On the same server, I need to deploy two versions of the same webapp (one for production and another for validation).
These two webapps use authentication with different databases.
I am struggling with the implementation of two different contexts for the two apps.
I have implemented the following code in server.xml but the authentication doesn't work anymore:
<Context path="http://localhost:8080/myapp1" docBase="/path/webapps/myapp1.war" debug="0" privileged="true">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver" digest="MD5"
connectionURL="jdbc:postgresql://localhost/postgres_prod?user=postgres&password=postgres"
userTable="utilisateurs" userNameCol="login" userCredCol="password"
userRoleTable="user_roles" roleNameCol="role_name" resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
</Context>
<Context path="http://localhost:8080/myapp2" docBase="/path/webapps/myapp2.war" debug="0" privileged="true">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver" digest="MD5"
connectionURL="jdbc:postgresql://localhost/postgres_val?user=postgres&password=postgres"
userTable="utilisateurs" userNameCol="login" userCredCol="password"
userRoleTable="user_roles" roleNameCol="role_name" resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
</Context>
I don't understand if I need to change something else in web.xml or tomcat-users.xml.
The authentication works when I test it with just one app (when I don't need a context tag).
Thank you in advance for your help!
I moved the content of the two Context tags into the context.xml file of the two applications.
Another resolved problem: with this part of the code in the server.xml I was not able to log in as the tomcat manager.
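A small audit for Context definitions like the ones in this thread, as an added example that is not part of the original posts: it flags a `path` that is a URL instead of an empty string or a `/`-prefixed path, a weak realm `digest`, and a database password carried in `connectionURL`. The sample XML is constructed from the question's snippet, and the function name `audit_contexts` is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's server.xml. The '&' in the
# JDBC URL is written '&amp;' so the fragment is well-formed XML.
SAMPLE = """<Host name="localhost">
  <Context path="http://localhost:8080/myapp1" docBase="/path/webapps/myapp1.war">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="org.postgresql.Driver" digest="MD5"
             connectionURL="jdbc:postgresql://localhost/postgres_prod?user=postgres&amp;password=postgres"
             userTable="utilisateurs" userNameCol="login" userCredCol="password"
             userRoleTable="user_roles" roleNameCol="role_name"/>
    </Realm>
  </Context>
  <Context path="/myapp2" docBase="/path/webapps/myapp2.war"/>
</Host>"""

WEAK_DIGESTS = {"MD5", "SHA", "SHA-1", "SHA1"}


def audit_contexts(xml_text):
    """Return (context path, finding) pairs for every <Context> in xml_text."""
    findings = []
    for ctx in ET.fromstring(xml_text).iter("Context"):
        path = ctx.get("path", "")
        # Tomcat expects "" (root application) or a path starting with "/".
        if path and not path.startswith("/"):
            findings.append((path, "path must be empty or start with '/'"))
        # iter() also visits realms nested inside a LockOutRealm.
        for realm in ctx.iter("Realm"):
            digest = realm.get("digest", "")
            if digest.upper() in WEAK_DIGESTS:
                findings.append((path, "weak credential digest " + digest))
            url = realm.get("connectionURL", "")
            if re.search(r"[?&;]password=", url, re.I):
                findings.append((path, "database password embedded in connectionURL"))
    return findings


if __name__ == "__main__":
    for ctx_path, finding in audit_contexts(SAMPLE):
        print(ctx_path, "->", finding)
```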
I am trying to get a simple example of Virtual Topics working but I am failing miserably.
From what I have read the documentation may be incorrect on the activemq site.
My C# is as follows:
I have a consumer connect to queue://Consumer.A.VirtualTopic.FOO
I have a producer connect to topic://VirtualTopic.FOO
The producer publishes a message
My server config is as follows:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<broker xmlns="http://activemq.apache.org/schema/activemq/apollo">
<notes>
The default configuration with tls/ssl enabled.
</notes>
<log_category console="console" security="security" connection="connection" audit="audit"/>
<authentication domain="apollo"/>
<!-- Give admins full access -->
<access_rule allow="admins" action="*"/>
<access_rule allow="*" action="connect" kind="connector"/>
<virtual_host id="mybroker">
<!--
You should add all the host names that this virtual host is known as
to properly support the STOMP 1.1 virtual host feature.
-->
<host_name>mybroker</host_name>
<host_name>localhost</host_name>
<host_name>127.0.0.1</host_name>
<!-- Uncomment to disable security for the virtual host -->
<!-- <authentication enabled="false"/> -->
<!-- Uncomment to disable security for the virtual host -->
<!-- <authentication enabled="false"/> -->
<access_rule allow="users" action="connect create destroy send receive consume"/>
<!-- You can delete this element if you want to disable persistence for this virtual host -->
<leveldb_store directory="${apollo.base}/data"/>
</virtual_host>
<web_admin bind="http://127.0.0.1:61680"/>
<web_admin bind="https://127.0.0.1:61681"/>
<connector id="tcp" bind="tcp://0.0.0.0:61613" connection_limit="2000"/>
<connector id="tls" bind="tls://0.0.0.0:61614" connection_limit="2000"/>
<connector id="ws" bind="ws://0.0.0.0:61623" connection_limit="2000"/>
<connector id="wss" bind="wss://0.0.0.0:61624" connection_limit="2000"/>
<key_storage file="${apollo.base}/etc/keystore" password="password" key_password="password"/>
<destinationInterceptors>
<virtualDestinationInterceptor>
<virtualDestinations>
<virtualTopic name="VirtualTopic.>" prefix="Consumer.*."/>
</virtualDestinations>
</virtualDestinationInterceptor>
</destinationInterceptors>
</broker>
Any help would be greatly appreciated
I made a mistake. I am using activemq apollo which is different from activemq. The configurations are different but the server does not complain if you give it bogus configs. The apollo configs are documented here: https://activemq.apache.org/apollo/documentation/user-manual.html. I needed to add a element with mirrored option set to true in the element.
What is ClassName used for in the following?
<realms>
<realm name="CustomDeviceProvisioningRealm" loginModule="CustomDeviceProvisioningLoginModule">
<className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
<parameter name="validate-csr-function" value="ProvisioningAdapter.validateCSR" />
</realm>
Can I put more than one className in the same realm?
How can I merge a realm used for authentication with the realm used for Device provisioning?
For example: merging the one at the top with this one:
<realm loginModule="BankingLoginModule" name="MobileBankingRealm">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="AuthenticationAdapter.onAuthRequired" />
<parameter name="logout-function" value="AuthenticationAdapter.onLogout" />
</realm>
And how will this reflect on the Mobile Security test?
The classname element designates which Java class implements the authenticator and/or login module.
There cannot be more than 1 per realm/login module.
The mentioned class names in your question are the default ones provided by Worklight.
These are public classes that can be extended, which may be what you're looking for, instead of "merging".
You can also create your own that implement WorklightAuthenticator and WorklightLoginModule interfaces.
I have a question: can we use the security tests in an external application (war) that gets deployed in a WebSphere Liberty profile server? If yes, then how to configure the same? The security test will be independent of the Worklight application and that of the external application.
What exactly are you talking about? Your scenario is not clear to me.
Worklight security tests are meant to be configured in the Worklight project's authenticationConfig.xml and to then be used to protect adapter procedures in the adapter XML file and/or applications in application-descriptor.xml; they are not meant to be used in any other context.
Your question is not clear.
I believe you want to protect your Worklight console (war) with a security test, and it is possible. You can protect your console with a username and password (possible to use plain text or encrypted). For more info see this
To enable the security test you need to edit your authenticationConfig.xml with the following code.
<staticResources>
<resource id="worklightConsole" securityTest="WorklightConsole">
<urlPatterns>/console*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="WorklightConsole">
<test realm="WorklightConsole" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="requireLogin" name="WorklightConsole">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<onLoginUrl>/console</onLoginUrl>
</realm>
</realms>
<loginModules>
<loginModule name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
</loginModules>
Is it possible to enable HTTPS protocol for an API on the WSO2 ESB?
https://localhost:8280/api/mySslApi
You can simply call the HTTPS endpoint of the API and it's enabled by default. Note that the HTTPS port is 8243, not 8280.
https://localhost:8243/api/mySslApi
By default it is already enabled that way. If you follow the axis2.xml config, you will find the details below:
1. For HTTP
<transportReceiver name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpListener">
<parameter name="port" locked="false">8280</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<!--parameter name="bind-address" locked="false">hostname or IP address</parameter-->
<!--parameter name="WSDLEPRPrefix" locked="false">https://apachehost:port/somepath</parameter-->
<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.mediation.transport.handlers.PassThroughNHttpGetProcessor</parameter>
<!--<parameter name="priorityConfigFile" locked="false">location of priority configuration file</parameter>-->
</transportReceiver>
2. For HTTPS
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
<parameter name="port" locked="false">8243</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>
Yes, in WSO2 ESB, when we want to secure a REST API, we can simply make it available via HTTPS like below.
<resource uri-template="/view/{symbol}" methods="GET" protocol="https">
And let the security handlers validate the credentials.
<handlers>
<handler class="org.wso2.rest.BasicAuthHandler"/>
</handlers>
For detailed information: https://docs.wso2.com/display/ESB490/Securing+APIs
We currently support BasicAuth/usernametoken secured endpoints via the publisher. You may need to edit the axis2.xml for the "HostnameVerifier" parameter in case of handshake errors. Check the following link for further details.
http://docs.wso2.org/wiki/display/AM131/Adding+an+API
We have an internal Glassfish 3.1 server where we have Jenkins deploy war-artifacts directly without any additional configuration.
This results in numerous rather verbose URLs like
http://xxx:5280/xxx_YYYY-52.20120824.0-SNAPSHOT/
and I would like to write a small ROOT.war (binding to "/") which simply lists all URLs in the current domain - preferably along with the <web-app><description>.... field.
This only needs to work with Glassfish. Is there a simple Glassfish API providing the information I need?
You can parse domain.xml. There is information about deployed apps, context root ... something like this:
<application context-root="/permit-1.0" location="${com.sun.aas.instanceRootURI}/applications/permit-1.0/" name="permit-1.0" object-type="user">
<property name="org.glassfish.ejb.container.application_unique_id" value="88379353331728384" />
<property name="defaultAppName" value="permit-1.0" />
<module name="permit-1.0">
<engine sniffer="ejb" />
<engine sniffer="security" />
<engine sniffer="web" />
</module>
</application>
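One way to do the domain.xml parsing suggested in the answer, as an added example that is not from the original post: it keeps only applications that have a `web` sniffer and a `context-root`, builds their URLs, and HTML-escapes names and links before rendering an index. The sample document is constructed around the `<application>` element quoted above; `base_url`, `list_web_apps` and `render_index` are hypothetical names.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: the first <application> follows the answer's snippet,
# the second (EJB-only, no context-root) is made up for contrast.
SAMPLE_DOMAIN = """<domain>
  <applications>
    <application context-root="/permit-1.0" name="permit-1.0" object-type="user"
                 location="${com.sun.aas.instanceRootURI}/applications/permit-1.0/">
      <property name="defaultAppName" value="permit-1.0"/>
      <module name="permit-1.0">
        <engine sniffer="ejb"/>
        <engine sniffer="security"/>
        <engine sniffer="web"/>
      </module>
    </application>
    <application name="batch-jobs" object-type="user"
                 location="${com.sun.aas.instanceRootURI}/applications/batch-jobs/">
      <module name="batch-jobs"><engine sniffer="ejb"/></module>
    </application>
  </applications>
</domain>"""


def list_web_apps(domain_xml, base_url="http://localhost:8080"):
    """Return sorted (name, url) pairs for applications served over HTTP."""
    apps = []
    for app in ET.fromstring(domain_xml).iter("application"):
        sniffers = {e.get("sniffer") for e in app.iter("engine")}
        root = app.get("context-root")
        if "web" not in sniffers or root is None:
            continue  # no web module, so nothing to link to
        url = base_url.rstrip("/") + "/" + root.strip("/") + "/"
        apps.append((app.get("name"), url))
    return sorted(apps)


def render_index(apps):
    """Render the pairs as an HTML list, escaping names and URLs."""
    items = [
        '<li><a href="%s">%s</a></li>' % (html.escape(url, quote=True), html.escape(name))
        for name, url in apps
    ]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


if __name__ == "__main__":
    print(render_index(list_web_apps(SAMPLE_DOMAIN)))
```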