JAAS configuration in Bonita 6.X

Hello everyone,

I’m trying to configure JAAS authentication in a Bonita 6.2.5 Community Tomcat bundle, but it seems that I cannot change the login module.
I have changed the LoginManager in “BonitaBPMCommunity-6.2.5-Tomcat-6.0.37\bonita\client\platform\conf\loginManager-config.properties” to org.bonitasoft.console.common.server.login.impl.jaas.JAASLoginManagerImpl.
I enabled SECURITY_OPTS in setenv.bat and added it to CATALINA_OPTS:

set SECURITY_OPTS="-Djava.security.auth.login.config=%CATALINA_HOME%\bonita\client\platform\conf\jaas-standard.cfg"

set CATALINA_OPTS=%CATALINA_OPTS% %SECURITY_OPTS% %BONITA_HO…

Lastly, I changed the login module in “BonitaBPMCommunity-6.2.5-Tomcat-6.0.37\bonita\client\platform\conf\jaas-standard.cfg”, but my login module is not loaded and the authentication system is still the default one.

I have checked that if I set a wrong class name for the LoginManager, the application crashes at the login page, but if I do the same for the loginModule class name nothing happens.

I have checked the source code of JAASLoginManagerImpl at “https://github.com/bonitasoft/bonita-web/blob/6.2.x/common/common-server/src/main/java/org/bonitasoft/console/common/server/login/impl/jaas/JAASLoginManagerImpl.java” and I saw that JAAS_AUTH_LOGIN_CONTEXT is built from the string “BonitaAuth” plus an underscore “_” and the tenant id, instead of the hyphen “-” that appears by default in jaas-standard.cfg. I changed it to “BonitaAuth_1” but still nothing happens.

Am I missing something? Is there any documentation for this configuration?

Thanks in advance, and sorry for my English.

I’m checking the LDAP configuration (not available for the Community edition) and I see that the JAAS configuration depends on the JAASAuthenticationServiceImpl class, which is only in the “com” package, so it’s not accessible from the Community edition.

I’m a bit disappointed; this configuration was available in the 5.X Community edition and now it seems to be limited to the private editions.

Hi Ruben,

The documentation for security setup on community has some gaps in it, mainly because security is a huge topic, and we might spend a long time trying to cover every possibility. So there may be a little bit of trial and error to get it working.

The default login class is ConsoleIdentityLoginModule - probably that was what was in your jaas-standard.cfg when you first set it up. This is the login module that checks credentials against the BonitaSoft database.

BonitaAuth_1 is the correct syntax for jaas-standard.cfg for those cases where the tenant is the default tenant, so assuming that you have not installed multiple tenants, that should work. You might also try BonitaAuthentication_1 (that was the name required in one version from a while back, and I don’t recall when it was updated in Community).

The first thing to try is a JAAS module without the “_1” - so your jaas-standard.cfg file should read:

BonitaAuth {
    org.mypackage.myLoginModule required;
};

If that doesn’t work, try the other BonitaAuth settings. Otherwise we will need to confirm that your loginModule is being loaded / referenced (did you create your own login module, or are you using one you got from Apache or someone else?)

-Declan

Hi Declan,
First, thanks for the reply.

Exactly, the default login module was ConsoleIdentityLoginModule and I changed it to the CAS login module (org.jasig.cas.client.jaas.CasLoginModule), but this class is never loaded. I can set a non-existing class and there is no ClassNotFoundException.

I tried all the login context names I could imagine:

BonitaAuthentication_1 {
    org.jasig.cas.client.jaas.CasLoginModule required
    [conf]
};
BonitaAuthentication-1…
BonitaAuthentication…
BonitaAuth_1…
BonitaAuth-1…
BonitaAuth…

I think that it could be a Tomcat realm configuration matter, but these lines in the documentation make me think that it is not possible to enable JAAS in the Community edition, because there is no JAASAuthenticationServiceImpl in the Community edition.

Default Bonita installation comes with an authentication service implementation based on Bonita database.
In order to activate Active Directory/LDAP authentication this service’s implementation needs to be changed.

To do so, edit this file
<BONITA_HOME>/server/tenants/<TENANT_ID>/conf/services/cfg-bonita-authentication-impl.xml

Replace AuthenticationServiceImpl by JAASAuthenticationServiceImpl

I’m afraid that I will need to implement my own AuthenticationService to enable JAAS authentication.
I will run some more tests.

Thank you again for your reply.

I have changed the bonita_home configured in the setenv file and the change was applied (so the script was loaded). But if I set a non-existing file in SECURITY_OPTS nothing happens.

I have checked the catalina and bonita logs and there are no warnings.

I have checked for any trailing space or extra line break at the end of the files, deleted them, and nothing has changed.

It seems that SECURITY_OPTS is not read, but I don’t know why.

Hi Yhon,

Thank you very much for your answer. As I had assumed, I have to implement my own GenericAuthenticationService.

Thank you again.

Hi Ruben,
The default authentication changed from version 5 to version 6. In version 5, JAAS is used as the authentication system.
In version 6, there is a new Authentication Service. This service can be implemented as you want.
In the Community edition, you will find one implementation using the Bonita database. A ready JAAS implementation is only available in the Subscription edition. However, a JAAS implementation can be developed for the Community edition as well and it will work.

You can make a copy of the existing implementation and create your own to work with JAAS. It will look like the following code:

import java.io.Serializable;
import java.util.Map;
// GenericAuthenticationService, IdentityService and TechnicalLoggerService come from the Bonita engine jars

public class JAASAuthenticationServiceImpl implements GenericAuthenticationService {

    private final IdentityService identityService;
    private final TechnicalLoggerService logger;

    // The constructor name must match the class name
    public JAASAuthenticationServiceImpl(final IdentityService identityService, final TechnicalLoggerService logger) {
        this.identityService = identityService;
        this.logger = logger;
    }

    @Override
    public String checkUserCredentials(final Map<String, Serializable> credentials) {
        // TODO: validate the credentials through JAAS and return the user name on success
        return null;
    }
}

Hope it helps.

Yhon
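A filled-in version of that skeleton, added here as an example and not code from Bonita or from this thread: it delegates checkUserCredentials to a JAAS LoginContext named after the jaas-standard.cfg entry, so whatever login module is configured there (CasLoginModule, an LDAP module, ...) does the actual check. The Bonita package paths, the credential map keys "username"/"password", the login context name "BonitaAuth_1" (default tenant) and "return null on failure" are assumptions; check them against the bonita-server jar of your bundle. Needs Java 8+ for the lambda.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
// Bonita package paths below are assumed; verify them against your bonita-server jar.
import org.bonitasoft.engine.authentication.GenericAuthenticationService;
import org.bonitasoft.engine.identity.IdentityService;
import org.bonitasoft.engine.log.technical.TechnicalLogSeverity;
import org.bonitasoft.engine.log.technical.TechnicalLoggerService;

public class JAASAuthenticationServiceImpl implements GenericAuthenticationService {
    // Must match the application name in jaas-standard.cfg (assumed: default tenant 1).
    private static final String LOGIN_CONTEXT = "BonitaAuth_1";
    // Assumed credential map keys; Bonita's AuthenticationConstants defines the real ones.
    private static final String USERNAME_KEY = "username", PASSWORD_KEY = "password";
    private final IdentityService identityService;
    private final TechnicalLoggerService logger;

    public JAASAuthenticationServiceImpl(final IdentityService identityService,
                                         final TechnicalLoggerService logger) {
        this.identityService = identityService;
        this.logger = logger;
    }

    @Override
    public String checkUserCredentials(final Map<String, Serializable> credentials) {
        final String userName = String.valueOf(credentials.get(USERNAME_KEY));
        final Serializable pwd = credentials.get(PASSWORD_KEY);
        final char[] password = pwd == null ? new char[0] : pwd.toString().toCharArray();
        try {
            // LoginContext resolves LOGIN_CONTEXT in the file named by
            // -Djava.security.auth.login.config and runs the module configured there.
            final LoginContext ctx = new LoginContext(LOGIN_CONTEXT, callbacks -> {
                for (final Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(userName);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            });
            ctx.login();
            ctx.logout();
            return userName; // non-null tells Bonita the credentials were accepted
        } catch (final LoginException e) {
            // Log the failure without the password (logger signature assumed).
            logger.log(getClass(), TechnicalLogSeverity.INFO, "JAAS login failed for " + userName);
            return null; // assumption: null signals rejected credentials to the caller
        } finally {
            Arrays.fill(password, '\0'); // do not leave the password in memory
        }
    }
}
```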

Ruben,

So for some reason, the authentication block is not being picked up - the fact that you’re not getting any ClassNotFound exceptions proves that. So there’s something wrong with one of the config files. I would say let’s look at the catalina log and the bonita log, because there might be a warning in there about a parameter not found.

As silly as it sounds, can you check for trailing spaces in the cfg and in the setenv script?
We can also try changing the setenv script to a file that does not exist, and see if the log picks up on it - just to confirm that the setenv script is being properly called.

If none of this works, I may have you mail me the config files and I will copy them onto an installation I have to try to get my set-up to find the auth configuration.

I’ve updated the loginModule config a number of times - mainly as part of the Subscription rather than the Community - but if you’re using CAS then it’s likely that the directory behind CAS is something you could interface to with one of the existing JAAS modules.

-declan
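A way to check, outside Tomcat, whether the JVM actually sees the jaas-standard.cfg entry and the login module class, added here as an example (not from the thread or from Bonita): run it with the same -Djava.security.auth.login.config value that setenv passes and with the login module jar on the class path. The candidate names are the ones tried above; the class name and file path come from the command line, so nothing here is Bonita-specific beyond those names.

```java
import java.util.Arrays;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Prints which login contexts the JVM's JAAS configuration defines and whether
 *  their login module classes can be loaded. Usage:
 *  java -Djava.security.auth.login.config=<path to jaas-standard.cfg> -cp <module jar>:. JaasConfigCheck [name...] */
public class JaasConfigCheck {
    // Names tried in the thread; used when no names are given on the command line.
    static final String[] CANDIDATES = { "BonitaAuth", "BonitaAuth_1", "BonitaAuth-1",
            "BonitaAuthentication", "BonitaAuthentication_1", "BonitaAuthentication-1" };

    public static void main(final String[] args) {
        System.out.println("java.security.auth.login.config = "
                + System.getProperty("java.security.auth.login.config"));
        final Configuration cfg;
        try {
            // Parses the file named by the property; a missing file or a syntax
            // error (e.g. a stray character after the closing brace) surfaces here.
            cfg = Configuration.getConfiguration();
        } catch (final SecurityException e) {
            System.out.println("JAAS configuration could not be loaded: " + e.getMessage());
            return;
        }
        final String[] names = args.length > 0 ? args : CANDIDATES;
        for (final String name : names) {
            final AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(name);
            if (entries == null) {
                System.out.println(name + ": not defined in this configuration");
                continue;
            }
            for (final AppConfigurationEntry entry : entries) {
                System.out.println(name + ": " + entry.getLoginModuleName() + " (" + entry.getControlFlag() + ")");
                // JAAS only loads the module class at login(), which is why a wrong class
                // name in the cfg gives no error at startup; check it explicitly here.
                try {
                    Class.forName(entry.getLoginModuleName());
                    System.out.println("    login module class found on the class path");
                } catch (final ClassNotFoundException e) {
                    System.out.println("    login module class NOT found on the class path");
                }
            }
        }
        System.out.println("checked: " + Arrays.toString(names));
    }
}
```

If "java.security.auth.login.config = null" is printed, the -D option never reached the JVM, which is the setenv/CATALINA_OPTS problem discussed above rather than a cfg problem.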

Can you cut and paste the setenv script here for me?
I just want to confirm that SECURITY_OPTS is making it onto CATALINA_OPTS properly.
thx,
-declan