JasperServer user authentication with Microsoft Active Directory

I was appointed to evaluate JasperServer last week and I have to say that I’m really pleased with this Open Source reporting server, especially from my developer’s point of view, because it’s fully integrated with the iReport IDE, which I had previously used to design the JasperReports that I embed in my Java Swing applications.

One of the requirements was that the product could be integrated with a Microsoft Active Directory infrastructure, so our systems administration team could set up and maintain the server quickly and easily. Although the user guide of my version (community project, release 4.1) referred to an “External Authentication Cookbook”, I could only find an older version on the Internet (release 3.5) and there are some differences, so I’d like to write about my findings so that you don’t have to spend a morning configuring a simple test environment.

First of all, edit the <application-server-path>/jasperserver/WEB-INF/applicationContext-security.xml config file (in my case C:\Program Files\jasperreports-server-cp-4.2.1\apache-tomcat\webapps\jasperserver\WEB-INF\applicationContext-security.xml), locate the bean authenticationManager and uncomment the line <ref local="ldapAuthenticationProvider"/>, so your system will search for users in Active Directory first.

The next step is to find the bean ldapContextSource, uncomment its lines and point it to one of your domain controllers, using the credentials of a user that can read the directory. Here is an example:

<bean id="ldapContextSource">
   <constructor-arg value="ldap://dc01.test.local:389/dc=test,dc=local"/>
   <property name="userDn">
      <value>CN=administrator,CN=Users,DC=test,DC=local</value>
   </property>
   <property name="password">
      <value>p@ssw9rd</value>
   </property>
</bean>

The next bean to configure is userSearch: replace the default filter constructor argument (uid={0}) with (sAMAccountName={0}) and set the root DN under which your user accounts live:

<bean id="userSearch">
  <constructor-arg index="0">
    <value>OU=USERS_OU</value>
  </constructor-arg>
  <constructor-arg index="1">
    <value>(sAMAccountName={0})</value>
  </constructor-arg>
  <constructor-arg index="2">
    <ref local="ldapContextSource" />
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>

The last step is to change some values in the ldapAuthenticationProvider configuration. Here is an excerpt of the one running on my test server, so you can compare it with yours:

<bean id="ldapAuthenticationProvider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
      <property name="userSearch"><ref local="userSearch"/></property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
      <constructor-arg index="1"><value>OU=GROUPS_OU</value></constructor-arg>
      <property name="groupRoleAttribute"><value>CN</value></property>
      <!--property name="groupSearchFilter"><value>((member={1})(CN=*))</value></property-->
      <property name="searchSubtree"><value>true</value></property>
    </bean>
  </constructor-arg>
</bean>

Finally, I’d like to point out that it is not a good idea to have your Active Directory passwords travelling as clear text over the insecure HTTP protocol, so you should change the default security constraints to require HTTPS, enabling SSL in the <application-server-path>/jasperserver/WEB-INF/web.xml file. Please review the Apache Tomcat documentation to enable HTTPS, taking into account that the Tomcat server bundled with JasperServer uses APR.
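The excerpts above bind with the built-in administrator account over ldap:// on port 389, and BindAuthenticator verifies each login with a simple bind, so passwords also cross the link between JasperServer and the domain controller unencrypted. The following check is an added example, not part of the original post or of JasperServer; the finding names, the privileged-name list and the sample XML (built from the post's excerpt) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ldapContextSource excerpt from this post inside a <beans> root.
SAMPLE = """<beans>
  <bean id="ldapContextSource">
    <constructor-arg value="ldap://dc01.test.local:389/dc=test,dc=local"/>
    <property name="userDn"><value>CN=administrator,CN=Users,DC=test,DC=local</value></property>
    <property name="password"><value>p@ssw9rd</value></property>
  </bean>
</beans>"""

# Assumption: account names considered over-privileged for a directory lookup bind.
PRIVILEGED_CNS = {"administrator", "admin"}


def _local(tag):
    """Drop an XML namespace prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _value(el):
    """Read value="..." or a nested <value> from a <property> or <constructor-arg>."""
    if el.get("value") is not None:
        return el.get("value").strip()
    for child in el:
        if _local(child.tag) == "value":
            return (child.text or "").strip()
    return ""


def audit_ldap_context(xml_text, bean_id="ldapContextSource"):
    """Return finding codes for the LDAP context source bean, in check order."""
    root = ET.fromstring(xml_text)
    bean = next((b for b in root.iter()
                 if _local(b.tag) == "bean" and b.get("id") == bean_id), None)
    if bean is None:
        return ["BEAN_NOT_FOUND"]  # bean still commented out, or renamed
    url, props = "", {}
    for el in bean:
        if _local(el.tag) == "constructor-arg" and not url:
            url = _value(el)
        elif _local(el.tag) == "property":
            props[el.get("name")] = _value(el)
    findings = []
    if not url.lower().startswith("ldaps://"):
        findings.append("CLEARTEXT_LDAP")  # no LDAPS; StartTLS, if any, is not detected
    bind_cn = props.get("userDn", "").split(",")[0].partition("=")[2].strip().lower()
    if bind_cn in PRIVILEGED_CNS:
        findings.append("PRIVILEGED_BIND_DN")  # lookups only need read access
    if props.get("password"):
        findings.append("PASSWORD_IN_FILE")  # restrict who can read this file
    return findings
```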


15 Comments on “JasperServer user authentication with Microsoft Active Directory”

  1. OK, I have it working finally, but I’m facing a little problem. The user name is case sensitive in jasper. That means, User, user, UsEr, all will be different users to Jasper, but they are the same user to Active Directory. Is there a way to assure the user will be created, say, lower case, no matter how the user types it on the logon field?

    • fcosfc says:

      Hi Andrés,

      I’m happy that my post has been useful to you. I’ve checked that no matter the scheme you use for the same username you log on with the correct user. For example, if my username is fsaucedo, I can log on with fSaucedo, FSAUCEDO, fSauCedo, etc. So I don’t understand what you mean when you say “The user name is case sensitive in jasper”, could you be so kind as to be more specific? Please, take into account that JasperServer imports the details it needs from Active Directory to its repository the first time that the user logs on.

      Best regards,

      Paco Saucedo.

      • What I mean is that Jasper creates the different users on its database. That is a problem when you are assigning roles.

        I log the first time as fsaucedo and assign it the role X. Then I log in as FSAUCEDO, the credentials will work because for Active Directory it is the same user, but for Jasper it will be a new user, and the role X is not assigned to it.

        What I would want is for Jasper to create the users in a standard way (lowercase), no matter how the user types the logon name.

  2. fcosfc says:

    Hi Andrés,

    To be perfectly honest, I didn’t realize that JasperServer created a different user if you log on with the same user but a different camelcase scheme, I always use lowercases! Anyway, I manage the roles within Active Directory groups, these groups are imported as roles when the user logs on, any change on them in Active Directory is imported when the user logs back. Finally, I assign permissions on JasperServer to Active Directory groups.

    Regards,

    Paco.

  3. […] wrote about the integration between JasperServer and Microsoft Active Directory last October. One of the readers of the post, Andrés Arenas, drew my attention to a problem: if an […]

  4. Miguel Angel Perez Gómez says:

    Hi Paco,

    Just one question, I see you were using JS CE 4.2.1, but could you tell me which AD version you were using?, W2k8 R2, W2k3, etc.

    Thanks in advance

  5. esz says:

    This article might be a little old, but do you know if it’s possible to use DIGEST-MD5 in binding to the LDAP server? Active Directory in our company is not allowing plain text authorization.

    • fcosfc says:

      Hi,

      I’m not an expert in Spring Security, but maybe this reference might be the starting point of the solution to your problem: http://www.jayway.com/2008/12/09/encrypting-properties-with-jasypt/

      Regards,

      Paco.

      • esz says:

        Thanks fcosfc for your answer. Actually I’m OK with the password in plain text in the config file. The problem which I am trying to solve is sending the password in plain text to the LDAP server (Active Directory server in my case). There are a few mechanisms (authentication methods) which I can use to address that problem, i.e. digest-md5 or gssapi. I’m trying to use digest-md5, which I know works with Windows Server 2008 R2, but had no luck. It seems the Spring framework doesn’t have that option implemented, or at least I didn’t find that information.

  6. kbprodigy says:

    AD is not case sensitive, so user, User, UsEr are all the same to AD; but not for Jasper Server, so every time the user enters the name in different caps those users will be added creating duplicates on the local database.

    To prevent this, edit the file:

    webapps/jasperserver/WEB-INF/jsp/templates/login.jsp

    Change line 70:

    That’s it!

  7. […] I copied the LDAP server configuration I described on my post JasperServer user authentication with Microsoft Active Directory, I restarted tomcat and tried to log on using my Active Directory credentials, but the access was […]

  8. Kieron says:

    Paco, have you ever gotten it to work with jasperserver 6.2?

