnor – Manage access"

  1. Sri says:

    Hi,
    After doing everything I get following error message. I tried to to debug and I see username quest is being passed to loginModule and I don’t see any login window for guvnor. How would I configure guvnor to see login window that way I can put valid username and password?

    ERROR 08-08 11:07:04,600 (Logger.java:error:1092) JAAS authentication fai
    led
    javax.security.auth.login.LoginException: Security Exception
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:856)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
    86)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
    80)

  2. Prashant says:

    Please provide the link to download customLoginModule.

Leave a Reply


− six = 3



Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy
All trademarks and registered trademarks appearing on Java Code Geeks are the property of their respective owners.
Java is a trademark or registered trademark of Oracle Corporation in the United States and other countries.
Java Code Geeks is not connected to Oracle Corporation and is not sponsored by Oracle Corporation.
Do you want to know how to develop your skillset and become a ...
Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you two of our best selling eBooks for FREE!

Get ready to Rock!
You can download the complementary eBooks using the links below:
Close