I need help in configuring GF3.1.2 i have done following changes, please do let me know if i am missing anything important as after changes it is NOT working.
my id is nilesh2811#gmail.com
I could not found any particular thread or answers in forum if any link is there will be helpful.
if you have any document for this please forward.
please do the needful
web.xml
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/faces/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>authorized</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>authorized</role-name>
</security-role>
sun-web.xml
<security-role-mapping>
<role-name>authorized</role-name>
<principal-name>admin</principal-name>
<group-name>authorized</group-name>
</security-role-mapping>
domain.xml
<security-service>
<auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="admin-realm">
<property name="file" value="${com.sun.aas.instanceRoot}/config/admin-keyfile"></property>
<property name="jaas-context" value="fileRealm"></property>
</auth-realm>
<auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="file">
<property name="file" value="${com.sun.aas.instanceRoot}/config/keyfile"></property>
<property name="jaas-context" value="fileRealm"></property>
</auth-realm>
<auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
<property name="assign-groups" value="authorized"></property>
</auth-realm>
The login-config section is incomplete in your web.xml
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
</login-config>
The realm-name content must match the name attribute of auth-realm element in domain.xml, which in your case is "certificate"
[updated]
In addition, the CA certificate must be imported in the server's truststore
${com.sun.aas.instanceRoot}/config/cacerts.jks
Actually I tries on glassfish 3.1.2 and it worked under following conditions:
1.I have to use the same key(trust) store of jks type and in the same location. In order to talk with other certificate formats you have to convert them to format jks format can handle.
2.in a glassfish-web.xml you should have like this mapping
<security-role-mapping>
<role-name>manager</role-name>
<group-name>authorized</group-name>
</security-role-mapping>
3.in a domain.xml file you should have the followings:
<auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
<property name="assign-groups" value="authorized"></property>
</auth-realm>
Note: in web.xml you have to have realm name matching domain.xml file
When anyone will try this first time it will take time for them to understand, withing simple words, both client and server trust-stores should trust each other certificates, first it is better to use Self-signed certificates exchange certificates to server and client, one can use following article for help which has simplified steps. follow article then you can use your own methods certificates which ever u want.
http://www.slideshare.net/krizsan/scdjws-5-study-notes-3085287
SCDJWS 5
or nowadays know as
Oracle Certified Professional,
Java EE 5 Web Services Developer
Study Notes
by
Ivan A Krizsan
Version: February 23, 2012
Set
Client Authentication: true
in http-listener-2.
Related
With WildFly 8.2.1, I am trying to make existing webservice (JAX-WS) use SSL, but I haven't seen any use of SSL in quickstarts and the information I was able to google is limited. So far I've added this to web.xml:
<security-constraint>
<display-name>Foo security</display-name>
<web-resource-collection>
<web-resource-name>FooService</web-resource-name>
<url-pattern>/foo/FooService</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
and this is in my standalone.xml:
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
<endpoint-config name="Standard-Endpoint-Config"/>
<endpoint-config name="Recording-Endpoint-Config">
<pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
<handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
</pre-handler-chain>
</endpoint-config>
<client-config name="Standard-Client-Config"/>
</subsystem>
but apparently that's not enough; when I look into standalone/data/wsdl/foo.ear/foo.war/FooService/Bar.wsdl I see:
<service name="FooService">
<port binding="foowsb:FooBinding" name="FooBinding">
<soap:address location="http://localhost:8080/foo/FooService"/>
</port>
</service>
Note that in the EAR/WAR, the soap:address.location is filled just with a placeholder (I suppose that the value is ignored).
I've found some info about setting up security realm, and creating the self-signed certificate using keytool (which I did), but I completely miss how this should be linked together.
I've also tried to setup wsdl-uri-scheme=https, but this is supported only in later versions of CXF.
Seems that the soap:address.location value is not ignored when it's being replaced, since changing that from REPLACE_WITH_ACTUAL_URL to https://REPLACE_WITH_ACTUAL_URL did the trick - now the service got exposed on https://localhost:8443.
There is a couple of more steps I had to do in standalone.xml: in undertow, add https-listener:
<https-listener name="secure" socket-binding="https" security-realm="SslRealm"/>
define the SslRealm:
<security-realm name="SslRealm">
<server-identities>
<ssl>
<keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="foo1234" alias="foo" key-password="foo1234"/>
</ssl>
</server-identities>
<authentication>
<truststore path="foo.truststore" relative-to="jboss.server.config.dir" keystore-password="foo1234"/>
</authentication>
</security-realm>
Note that I reuse the same keystore for server and clients here. And since my clients are ATM in the same WF node during development, I had to setup the client-side part there, too:
<system-properties>
<property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/foo.keystore"/>
<property name="javax.net.ssl.trustStorePassword" value="foo1234"/>
<property name="org.jboss.security.ignoreHttpsHost" value="true"/>
</system-properties>
The last property should be replaced in WF 9+ with cxf.tls-client.disableCNCheck.
I've enabled the wl anaytics on my environment, (WLP v8,5 and WL6.2) but it's entry point is unprotected.
So I've looked around and found this article.
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.monitor.doc/monitor/t_securing_op_analytics.html
And figured I should be able to protected it with LDAP as well.
However When I follow those steps I can't protect my analytics.
My next step was to go to worklightconsole.war and copy the configuration to have form enabled authentication.
So I've ended up with my web.xml from the analytics.war with the following:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>worklightRealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
I even copied into the WAR the login.html and loginError.html.
However after I uploaded to my apps folder the modified analytics.war it still doesn't ask me for authentication and just pops open.
The configuration I have on server.xml of analytics is:
<application context-root="/analytics"
id="analytics"
location="analytics.war"
name="analytics"
type="war">
<application-bnd>
<security-role name="worklightadmin">
<user name="<someUserOnMyLDAP>"/>
</security-role>
</application-bnd>
<classloader delegation="parentLast"/>
</application>
Does anyone have any clues on what I'm doing wrong?
The security put in place only protects the data entry point which is the endpoint at which the worklight server sends data to the analytics platform. If you wish to also protect the actual console with Basic Auth, then you'll need to modify the server.xml for the WAR file. I think its something along these lines:
<security-constraint>
<web-resource-collection>
<web-resource-name>analytics</web-resource-name>
<url-pattern>/console/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
But I haven't tested this.
I have an annoying error which I can't solve for quite a while. I recently was introduced to container-based security and try to implement it. I have configure the realm as following:
<Realm className="org.apache.catalina.realm.JDBCRealm"
debug="99"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://127.0.0.1:3306/identify"
connectionName="adm" connectionPassword="pw"
userTable="users" userNameCol="login"
userCredCol="password"
allRolesMode="authOnly" />
</Realm>
Unfortunately I can't login with this. The log error messages are:
SEVERE: Exception performing authentication
java.sql.SQLException: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version
for the right syntax to use near 'null WHERE login = 'user1'' at line 1
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2928)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1571)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1666)
at com.mysql.jdbc.Connection.execSQL(Connection.java:2994)
at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:936)
at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:1030)
at org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:640)
at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:430)
at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:355)
at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:282)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:440)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:851)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:278)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:300)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:636)
Please notice the '' around the user name... Is this correct?
As you see I also use allRolesMode="authOnly", because I don't need this functionality and moreover the database doesn't have and won't ever have an additional column for user roles (it is quite pointless if won't use it than every user will have the same value in this column - big waste of recourses.).
The server is Tomcat 7.0.19
You have to set the userRoleTable and roleNameCol properties in case of allRolesMode="authOnly" too. Without them the SQL query will contain the String null (as you can see in the message of the exception). The value of userRoleTable could be the same as the value of userTable, and roleNameCol also could be same as userNameCol.
A simple workaround is creating an SQL view which emulates the roles table:
CREATE VIEW roles (username, role)
AS SELECT username, 'user' FROM users;
And a solution:
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://127.0.0.1:3306/test"
connectionName="..." connectionPassword="..."
userTable="users" userNameCol="username" userCredCol="password"
userRoleTable="users" roleNameCol="username"
/>
(Surprisingly it works without any allRolesMode.)
The required web.xml snippets:
<security-constraint>
<web-resource-collection>
<web-resource-name>protected zone</web-resource-name>
<url-pattern>/prot/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>*</role-name>
</security-role>
(Note: Lets say you have 1 million users, a new attribute in the users table with one million user\0 string would cost only around 5 megabytes. I agree with that this is not a beautiful solution but it's not intolerable big nowadays.)
I have Tomcat 7.0.27.0 with JDK 1.6
I am using tomcat only for Authentication and not for authorization
Following is the setup
context.xml
<Realm className="org.apache.catalina.realm.JDBCRealm"
connectionName="login"
connectionPassword="password"
connectionURL="jdbc:oracle:thin:#127.0.0.1:1521:authdb"
driverName="oracle.jdbc.OracleDriver"
userTable="appusers"
userNameCol="username"
userCredCol="password"
allRolesMode="authOnly"/>
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/modules/*</url-pattern>
<url-pattern>/index.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<!--
security-role>
<role-name>user</role-name>
security-role>
-->
I got it working by removing <security-role> block from web.xml &
putting auth-contraint with role-name as *
If you remove auth-contraint block from security-contraint then web context authentication itself will not be invoked !!
does anyone knows if tomcat is able to password protect file (like apache .htaccess )?
i mean when user request a file from tomcat webapp its prompt a dialogue to enter user-name and password and made this using configuration.
or protect the file depend on its IP address .
hope someone can help me ?
regads
you can set basic authentication in tomcat.
Add your user to tomcat-users.xml. Something like :
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="myname" password="mypassword" roles="tomcat"/>
<user username="test" password="test"/>
</tomcat-users>
And Add configuration to your apps web.xml. like:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/references/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>your-role</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>your-role</role-name>
</security-role>
links to understand more:
http://www.avajava.com/tutorials/lessons/how-do-i-use-basic-authentication-with-tomcat.html
I'm working with a developer here who just inherited an existing site. It is a Weblogic 8.1 website with j_security_check authentication behind an apache reverse proxy. We're getting some issues with the logins, and are not sure about j_security_check config. It seems very black boxy and magicky. How do we get information on how it's configured, specifically how to change the target page after successful login.
Thank you.
weblogic will automaticly redirect to the requested page. In the web.xml is defined with resources are protected by the form-login (as it is called). So just request the first page and you will be presented with the login. After an successfull login you will be redirected to the original requested page.
You'll see something similar to this in your web.xml (the "myRoleName" will be replaced by the sercurity role as defined in your Webloggic Server Console under Security > Realms > myreal > Groups). If you have multiple roles, this will differ slightly.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/flows/*</url-pattern>
<url-pattern>Controller.jpf</url-pattern>
<http-method>GET</http-method>
<http-method>Post</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myRoleName</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>fail_login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
Only role for the Application
</description>
<role-name>myRoleName</role-name>
</security-role>