I'm trying to get familiar with TomEE, or at least TomCat 7 that is used in an older application I'm currently working.
In the tomcat location there is a web.xml. As far as I understood this is used for all servlets that have no own web.xml, right? Or will this be also used for those servlets that have an own one?
Not sure about the hierachy of this configuration files.
Tried to get a basic authentication working for a module that can be assigned by a url like \localhost:8080\AB
The tomcat-users for \localhost:8080\manager is working fine.
But can't get an login for \localhost:8080\AB
I tried modify the web.xml like:
<security-role>
<role-name>users</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>basic demo resource</web-resource-name>
<url-pattern>\AB\*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
But still no login is required for accessing this servlet.
Than I found out, that there is another web.xml in this Java project, which I also tried to modify with the code above.
I know I'm doing something wrong, but don't get what it is right now.
The role "users" was created in tomcat-users.xml and a user is also assigned to that group.
You have define only security constraint not roles. You need to define tomcat user and crossponding roles like.
<tomcat-users>
<role rolename="AB"/> <!-- you have to define all roles -->
<user username="myname" password="mypassword" roles="AB"/>
<!-- you have to assign login and roles -->
</tomcat-users>
The web.xml in the tomcat directory contains the default settings. A webapp can override definitions in its own web.xml.
To access to /AB you need:
to use FORWARD slashes: <url-pattern>/AB/*</url-pattern>
to have a user with role users in your user database
to enter the username and password in the login popup dialog.
Related
We have what I believe to be a pretty standard form based authentication for a web application running on wildfly 8.2.
The authentication works well, except that when we stop&start the server some users are unable to log in again.
I have managed to reproduce one variant of this:
If I open the login page, /xxxx/app, before I restart, and then try to log in after the server is up again, I end up on a blank /xxxx/j_security_check page.
In my logs I can see that the actual authentication is run OK.
If I have understood this j_security_check mechanism properly, it goes something like this:
I access /xxxx/app
Wildfly sees that this url requires authentication. It remembers it and forwards me to login.jsp.
When I submit my login form to the magical j_security_check address it replaces it with the remembered /xxxx/app address.
If this is conceptually correct, I can see that a restart can be troublesome; The web server no longer remembers the /xxxx/app address and doesn't know where to redirect me to.
Does anyone have a workaround for this problem?
Any way to give wildfly a default page to go to after j_security_check?
Edit: I found this one: It is probably the same underlying cause:
Jboss Wildfly 8.1 session timeout on login page
jboss-web.xml:
<jboss-web>
<security-domain>ptsmc</security-domain>
<default-encoding>UTF-8</default-encoding>
</jboss-web>
web.xml:
<servlet-mapping>
<servlet-name>main</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
<!-- -->
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>ptsmc</display-name>
<web-resource-collection>
<web-resource-name>ptsmc</web-resource-name>
<url-pattern>/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>WEB</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Users must have this role to be granted access to Application</description>
<role-name>WEB</role-name>
</security-role>
login.jsp:
<form name="login_form" method="POST" action="<%=response.encodeURL(request.getContextPath() + "/j_security_check")%>">
<table>
<tr><td>User id:</td><td><input type=text name=j_username autofocus onblur="this.value = this.value.toUpperCase();"></td></tr>
<tr><td>Password:</td><td><input type=password name=j_password></td></tr>
<tr><td> </td><td><input type=submit value="Submit"></td></tr>
</table>
</form>
I am trying the BASIC authentication mechanism. When i try to access the constrained resource second time the popup for username and password does not come up.
Following are the roles and users defined in my tomcat-users.xml
<role rolename="Admin"/>
<role rolename="Member"/>
<role rolename="Guest"/>
<user username="Annie" password="admin" roles="Admin, Member, Guest"/>
<user username="Diane" password="coder" roles="Member, Guest"/>
<user username="Ted" password="newbie" roles="Guest"/>
Following are the entries defined in my web.xml
<web-app>
<display-name>SecurityApp</display-name>
<servlet>
<servlet-name>BeerAppServlet</servlet-name>
<servlet-class>com.example.servlets.BeerAppServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>BeerAppServlet</servlet-name>
<url-pattern>/Beer/AddRecipe</url-pattern>
</servlet-mapping>
<security-role> <role-name>Admin</role-name> </security-role>
<security-role> <role-name>Member</role-name> </security-role>
<security-role> <role-name>Guest</role-name> </security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Update</web-resource-name>
<url-pattern>/Beer/AddRecipe/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
<role-name>Member</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</web-app>
My webapp name is SecurityApp.
For the first time when i access my app as follows
http://localhost:8083/SecurityApp/Beer/AppRecipe i get the popup for entering the user name and password and i enter the following credentials username=Diane password=coder. After entering the above credentials the authentication is success.
For the second time when i type this url http://localhost:8083/SecurityApp/Beer/AppRecipe.
I dont get the authentication popup for username and password. Why is it so. can anyone please explain
By using basic access authentication the credentials are stored at client side (your browser).
The web browser takes care of creating a BASE64-Encode of username and password and send it automatically each time you request to the same page. This means that you are "logged in" immediately without re-entering your credentials.
You can just close and open your browser, to show the username/password dialog again.
Because the browser caches your credentials (username, password) for the page and authentication realm and automatically sends them the next time you visit the page. This is how BASIC authentication works. If you close (all instances of) the browser, it will ask for credentials again, unless it is configured to store them permanently. You can check this related question.
I'm using JDBCRealm for Tomcat 7 user auth and SSL for https but I can not figure out how to combine them. My goal is to make all the page secure by SSL and possible to view only by a certain role. I'm using JSF 2.1. Here is my code in web.xml
<security-role>
<description/>
<role-name>employee</role-name>
</security-role>
<security-role>
<description/>
<role-name>administrator</role-name>
</security-role>
<security-role>
<description/>
<role-name>boss</role-name>
</security-role>
<security-constraint>
<display-name>ConstraintPrac</display-name>
<web-resource-collection>
<web-resource-name>panelprac</web-resource-name>
<url-pattern>panele/pracownik/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>employee</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
They seem to work separately but what i need is a combined way. Now Tomcat is not redirecting to the port 8443 (https) and You can access any page just by typing it in the browser. I used this page for SSL http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html and this one for JDBCRealm http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html. I want my program to allow access certain pages only to certain roles and at the same time do everything on HTTPS. Please help me with this one. I don't know where I've made the mistake. I don't receive any errors.
RESOLVED
The problem was deeper than I thought. Tomcat 7 doesn't support custom form user authentication therefore security roles presented above didn't work. To solve this I had to create a Filter class to protect unauthorized entry's to pages.
I will leave this topic in case someone has the same problem (if the admin finds this topic irrelevant feel free to delete it)
The problem
A tomcat manager page can not be accessed by a user granted a manager role.
The things I tryed to do
I added a user with a manager role into tomcat-users.xml:
<role rolename="manager"/>
<user username="emanemos" password="password" roles="manager"/>
I also looked up the $CATALINA_HOME/webapps/manager/WEB-INF/web.xml to be sure that manager role is really used to access the application:
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>manager</role-name>
</auth-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>manager</role-name>
</security-role>
However, the manager application still asks for a login-password pair in an endless loop ignoring my input.
Does anybody have any ideas?
Did you restart Tomcat after making the changes to tomcat-users.xml?
I'm working with a developer here who just inherited an existing site. It is a Weblogic 8.1 website with j_security_check authentication behind an apache reverse proxy. We're getting some issues with the logins, and are not sure about j_security_check config. It seems very black boxy and magicky. How do we get information on how it's configured, specifically how to change the target page after successful login.
Thank you.
weblogic will automaticly redirect to the requested page. In the web.xml is defined with resources are protected by the form-login (as it is called). So just request the first page and you will be presented with the login. After an successfull login you will be redirected to the original requested page.
You'll see something similar to this in your web.xml (the "myRoleName" will be replaced by the sercurity role as defined in your Webloggic Server Console under Security > Realms > myreal > Groups). If you have multiple roles, this will differ slightly.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/flows/*</url-pattern>
<url-pattern>Controller.jpf</url-pattern>
<http-method>GET</http-method>
<http-method>Post</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myRoleName</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>fail_login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
Only role for the Application
</description>
<role-name>myRoleName</role-name>
</security-role>