Pivotal Knowledge Base

Follow

PULSE Authentication with LDAP

Applies To
GemFire PULSE 7.X - 8.X

Purpose
The current PULSE version requires customers to modify their LDAP structure to allow users to login and manage the distributed system. As described in the user guide, every user that needs be able to login in PULSE should be part of the group "PULSEUSER".
Even when an internal feature request has been already opened for this, in some cases the customers are resilient to wait and want to be able to achieve this functionality right away, without (of course) needing to change their structure to make the required users part of the PULSEUSER group.
This article provides the required steps to achieve this requirement.

Description
The goal is to allow users from multiple groups (and outside of the PULSEUSER group) to use the PULSE application. Keep in mind that the approach works and has been tested, but it is still a workaround and it implies messing around with the pulse configuration files, so be careful when suggesting this to customers.

PULSE implements user authentication and authorization using the spring security framework, so you should have an understanding of the framework before proceeding with the custom implementation.

The files that will be changed are "spring-security.xml" (shipped with the product in the folder "WEB-INF/classes" of the PULSE war application after it has been deployed to the web application server) and "pulse-authentication-custom.xml", defined by the customer following the user guide on how to use LDAP authentication with pulse.

For sake of simplicity, let's suppose that we want only users from the "Admin" and "Alien" groups from the Justice League to access PULSE.

At this point our internal LDAP structure is as follows (only bdiaz is part of the Admin group, and only ckent is part of the Alien group):

 

pulse-authentication-custom.xml
This file contains the configuration used by spring-security to authenticate and authorize users. First of all, we'll need to change the attribute "group-search-base" of the element "ldap-authentication-provider". This attributes defines the part of the directory tree under which group searches should be performed. By default the authority names generated by spring-security will have the prefix ROLE_ prepended to the group name, and that's we are going to use afterwards. Moreover, the first element also contains the configuration for our ldap server. Since all of our groups are under "ou=groups" and all of our users are under "ou=users", the resulting element changes will be like the following:

<ldap-server url="ldap://localhost:10389/dc=justiceleague,dc=com"/>

<ldap-authentication-provider user-dn-pattern="uid={0},ou=users" group-search-base="ou=groups" group-search-filter="uniqueMember={0}"/>

spring-security.xml

This file contains, among a lot of other things, the security interceptors used by spring to authenticate and authorize users. These interceptors have the url pattern to which are applied and the list of roles that can access the specific url. We'll need to change specifically the interceptors configured for patterns "/*.html" and "/pulse/*" that are, long story short, all of the secured pages included in the application. By default the list of roles configured are "ROLE_USER,ROLE_GEMFIRETESTING,ROLE_PULSEUSER", so we'll need to add all of the ldap groups that we want to allow. By default, the implementation of the LDAP Authentication Provider in Spring Security converts the resulting authorities to upper case and the comparison between these authorities and the configured ones is done using the actual case of the strings, so we must always configure the roles in upper case. Since we want users from "Admin" and "Alien" group to be able to use PULSE, the resulting element will be like the following ():

<intercept-url pattern="/*.html" access="ROLE_ADMIN,ROLE_ALIEN"/>
<intercept-url pattern="/pulse/*" access="ROLE_ADMIN,ROLE_ALIEN"/>

After changing this configuration, only "Bruno Diaz" and "Clark Kent" will be able to login into PULSE.
Below are the required steps to enable full logging for spring-security framework in Tomcat, which can be really useful for diagnosing purposes.
1 - Open the file "logging.properties", found in the "conf" folder under the directory where Tomcat is installed.
2 - Add the "org.springframework.security.level=FINE" to the bottom of the file.
3 - Restart Tomcat.

 

Comments

Powered by Zendesk