I have the following code in a web service deployed on WebLogic 12.2.1. It will retrieve the keystore file name and password from WebLogic configuration.
InitialContext ic = new InitialContext();
MBeanServer server = (MBeanServer) ic.lookup("java:comp/env/jmx/runtime");
ObjectName runtime = new ObjectName("com.bea:Name=MLMAppSrv01,Type=Server");
Object keyStoreFileName = server.getAttribute(runtime, "CustomIdentityKeyStoreFileName");
Object keyStorePassPhrase = server.getAttribute(runtime, "CustomIdentityKeyStorePassPhrase");
It is able to retrieve the keystore file name, but when it tries to retrieve the password, the following exception is thrown.
[Management:141302]Access not allowed for Subject: principals=[], on resource Server, action: read, target CustomIdentityKeyStorePassPhrase.
Under the domain's security, I have already enabled "Clear Text Credential Access Enabled".
What else could be wrong?
Thanks in advance.
You are not passing any Username in your code. With weblogic user or some other admin user you should retrieve the password. Otherwise it will not allow you to access the password.
If you want to use some other user than weblogic then make sure that you add that user to Administrator group.
You can pass the credentials as given in below sample code.
Hashtable properties = new Hashtable();
properties.put(Context.INITIAL_CONTEXT_FACTORY,
"weblogic.jndi.WLInitialContextFactory");
// NOTE: The port number of the server is provided in the next line,
// followed by the userid and password on the next two lines.
properties.put(Context.PROVIDER_URL, "t3://localhost:9001");
properties.put(Context.SECURITY_PRINCIPAL, "weblogic");
properties.put(Context.SECURITY_CREDENTIALS, "welcome1");
try {
ctx = new InitialContext(properties);
} catch (NamingException ne) {
ne.printStackTrace(System.err);
System.exit(0);
}
I think you are not authenticated and therefore get no access to restricted ressources. Add the annotation #RunAs("WEBLOGIC") to your class and configure it in the WEB-INF/weblogic-ejb-jar.xml
(Where WEBLOGIC is the name of a user with administrator rights in the Weblogic console, the default Admin Account is even named weblogic)
Your class should look like this:
#Stateless
#RunAs("WEBLOGIC")
public class SomeService {
// ...
}
Contents of the weblogic-ejb-jar.xml
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-ejb-jar>
<run-as-role-assignment>
<role-name>WEBLOGIC</role-name>
<run-as-principal-name>weblogic</run-as-principal-name>
</run-as-role-assignment>
</weblogic-ejb-jar>
I have a similar case, which my jersey code needs to get the keys from the keystore programmatically in WLS. No EJB settings are required. You just need to define the web.xml and weblogic.xml properly.
web.xml:
<servlet>
<servlet-name>{jersey webservice class}</servlet-name>
<run-as>
<role-name>admRole</role-name>
</run-as>
</servlet>
<security-role>
<role-name>admRole</role-name>
</security-role>
weblogic.xml:
<run-as-role-assignment>
<role-name>admRole</role-name>
<run-as-principal-name>wlsadm</run-as-principal-name>
</run-as-role-assignment>
Related
I am using the SecretManager tool in aspnetcore to store a connection string during development to keep it out of source control.
This works just fine.
But now I want to publish the app to Azure. When it publishes, there is no connection string in appsettings.json so the app cannot connect to the database.
So how am I supposed to include the connection string?
If I simple add it to appsettings.json, does it not defeat the whole purpose of using the secrets manager? As now I have put a username and password into a document which is under source control.
Is there something I am missing? Am I supposed to FTP to the site and add it there?
You're supposed to put it in the Azure site settings. That's the preferred approach.
If your json looks like this:
{
"ConnectionStrings": {
"Context": "Server=(localdb)\\mssqllocaldb;Database=local-dev;Trusted_Connection=True"
}
}
You create a connection string with the name Context (alternatively a setting with the key ConnectionStrings:Context) and enter your connection string in the apps Application Settings page:
Just make sure you're using environment variables in your Startup:
var builder = new ConfigurationBuilder()
.AddEnvironmentVariables();
When I add a data source that contain the user and password properties in the server.xml in WebSphere Liberty
Example:
<dataSource jdbcDriverRef="db2-driver" type="javax.sql.DataSource">
<properties.db2.jcc user="MyUser" password="MyPassword"
databaseName="dbName" serverName="localhost" portNumber="50000"/>
</dataSource>
I get the following warning in the logs:
J2CA8050I: An authentication alias should be used instead of defining a user name
and password on dataSource[default-0].
Looking at how to do this in Configuring authentication aliases for the Liberty profile I see them put the user and password in another element called authData like this:
<authData id="auth1" user="MyUser" password="MyPassword"/>
I don't get what advantage moving the user name and password from the dataSource element to the authData element is giving me. In both cases the password is showing in plain text in the server.xml file.
WebSphere Liberty uses an adapter to manage it's database connections. By specifying an authentication alias the password used by the adapter will be encrypted. If you do not use an auth alias, the userID and password will get stored without encryption on adapter properties.
Additionally, aliases provide another layer of abstraction since the aliases themselves are a resource. The benefit here is that the alias can be configured independently if the database user/password needs to be changed and there are many datasources configured, they can all point to the same auth data.
Use the securityUtility encode command in the wlp/bin directory to encode the password in your server.xml.
If you add authentication data via WebSphere Developer Tools (WDT), you will be prompted during setting password to encode (xor) /encrypt (aes) it. And it will be saved in server.xml for example like that:
<authData user="user" password="{xor}Lz4sLCgwLTs="></authData>
I have created WCF Data service and put the code like:
public class WcfDataService1 : DataService<myEdmxEntity>
{
public static void InitializeService(DataServiceConfiguration config)
{
myEdmxEntity conn = new myEdmxEntity();
config.SetEntitySetAccessRule("*", EntitySetRights.All);
config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V3;
config.UseVerboseErrors = true;
}
}
then service is successfully created and its accessible using "Content type for an external data source" in SharePoint Provider hosted app.I can browse to the external list and View records and create new records.
However, when i try to update or delete any record, i get the following error:
LobSystem (External System) returned authentication error.
In that case i have provided the full permission to farm user in BCS service as well as provide execute permission to that user in application pool too.
Please help!
Finally resolved my issue, after surfing lots of blogs and found that just uninstallation of "WebDAVAuthoringRules" from IIS is the cure of your problem.
Thanks,
Rishi
I am trying to configure eXist to LDAP to authenticate users and I have checked out the documentation at eXist LDAP Security. Turns out the default configuration only supports three settings:
security.ldap.connection.url (The connection URL of the LDAP server), security.ldap.dn.user(The user list DN), and security.ldap.dn.group (The group list DN).
It doesn't work for my case because the LDAP server does not enable anonymous queries, which means I have to provide the user name/password in order to establish the connection.
Any suggestion on how I could achieve this other than enable anonymous queries on the LDAP server?
Thanks,
Thomas
It seems like you can implement your own context factory and feed it to exist with the security.ldap.contextFactory parameter.
The context factory is the java class used to initialize a connection to the directory. You can implement a context factory that initializes the connection with the ad-hoc credentials.
The idea is to implement a class like this:
public class MyCustomContextFactory implements InitialContextFactory {
public Context getInitialContext(Hashtable env) {
// Fetch the application DN and password somehow (config file...)
String applicationDN = ...;
String password = ...;
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, applicationDN);
env.put(Context.SECURITY_CREDENTIALS, password);
return new InitialDirContext(env);
}
}
You generate a jar file, add it in the classpath of your server, and specify the configuration parameter:
security.ldap.contextFactory = your.java.package.name.MyCustomContextFactory
Context
I have a J2EE application running on a JBoss 4.2.3 application server. The application is reachable through a web interface. The authentication is done with basic authentication. Inside of the EJBs I ask the security context of the bean for the principal (the name of the logged in user) and do some authorization checks if this user is allowed to access this method of the EJB. The EJBs life inside a different ear than the servlets handling the web frontend, so I can't access the spring application context directly.
Required change
I want to switch to Spring Security for handling the user login.
Question
How can I propagate the spring login information to the JBoss security context so I can still use my EJBs without having to rewrite them?
Ideas and links
I already found a page talking about "Propagating Identity from Spring Security to the EJB Layer", but unfortunatelly it refers to an older version of Spring Security (Acegi) and I'm not familiar enough with Spring Security to make this work with the actual version (3.0.2).
Here is something that looks similar using WebLogic.
If you properly configure spring-security (filter in filter chain, security-context.xml),
you may use annotation #Secured, to restrict users with needed user roles. You may use this annotation on class level or/and method level.
If you need to know all authorization info about current user, you may use this helper (i wrote this for my webapp, but it maybe useful for other. MyUserDetails is a service bean, the spring-security's UserDetail descendant.):
public class LoginHelper {
/**
* #return user object if user is authenticated and null if is not
*/
public static User getUser() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null) {
Object principal = authentication.getPrincipal();
if (principal instanceof MyUserDetails) {
return ((MyUserDetails) principal).getUser();
}
}
return null;
}
/**
* Check for authenticated user
*
* #return true if user is authenticated and false if is not
*/
public static boolean isAuthenticated() {
final User user = getUser();
return user != null;
}
}
I have the same issue, and it would be great if someone could think of a better way to integrate Spring Security and a Java EE application with EJBs.
I think you can annotate your classes with your own annotations such as #MyAnnotation("ADMIN"). And then create an interceptor to manually check the beforementioned "LoginHelper" to get the users's privilege and compare with the method's annotation attributes. And throw an exception when the Names don't match.