I am working on a Java EE 7 tutorial; currently I am trying to establish a security domain using WildFly 8.2.0. These are the settings I use:
jboss-web.xml:
<jboss-web>
    <security-domain>my-aktion</security-domain>
</jboss-web>
The part of standalone.xml that handles this security-domain:
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <login-module code="RealmDirect" flag="required">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="jboss-web-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
        <security-domain name="jboss-ejb-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
        <security-domain name="my-aktion" cache-type="default">
            <authentication>
                <login-module code="Database" flag="required">
                    <module-option name="dsJndiName" value="java:jboss/datasources/MyAktionDS"/>
                    <module-option name="principalsQuery" value="select password from organizer where email=?"/>
                    <module-option name="rolesQuery" value="select 'Organizer','Roles' from organizer where email=?"/>
                    <module-option name="hashAlgorithm" value="SHA-256" />
                    <module-option name="hashEncoding" value="hex" />
                    <module-option name="hashCharset" value="UTF-8" />
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
And that's the error I get when I try to deploy:
> "JBAS014771: Services with missing/unavailable dependencies" => [
> "jboss.deployment.unit.\"my-aktion.war\".component.DonationServiceBean.CREATE
> is missing [jboss.security.security-domain.my-aktion]",
> "jboss.deployment.unit.\"my-aktion.war\".component.CampaignServiceBean.CREATE
> is missing [jboss.security.security-domain.my-aktion]",
> "jboss.undertow.deployment.default-server.default-host./my-aktion.UndertowDeploymentInfoService
> is missing [jboss.security.security-domain.my-aktion]" ]}
I can't make heads or tails of this error message, but it seems to be something I did wrong with the my-aktion security domain; maybe someone has a hint. In any case, I tried deleting jboss-web.xml: the application deploys fine, but I can't log in, probably because the queries handling the login are in the "my-aktion" security-domain. Probably a newbie error here, but I just can't find it.
EDIT: By the way, just in case it matters: the two beans mentioned in the error are annotated @Stateless and I have no beans.xml.
EDIT2: I solved the problem, but I still don't know what caused it. The solution: I deleted myaktion-ds.xml, which contained the registration of my datasource, and moved its content to a tag in my standalone.xml. Now everything works, although why it does is beyond me.
I'll leave this question here for a couple of days, just in case someone can enlighten me.
I'm working on the same tutorial and had the same problem. It took me hours, but I finally found a solution that worked for me:
It seems that the deployment process triggered by my IDE (NetBeans) is configured by standalone-full.xml and not by standalone.xml.
After editing both XML files, everything worked fine for me.
We have a website that is protected with Forms Authentication in IIS. We would like to make one page in this website accessible to everyone without any authentication.
All the resources I saw mention using the tag, but it's not working for us for some reason.
web.config:
<configuration>
    <location path="public.htm">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <system.web>
        <authentication mode="Forms" >
            <forms loginUrl="UserLogin.aspx" />
        </authentication>
        <authorization>
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>
Both public.htm and UserLogin.aspx are in the same folder. When we browse public.htm, we get 401.2.
If I disable Forms Authentication, public.htm is accessible.
UPDATE (5/21):
Disabled Forms Authentication in the location, but still getting the 401.2 error.
<configuration>
    <location path="public.htm">
        <system.web>
            <authentication mode="None" />
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <system.web>
        <authentication mode="Forms" >
            <forms loginUrl="UserLogin.aspx" />
        </authentication>
        <authorization>
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>
It sounds just like your anonymous authentication has been disabled or your current login user doesn't have permission to view public.htm.
If you are hosting it in VS, please ensure "Enable anonymous authentication" has been selected and your current logon user has permission to access the htm file.
If you are hosting it in IIS, please ensure anonymous authentication has been enabled and the authorization rule looks just like
<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>
The authentication in applicationhost.config would look like
<location path="Sitename">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>
And the authorization rule for public.htm would be:
<location path="public.htm">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
Please remember to grant IUSR read permission to access public.htm.
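To make the rule semantics in this thread concrete, here is an added example (not code from the question or the answer) that evaluates ASP.NET URL authorization rules the way the UrlAuthorizationModule does: the rules of a matching `<location>` are consulted first, then the site-wide `<system.web>` rules, and the first rule that matches the request decides; `*` matches everyone and `?` matches only the anonymous user. The two web.config documents are constructed from the question's configuration and the answer's `deny ?` / `allow *` pair. It models only the ASP.NET layer: if IIS anonymous authentication is disabled, the 401.2 the question reports is produced by IIS before any of these rules run, which is the point the answer makes.

```python
import xml.etree.ElementTree as ET

# Constructed for this example from the web.config in the question:
# a <location> that opens public.htm, and a site-wide deny for everyone.
QUESTION_CONFIG = """<configuration>
  <location path="public.htm">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

# The rule pair recommended in the answer: anonymous out, everyone else in.
ANSWER_CONFIG = QUESTION_CONFIG.replace(
    '<deny users="*" />', '<deny users="?" />\n      <allow users="*" />')

ANONYMOUS = None  # how an unauthenticated request is represented below


def _child(element, tag):
    """Direct child lookup that tolerates tag names with dots (system.web)."""
    for child in element:
        if child.tag == tag:
            return child
    return None


def _rules(system_web):
    """(verb, users, roles) tuples of one <authorization> block, in order."""
    auth = _child(system_web, "authorization") if system_web is not None else None
    rules = []
    for rule in (auth if auth is not None else []):
        if rule.tag in ("allow", "deny"):
            users = {u.strip() for u in rule.get("users", "").split(",") if u.strip()}
            roles = {r.strip() for r in rule.get("roles", "").split(",") if r.strip()}
            rules.append((rule.tag, users, roles))
    return rules


def rule_chain(config_xml, path):
    """Rules that govern `path`: the matching <location> first (most
    specific), then the site-wide <system.web>, as ASP.NET merges them.
    Location paths are compared case-insensitively, as IIS/ASP.NET do."""
    root = ET.fromstring(config_xml)
    chain = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == path.lower():
            chain += _rules(_child(loc, "system.web"))
    chain += _rules(_child(root, "system.web"))
    return chain


def _matches(users, roles, user, user_roles):
    if "*" in users:                 # '*' is everybody
        return True
    if user is ANONYMOUS:
        return "?" in users          # '?' is only the anonymous user
    return user in users or bool(roles & user_roles)


def is_authorized(config_xml, path, user=ANONYMOUS, user_roles=()):
    """First matching rule decides; with no match at all, ASP.NET's implicit
    root rule (allow users="*") applies."""
    for verb, users, roles in rule_chain(config_xml, path):
        if _matches(users, roles, user, frozenset(user_roles)):
            return verb == "allow"
    return True
```

Running `is_authorized(QUESTION_CONFIG, "public.htm")` returns True, so the question's `<location>` override is fine at the ASP.NET layer; the same call for any other page returns False for anonymous and authenticated users alike, because `deny users="*"` matches everyone. With the answer's rules, anonymous requests are denied and any authenticated user is allowed.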
I have a running WCF web role on Azure (not ASP.NET hosted!). I've seen many tutorials, tried many of them, and saw many SO questions - none of them seem to match my specific situation:
I'm able to connect with RDP
I see the MSVSMON.exe process in the host
I can attach to any process via VS2013-Update4 Server Explorer -> Instance -> Attach Debugger... (which process is the host, btw?)
The service works: tested with unit-test with the remote service reference
Disabled firewall - still no luck
I currently use Azure SDK 2.5
But when I try to Step Into from my unit-test, it says A remote operation is taking longer than expected and then: Unable to automatically step into the server. Connecting to the server machine '*.cloudapp.net' failed. The Microsoft Visual Studio Remote Debugging Monitor (MSVSMON.EXE) does not appear to be running on the remote computer. This may be because a firewall is preventing communication to the remote computer. Please see Help for assistance on configuring remote debugging.
What am I missing?
The csdef file:
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="MyServiceWebRole.Azure" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2014-06.2.4">
    <WebRole name="MyServiceWebRole" vmsize="Small">
        <Sites>
            <Site name="Web">
                <Bindings>
                    <Binding name="Endpoint1" endpointName="Endpoint1" />
                </Bindings>
            </Site>
        </Sites>
        <Endpoints>
            <InputEndpoint name="Endpoint1" protocol="http" port="80" />
        </Endpoints>
        <ConfigurationSettings>
            <Setting name="Variable_1" />
            <!-- ... -->
            <Setting name="Variable_N" />
        </ConfigurationSettings>
        <Imports>
            <Import moduleName="RemoteAccess" />
            <Import moduleName="RemoteForwarder" />
        </Imports>
    </WebRole>
</ServiceDefinition>
The Cloud.cscfg file:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="MyServiceWebRole.Azure" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2014-06.2.4">
    <Role name="MyServiceWebRole">
        <Instances count="1" />
        <ConfigurationSettings>
            <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
            <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="***" />
            <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="***" />
            <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="2016-10-01T23:59:59.0000000+03:00" />
            <Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" />
            <Setting name="Variable_1" value="Variable_1_Value=" />
            <!-- ... -->
            <Setting name="Variable_N" value="Variable_N_Value" />
        </ConfigurationSettings>
        <Certificates>
            <Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="***" thumbprintAlgorithm="sha1" />
        </Certificates>
    </Role>
</ServiceConfiguration>
I have followed this article, Using IdSrv2 as IP-STS with membership store, and it works fine on my first client app with returnurl abc.com/a.aspx in one of the Relying Parties & Resources.
For my scenario I just want to use an Identity Provider I created. This is because I don't want to show all of the identity providers that I created in the HRD page; I just want to show my IDP and the other identity services from social networks (Facebook, Google+, etc.).
But it always returns to abc.com/a.aspx when I log in to my second client app. Is there any solution to my problem?
I have created the setup that I believe you are trying to achieve. So I have Portal1 and Portal2. Both portals are set to authenticate users against idsrv2 (thinktecture identityserver) and are set to use HRD. Idsrv2 is set to delegate authentication of users through HRD to idsrv (thinktecture identityserver).
The configuration of Portal1 web.config (only the important part) is
<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="https://localhost/Portal1/" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://idsrv2">
                <keys>
                    <add thumbprint="BCD339ECD62BC50DEDA3B54D2236D12AE1217687" />
                </keys>
                <validIssuers>
                    <add name="http://idsrv2" />
                </validIssuers>
            </authority>
        </issuerNameRegistry>
        <!--certificationValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="false" />
        <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/idsrv2/issue/hrd" realm="https://localhost/Portal1/" requireHttps="false" />
    </federationConfiguration>
</system.identityModel.services>
And configuration of Portal2 (also important parts only) is:
<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="https://localhost/Portal2/" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://idsrv2">
                <keys>
                    <add thumbprint="BCD339ECD62BC50DEDA3B54D2236D12AE1217687" />
                </keys>
                <validIssuers>
                    <add name="http://idsrv2" />
                </validIssuers>
            </authority>
        </issuerNameRegistry>
        <!--certificationValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="false" />
        <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/idsrv2/issue/hrd" realm="https://localhost/Portal2/" requireHttps="false" />
    </federationConfiguration>
</system.identityModel.services>
Now, configuration of idsrv (the parts I believe are important):
And finally the configuration of idsrv2:
And last, the network flow when authenticating on Portal1:
I'm trying to protect my administration area, which is under domain.com/edit/, with a Realm and JDBC. I have done this on my development machine on GlassFish 4. But I can't get this working on OpenShift/JBoss.
What I've done:
myproject.openshift\config\standalone.xml
[...]
<management>
    <security-realms>
        <security-realm name="managementSecurityRealm">
            <authentication>
                <jaas name="loginRealm" />
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="managementSecurityRealm">
            <socket-binding native="management-native" />
        </native-interface>
        <http-interface security-realm="managementSecurityRealm">
            <socket-binding http="management-http" />
        </http-interface>
    </management-interfaces>
</management>
[...]
<security-domains>
    <security-domain name="loginRealm">
        <authentication>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName"
                    value="java:jboss/datasources/MysqlDS" />
                <module-option name="principalsQuery"
                    value="select PASSWORD from c_user where EMAIL=?" />
                <module-option name="rolesQuery"
                    value="select groups_ROLENAME, 'Roles' from c_user_c_user_role where User_EMAIL=?" />
                <module-option name="hashAlgorithm" value="SHA-256" />
            </login-module>
        </authentication>
    </security-domain>
[...]
myproject\src\main\webapp\WEB-INF\jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/loginRealm</security-domain>
</jboss-web>
And at last, my myproject\src\main\webapp\WEB-INF\web.xml:
[...]
<security-constraint>
    <display-name>administration-constraint</display-name>
    <web-resource-collection>
        <web-resource-name>administration</web-resource-name>
        <description>authorisation area</description>
        <url-pattern>/edit/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>headchef</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>loginRealm</realm-name>
    <form-login-config>
        <form-login-page>/viewLogin.jsf</form-login-page>
        <form-error-page>/viewError.jsf</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>Administrator</description>
    <role-name>headchef</role-name>
</security-role>
<security-role>
    <description>normal user which can create recipes</description>
    <role-name>cook</role-name>
</security-role>
[...]
For example, when I call the URL http://myproject-namespace.rhcloud.com/edit/somepages
I can access it directly. The login page is not displayed! If I access the login page viewLogin.jsf directly and try to log in, JBoss tells me "javax.servlet.ServletException: No authenticator available for programmatic login."
I don't know what I did wrong. Why am I able to access the administration area without logging in, and why do I get this exception? And last of all, I'm generating my password hashes with
Hashing.sha256().hashString(password, com.google.common.base.Charsets.UTF_8).toString();
Is it possible to set the encoding for the password algorithm function?
I appreciate any help.
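The Database login module used in both this question and the WildFly question at the top of the page hashes the submitted password itself and compares the result with the string returned by principalsQuery, so what the application stores has to be produced with exactly the options the module is given: the first configuration on the page sets hashAlgorithm SHA-256, hashEncoding hex and hashCharset UTF-8, the second sets only hashAlgorithm. The following is an added example that is not code from either thread or from PicketBox; it emulates that flow against an in-memory SQLite table (constructed here, shaped like the organizer table behind the first configuration's queries) so the round trip from storing a hash to a successful login and role lookup can be run locally. The hex digest it produces is lowercase, which is also what the Guava call quoted above returns.

```python
import base64
import hashlib
import hmac
import sqlite3

# Constructed for this example: a table shaped like the one behind the two
# Database login-module configs on this page, i.e. the queries
#   principalsQuery: select password from organizer where email=?
#   rolesQuery:      select 'Organizer','Roles' from organizer where email=?
SCHEMA = "create table organizer (email text primary key, password text not null)"


def hash_password(password, algorithm="SHA-256", encoding="hex", charset="UTF-8"):
    """Digest of the submitted password the way the module options
    hashAlgorithm / hashEncoding / hashCharset describe it. Hex is emitted in
    lowercase, which is also what Guava's
    Hashing.sha256().hashString(password, UTF_8).toString() produces."""
    digest = hashlib.new(algorithm.replace("-", "").lower(),
                         password.encode(charset)).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError("unsupported hashEncoding: " + encoding)


def open_store():
    """In-memory stand-in for the datasource behind dsJndiName."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def register(conn, email, password):
    """What the application has to persist for the module's lookup to match:
    the same digest, in the same encoding, that hash_password() computes."""
    conn.execute("insert into organizer (email, password) values (?, ?)",
                 (email, hash_password(password)))
    conn.commit()


def authenticate(conn, email, password):
    """Emulates the login module: run principalsQuery with the login name,
    hash what the user typed identically, compare the two strings."""
    row = conn.execute("select password from organizer where email=?",
                       (email,)).fetchone()
    if row is None:
        return False  # no such principal: login fails
    return hmac.compare_digest(row[0], hash_password(password))


def roles(conn, email):
    """Run rolesQuery; rows whose second column is 'Roles' feed the Roles
    group that web.xml's <auth-constraint> role names are checked against."""
    rows = conn.execute("select 'Organizer','Roles' from organizer where email=?",
                        (email,))
    return [name for name, group in rows if group == "Roles"]
```

Two practical notes. The module compares the two hex strings as plain strings, so a stored uppercase hex digest does not match a lowercase one unless the module's ignorePasswordCase option is set; storing the value exactly as `hash_password` emits it avoids the problem. And an unsalted, single-round SHA-256 of the password, which is what these options describe, is fast to brute-force if the table leaks, so treat the organizer table with the same care as the passwords themselves.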
I'm running JBoss AS 7 in domain mode. When I applied the changes to host.xml, I received the following errors.
[Host Controller] Message: JBAS014789: Unexpected element '{urn:jboss:domain:1.2}socket-binding' encountered
I followed this reference guide.
https://community.jboss.org/wiki/SecuringAdministrationConsoleWithHttps
host.xml
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
            </authentication>
            <server-identities>
                <ssl>
                    <keystore path=".keystore" relative-to="jboss.home.dir" password="changeit"/>
                </ssl>
            </server-identities>
        </security-realm>
        <security-realm name="ApplicationRealm">
            <authentication>
                <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket interface="management" port="${jboss.management.native.port:9999}"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm">
            <socket interface="management" port="${jboss.management.http.port:9990}"/>
            <socket-binding https="management-https"/>
        </http-interface>
    </management-interfaces>
</management>
Thanks!
Make correct changes in configuration file on particular row and column as shown in stack trace ParseError at [row,col]:[x,y]
I have been dealing with the same issue, and it's tricky for a number of reasons. I've listed the changes to standalone.xml that got me going. It goes without saying that you need to build a keystore to reference.
The most problematic part of this configuration is that the <ssl> element in management.security-realms.security-realm uses a different syntax than the <ssl> element in <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">. I've listed both elements here to show the contrast. You don't actually need to configure SSL for web services to secure your console; I added the extra detail to show how they differ.
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <server-identities>
                <ssl protocol="TLS">
                    <keystore path="/my/path/to/certs/my_cert.jks" keystore-password="mypass"/>
                </ssl>
            </server-identities>
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm">
            <socket-binding http="management-console-https"/>
        </http-interface>
    </management-interfaces>
</management>
.
.
.
<profile>
.
.
.
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
        <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
            <ssl password="mypass" certificate-key-file="/my/path/to/certs/my_cert.jks" protocol="TLSv1" verify-client="false" certificate-file="/my/path/to/certs/my_cert.jks"/>
        </connector>
        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="localhost"/>
            <alias name="example.com"/>
        </virtual-server>
    </subsystem>
.
.
.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
.
.
.
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-console-https" interface="management" port="${jboss.management.console.https.port:9991}"/>
Also, since you won't be using it, remove the old socket-binding:
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
I hope that this helps.
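Both the question's JBAS014789 parse error and the answer's reshuffled socket bindings are consistency problems in the management section that are easier to catch before the server is restarted. The following is an added example, not code from the thread or from JBoss, that lints that section: it checks that every interface's security-realm and socket-binding reference is declared, flags `<socket-binding>` inside management-interfaces when the document is a host.xml (domain mode uses `<socket interface= port=/>` there, which is what the question's error reflects), and checks that an `<ssl>` server identity in the realm is paired with an `https` binding on the http-interface, since that attribute is what makes the interface use the identity. The two documents are constructed here: the answer's standalone.xml fragments joined under a `<server>` root with the elided sections dropped, and the question's host.xml under a `<host>` root. Namespace prefixes are stripped so the same function works on a real configuration file.

```python
import xml.etree.ElementTree as ET

# Constructed for this example: the answer's standalone.xml fragments joined
# into one document under a <server> root (elided sections omitted).
ANSWER_STANDALONE = """<server>
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities>
          <ssl protocol="TLS">
            <keystore path="/my/path/to/certs/my_cert.jks" keystore-password="mypass"/>
          </ssl>
        </server-identities>
        <authentication>
          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
      </native-interface>
      <http-interface security-realm="ManagementRealm">
        <socket-binding http="management-console-https"/>
      </http-interface>
    </management-interfaces>
  </management>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="management-native" interface="management" port="9999"/>
    <socket-binding name="management-console-https" interface="management" port="9991"/>
  </socket-binding-group>
</server>"""

# Same document with the binding declared as https, the attribute that makes
# the http-interface use the realm's <ssl> identity.
ANSWER_WITH_TLS = ANSWER_STANDALONE.replace(
    'http="management-console-https"', 'https="management-console-https"')

# Constructed from the question's host.xml, wrapped in a <host> root.
QUESTION_HOST = """<host>
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities>
          <ssl>
            <keystore path=".keystore" relative-to="jboss.home.dir" password="changeit"/>
          </ssl>
        </server-identities>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <http-interface security-realm="ManagementRealm">
        <socket interface="management" port="9990"/>
        <socket-binding https="management-https"/>
      </http-interface>
    </management-interfaces>
  </management>
</host>"""


def _strip_ns(root):
    """Drop {urn:jboss:domain:...} prefixes so a real file parses the same."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def check_management(xml_text):
    """Return a list of findings; an empty list means the management section
    is internally consistent."""
    root = _strip_ns(ET.fromstring(xml_text))
    realms = {r.get("name"): r for r in root.iter("security-realm")}
    declared = {b.get("name") for b in root.iter("socket-binding") if b.get("name")}
    findings = []
    for block in root.iter("management-interfaces"):
        for itf in block:
            realm = realms.get(itf.get("security-realm"))
            if realm is None:
                findings.append(f"{itf.tag}: security-realm "
                                f"{itf.get('security-realm')!r} is not declared")
            for child in itf:
                if child.tag != "socket-binding":
                    continue
                if root.tag == "host":  # domain mode: host.xml takes <socket> here
                    findings.append(f"{itf.tag}: <socket-binding> is not valid in "
                                    "host.xml, use <socket interface=... port=.../>")
                    continue
                for attr in ("http", "https", "native"):
                    name = child.get(attr)
                    if name is not None and name not in declared:
                        findings.append(f"{itf.tag}: {attr}={name!r} names no "
                                        "socket-binding in any socket-binding-group")
            if itf.tag != "http-interface" or realm is None:
                continue
            wants_tls = any(c.tag == "socket-binding" and c.get("https") for c in itf)
            has_ssl_identity = realm.find("server-identities/ssl") is not None
            if wants_tls and not has_ssl_identity:
                findings.append("http-interface: https binding but the realm has "
                                "no <server-identities><ssl> keystore")
            if has_ssl_identity and not wants_tls:
                findings.append("http-interface: realm carries an <ssl> identity but "
                                "no https socket-binding, so the console is still "
                                "served over plain HTTP")
    return findings
```

Run over the answer's fragments as assembled here, the check reports one finding: the realm carries the keystore, but the interface only declares `http="management-console-https"`, so the port named "https" is still served in clear text; declaring it as `https=` (the form the question's host.xml and the linked wiki use) clears the finding. Run over the question's host.xml it reports the `<socket-binding>` element that the JBAS014789 message rejects.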