Secure Session Cookie + Glassfish 3.1 - ssl

I'm looking for a solution similar to this:
httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)
I want to turn the HTTP headers: http-only and Secure off so that authentication with https carries across to http requests.
However,
1 Relating to the other post. I am not using servlet 3.0. I may be willing to try to use servlet 3.0 if there was decent documentation somewhere on how to migrate an intellij project from serverl 2.5 to 3.0. It does not seem obvious how to use this. Changing my maven pom to javax.servlet 3.0 and then editing my web.xml version to 3.0 doesn't work. Gives a facet-error on the 3.0 version. Sigh.
This is my primary approach to solve this. I edited domains/domain1/config for default-web.xml and domain.xml to what I thought would work but it doesn't. Oracle's documentation does not seem very clear to me on this.
domain.xml
<web-container>
<session-config>
<session-manager>
<manager-properties></manager-properties>
<store-properties></store-properties>
</session-manager>
<session-properties>
<property name="cookieSecure" value="false"></property>
<property name="cookieHttpOnly" value="false"></property>
</session-properties>
</session-config>
</web-container>
....
<configs>
<config name="server-config">
<http-service sso-enabled="true">
<access-log></access-log>
<virtual-server id="server" sso-cookie-secure="false" sso-cookie-http-only="false" network-listeners="http-listener-1,http-listener-2"></virtual-server>
<virtual-server id="__asadmin" sso-cookie-http-only="false" network-listeners="admin-listener"></virtual-server>
</http-service>
default-web.xml
<session-config>
<session-timeout>60</session-timeout>
<cookie-config>
<http-only>false</http-only>
<secure>false</secure>
</cookie-config>
<cookie-properties>
<property name="cookieSecure" value="false" />
<property name="cookieHttpOnly" value="false" />
</cookie-properties>
<tracking-mode>COOKIE</tracking-mode>
</session-config>

Okay I feel a bit stupid but I generally have never written to a specific container before to make sure that my code was portable across containers. However, after some research, I discovered that you can put a WEB-INF/glassfish-web.xml file that looks like this to control your security cookie setting for each WAR file under glassfish.
http://blogs.oracle.com/jluehe/entry/ow_to_configure_the_security
<?xml version="1.0" encoding="UTF-8"?>
<glassfish-web-app>
<session-config>
<cookie-properties>
<b><property name="cookieSecure" value="[true|false|dynamic]"/></b>
</cookie-properties>
</session-config>
</glassfish-web-app>

Related

Flex2gateway not working on https/ssl on websphere

We are upgrading our ColdFusion 9 non-ssl application to ColdFusion 11 ssl enabled setup using Websphere.
We have a few flex components that utilize Flex2Gateway to call remote services. The application/Flex2gateway calls work fine with http but not on https.
The following urls give me a blank page which as per Adobe forums mean that Flex2Gateway is setup right:
http://example.com/flex2gateway
https://example.com/flex2gateway
The app calls the non-ssl url(not sure why):
http://example.com/flex2gateway and then gets redirected to
https://example.com/flex2gateway
When I look at the browser developer tools(IE, Chrome) the redirection from
http://example.com/flex2gateway to https://example.com/flex2gateway
seems to be working fine. Can anybody provide some insights on a possible solution?
Here is my remoting-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<service id="remoting-service"
class="flex.messaging.services.RemotingService"
messageTypes="flex.messaging.messages.RemotingMessage">
<adapters>
<adapter-definition id="cf-object"
class="coldfusion.flash.messaging.ColdFusionAdapter" default="true"/>
<adapter-definition id="java-object"
class="flex.messaging.services.remoting.adapters.JavaAdapter"/>
</adapters>
<default-channels>
<channel ref="my-cfamf-secure"/>
</default-channels>
<destination id="ColdFusion">
<channels>
<channel ref="my-cfamf-secure"/>
</channels>
<properties>
<source>*</source>
</properties>
</destination>
I do see the following in services-config.xml and I did uncomment the WebsphereLoginCommand option but saw no difference.
<security>
<login-command class="flex.messaging.security.JRunLoginCommand" server="JRun"/>
<!-- Uncomment the correct app server
<login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
<login-command class="flex.messaging.security.WeblogicLoginCommand" server="Weblogic"/>
<login-command class="flex.messaging.security.WebSphereLoginCommand" server="WebSphere"/>
-->
UPDATE: I got https disabled on our server and receive the below error now when I try to access flex component:
faultCode:Client.Error.MessageSend faultString:'Send Failed' faultDetail:'Channel.Connect.Failed error NetConection.Call.Failed: HTTP: Failed:url: 'http://example.com/flex2gateway/"

How to list dynamically the available web applications in Glassfish domain?

We have an internal Glassfish 3.1 server where we have Jenkins deploy war-artifacts directly without any additional configuration.
This results in numerous rather verbose URL's like
http://xxx:5280/xxx_YYYY-52.20120824.0-SNAPSHOT/
and I would like to write a small ROOT.war (binding to "/") which simply lists all URL's in the current domain - preferably along with the <web-app><description>.... field.
This only needs to work with Glassfish. Is there a simple Glassfish API providing the information I need?
You can parse domain.xml. There is information about deployed apps, context root ... smth like this
<application context-root="/permit-1.0" location="${com.sun.aas.instanceRootURI}/applications/permit-1.0/" name="permit-1.0" object-type="user">
<property name="org.glassfish.ejb.container.application_unique_id" value="88379353331728384" />
<property name="defaultAppName" value="permit-1.0" />
<module name="permit-1.0">
<engine sniffer="ejb" />
<engine sniffer="security" />
<engine sniffer="web" />
</module>
</application>

How to configure SSL in WSDL First CXF Framework web service?

I am new to CXF framework. Recently successfully created webservices using CXF and Spring Endpoint. I am using WSDL first approach. Can you please suggest how to use SSL(https) for web services. I have idea about truststore and keystore. I am using Apache Tomcat server.
below is my ApplicationContext.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:cxf="http://cxf.apache.org/core"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"
default-autowire="byName">
<!-- Service endpoint -->
<jaxws:endpoint id="CalculatorWebService"
implementorClass="com.web.calculator.service.CalculatorContractImpl"
implementor="#CalculatorImpl"
address="/CalculatorWS">
</jaxws:endpoint>
<bean id="CalculatorImpl" class="com.web.calculator.service.CalculatorContractImpl"/>
I believe I need to make some configuration entries for truststore here and similarly some configuration for keystore in client side in some xml. Also I think I need some Passwordcallback class for using keystores.
Can you please help me with the configurations that has to be made to enable SSL.
Your help is truly appreciated...
Thanks...
Here is great tutorial how to set up everything you need with SSL in your CXF. Please refer to section Configuring SSL Support.
And do not forget to enable https in your tomcat. The full "how to do this" is provided here. I assume that you did not try anything yet. All you need to do just follow these steps because there is everything explained very clear.

OpenAM/OpenSSO agent for JBoss EAP 6 / JBoss AS 7

I'd like to add the OpenAM/OpenSSO SSO feature to JBoss EAP 6 or JBoss AS 7. This means I must install an SSO Java EE agent on JBoss. Forgerock's OpenAM download page gives the opportunity to get agents for previous versions of JBoss, but new JBoss EAP 6 / JBoss AS 7 are not supported (for the moment).
Do you know if such an agent is available somewhere, or will be available in short future? If not, do you know how to change JBoss configuration to make it work with OpenAM?
It seems there is no official agent for JBoss EAP 6 for the moment.
However, I could make it work with OpenAM SSO by configuring my JBoss instance manually. To do it, I started with existing jboss_v42_agent.zip available on forgerock download site. Using the jars agent.jar, openssoclientsdk.jar and agent configuration files, I could build a JBoss module using this module.xml:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="openam.agents">
<resources>
<resource-root path="agent.jar"/>
<resource-root path="openssoclientsdk.jar"/>
<resource-root path="."/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.servlet.api" />
<module name="org.picketbox"/>
</dependencies>
</module>
Then I must update standalone.xml by adding a security domain:
<security-domain name="AMRealm" cache-type="default">
<authentication>
<login-module code="com.sun.identity.agents.jboss.v40.AmJBossLoginModule" flag="required">
<module-option name="unauthenticatedIdentity" value="anonymous"/>
</login-module>
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
<module-option name="restore-login-identity" value="true"/>
</login-module>
</authentication>
</security-domain>
Finaly I deployed the agentapp.war on JBoss after having modified the MANIFEST.MF by adding a line:
Dependencies: openam.agents
where openam.agents is the name of my module.
Now for the application I want to enable SSO for, I also must perform some updates:
web.xml: Add the and nodes:
<filter>
<filter-name>Agent</filter-name>
<display-name>Agent</display-name>
<description>OpenAM Tomcat Policy Agent Filter</description>
<filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
jboss-web.xml: Declare the security-domain to be used
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>AMRealm</security-domain>
</jboss-web>
MANIFEST.MF: Apply same modification than in agentapp.was (add "Dependencies: openam.agents" line)
I'm not sure if it's the best way to enable SSO on JBoss EAP 6 / AS 7 (I'm not a expert), but it seems to work well.
One idea is putting an Apache http server with the OpenAM policy agent installed getting the requests in front of Jboss 7.
This is known as the reverse proxy integration. You can find out more here:
http://developers.sun.com/identity/reference/techart/app-integration.html
and http://docs.oracle.com/cd/E19575-01/820-3746/gjbna/index.html
Using the reverse proxy aproach you don't have to care about the application's runtime environment.
I noticed some days ago that forgerock has now released a J2EE Agent for JBoss 7.x but I haven't tested it yet. See http://forgerock.org/openam.html

Glassfish create JDBCResources, -Pools and Security Realms from application

How can I create JDBCResources, -Pools and Security Realms in a Glassfish 3.1 Server from within my Application, if they are not already created? I am writing an application that relies on this resources, however I don't want to configure the server manually every time the application is deployed on a different server.
Doing this with a shell script feels like a workaround.
Glassfish provides a REST interface. You can create a new security (authentication) realm in a certain configuration (say, server-config in a DAS on localhost, admin port 4848) with a POST to:
http://localhost:4848/management/domain/configs/config/server-config/security-service/auth-realm
Do a GET to that resource to see the parameters.
You can use the same interface to create connection pools.
Ok, I found a solution for half of the Question.
I created a file called glassfish-resources.xml in my WEB-INF folder and added the following content to it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE resources PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Resource Definitions//EN" "http://glassfish.org/dtds/glassfish-resources_1_5.dtd">
<resources>
<jdbc-connection-pool
name="java:app/jdbc/BeerUserPool"
res-type="javax.sql.DataSource"
datasource-classname="org.postgresql.ds.PGSimpleDataSource"
pool-resize-quantity="2"
max-pool-size="32"
steady-pool-size="0"
statement-timeout-in-seconds="30">
<property name="User" value="USERNAME"></property>
<property name="Password" value="PASSWORD"></property>
<property name="PortNumber" value="12345678"></property>
<property name="dataBaseName" value="DATABASE_NAME"></property>
<property name="ServerName" value="yourDBUrl.com"></property>
<property name="Ssl" value="false"></property>
<property name="ProtocolVersion" value="0"></property>
</jdbc-connection-pool>
<jdbc-resource
pool-name="java:app/jdbc/BeerUserPool"
jndi-name="java:app/jdbc/BeerUser"></jdbc-resource>
<
</resources>
Addingt the java:app/ to the names is important, without it it won't work correctly. This connection pool is also only application scoped and gets destroyed after the application is undebloyed (except you add an additional argument).
This pool can now be accessed with JPA with the following persistence.xml.
<?xml version="1.0" encoding="UTF-8"?>
<persistence version="1.0" xmlns="http://java.sun.com/xml/ns/persistence">
<persistence-unit name="jsf-jpa-war" transaction-type="JTA">
<provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
<jta-data-source>java:app/jdbc/BeerUser</jta-data-source>
<properties>
<property name="eclipselink.logging.level" value="FINE"/>
</properties>
</persistence-unit>
</persistence>
However I found no soultion how I can define the security realms in the same way.