ActiveMQ Authorization - How To Read Authorization Entries from Database - authorization

I am in a process of deploying ActiveMQ with custom Authentication and Authorization. I have a query regarding custom authorization map.
Question
I want to have the authorization entries read from database rather than activemq.xml. We don't want to write our authorization entries in activemq.xml file. I don't want to change the wildcard queue name hierarchies as provided in default authorization plugin.
What code components do I need to re-write ?

I have figured out the answer to my above question. I only need to interface my custom class so that I am able to load authorization entries from a source other than activemq.xml. And I can also re-load my authorization every 1 minute so that if a new role or authorization entry is made, it gets reloaded into the system without restarting.
Solution Configurations
Create a class that implements AuthorizationMap.
In my case I extended my class from DefaultAuthorizationMap.java. I want similar functionality and want to change only the input of authorization entries. My code reads roles from a database. Refer to section "Code-CustomAuthorizationMap" below.
Configure CustomAuthorizationMap class as bean in activemq.xml
<plugins>
    <jaasAuthenticationPlugin configuration="activemq"/>
    <authorizationPlugin>
        <map>
            <bean xmlns="" class="com.test.CustomAuthorizationMap"/>
        </map>
    </authorizationPlugin>
</plugins>
Add lib to classpath
a. Create the jar file. Place it in "%ActiveMQ-Home%/lib" folder. E.g. custom-authorization.jar
b. Modify "%ActiveMQ-Home%/bin/activemq.bat".
**Replace**
set ACTIVEMQ_CLASSPATH=%ACTIVEMQ_CONF%;%ACTIVEMQ_BASE%/conf;%ACTIVEMQ_HOME%/conf;%ACTIVEMQ_CLASSPATH%;
**With**
set ACTIVEMQ_CLASSPATH=%ACTIVEMQ_CONF%;%ACTIVEMQ_BASE%/conf;%ACTIVEMQ_HOME%/conf;%ACTIVEMQ_CLASSPATH%;%ACTIVEMQ_HOME%/lib/custom-authorization.jar;
Code-CustomAuthorizationMap
package com.test.authorization.map;

import java.util.ArrayList;
import java.util.List;
import org.apache.activemq.command.ActiveMQQueue;
import org.apache.activemq.command.ActiveMQTempQueue;
import org.apache.activemq.command.ActiveMQTopic;
import org.apache.activemq.filter.DefaultDestinationMapEntry;
import org.apache.activemq.filter.DestinationMapEntry;
import org.apache.activemq.security.AuthorizationEntry;
import org.apache.activemq.security.DefaultAuthorizationMap;

public class SecGwAuthorizationMap extends DefaultAuthorizationMap {

    public SecGwAuthorizationMap() throws Exception {
        super();
        // loadAuthorizationEntriesFromPropFiles() is the loader method; its body is not shown here.
        List<DestinationMapEntry> authorizationEntries =
                loadAuthorizationEntriesFromPropFiles();
        // For information. After loading I populate
        // authorization entries like below
        // AuthorizationEntry entry = new AuthorizationEntry();
        // entry.setTopic(">");
        // entry.setAdmin("admins");
        // entry.setRead("admins");
        // entry.setWrite("admins");
        // authorizationEntries.add(entry);
        // entry = new AuthorizationEntry();
        // entry.setQueue(">");
        // entry.setAdmin("admins");
        // entry.setRead("admins");
        // entry.setWrite("admins");
        // authorizationEntries.add(entry);
        // entry = new AuthorizationEntry();
        // entry.setTopic("ActiveMQ.Advisory.>");
        // entry.setAdmin("gcabrokerusers,admins,users");
        // entry.setRead("gcabrokerusers");
        // entry.setWrite("gcabrokerusers");
        // authorizationEntries.add(entry);
        // entry = new AuthorizationEntry();
        // entry.setQueue("gcaa.test.jms.>");
        // entry.setAdmin("gcabrokerusers");
        // entry.setRead("gcabrokerusers");
        // entry.setWrite("gcabrokerusers");
        // authorizationEntries.add(entry);
        setAuthorizationEntries(authorizationEntries);
    }

    public SecGwAuthorizationMap(List<DestinationMapEntry> authorizationEntries) {
        super(authorizationEntries);
        // TODO Auto-generated constructor stub
    }
}
Note: Below is a sample roles.properties file to show how we are creating authorization roles.
roles.properties file
//commentedLine Destination Read-ACLs Write-ACLs AdminAcls Type
ActiveMQ.Advisory.>::admins,appUsr::admins,appusr::admins,appUsr::TOPIC
test.accounts.queue::appClientId::appClientId::admins::QUEUE
>::admins::admins::admins::QUEUE
>::admins::admins::admins::TOPIC
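A loader for the `::`-separated layout above could look like the following. This is an added example, not the poster's `loadAuthorizationEntriesFromPropFiles()` and not ActiveMQ project code; the class name `RolesFileParser` and the choice to reject the whole file on any malformed line are assumptions. It needs the ActiveMQ broker jar on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.activemq.filter.DestinationMapEntry;
import org.apache.activemq.security.AuthorizationEntry;

/** Hypothetical parser for the roles.properties layout shown in the post. */
public class RolesFileParser {

    @SuppressWarnings("rawtypes")
    public static List<DestinationMapEntry> parse(List<String> lines) throws Exception {
        List<DestinationMapEntry> entries = new ArrayList<>();
        int lineNo = 0;
        for (String raw : lines) {
            lineNo++;
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("//")) {
                continue; // blank line or commented header line
            }
            // Destination::Read-ACLs::Write-ACLs::Admin-ACLs::Type
            String[] f = line.split("::", -1);
            if (f.length != 5) {
                // Fail the whole load so a partial ACL set never replaces a good one.
                throw new IllegalArgumentException("line " + lineNo + ": expected 5 fields");
            }
            for (String field : f) {
                if (field.trim().isEmpty()) {
                    throw new IllegalArgumentException("line " + lineNo + ": empty field");
                }
            }
            AuthorizationEntry entry = new AuthorizationEntry();
            switch (f[4].trim()) {
                case "QUEUE": entry.setQueue(f[0].trim()); break;
                case "TOPIC": entry.setTopic(f[0].trim()); break;
                default:
                    throw new IllegalArgumentException("line " + lineNo + ": unknown type");
            }
            entry.setRead(f[1].trim());   // comma-separated role names
            entry.setWrite(f[2].trim());
            entry.setAdmin(f[3].trim());
            entries.add(entry);
        }
        return entries;
    }

    public static void main(String[] args) throws Exception {
        // Sample input taken from the roles.properties lines in the post.
        List<String> sample = Arrays.asList(
            "//commentedLine Destination Read-ACLs Write-ACLs AdminAcls Type",
            "ActiveMQ.Advisory.>::admins,appUsr::admins,appusr::admins,appUsr::TOPIC",
            "test.accounts.queue::appClientId::appClientId::admins::QUEUE",
            ">::admins::admins::admins::QUEUE",
            ">::admins::admins::admins::TOPIC");
        System.out.println(parse(sample).size() + " entries loaded");
    }
}
```

When the map is reloaded on a timer, call `setAuthorizationEntries` only after `parse` has returned without throwing, so a bad edit to the source leaves the previous entries in place.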

Related

Why can't i access JAX-RS api?

I have a task from a company that sent me a virtual machine with everything set up. The task is that I have to create an API to retrieve Person details from the database and display them.
The problem is that when I run the application, the server returns an index.html with hello world text in it. However, when I try to change the index.html, it does not change in the browser, but when I do a request through Postman, I get the "updated" index.html.
What I also realised is that I cannot access the API that I have created, to check if I can access APIs in the first place.
The path where the index.html returns is "http://hocalhost:8080/tutorial-applicans/"
My Service is PersonService.java:
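import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Stateless
@Path("person")
public class PersonService {
    @PersistenceContext(unitName = "de.erknrw_tutorial-applicants_pu")
    private EntityManager em;

    @GET
    @Path("hello")
    @Produces(MediaType.TEXT_PLAIN)
    public String sayHello() {
        return "Hello World!!!";
    }
}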
I am trying to get "Hello World!!!", but my path is wrong when I try "http://hocalhost:8080/tutorial-applicans/person/hello".
Might be worth mentioning that there is also a JAXRSConfiguration.java file:
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;

@ApplicationPath(JAXRSConfiguration.RESTROOT)
public class JAXRSConfiguration extends Application {
    public static final String RESTROOT = "webresources";
}
How do I access sayHello()? What does the path look like?
Thanks in advance
When deploying on a webapp, the JAX-RS application is configured as a Servlet. So, you have to add the application path prior to the path of the resource.
The endpoint would be:
http://[server]:[port]/[context path]/[application path]/[resource path]/[operation path]
In your case:
http://hocalhost:8080/tutorial-applicans/webresources/person/hello

Provide authorisation using apache shiro for Rest service method in java application

In my simple web application, I have two web service methods. One is storeName() and the other is viewAllNames().
The admin role can access both methods. But the user role should access the viewAllNames() method.
I am going to use Apache Shiro and Maven with a web-based project and REST service. Provide authorization only for those two methods.
My actual rest url is :
http://localhost:8080/SimpleRest/simpleservice/store/jackreobert --> admin only
http://localhost:8080/SimpleRest/simpleservice/viewall/ --> user only
How do I configure shiro.ini, web.xml and the annotation/XML?
For the Shiro approach, do I need to pass any other information in the web service URL? How do I achieve this?
SimpleService.java
package com.simple.rest;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.json.JSONException;

@Path("/simpleservice")
public class SimpleService {

    @Path("/store/{name}")
    @GET
    @Produces("application/json")
    public Response storeName(@PathParam("name") String name) throws JSONException {
        /**
         * Here insert logic
         */
        String result = "Given name: " + name + " successfully stored";
        return Response.status(200).entity(result).build();
    }

    @Path("/viewall")
    @GET
    @Produces("application/json")
    public Response viewAllNames() throws JSONException {
        /**
         * Here retrieve logic
         */
        String result = "All names are taken";
        return Response.status(200).entity(result).build();
    }
}
Thanks for reading for my post.
Help me,
Thanks in advance.
My suggestion is to use Permissions. Protect your application resources with permissions. Assign permissions to roles and assign Roles to Users.
As of Shiro 1.4.0-RC2 there is official JAX-RS support, take a look at the sample.
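The users-to-roles-to-permissions layout suggested above, applied to the two methods from the question. This is an added example, not code from the post or from the Shiro project. The accounts, passwords and the permission names `names:store` and `names:view` are constructed, and the checks are made programmatically with shiro-core instead of through the JAX-RS integration.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class PermissionDemo {
    // Constructed shiro.ini content: users map to roles, roles map to permissions.
    static final String INI =
          "[users]\n"
        + "alice = alice-pw, admin\n"
        + "bob = bob-pw, user\n"
        + "[roles]\n"
        + "admin = names:store, names:view\n"
        + "user = names:view\n";

    // Stand-ins for the two REST methods: each checks a permission, not a role name.
    static String storeName(Subject caller, String name) {
        caller.checkPermission("names:store"); // throws AuthorizationException if not granted
        return "Given name: " + name + " successfully stored";
    }

    static String viewAllNames(Subject caller) {
        caller.checkPermission("names:view");
        return "All names are taken";
    }

    static Subject login(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));

        Subject admin = login(sm, "alice", "alice-pw");
        Subject user = login(sm, "bob", "bob-pw");

        System.out.println(storeName(admin, "jackreobert")); // admin holds names:store
        System.out.println(viewAllNames(user));              // user holds names:view
        try {
            storeName(user, "jackreobert");                  // user lacks names:store
        } catch (AuthorizationException denied) {
            System.out.println("bob denied: " + denied.getMessage());
        }
    }
}
```

Because the methods test permissions, granting a new role access to `storeName` is a change to the `[roles]` section only; the service code stays the same.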

Apache Shiro - LDAP for Authentication and Properties/Ini for Authorization

I'm trying to add some authentication and authorization functionality to my small web application. Therefore I'm using Apache Shiro.
My plan: using an existing LDAP server for user authentication and using a properties or ini file for authorization.
Here's a small example:
user x wants to use the application
he enters his username and his password
the ldap server is used for authentication --> user + pwd correct?
if authentication is verified and correct, a properties file or ini file is used to check if the user is permitted, to start some functions inside the application.
I hope you know what I'm trying to do.
Now I'm not sure how to implement this feature. Is it enough to use an ini file or is it required to implement my own realm?! Is there an example implementation?
I'm grateful for every information
and sorry for my bad English :/
Yes, you have to implement a realm but this is not difficult. You just have to extend JndiLdapRealm and override the queryForAuthorizationInfo method.
This method returns an AuthorizationInfo interface type. In your case the easiest is to return an instance of SimpleAuthorizationInfo which implements this interface.
You must initialize the AuthorizationInfo with the roles and/or permissions for the authenticated user. When this method is called, the user is already authenticated but not authorized.
Inside this method you can read the authorization information from any data source that you want, it can be a properties or ini file, properties associated with the user in the LDAP server, a database or anything that pleases you.
A realm implementation could be:
package example.shiro.realm.ldap;

import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.subject.PrincipalCollection;

public class JndiLdapAuthzRealm extends JndiLdapRealm {

    private List<String> getRoles(String userName) {
        List<String> roles = new ArrayList<>();
        // TODO: get roles from data source and fill list
        roles.add("user");
        roles.add("admin");
        return roles;
    }

    private List<String> getPermissions(String userName) {
        List<String> perms = new ArrayList<>();
        // TODO: get permissions from data source and fill list
        perms.add("myapp:run");
        perms.add("myapp:file:create");
        return perms;
    }

    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
            LdapContextFactory ldapContextFactory) throws NamingException {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        String userName = principals.getPrimaryPrincipal().toString();
        info.addRoles(getRoles(userName));
        info.addStringPermissions(getPermissions(userName));
        return info;
    }
}
In your case, rewrite the getRoles and getPermissions to get the roles and permissions for the authenticated user from the properties or ini file.
In shiro.ini:
[main]
ldapRealm = example.shiro.realm.ldap.JndiLdapAuthzRealm
ldapRealm.userDnTemplate = uid={0},cn=users,cn=accounts,dc=example,dc=com
ldapRealm.contextFactory.url = ldap://192.168.0.10

how to obtain a list of all currently logged-in users (including rememberme cookies) in grails with spring security

I'm building a grails app that has the spring-security-core 1.2.7.3 plugin as well as spring-security-ui 0.2 plugin, and would like to obtain a list of ALL the users that are currently logged in (ie have a currently active session). Users can login either through a login controller (daoAuthenticationProvider) or automatically through a rememberMe cookie.
I have implemented the code below, using ConcurrentSessionControlStrategy to create a sessionRegistry:
in /conf/spring/resources.groovy:
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
beans = {
    userDetailsService(lablore.MyUserDetailsService)
    sessionRegistry(SessionRegistryImpl)
    sessionAuthenticationStrategy(ConcurrentSessionControlStrategy, sessionRegistry) {
        maximumSessions = -1
    }
    concurrentSessionFilter(ConcurrentSessionFilter) {
        sessionRegistry = sessionRegistry
        expiredUrl = '/login/concurrentSession'
    }
}
In /plugins/spring-security-core/conf/DefaultSecurityConfig.groovy
useHttpSessionEventPublisher = true
In the controller:
controller{
    def sessionRegistry
    action(){
        def loggedInUsers = sessionRegistry.getAllPrincipals()
    }
}
It works well for
-users that login through the login page
-users that logout through a 'logout' link
-users whose session expires
HOWEVER, it does NOT work for users that authenticate automatically with a rememberMe cookie. It doesn't see that they have a newly created session.
If I understand correctly, this is because the RememberMeAuthenticationFilter is 'further up' in the filter chain compared to the ConcurrentSessionFilter, which is the one running the sessionRegistry? Or, I messed something up with my configurations....
Any help on how to get this to work would be great !
Thanks!!
The ConcurrentSessionControlStrategy is deprecated.
Use the ConcurrentSessionControlAuthenticationStrategy instead.
Alternatively,
you can implement the HttpSessionListener interface, which has the sessionCreated(HttpSessionEvent event) and sessionDestroyed(HttpSessionEvent event) methods, but you have to add the class you used
Implementations of this interface are notified of changes to the list of active sessions in a web application. To receive notification events, the implementation class must be configured in the deployment descriptor for the web application.
You can either add the implementation class to your deployment descriptor like so (i.e. your web.xml file)
<listener>
<listener-class>com.hazelcast.web.SessionListener</listener-class>
</listener>
or by using the WebXmlConfig plugin in grails
Your implementation class could look like below, see Online users with Spring Security also
import javax.servlet.http.HttpSession
import javax.servlet.http.HttpSessionEvent
import javax.servlet.http.HttpSessionListener

class WebSessionListener implements HttpSessionListener {
    void sessionCreated(HttpSessionEvent se) {
        // Check here whether the user has logged in and keep a record
        HttpSession webSession = se.getSession()
    }

    void sessionDestroyed(HttpSessionEvent se) {
        // Check here whether the user has logged in and keep a record
        HttpSession webSession = se.getSession()
    }
}

Try to make a Connection Pool with Tomcat 6

I really am having a nightmare configuring Tomcat to set up a connection pool. I have done a lot of reading of various forums and the documents from Tomcat but am having to ask here as a last resort. This is the first time I have tried to get connections from the container so it's all new to me.
I have been having NameNotFoundException's which only seem to be fixed when I put the context.xml file back from MyApp/META-INF/context.xml to Tomcat 6.0/conf/context.xml, so for some reason it's not seeing the context.xml file in MyApp's META-INF directory. Any ideas?
Now I am getting an SQLNestedException: Cannot create PoolableConnectionFactory (''@'localhost' (using password:YES))
First of all it surprises me that the user is blank because I have specified 'root' in the context.xml. As for not being able to create a PoolableConnectionFactory, I have seen a couple of example context.xml files that had a factory attribute. Do I need this? If so what class should I specify there?
My context.xml is:
<?xml version='1.0' encoding='utf-8'?>
<Context>
<!-- Configure a JDBC DataSource for the user database -->
<Resource name="jdbc/searchdb"
type="javax.sql.DataSource"
auth="Container"
user="root"
password="mypassword"
driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/search"
maxActive="8"
maxIdle="4"/>
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<!--<WatchedResource>META-INF/context.xml</WatchedResource>-->
</Context>
I have seen a context.xml with a WatchedResource element for the META-INF/context.xml. I tried it but it didn't seem to make a difference and it seems strange to me so I have commented it out. Should I actually be including it?
My test servlet:
package search.web;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;
import java.sql.*;
import javax.sql.*;
import javax.naming.*;
import search.model.*;
public class ConPoolTest extends HttpServlet {
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws IOException, ServletException {
Context ctx = null;
DataSource ds = null;
Connection conn = null;
try {
ctx = new InitialContext();
ds = (DataSource)ctx.lookup("java:comp/env/jdbc/searchdb");
conn = ds.getConnection();
if(conn != null) {
System.out.println("have a connection from the pool");
}
} catch(SQLException e) {
e.printStackTrace();
} catch(NamingException e) {
e.printStackTrace();
} finally {
try {
if(conn!=null) {
conn.close();
}
} catch(SQLException e) {
e.printStackTrace();
}
}
}
}
I look forward to your suggestions.
Many thanks
Joe
PS I would have also listed the stack trace, but for some reason it is showing up in the console, but not in the logs.
Update:
Now that I look at the error message again I'm wondering what it is that is denying me access. I assumed that it was the database, but is it actually the container? Do I need to set up some sort of authentication in the tomcatusers.xml file?
The Tomcat docs for JNDI Datasources contain complete examples how to setup JDBC data sources in the context.xml
Some comments to your question:
Tomcat should copy the context.xml from your app's WAR to conf/Catalina/localhost/app.xml during deployment (when it unpacks your app). The file should not go to conf/. Check whether you have an old copy lying around in these places and clean that up.
The error that it's using the wrong user also suggests that there is more than a single context.xml and you're looking at the wrong one.
You don't need PoolableConnectionFactory with Tomcat 6. This might be cruft left from an update from Tomcat 5 or something broke and they tried several things and forgot to clean up the config file.
Tomcat automatically watches web.xml; there is no need to make it a WatchedResource a second time.