Ldap security for JAMWiki

My last post was dedicated to using LDAP as the security back end for Jenkins-CI. Now I would like to present the process of enabling the same security for my favourite wiki implementation ... JAMWiki. This post refers to version 1.2.0. I believe it is a shame that this is not well documented. There is a commented-out section in the config XML (WEB-INF/applicationContext-security.xml), but it does not work out of the box as I had hoped, and modifying it is not an easy task for someone not familiar with Spring Security. That is why I wrote this post.

What I wanted to achieve was to connect JAMWiki's security (users and roles) to my LDAP, which was presented in my last post, since it is always easier to manage users in one place. This process is described on JAMWiki's web, but it is certainly not in a copy-paste form, and it took me quite some time to turn it into a working piece of configuration.

This is what you need to do: remove (or comment out) this whole section in the applicationContext-security.xml file. The section starts on line 74 and continues from there.

<authentication-manager alias="authenticationManager">
  <authentication-provider user-service-ref="jamWikiAuthenticationDao">
    <password-encoder ref="jamwikiPasswordEncoder" />
  </authentication-provider>
</authentication-manager>
<b:bean id="jamWikiAuthenticationDao" class="org.jamwiki.authentication.JAMWikiDaoImpl" />
<b:bean id="jamwikiPasswordEncoder" class="org.jamwiki.authentication.JAMWikiPasswordEncoder" />
<b:bean id="authenticationFailureHandler" class="org.jamwiki.authentication.JAMWikiAuthenticationFailureHandler">
  <!-- do not include virtual wiki in the url, JAMWikiAuthenticationFailureHandler adds it -->
  <b:property name="authenticationFailureUrl" value="/Special:Login?message=error.login" />
</b:bean>

and replace it with this:

<!-- the server definition sits outside the authentication-manager; the URL path is the base DN -->
<ldap-server id="ldapServer" url="ldap://10.0.0.10/dc=effy,dc=cz" port="389" />

<authentication-manager alias="authenticationManager">
  <!-- binds as uid={0},ou=people (relative to the base DN) and looks up groups whose member attribute holds the user's DN -->
  <ldap-authentication-provider server-ref="ldapServer" group-search-filter="member={0}" group-search-base="ou=wikigroups" user-dn-pattern="uid={0},ou=people" />
  <authentication-provider>
    <!-- user lookup for the wiki's user details, using a search instead of a DN pattern -->
    <ldap-user-service server-ref="ldapServer" group-search-filter="member={0}" group-search-base="ou=wikigroups" user-search-filter="uid={0}" user-search-base="ou=people" />
  </authentication-provider>
</authentication-manager>
<b:bean id="authenticationFailureHandler" class="org.jamwiki.authentication.JAMWikiAuthenticationFailureHandler">
  <b:property name="authenticationFailureUrl" value="/Special:Login?message=error.login" />
</b:bean>

You of course need to replace my settings with yours, notably: url, port, group-search-base, user-search-base and the filters. The most important thing is the placement of authentication-manager and ldap-authentication-provider, as well as the placement of the ldap-server tag, which sits outside those tags. I have changed the location of the groups since the last post, but that is just work in progress. You can also note that I am using anonymous LDAP access, because I do not think the wiki needs to know my LDAP admin account when it only performs read operations. If you do not want to use anonymous access, you just add the admin credentials:

<ldap-server id="ldapServer" url="ldap://10.0.0.10/dc=effy,dc=cz" port="389" manager-dn="cn=admin,dc=mycompany,dc=de" manager-password="mypasswd"/>

Roles

All the roles are described on JAMWiki's web. I have entered them into LDAP in upper case (ADMIN, VIEW, etc.) and it works. These roles are created exactly like the roles in my Jenkins post.
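To see what the attributes above actually do at login time, here is a small model of the placeholder expansion, added to this post as an example (it is not code from JAMWiki or Spring Security). It takes the ldap-server URL, user-dn-pattern, group-search-base and group-search-filter from the XML above, expands the {0} placeholder for a login name the way the provider does (the user's full DN goes into the group filter), escapes the value per the DN and filter syntax rules so that an odd login name cannot change the shape of the query, and then evaluates the group search against a constructed in-memory directory. The mapping of a group's cn to a role assumes Spring Security's defaults of prefixing ROLE_ and upper-casing, since the XML sets no role-prefix; the users jdoe and asmith and the group entries are constructed sample data, while dc=effy,dc=cz, ou=people and ou=wikigroups are the values from the post.

```python
"""Model of how the Spring Security LDAP attributes in the JAMWiki config
expand for a given login name. Added example, not project code.

Useful for checking by hand (e.g. with ldapsearch against the real server)
that the DN pattern and group filter resolve as expected before the XML
goes live. Directory names are from the post; users and groups are
constructed sample data.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Attribute values taken from the <ldap-server> / provider elements above.
CONFIG: Dict[str, str] = {
    "url": "ldap://10.0.0.10/dc=effy,dc=cz",
    "user-dn-pattern": "uid={0},ou=people",
    "group-search-base": "ou=wikigroups",
    "group-search-filter": "member={0}",
}

# Constructed sample directory: group DN -> member DNs (groupOfNames style).
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "cn=ADMIN,ou=wikigroups,dc=effy,dc=cz": ["uid=jdoe,ou=people,dc=effy,dc=cz"],
    "cn=VIEW,ou=wikigroups,dc=effy,dc=cz": [
        "uid=jdoe,ou=people,dc=effy,dc=cz",
        "uid=asmith,ou=people,dc=effy,dc=cz",
    ],
}


def base_dn(url: str) -> str:
    """The base DN is the path component of the ldap:// URL."""
    return urlparse(url).path.lstrip("/")


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value embedded in a DN."""
    specials = ',+"\\<>;='
    out = "".join("\\" + c if c in specials else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(c, c) for c in value)


def user_dn(login: str, cfg: Dict[str, str] = CONFIG) -> str:
    """Expand user-dn-pattern: this is the DN the provider binds as."""
    rdn = cfg["user-dn-pattern"].replace("{0}", escape_dn_value(login))
    return f"{rdn},{base_dn(cfg['url'])}"


def group_search(login: str, cfg: Dict[str, str] = CONFIG) -> Tuple[str, str]:
    """Return (search base, filter) used to find the user's groups.
    In the group filter {0} stands for the user's full DN."""
    base = f"{cfg['group-search-base']},{base_dn(cfg['url'])}"
    value = escape_filter_value(user_dn(login, cfg))
    filt = "(" + cfg["group-search-filter"].replace("{0}", value) + ")"
    return base, filt


def roles_for(login: str,
              groups: Dict[str, List[str]] = SAMPLE_GROUPS,
              cfg: Dict[str, str] = CONFIG) -> List[str]:
    """Evaluate the group search against the constructed directory and map
    each matching group's cn to a role. ROLE_ prefix plus upper-casing
    mirrors Spring Security's defaults (assumption: no role-prefix set)."""
    base, _ = group_search(login, cfg)
    member = user_dn(login, cfg)
    roles = []
    for dn, members in groups.items():
        if dn.endswith("," + base) and member in members:
            cn = dn.split(",", 1)[0].split("=", 1)[1]
            roles.append("ROLE_" + cn.upper())
    return sorted(roles)


if __name__ == "__main__":
    for name in ("jdoe", "asmith", "nobody"):
        print(name, user_dn(name), group_search(name)[1], roles_for(name))
```

The printed filter for a user is exactly what you would paste into an ldapsearch against ou=wikigroups,dc=effy,dc=cz (with an anonymous bind, as the post's setup uses) to confirm the directory returns the groups you expect; if that search comes back empty, the wiki will log the user in with no roles, which is usually the first thing to check when a mapping "does not work".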

Limitations

1) You will not be able to modify or add users through the wiki's interface. Or more precisely (and sadly) ... you will, it just won't affect the LDAP, only the wiki's database, which is then no longer used for user authorization and authentication.

2) The same applies to the roles.

I believe that the only working configuration of roles is the one dealing with GROUP_ANONYMOUS.

Conclusion

Configuring JAMWiki to use LDAP as the security back end is really easy when you have the proper XML. But it severely limits the wiki's ability to manage users and roles. I do not think that is a bad thing, but it is certainly something you need to reckon with.
I do like it, and I will keep my users managed in LDAP instead of the wiki's internal database.

Comments

  1. Thank you for the good article.
    I have never heard before about this approach. As far as I understand, this all is about cyber security which is a need for business today. The purpose is similar to the one used by virtual data room service providers, to provide highly-protected repositories for business data.

