Jboss Global Module Slot
This week I spent some time tasting the recently launched JBoss BPM Suite 6. BPM is certainly a field I enjoy working with and for a long time I’ve been missing an enterprise supported solution from Red Hat on this. Now it’s finally out there.
- Jboss Global Module Slot Lock
- Jboss Global Module Slot Key
- Jboss Global Module Slots
- Jboss Global Module Slot Programming
The command we will use is 'module' and you need to provide three arguments: the module name, the resources (JAR files) and the dependencies used. Optionally you can add a module slot, in case your module uses several different implementations. Here's the script for creating a MySQL module (line 1) + driver (line 2) + data source (line 3). Rajendrapopuri October 28th, 2016 on 6:10 pm. Hi Jay, How to load application properties files in JBoss instances at run time? Currently I created a module under modules folder and placed application configuration properties folders in that folder. The slot attribute is for specifying the version of the module you want to include, it defaults to main when not specified. Hi @JamesR.Perkins, I did three setting firstable. Only jboss-deployment-structure.xml with call modules inside deployment tag. Only jboss-deployment-structure.xml with call modules inside sub-deployment tag that is j-d-s.xml that I did post and third any of previous setting plus global-modules declare.
JBoss BPMS is collection of some great open source projects (such as jBPM and Drools) with some additions from Red Hat and the enterprise support. It’s said to be deployed on any Java EE6 container but it have an out-of-the-box integration with JBoss EAP 6 (off course) and that’s the bundle I’ve been playing with (standalone mode). For instructions on installing it simply follow the Installation Guide, it’s quite strait forward. Now let’s finally get into this post topic…
The company I work for uses Windows Active Directory and everybody, even the Mac users as myself, log into their machines using directory accounts. So it not only makes sense but it is a requirement that every system we deploy for internal users authenticates against the AD. JBoss BPMS adopts the RBAC approach for authorization and since the users’ roles are also defined on company’s AD one of the very first things I had to check was the integration with Windows Active Directory.
I’ve learned that the default roles for JBoss BPMS are “admin”, “developer”, “analyst”, “user” and “manager” and it is even possible to change the role names if needed, specially if they conflicts to existing ones on AD (see Eric D. Schabell post on this). This was not my case. However, the AD roles I created for my tests had to be different. They had a “bpm_” prefix and I rather not change the JBoss BPM default role names. The solution was simple as JBoss EAP has a built in security module capable of authenticating against AD using LDAP. This module can also map AD roles to the names used by JBoss BPM. These are the steps I followed:
1- Create an ldap roles properties file
A role properties file will be used by the security domain to map the AD user roles to role names used by the application. It will add or replace the user roles found on the LDAP search based on these properties. Create a file called “jbpm-roles.properties” inside the $JBOSS_HOME/standalone/configuration folder with the following content:
The properties names are the AD user roles and the values are the new roles to be assigned to the user.
2- Setup an LDAP security domain on JBoss EAP
This can be accomplished both editing the server’s configuration file or using the CLI tool.
Editing the server’s configuration file:
This method follows the instructions posted on MiddlewareMagic website with a few adaptations for Windows AD. Since I am on standalone mode I’ve opened $JBOSS_HOME/standalone/configuration/standalone.xml file on a text edito, searched for the security subsystem (<subsystem xmlns=”urn:jboss:domain:security:1.2″>) and added a new security domain:
A very important thing to notice on this configuration is that the “bindDn” option should be set with the user principal name (UPN) in the format user@DNS-domain-name when using Windows Active Directory 2008/2012. Another important option is the “rolesProperties” which defines the location of the file created on the previous step.
According to MiddlewareMagic:
Jboss Global Module Slot Lock
“‘org.jboss.security.auth.spi.LdapExtLoginModule’ requires ‘com.sun.jndi.ldap.LdapCtxFactory’ class, so we need to make sure that we add the global module (…) so that the Jar which contains the above class will be added in the classpath”
Search for the “ee” subsystem (<subsystem xmlns=”urn:jboss:domain:ee:1.1″>) and add the following inside:
If your server was running while you were doing those configurations, restart the server.
Using a CLI script:
This method will produce the same as editing the servers configuration file and is specially useful if you’re running JBoss in domain mode and in clustered environments. Save a file named “ldap_security_domain.cli” somewhere on server’s filesystem with the following content:
Now execute it using the following command:
3- Configure JBoss BPM to use the ldap security domain
Yo’ll now need to tell JBoss BPM applications to use the ldap security domain. You’ll need to do it for both the Business Central and the DashBuilder applications. Open the files “$JBOSS_HOME/standalone/deployments/business-central.war/WEB-INF/jboss-web.xml” and “$JBOSS_HOME/standalone/deployments/dashbuilder.war/WEB-INF/jboss-web.xml” and edit the following line:
You’ll need to redeploy the application so these changes become effective. I found easier to do it through the CLI:
4- Tracing errors
Jboss Global Module Slot Key
If you’re facing any problem you can enable tracing for JBoss Security and check the $JBOSS_HOME/standalone/log/server.log file for details. If you have used the CLI script I posted above, the trace should be already enabled. Otherwise, search for the logging subsystem (<subsystem xmlns=”urn:jboss:domain:logging:1.2″>) on the $JBOSS_HOME/standalone/configuration/standalone.xml file and add the following logging category:
Jboss Global Module Slots
Jboss Global Module Slot Programming
You should now be able to log into the Business Central and DashBuilder managing user roles through Windows AD without having to change the JBoss BPM default role names.