adding security to embedded jetty - authentication

I have a problem configuring BASIC auth in Jetty.
Here's my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>resources</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
And here's my Java code where I try to add a LoginService:
HashLoginService myrealm = new HashLoginService("MyRealm");
myrealm.setConfig("src/main/resources/jetty-realm.properties");
root.getSecurityHandler().setLoginService(myrealm);
My jetty-realm.properties file has the following user:
user: Lag976JGQdeosfQM,user
I can make a connection but I can't authenticate, and I've been stuck on this for a long time now, so whoever helps me out gets a free digital beer! ;)

OK, so I've found out what I didn't do:
you have to start a LoginService before you can use it, so I changed my Java code to:
HashLoginService myrealm = new HashLoginService("MyRealm");
myrealm.setConfig("src/main/resources/jetty-realm.properties");
myrealm.start();
root.getSecurityHandler().setLoginService(myrealm);
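A complete embedded-Jetty setup for the configuration above, added here as an example (it is not the questioner's code; the WAR path and the Jetty 9 API are assumptions). Registering the LoginService as a server bean lets the server lifecycle start and stop it, which is the step the original code was missing, and the realm file can hold MD5: or OBF: credentials instead of the plain-text password shown in the question.

```java
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.webapp.WebAppContext;

public class SecuredJetty {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // Realm file lines look like "username: password[,role1,role2]".
        // The password field may be "MD5:<hex>" (Credential.MD5.digest(...))
        // or "OBF:..." (Password.obfuscate(...)) instead of clear text.
        HashLoginService loginService = new HashLoginService("MyRealm");
        loginService.setConfig("src/main/resources/jetty-realm.properties");
        // As a server bean the service is started by server.start() and
        // stopped on shutdown; no manual loginService.start() needed.
        server.addBean(loginService);

        // Programmatic twin of the web.xml <security-constraint>: role
        // "user" is required under /resources/*. Drop this mapping if
        // web.xml already carries the constraint, to avoid defining it twice.
        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__BASIC_AUTH);
        constraint.setRoles(new String[] { "user" });
        constraint.setAuthenticate(true);

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/resources/*");
        mapping.setConstraint(constraint);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setAuthenticator(new BasicAuthenticator());
        security.setRealmName("MyRealm");     // must match <realm-name>
        security.addConstraintMapping(mapping);
        security.setLoginService(loginService);

        WebAppContext root = new WebAppContext();
        root.setContextPath("/");
        root.setWar("target/myapp.war");      // assumed WAR location
        root.setSecurityHandler(security);

        server.setHandler(root);
        server.start();
        server.join();
    }
}
```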

Related

How can we provide access for all authenticated users (basic authentication) in WebSphere for any role

For WildFly, any authenticated user can access any protected resource with the following change in web.xml:
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
in the security-constraint, and defining the security role as below:
<security-role>
<role-name>*</role-name>
</security-role>
But the same is not working for WebSphere; it throws an authorisation failed exception. To make it work, the following change is required in the WebSphere Admin Console:
WAS Admin Console -> Applications -> Enterprise Applications -> click the .EAR
Click "Security role to user/group mapping"
Select the roles you wish to use for authentication (in my case it is *, defined in web.xml)
Map special subject to "All authenticated in Application Realm"
How can I skip the Admin Console change to make it work, or is there any other better approach?
What works for me is that I define the following in my web.xml:
<security-role>
<role-name>role1</role-name>
</security-role>
<security-role>
<role-name>role2</role-name>
</security-role>
<security-constraint>
<display-name>All Authenticated</display-name>
<web-resource-collection>
<web-resource-name>
All Authenticated Pages
</web-resource-name>
<url-pattern>/webpage.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
<role-name>role2</role-name>
</auth-constraint>
</security-constraint>
Essentially this defines the roles and then a separate definition for the pages and the roles that will be permitted to access it.
And then I also define an ibm-application-bnd.xml in my EAR File as follows:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
version="1.2">
<security-role name="role1">
<group name="role1" />
</security-role>
<security-role name="role2">
<group name="role2" />
</security-role>
</application-bnd>
This one, I think, WebSphere uses to map your defined roles to its groups.
Hope this helps or puts you forward.
To achieve the above goal, i.e. authorization for all authenticated users in WebSphere, create one logical role (no need to create any physical group), say "AllAuthneticated", in web.xml and provide it as the authorization constraint:
<auth-constraint>
<role-name>AllAuthneticated</role-name>
</auth-constraint>
<security-role>
<role-name>AllAuthneticated</role-name>
</security-role>
And then define an ibm-application-bnd.xml in EAR File as follows:
<security-role name="AllAuthneticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
The above role mapping will allow all authenticated users to access the protected resource.

Protect wl analytics with LDAP

I've enabled the WL analytics on my environment (WLP v8.5 and WL 6.2), but its entry point is unprotected.
So I've looked around and found this article:
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.monitor.doc/monitor/t_securing_op_analytics.html
And figured I should be able to protect it with LDAP as well.
However, when I follow those steps I can't protect my analytics.
My next step was to go to worklightconsole.war and copy the configuration to have form-based authentication enabled.
So I've ended up with my web.xml from the analytics.war with the following:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>worklightRealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
I even copied the login.html and loginError.html into the WAR.
However, after I uploaded the modified analytics.war to my apps folder, it still doesn't ask me for authentication and just pops open.
The configuration I have in the server.xml for analytics is:
<application context-root="/analytics"
id="analytics"
location="analytics.war"
name="analytics"
type="war">
<application-bnd>
<security-role name="worklightadmin">
<user name="<someUserOnMyLDAP>"/>
</security-role>
</application-bnd>
<classloader delegation="parentLast"/>
</application>
Does anyone have any clues on what I'm doing wrong?
The security put in place only protects the data entry point, which is the endpoint at which the Worklight server sends data to the analytics platform. If you wish to also protect the actual console with Basic Auth, then you'll need to modify the server.xml for the WAR file. I think it's something along these lines:
<security-constraint>
<web-resource-collection>
<web-resource-name>analytics</web-resource-name>
<url-pattern>/console/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
But I haven't tested this.

JAAS configuration in web.xml shows white screen

I try to use JAAS for authentication, so I configured my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin</web-resource-name>
<url-pattern>/servlets/ForbiddenServlet</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Admin</realm-name>
<form-login-config>
<form-login-page>/../pages/login.jsp</form-login-page>
<form-error-page>/../pages/error.jsp</form-error-page>
</form-login-config>
</login-config>
If I go to my ForbiddenServlet page there's just a white screen...
I thought the login.jsp would be shown.
If I don't use FORM and use BASIC instead, it works fine!
EDIT: with "it works fine!" I don't mean that the login.jsp is shown,
but a default login window pops up.
form-login-page and form-error-page are paths relative to the webapp root. I think you should remove the "/.." part.

Tomcat 7 container-managed security and SSL don't work together + JSF 2.1

I'm using JDBCRealm for Tomcat 7 user auth and SSL for HTTPS, but I cannot figure out how to combine them. My goal is to make all the pages secure by SSL and viewable only by a certain role. I'm using JSF 2.1. Here is my code in web.xml:
<security-role>
<description/>
<role-name>employee</role-name>
</security-role>
<security-role>
<description/>
<role-name>administrator</role-name>
</security-role>
<security-role>
<description/>
<role-name>boss</role-name>
</security-role>
<security-constraint>
<display-name>ConstraintPrac</display-name>
<web-resource-collection>
<web-resource-name>panelprac</web-resource-name>
<!-- a path mapping must begin with "/" (e.g. /panele/pracownik/*); without it the Servlet spec treats the string as an exact match, not a prefix -->
<url-pattern>panele/pracownik/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>employee</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
They seem to work separately, but what I need is a combined way. Now Tomcat is not redirecting to port 8443 (https) and you can access any page just by typing it in the browser. I used this page for SSL http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html and this one for JDBCRealm http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html. I want my program to allow access to certain pages only to certain roles and at the same time do everything over HTTPS. Please help me with this one. I don't know where I've made the mistake. I don't receive any errors.
RESOLVED
The problem was deeper than I thought. Tomcat 7 doesn't support custom form user authentication, therefore the security roles presented above didn't work. To solve this I had to create a Filter class to protect against unauthorized entries to pages.
I will leave this topic in case someone has the same problem (if the admin finds this topic irrelevant, feel free to delete it).
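The filter approach the RESOLVED note mentions, written out as an added example (it is not the poster's code; the class name and the HTTPS port 8443 from the question are assumptions). It reproduces both halves of the security-constraint: the CONFIDENTIAL transport guarantee as a redirect to HTTPS, and the employee auth-constraint through the Servlet 3.0 authenticate() call, which runs the configured login-config against the JDBCRealm instead of reimplementing the login.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed name; the pattern is the one from the question, with the
// leading "/" a path mapping requires.
@WebFilter("/panele/pracownik/*")
public class EmployeeAreaFilter implements Filter {
    private static final int HTTPS_PORT = 8443; // port from the question

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // <transport-guarantee>CONFIDENTIAL</transport-guarantee>: move plain
        // HTTP requests to the HTTPS connector before any credentials are
        // asked for. Whatever the browser already sent in clear (cookies,
        // query string) has been exposed; the redirect only protects what follows.
        if (!request.isSecure()) {
            StringBuilder target = new StringBuilder("https://")
                .append(request.getServerName()).append(':').append(HTTPS_PORT)
                .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return;
        }

        // <auth-constraint>: Servlet 3.0 authenticate() triggers the container's
        // login-config (FORM or BASIC, answered by the JDBCRealm) and returns
        // false once it has sent the login page or a 401 challenge itself.
        if (!request.authenticate(response)) {
            return;
        }
        if (!request.isUserInRole("employee")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```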

Bea Weblogic (8.1) and j_security_check

I'm working with a developer here who just inherited an existing site. It is a WebLogic 8.1 website with j_security_check authentication behind an Apache reverse proxy. We're getting some issues with the logins, and are not sure about the j_security_check config. It seems very black-boxy and magicky. How do we get information on how it's configured, specifically how to change the target page after a successful login?
Thank you.
WebLogic will automatically redirect to the requested page. In the web.xml it is defined which resources are protected by the form login (as it is called). So just request the first page and you will be presented with the login. After a successful login you will be redirected to the originally requested page.
You'll see something similar to this in your web.xml (the "myRoleName" will be replaced by the security role as defined in your WebLogic Server Console under Security > Realms > myreal > Groups). If you have multiple roles, this will differ slightly.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/flows/*</url-pattern>
<url-pattern>Controller.jpf</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myRoleName</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>fail_login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
Only role for the Application
</description>
<role-name>myRoleName</role-name>
</security-role>
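What a FORM login-config expects from the login page, for both the white-screen question above and the j_security_check question here (an added example, not taken from either thread; the file name login.html is an assumption). The page is referenced from web.xml by a context-relative path (so /pages/login.jsp, not /../pages/login.jsp), and the container itself handles the POST to j_security_check, reads the j_username and j_password fields, and then redirects to the originally requested resource, which is why no application code is needed to pick the target page.

```html
<!-- login.html (assumed name): the file named in <form-login-page>.
     The action and field names are fixed by the Servlet spec; the
     container, not the application, receives this POST. -->
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Log in</title></head>
<body>
  <form method="POST" action="j_security_check">
    <label>User name
      <input type="text" name="j_username" autocomplete="username" required>
    </label>
    <label>Password
      <input type="password" name="j_password" autocomplete="current-password" required>
    </label>
    <button type="submit">Log in</button>
  </form>
  <!-- On failure the container serves <form-error-page>; keep that page
       generic so it does not reveal whether the user name exists. -->
</body>
</html>
```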