Saturday, March 8, 2014

Hawtio authentication with LDAP on Tomcat 7

Motivation


Larger organizations usually grant access to applications via directory servers such as Active Directory or OpenLDAP. This document describes how such directory-based authentication can be set up for the Hawtio web application.

This article is part I of a series covering three scenarios:
  • Hawtio deployed on Tomcat 7
  • Hawtio deployed on JBoss Fuse
  • Hawtio deployed on JBoss EAP


Hawtio authentication with LDAP on Tomcat 7


This section shows how to set up LDAP authentication for Hawtio on Tomcat. For this purpose we will
  • Install Tomcat 7 (part of EWS 2.0.1)
  • Configure LDAP authentication on Tomcat 7
  • Install Apache Directory Server
  • Deploy Hawtio on Tomcat 7
The steps are described in more detail in the following sub-sections.


Install Tomcat 7

  • Unzip the EWS 2.0.1 distribution
    unzip jboss-ews-application-servers-2.0.1-1-RHEL6-x86_64.zip
  • Create jboss-ews-2.0/tomcat7/bin/setenv.sh with the following content
    JAVA_OPTS="${JAVA_OPTS} -Djava.security.auth.login.config=${CATALINA_HOME}/conf/jaas.config \
               -Dhawtio.authenticationEnabled=true -Dhawtio.realm=hawtio -Dhawtio.role=admins \
               -Dhawtio.rolePrincipalClasses=com.sun.security.auth.UserPrincipal"

Configure LDAP authentication on Tomcat 7

  • Create jboss-ews-2.0/tomcat7/conf/jaas.config
    hawtio {
       com.sun.security.auth.module.LdapLoginModule REQUIRED
       userProvider="ldap://localhost:10389/ou=people,dc=example,dc=com"
       bindPrincipal="uid=admin,ou=system"
       bindCredentials="secret"
       bindAuthenticationType="simple"
       userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
       authzIdentity="{OU}"
       useSSL=false
       debug=true;
    };
  • In jboss-ews-2.0/tomcat7/conf/server.xml insert the following into the Host section (after the Valve element)
    <Context path="/hawtio-default-1.2.2" crossContext="true">
      <Realm className="org.apache.catalina.realm.JAASRealm" appName="hawtio"/>
    </Context>


Install Apache Directory Server

  • Install Apache Directory Studio in Eclipse (more info at http://directory.apache.org/studio/). I have used JBDS 7.1 for this purpose.
  • Create an Apache DS instance
    • Open the LDAP perspective
    • Create a new LDAP server of type "ApacheDS 2.0.0"
    • Create a new Connection
      • Assign port 10389
      • Specify bind user/password as uid=admin,ou=system/secret
    • Import schema
      • Open the connection with the bind user/password uid=admin,ou=system/secret
      • Do a right-click on "Root DSE" and choose Import / LDIF Import
      • Import the example LDIF file you can download here

Deploy Hawtio on Tomcat 7

  • Download Hawtio hawtio-default-1.2.2.war from here
  • Copy hawtio-default-1.2.2.war to jboss-ews-2.0/tomcat7/webapps/
  • Start up Tomcat by executing
    jboss-ews-2.0/tomcat7/bin/startup.sh
    tail -f jboss-ews-2.0/tomcat7/logs/catalina.out

  • Log in with admin/hawtorwhat. This should succeed, and the following output appears in catalina.out:
    [LdapLoginModule] search-first mode; SSL disabled
    [LdapLoginModule] user provider: ldap://localhost:10389/ou=people,dc=example,dc=com
    [LdapLoginModule] searching for entry belonging to user: admin
    [LdapLoginModule] found entry: uid=admin,ou=people,dc=example,dc=com
    [LdapLoginModule] attempting to authenticate user: admin
    [LdapLoginModule] authentication succeeded
    [LdapLoginModule] added LdapPrincipal "uid=admin,ou=people,dc=example,dc=com" to Subject
    [LdapLoginModule] added UserPrincipal "admin" to Subject
    [LdapLoginModule] added UserPrincipal "admins" to Subject

  • Log out and try to log in with johndoe/notsohawt. This should fail: the LDAP bind itself succeeds, but the only role principal added is "programmers", which does not match hawtio.role=admins, so Hawtio rejects the login. This output appears in catalina.out:
    [LdapLoginModule] search-first mode; SSL disabled
    [LdapLoginModule] user provider: ldap://localhost:10389/ou=people,dc=example,dc=com
    [LdapLoginModule] searching for entry belonging to user: johndoe
    [LdapLoginModule] found entry: uid=johndoe,ou=people,dc=example,dc=com
    [LdapLoginModule] attempting to authenticate user: johndoe
    [LdapLoginModule] authentication succeeded
    [LdapLoginModule] added LdapPrincipal "uid=johndoe,ou=people,dc=example,dc=com" to Subject
    [LdapLoginModule] added UserPrincipal "johndoe" to Subject
    [LdapLoginModule] added UserPrincipal "programmers" to Subject
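To make the difference between the two traces concrete, here is an added example (not Hawtio's own code) that parses LdapLoginModule debug lines and applies the same rule Hawtio applies with the setenv.sh settings above: a successful bind is not enough, a principal of the configured rolePrincipalClasses must carry the name given in hawtio.role. It assumes the simple class name printed in the log stands in for the fully qualified com.sun.security.auth.UserPrincipal, and uses a trimmed copy of the two catalina.out excerpts as constructed sample input.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Settings from setenv.sh above: hawtio.role and the (simple) name of hawtio.rolePrincipalClasses.
HAWTIO_ROLE = "admins"
ROLE_PRINCIPAL_CLASSES = {"UserPrincipal"}
PRINCIPAL_RE = re.compile(r'\[LdapLoginModule\] added (\w+) "([^"]*)" to Subject$')
AUTH_USER_PREFIX = "[LdapLoginModule] attempting to authenticate user: "

@dataclass
class LoginAttempt:
    user: Optional[str] = None
    authenticated: bool = False
    principals: List[Tuple[str, str]] = field(default_factory=list)  # (class, name)

def parse_login(lines: List[str]) -> LoginAttempt:
    """Collect the outcome of one LdapLoginModule debug trace."""
    attempt = LoginAttempt()
    for raw in lines:
        line = raw.strip()
        if line.startswith(AUTH_USER_PREFIX):
            attempt.user = line[len(AUTH_USER_PREFIX):]
        elif line == "[LdapLoginModule] authentication succeeded":
            attempt.authenticated = True
        elif (m := PRINCIPAL_RE.match(line)):
            attempt.principals.append((m.group(1), m.group(2)))
    return attempt

def decide(lines, role=HAWTIO_ROLE, role_classes=ROLE_PRINCIPAL_CLASSES):
    """Emulate Hawtio's check: the bind must succeed AND a role-class principal must equal the role."""
    a = parse_login(lines)
    if not a.authenticated:
        return a.user, "denied: LDAP authentication failed"
    # The username itself is also added as a UserPrincipal, so a uid equal to the role
    # name would pass this test as well; keep role names distinct from user ids.
    if not any(cls in role_classes and name == role for cls, name in a.principals):
        return a.user, "denied: no role principal named " + role
    return a.user, "allowed"

# Constructed sample input: the two catalina.out excerpts above, trimmed to the decisive lines.
ADMIN_LOG = """[LdapLoginModule] attempting to authenticate user: admin
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added UserPrincipal "admin" to Subject
[LdapLoginModule] added UserPrincipal "admins" to Subject""".splitlines()
JOHNDOE_LOG = """[LdapLoginModule] attempting to authenticate user: johndoe
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added UserPrincipal "johndoe" to Subject
[LdapLoginModule] added UserPrincipal "programmers" to Subject""".splitlines()
```

Running decide() over a trace copied from catalina.out tells you whether a denied login was a bad password (no "authentication succeeded" line) or a missing role, which is the first thing to check when a directory user cannot get into Hawtio.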