Drools-guvnor manage access part-2

Using lightweight container Tomcat and Mysql server – Configuring drools-guvnor JAAS authentication module

Prerequisites: Drools Guvnor 5.3 deployed in Apache Tomcat 6, running with MySQL 5 and JDK version 1.6.

0 – Deploy the guvnor application with the context name drools-guvnor. At this point all users are guests, so go to the administration panel and set authorizations for the user admin, or create another user with authorizations. Then stop the server; we are going to enable JAAS database authentication.

1 – Create authdb schema with guvnorusers table in mysql database.

CREATE TABLE guvnorusers (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) DEFAULT NULL,
  `password` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
);
-- Sample account; this schema stores the password as plain text.
INSERT INTO guvnorusers (id, username, password) VALUES (1, 'admin', 'admin');

2 – Build a custom loginModule
Here you can find the Maven source project for the custom login module: drools login project sources
Just compile it and build a Maven jar artifact.

3 – In %TOMCAT_HOME%/lib
Copy the loginModule exported jar file and the mysql connector jar.

4 – In %TOMCAT_HOME%/conf/context.xml, we add a resource declaration

<Resource name="jdbc/URDroolsDS" auth="Container"
	type="javax.sql.DataSource" driverClassName="com.mysql.jdbc.Driver"
	url="jdbc:mysql://yourserveradress:3306/authdb" username="dbuser"
	password="dbuserpassword" maxActive="20" maxIdle="10" maxWait="-1" />

5 – Update %TOMCAT_HOME%/webapps/drools-guvnor/WEB-INF/components.xml
to configure our repository to use external database and security settings

<security:identity authenticate-method="#{authenticator.authenticate}"
     jaas-config-name="drools-guvnor"/>

<security:role-based-permission-resolver
     enable-role-based-authorization="true"/>

6 – Update %TOMCAT_HOME%/conf/server.xml to add a Realm declaration

<Realm className="org.apache.catalina.realm.LockOutRealm">
...
<Realm appName="drools-guvnor"
  className="com.test.droolsproto.loginmodule.realm.DroolsJaasRealm"
  dataSourceName="jdbc/URDroolsDS" localDataSource="true"/>
...
</Realm>

7 – Create a file named jaasConfig in %TOMCAT_HOME%/conf with this content:
drools-guvnor{
com.test.droolsproto.loginmodule.DroolsLoginModule
required debug=true;
};

8 – Before running Tomcat, create a setenv.sh file in %TOMCAT_HOME%/bin if you are running on Linux, or setenv.bat on Windows, with this content (working on Linux):

JAVA_OPTS="-Xms128m -Xmx256m -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaasConfig"
export JAVA_OPTS

Now it’s time to restart your guvnor server and check authentication!
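
The files edited in steps 4 to 8 have to agree on the JAAS entry name, and context.xml now holds the database password. The shell function below is an added example, not part of the original post: check_jaas_wiring and make_sample_home are hypothetical names, the sample tree is constructed, and it assumes DroolsJaasRealm reads appName as the JAAS entry name the way Tomcat's own JAASRealm does.

```shell
#!/bin/sh
# Added example: consistency check for the JAAS wiring from steps 4-8.
# Prints one finding per line; returns 1 if any finding was printed.
check_jaas_wiring() {
  home=$1; rc=0
  app="$home/webapps/drools-guvnor/WEB-INF/components.xml"
  # Entry name = token before "{" in conf/jaasConfig (step 7).
  entry=$(sed -n 's/^[[:space:]]*\([A-Za-z0-9._-]\{1,\}\)[[:space:]]*{.*/\1/p' \
            "$home/conf/jaasConfig" 2>/dev/null | head -n 1)
  seam=$(sed -n 's/.*jaas-config-name="\([^"]*\)".*/\1/p' "$app" 2>/dev/null | head -n 1)
  realm=$(sed -n 's/.*appName="\([^"]*\)".*/\1/p' "$home/conf/server.xml" 2>/dev/null | head -n 1)
  if [ -z "$entry" ]; then
    echo "jaasConfig: no login entry found"; rc=1
  fi
  if [ "$seam" != "$entry" ]; then
    echo "components.xml: jaas-config-name '$seam' != jaasConfig entry '$entry'"; rc=1
  fi
  if [ "$realm" != "$entry" ]; then
    echo "server.xml: Realm appName '$realm' != jaasConfig entry '$entry'"; rc=1
  fi
  # Step 8: this system property is what points the JVM at conf/jaasConfig.
  if ! grep -q 'java\.security\.auth\.login\.config=' "$home/bin/setenv.sh" 2>/dev/null; then
    echo "setenv.sh: java.security.auth.login.config is not set"; rc=1
  fi
  # Step 4: context.xml holds the DataSource password in clear text.
  if [ -n "$(find "$home/conf/context.xml" -perm -004 2>/dev/null)" ]; then
    echo "context.xml: readable by other users, contains the DataSource password"; rc=1
  fi
  return $rc
}

# Constructed sample tree that mirrors the page's file names (for a dry run).
make_sample_home() {
  d=$(mktemp -d)
  mkdir -p "$d/conf" "$d/bin" "$d/webapps/drools-guvnor/WEB-INF"
  printf 'drools-guvnor{\ncom.test.droolsproto.loginmodule.DroolsLoginModule\nrequired debug=true;\n};\n' > "$d/conf/jaasConfig"
  printf '<security:identity jaas-config-name="drools-guvnor"/>\n' > "$d/webapps/drools-guvnor/WEB-INF/components.xml"
  printf '<Realm appName="drools-guvnor" dataSourceName="jdbc/URDroolsDS"/>\n' > "$d/conf/server.xml"
  printf 'JAVA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaasConfig"\n' > "$d/bin/setenv.sh"
  printf '<Resource name="jdbc/URDroolsDS" password="dbuserpassword"/>\n' > "$d/conf/context.xml"
  chmod 640 "$d/conf/context.xml"
  echo "$d"
}
```

Run it as check_jaas_wiring "$CATALINA_HOME" before the restart; an empty result means the three names agree and context.xml is not world-readable.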

Drools-guvnor manage access – part 1

Externalizing business or technical rules is very important for scalable applications, but access to the BRMS service should be managed. Guvnor provides control over UI access and operations using role-based authorizations.

There are several permission types, as listed in the drools-guvnor reference manual.
Admin with all permissions.
Analyst or Analyst read-only: analyst permissions for a specific category.
Package admin, Package developer or Package read-only: package permissions for a specific package.

– Enable user authentication control by updating the file components.xml located in the server's deployed folder

...
<component name="org.jboss.seam.security.roleBasedPermissionResolver">
      <property name="enableRoleBasedAuthorization">false</property>
</component>
<!-- change false to true -->
...

Access control configuration for Guvnor embedded in a JBoss server:

Stop the guvnor server if it was started in guest mode and enable role-based authorization.

Add the drools-guvnor access policy to the file login-config.xml located in server/default/conf

<application-policy name="drools-guvnor">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/drools-guvnor-users.properties</module-option>
      <module-option name="rolesProperties">props/drools-guvnor-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

Create properties files for users and roles with respective contents:

# A roles.properties file for UsersRolesLoginModule (drools-guvnor-roles.properties)
superuser=admin
packuser=package.admin
rulesviewer=package.readonly

# A users.properties file for UsersRolesLoginModule (drools-guvnor-users.properties)
rulesviewer=drools
packuser=proto
superuser=admin

Restart the JBoss guvnor server and log into the web interface using the created accounts.

Drools – Guvnor: Spring integration

Using Spring 2.5, Drools-guvnor 5.0

Download the Drools Guvnor standalone version here: jboss-drools-guvnor

Spring configuration:
– bean rulesAgent is for communication between our application and guvnor,
the Drools platform BRMS.
– bean droolsService uses rulesAgent to provide the needed service.

<bean id="rulesAgent" class="com.test.droolsproto.utils.DroolsProtoAgent"></bean>
<bean id="droolsService" class="com.test.droolsproto.serviceImpl.RuleDroolServiceImpl">
<property name="ruleAgent" ref="rulesAgent"></property>
</bean>

Create the file “brmsdeployedrules.properties” for the ruleAgent:
This file holds the URL of a running instance of guvnor. The package “com.test.droolsproto.rules” is an existing rules package in guvnor. DroolsDemo at the end of the package value is the name of the snapshot. A snapshot in guvnor represents an image of a rule package at a specific time.

newInstance=true
url=http://localhost:8080/drools-guvnor/org.drools.guvnor.Guvnor/
package= com.test.droolsproto.rules/DroolsDemo
poll=30
name=droolsconfig

In the web project add the Drools libraries (drools-api-5.0.1, drools-core-5.0.1) and create the DroolsProtoAgent class:

package com.test.droolsproto.utils;

import org.drools.RuleBase;
import org.drools.StatefulSession;
import org.drools.agent.RuleAgent;

public class DroolsProtoAgent {
   private RuleBase rulebase;
   private StatefulSession session;

   private DroolsProtoAgent(){
   }

   // Lazily builds the rule base from the guvnor snapshot described in
   // brmsdeployedrules.properties and caches it in the field, so that
   // later calls do not create another RuleAgent.
   public RuleBase getRulebase() {
    if (rulebase == null) {
       RuleAgent agent = RuleAgent.newRuleAgent( "/brmsdeployedrules.properties" );
       rulebase = agent.getRuleBase();
    }
    return rulebase;
  }

  public void setRulebase(RuleBase rulebase) {
    this.rulebase = rulebase;
  }

  public void setSession(StatefulSession session) {
    this.session = session;
  }

  // Opens a new stateful session on every call; the caller disposes of it.
  public StatefulSession getSession() {
    session = getRulebase().newStatefulSession();
    return session;
  }
}

Create a drools service:

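package com.test.droolsproto.serviceImpl;

import org.drools.StatefulSession;
import org.springframework.beans.factory.annotation.Autowired;

import com.test.droolsproto.utils.DroolsProtoAgent;

// RuleDroolsService and ValueObject are the project's own types.
public class RuleDroolServiceImpl implements RuleDroolsService {

   @Autowired
   private DroolsProtoAgent ruleAgent;

   @Override
   public String applyRule(ValueObject a, ValueObject b){

   StatefulSession ksession = null;
   try {
     // Load knowledge base session
     ksession = ruleAgent.getSession();
     ksession.startProcess("droolsProcess"); //Start a predefined process in guvnor

     // Insert VO as Fact
     ksession.insert(a);
     ksession.insert(b);

     ksession.fireAllRules(); //Apply rules
     return "success or specific guvnor response";
   } catch (Throwable t) {
     t.printStackTrace();
     return "failure";
   } finally {
     // Release the session so that its facts do not stay in memory
     if (ksession != null) {
       ksession.dispose();
     }
   }
  }

  public DroolsProtoAgent getRuleAgent() {
   return ruleAgent;
  }

  public void setRuleAgent(DroolsProtoAgent ruleAgent) {
   this.ruleAgent = ruleAgent;
  }
}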

Drools integration is complete.