Configuration
===
RuleChains uses a USF-developed variant of CAS to provide both authentication and authorization, by way of a Grails plugin developed at USF together with modifications to the CAS server code that support it.
What's important to know is that the CAS server provides "attributes" in its service ticket. These attributes are passed down to RuleChains, captured by a custom user details service provided by the USF Grails plugin, and converted to "roles" for the application. Since the roles come from an external source, they are defined in an external configuration file as well, so you can authorize the application as needed without hard-coding static role names in the classes; this gives you role-name flexibility.
So what does this mean? Here is an example:
The "attributes" passed might look like this:
RULECHAINS_USER,RULECHAINS_ADMIN
In RuleChains, they will be converted to these roles:
ROLE_RULECHAINS_USER,ROLE_RULECHAINS_ADMIN
===
In the Config.groovy file, look for this line:

```groovy
grails.config.folder = '/usr/local/etc/grails/RuleChains'
```

RuleChains looks for all of its external configuration files in this folder. You can either create this folder, or specify a different one and change the reference above accordingly. Then copy the sample RuleChainsAuth.groovy and RuleChains.groovy files to the external location that works best for you (or just create your own new files there) and modify them as needed.
===
Here's the sample authorization file (RuleChainsAuth.groovy):

```groovy
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
    // Basic resources
    '/js/**': ['permitAll'],
    '/css/**': ['permitAll'],
    '/images/**': ['permitAll'],
    // Front Page
    '/*': ['isFullyAuthenticated()'],
    // Basic handling for errors and auth
    '/error': ['permitAll'],
    '/errors/**': ['permitAll'],
    '/login/**': ['permitAll'],
    '/logout/**': ['permitAll'],
    // Built in services
    '/source/': ['isFullyAuthenticated()'],
    '/ruleSet/': ['isFullyAuthenticated()'],
    '/ruleSet/*': ['isFullyAuthenticated()'],
    '/ruleSet/*/*': ['isFullyAuthenticated()'],
    '/ruleSet/*/*/*': ['isFullyAuthenticated()'],
    '/chain/': ['isFullyAuthenticated()'],
    '/chain/*': ['isFullyAuthenticated()'],
    '/chain/*/*': ['isFullyAuthenticated()'],
    '/job/': ['isFullyAuthenticated()'],
    '/job/*': ['isFullyAuthenticated()'],
    '/job/*/*': ['isFullyAuthenticated()'],
    '/chainServiceHandler/': ['isFullyAuthenticated()'],
    '/chainServiceHandler/*': ['isFullyAuthenticated()'],
    '/backup/download/': ["hasRole('ROLE_ITPRSUPERVISOR')"],
    '/backup/upload/': ["hasRole('ROLE_ITPRSUPERVISOR')"],
    // Definable services tied to a rule chain
    '/service/testServicehandler/': ["hasRole('ROLE_SOME_ROLE_FOR_DEFINEDSERVICE')"]
]

environments {
    production {
        grails.serverURL = "http://myserver.com:8080/RuleChains"
        grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://casdomain.com'
    }
    development {
        grails.serverURL = "http://localhost:8080/RuleChains"
        grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://casdomain.com'
    }
    test {
        grails.serverURL = "http://localhost:8080/RuleChains"
        grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://casdomain.com'
    }
}

// Added by the Spring Security CAS (USF) plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'edu.usf.cims.UsfCasUser'
grails.plugins.springsecurity.cas.active = true
grails.plugins.springsecurity.cas.sendRenew = false
grails.plugins.springsecurity.cas.key = '9a3433aca7184008df30ee8f5c62f160' // unique value for each app
grails.plugins.springsecurity.cas.artifactParameter = 'ticket'
grails.plugins.springsecurity.cas.serviceParameter = 'service'
grails.plugins.springsecurity.cas.filterProcessesUrl = '/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.proxyCallbackUrl = "${grails.serverURL}/secure/receptor"
grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
grails.plugins.springsecurity.cas.useSingleSignout = false
grails.plugins.springsecurity.cas.driftTolerance = 120000
grails.plugins.springsecurity.cas.loginUri = '/login'
grails.plugins.springsecurity.cas.useSamlValidator = true
grails.plugins.springsecurity.cas.authorityAttribute = 'eduPersonEntitlement'
grails.plugins.springsecurity.cas.serviceUrl = "${grails.serverURL}/j_spring_cas_security_check"

// Git Configuration Block
gitConfig {
    cas {
        emailAttribute = "mail"
        fallbackMap = [
            'john': 'john@somecompany.com'
        ]
    }
    gitRemotelogin = 'mygit_remoteusername'
    gitRemotePassword = 'mygit_remotepassword'
    gitRemoteURL = 'mygit_https_url'
    fallbackEmailDefault = 'mygit_emailaddress'
    fallbackUsername = 'mygit_username'
    branch = 'master'
}

// Global values. To be available to rules and defined services (aka: passwords, usernames, etc.)
rcGlobals {
    mypassword = 'somevalue'
}
```
Since this uses Spring Security ACL, these references can help you customize it further: the SpringSource reference and the Grails Spring Security ACL Plugin reference.
In addition, you must configure CAS. At a minimum, specify grails.serverURL and grails.plugins.springsecurity.cas.serverUrlPrefix for each of your environments.
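As an added illustration (not code from the RuleChains project or the USF plugin), the following Python simulates how the CAS attributes shown earlier become ROLE_ authorities and how the sample interceptUrlMap then decides a request. It assumes that the first matching pattern wins (Spring Security's default evaluation for a static map) and models the plugin's rejectIfNoRule option for paths no rule covers; the attribute string and the map subset are taken from the samples above, in their original order.

```python
import re

# Constructed inputs: the attribute string from the page's example and a subset
# of the sample interceptUrlMap, kept in the file's order.
CAS_ATTRIBUTES = "RULECHAINS_USER,RULECHAINS_ADMIN"
INTERCEPT_URL_MAP = [
    ("/js/**", "permitAll"),
    ("/*", "isFullyAuthenticated()"),
    ("/error", "permitAll"),
    ("/login/**", "permitAll"),
    ("/ruleSet/*", "isFullyAuthenticated()"),
    ("/backup/download/", "hasRole('ROLE_ITPRSUPERVISOR')"),
]

def attributes_to_roles(attr_csv):
    """Mirror the plugin's conversion: CAS attribute value X becomes ROLE_X."""
    return {"ROLE_" + a.strip() for a in attr_csv.split(",") if a.strip()}

def ant_to_regex(pattern):
    """Ant-style pattern to regex: '**' spans segments, '*' stays inside one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def evaluate(expr, roles, authenticated):
    """Evaluate the three expression forms used in the sample file."""
    if expr == "permitAll":
        return True
    if expr == "isFullyAuthenticated()":
        return authenticated
    m = re.fullmatch(r"hasRole\('([^']+)'\)", expr)
    if m:
        return authenticated and m.group(1) in roles
    raise ValueError("unsupported expression: " + expr)

def is_allowed(path, roles, authenticated=True, reject_if_no_rule=True):
    """First matching pattern decides (assumed InterceptUrlMap semantics).
    An unmapped path is denied when reject_if_no_rule is set, as with the
    plugin's rejectIfNoRule option; otherwise it passes through unchecked."""
    for pattern, expr in INTERCEPT_URL_MAP:
        if ant_to_regex(pattern).match(path):
            return evaluate(expr, roles, authenticated)
    return not reject_if_no_rule
```

Under first-match evaluation the '/error' rule is shadowed by '/*' (a single-segment pattern), so an anonymous request for the error page is sent to login; if that is how your plugin version behaves and the error page should be reachable without a session, list '/error' before '/*'.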
===
RuleChains synchronizes with a git repository so that the full change history is recorded (and recoverable). You must bind your instance of RuleChains to a remote git repository and branch. At the very end of this configuration file you will see the Git configuration block, where you specify your credentials, the remote repository URL and more. RuleChains can read your email address from a CAS attribute (if one is available to you, the value of "emailAttribute" is the key under which the email value is passed), or you can populate the fallback map; you will need the fallback map anyway if the attribute does not carry the email address you want to use.
===
RuleChains has a section for any global variables you may want to declare. Why? You likely don't want to store passwords anywhere that is under version control. References to these globals in your defined services, Groovy rules or even SQL won't have to be updated when their values change (just update your configuration). In Groovy rules (and in input and output reordering), the "rcGlobals" variable is available for accessing them. Similarly, in SQL and stored procedures you reference them like ${rcGlobals.mypassword}. Finally, in Defined Services the "username" and "password" fields accept these references as well: omit the "rcGlobals" prefix and specify just the key whose value you want referenced.
===
RuleChains relies on defining at least two data sources: one for the "default" connection and at least one more for actual use in executing chains. The default connection is strictly for storing rules and the application's own data. In this example, we will call that database "RuleChains" and define it in a Grails-style DataSource.groovy file.
Here's an example below. It is set up with MySQL for the default datasource and another datasource called dataSource_staging using Oracle. The syntax is standard Grails; see the Grails documentation on multiple datasources. The one thing you will notice missing is the "hibernate" section (which configures caching). RuleChains doesn't want that, so don't include it.
Here's the sample datasources file (DataSource.groovy):

```groovy
dataSource {
    pooled = true
    driverClassName = "com.mysql.jdbc.Driver"
    dialect = org.hibernate.dialect.MySQL5InnoDBDialect
    username = "myusername"
    password = "mypassword"
    properties {
        maxActive = -1
        minEvictableIdleTimeMillis = 1800000
        timeBetweenEvictionRunsMillis = 1800000
        numTestsPerEvictionRun = 3
        testOnBorrow = true
        testWhileIdle = true
        testOnReturn = true
        validationQuery = "SELECT 1"
    }
}

// environment specific settings
environments {
    development {
        dataSource {
            dbCreate = "create-drop" // one of 'create', 'create-drop', 'update', 'validate', ''
            url = "jdbc:mysql://localhost:3306/RuleChains?useUnicode=yes&characterEncoding=UTF-8&autoReconnect=true"
            loggingSql = true
        }
        dataSource_staging {
            dialect = org.hibernate.dialect.Oracle10gDialect
            driverClassName = 'oracle.jdbc.driver.OracleDriver'
            username = 'myusername'
            password = 'otherpassword'
            url = 'jdbc:oracle:thin:@myhost.com:1526:STAGINGDVLP'
        }
    }
    test {
        dataSource {
            dbCreate = "update"
            url = "jdbc:mysql://localhost:3306/RuleChains?useUnicode=yes&characterEncoding=UTF-8&autoReconnect=true"
        }
        dataSource_staging {
            dialect = org.hibernate.dialect.Oracle10gDialect
            driverClassName = 'oracle.jdbc.driver.OracleDriver'
            username = 'myusername'
            password = 'otherpassword'
            url = 'jdbc:oracle:thin:@myhost.com:1526:STAGINGTEST'
        }
    }
    production {
        dataSource {
            dbCreate = "update"
            url = "jdbc:mysql://localhost:3306/RuleChains?useUnicode=yes&characterEncoding=UTF-8&autoReconnect=true"
        }
        dataSource_staging {
            dialect = org.hibernate.dialect.Oracle10gDialect
            driverClassName = 'oracle.jdbc.driver.OracleDriver'
            username = 'myusername'
            password = 'otherpassword'
            url = 'jdbc:oracle:thin:@myhost.com:1526:STAGINGPROD'
        }
    }
}
```