We have a Spring-MVC application with websockets deployed on a Jetty server. We also have HashLoginService as shown below configured for jetty. When the application starts, we are able to access it with websockets functionality intact on FF, Chrome, Opera, IE but not on Safari. The only thing we get back is 401. After disabling the HashLoginService, websockets work fine. Is there some configuration in Jetty or somewhere required so that websockets work in Safari with authentication. Thank you.
Safari version : 11.0.3(desktop version)
Jetty - 9.4
jetty.xml :
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Default Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
</New>
</Arg>
</Call>
web.xml from project:
<security-constraint>
<web-resource-collection>
<web-resource-name>username</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user-role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>username</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user-role</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>user-role</role-name>
</security-role>
Any idea what we can do? Thanks.
Standard HTTP Authentication is apparently not supported on Safari and WebSockets.
See: https://bugs.webkit.org/show_bug.cgi?id=80362
You can find some workarounds at a different stackoverflow answer.
HTTP headers in Websockets client API
Related
I'm trying disable some http methods on my glassfish.
I would like know how I can does not provide a communication through "option" and "trace" http methods on glassfish v3.
< Allow: TRACE, OPTIONS
You can add the following security constraint to your web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Forbidden</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
We have what I believe to be a pretty standard form based authentication for a web application running on wildfly 8.2.
The authentication works well, except that when we stop&start the server some users are unable to log in again.
I have managed to reproduce one variant of this:
If I open the login page, /xxxx/app, before I restart, and then try to log in after the server is up again, I end up on a blank /xxxx/j_security_check page.
In my logs I can see that the actual authentication is run OK.
If I have understood this j_security_check mechanism properly, it goes something like this:
I access /xxxx/app
Wildfly sees that this url requires authentication. It remembers it and forwards me to login.jsp.
When I submit my login form to the magical j_security_check address it replaces it with the remembered /xxxx/app address.
If this is conceptually correct, I can see that a restart can be troublesome; The web server no longer remembers the /xxxx/app address and doesn't know where to redirect me to.
Does anyone have a workaround for this problem?
Any way to give wildfly a default page to go to after j_security_check?
Edit: I found this one: It is probably the same underlying cause:
Jboss Wildfly 8.1 session timeout on login page
jboss-web.xml:
<jboss-web>
<security-domain>ptsmc</security-domain>
<default-encoding>UTF-8</default-encoding>
</jboss-web>
web.xml:
<servlet-mapping>
<servlet-name>main</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
<!-- -->
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>ptsmc</display-name>
<web-resource-collection>
<web-resource-name>ptsmc</web-resource-name>
<url-pattern>/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>WEB</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Users must have this role to be granted access to Application</description>
<role-name>WEB</role-name>
</security-role>
login.jsp:
<form name="login_form" method="POST" action="<%=response.encodeURL(request.getContextPath() + "/j_security_check")%>">
<table>
<tr><td>User id:</td><td><input type=text name=j_username autofocus onblur="this.value = this.value.toUpperCase();"></td></tr>
<tr><td>Password:</td><td><input type=password name=j_password></td></tr>
<tr><td> </td><td><input type=submit value="Submit"></td></tr>
</table>
</form>
I need help in configuring GF3.1.2 i have done following changes, please do let me know if i am missing anything important as after changes it is NOT working.
my id is nilesh2811#gmail.com
I could not found any particular thread or answers in forum if any link is there will be helpful.
if you have any document for this please forward.
please do the needful
web.xml
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/faces/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>authorized</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>authorized</role-name>
</security-role>
sun-web.xml
<security-role-mapping>
<role-name>authorized</role-name>
<principal-name>admin</principal-name>
<group-name>authorized</group-name>
</security-role-mapping>
domain.xml
<security-service>
<auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="admin-realm">
<property name="file" value="${com.sun.aas.instanceRoot}/config/admin-keyfile"></property>
<property name="jaas-context" value="fileRealm"></property>
</auth-realm>
<auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="file">
<property name="file" value="${com.sun.aas.instanceRoot}/config/keyfile"></property>
<property name="jaas-context" value="fileRealm"></property>
</auth-realm>
<auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
<property name="assign-groups" value="authorized"></property>
</auth-realm>
The login-config section is incomplete in your web.xml
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
</login-config>
The realm-name content must match the name attribute of auth-realm element in domain.xml, which in your case is "certificate"
[updated]
In addition, the CA certificate must be imported in the server's truststore
${com.sun.aas.instanceRoot}/config/cacerts.jks
Actually I tries on glassfish 3.1.2 and it worked under following conditions:
1.I have to use the same key(trust) store of jks type and in the same location. In order to talk with other certificate formats you have to convert them to format jks format can handle.
2.in a glassfish-web.xml you should have like this mapping
<security-role-mapping>
<role-name>manager</role-name>
<group-name>authorized</group-name>
</security-role-mapping>
3.in a domain.xml file you should have the followings:
<auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
<property name="assign-groups" value="authorized"></property>
</auth-realm>
Note: in web.xml you have to have realm name matching domain.xml file
When anyone will try this first time it will take time for them to understand, withing simple words, both client and server trust-stores should trust each other certificates, first it is better to use Self-signed certificates exchange certificates to server and client, one can use following article for help which has simplified steps. follow article then you can use your own methods certificates which ever u want.
http://www.slideshare.net/krizsan/scdjws-5-study-notes-3085287
SCDJWS 5
or nowadays know as
Oracle Certified Professional,
Java EE 5 Web Services Developer
Study Notes
by
Ivan A Krizsan
Version: February 23, 2012
Set
Client Authentication: true
in http-listener-2.
I'm using JDBCRealm for Tomcat 7 user auth and SSL for https but I can not figure out how to combine them. My goal is to make all the page secure by SSL and possible to view only by a certain role. I'm using JSF 2.1. Here is my code in web.xml
<security-role>
<description/>
<role-name>employee</role-name>
</security-role>
<security-role>
<description/>
<role-name>administrator</role-name>
</security-role>
<security-role>
<description/>
<role-name>boss</role-name>
</security-role>
<security-constraint>
<display-name>ConstraintPrac</display-name>
<web-resource-collection>
<web-resource-name>panelprac</web-resource-name>
<url-pattern>panele/pracownik/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>employee</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
They seem to work separately but what i need is a combined way. Now Tomcat is not redirecting to the port 8443 (https) and You can access any page just by typing it in the browser. I used this page for SSL http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html and this one for JDBCRealm http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html. I want my program to allow access certain pages only to certain roles and at the same time do everything on HTTPS. Please help me with this one. I don't know where I've made the mistake. I don't receive any errors.
RESOLVED
The problem was deeper than I thought. Tomcat 7 doesn't support custom form user authentication therefore security roles presented above didn't work. To solve this I had to create a Filter class to protect unauthorized entry's to pages.
I will leave this topic in case someone has the same problem (if the admin finds this topic irrelevant feel free to delete it)
I'm working with a developer here who just inherited an existing site. It is a Weblogic 8.1 website with j_security_check authentication behind an apache reverse proxy. We're getting some issues with the logins, and are not sure about j_security_check config. It seems very black boxy and magicky. How do we get information on how it's configured, specifically how to change the target page after successful login.
Thank you.
weblogic will automaticly redirect to the requested page. In the web.xml is defined with resources are protected by the form-login (as it is called). So just request the first page and you will be presented with the login. After an successfull login you will be redirected to the original requested page.
You'll see something similar to this in your web.xml (the "myRoleName" will be replaced by the sercurity role as defined in your Webloggic Server Console under Security > Realms > myreal > Groups). If you have multiple roles, this will differ slightly.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/flows/*</url-pattern>
<url-pattern>Controller.jpf</url-pattern>
<http-method>GET</http-method>
<http-method>Post</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myRoleName</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>fail_login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
Only role for the Application
</description>
<role-name>myRoleName</role-name>
</security-role>