I'm fighting with a Glassfish v3 and a very simple JAX-RS service (taken athttp://www.vogella.de/articles/REST/article.html
What I want to achieve is setup basic http authentication for all the resources. If wish when a user request http://localhost:8080/de.vogella.jersey.first/rest/hello, the browser popups an alert prompting for username+password.
I've decided to go for a JDBCRealm authentication. I use PostgreSQL 8.4 and the correct JDBC driver.
My problem is that the authentication doesn't seem to be active (the HTTP headers are very simple ones :
Request URL:http://localhost:8080/de.vogella.jersey.first/rest/hello
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=ec48541dc7654806fcf022d79e66; treeForm:tree-hi=treeForm:tree:configuration:loggerSetting
Host:localhost:8080
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Response Headers
Content-Type:text/html
Date:Fri, 07 Oct 2011 14:26:26 GMT
Server:GlassFish Server Open Source Edition 3.0.1
Transfer-Encoding:chunked
X-Powered-By:Servlet/3.0
The authentication is setup but seems inactive. At that point, I need your skills for analyzing what I've done wrong.
What I've done so far :
1/ Deployed the JAX-RS service (this works ok, see previous URL)
2/ Created a database, created two tables :
CREATE TABLE groups
(
username character varying(16) NOT NULL,
id character varying(20) NOT NULL,
CONSTRAINT groups_pkey PRIMARY KEY (username, id),
CONSTRAINT fk_username FOREIGN KEY (username)
REFERENCES users (username) MATCH SIMPLE
ON UPDATE NO ACTION ON DELETE NO ACTION
);
CREATE TABLE users
(
username character varying(16) NOT NULL,
"password" character varying(32) NOT NULL,
CONSTRAINT users_pkey PRIMARY KEY (username)
);
and populated them as follow :
table "groups" -> "webuser";"employees"
table "users" -> "webuser";"webuser"
3/ In the Glassfish admin GUI,I added a Connect Pool called "postgres" as follow :
The additional properties are shown here :
4/ I then created a JDVC Resource called "postgres" as shown below :
5/ In the Glassfish admin GUI, I added a Security Realm, called "postgres", as shown below :
6/ I also set to "FINEST" the log level for javax.enterprise.system.core.security in the "Logger Settings".
After requesting the webservice from a browser, I get the following in the server.log file :
[#|2011-10-07T16:26:26.410+0200|FINE|glassfish3.0.1|javax.enterprise.system.core.security|_ThreadID=67;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.web.integration.WebSecurityManager;MethodName=setPolicyContext;|[Web-Security] Policy Context ID was: de.vogella.jersey.first/de_vogella_jersey_first|#]
[#|2011-10-07T16:26:26.412+0200|FINE|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=67;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.SecurityContext;MethodName=setCurrentSecurityContext;|SecurityContext: setCurrentSecurityContext method called|#]
7/ Regarding the code, I didn't add any annotation, but I updated my web.xml as follow :
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<display-name>de.vogella.jersey.first</display-name>
<servlet>
<description>JAX-RS Tools Generated - Do not modify</description>
<servlet-name>JAX-RS Servlet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>de.vogella.jersey.first</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>JAX-RS Servlet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>customer creation</web-resource-name>
<url-pattern>/rest/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>webusers</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>postgres</realm-name>
</login-config>
<security-role>
<role-name>webusers</role-name>
</security-role>
</web-app>
And the sun-web.xml as follow :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="">
<context-root>/de.vogella.jersey.first</context-root>
<security-role-mapping>
<role-name>webusers</role-name>
<group-name>webusers</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class java code.</description>
</property>
</jsp-config>
</sun-web-app>
What is wrong with this ? Did I forgot anything ?
Thank you for your time !
I found out that I had to disable the "Keep session between deployments". This option can be found in the server, by double-clicking on the deployment server and unchecking the box.
Related
I'm trying to get familiar with TomEE, or at least TomCat 7 that is used in an older application I'm currently working.
In the tomcat location there is a web.xml. As far as I understood this is used for all servlets that have no own web.xml, right? Or will this be also used for those servlets that have an own one?
Not sure about the hierachy of this configuration files.
Tried to get a basic authentication working for a module that can be assigned by a url like \localhost:8080\AB
The tomcat-users for \localhost:8080\manager is working fine.
But can't get an login for \localhost:8080\AB
I tried modify the web.xml like:
<security-role>
<role-name>users</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>basic demo resource</web-resource-name>
<url-pattern>\AB\*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
But still no login is required for accessing this servlet.
Than I found out, that there is another web.xml in this Java project, which I also tried to modify with the code above.
I know I'm doing something wrong, but don't get what it is right now.
The role "users" was created in tomcat-users.xml and a user is also assigned to that group.
You have define only security constraint not roles. You need to define tomcat user and crossponding roles like.
<tomcat-users>
<role rolename="AB"/> <!-- you have to define all roles -->
<user username="myname" password="mypassword" roles="AB"/>
<!-- you have to assign login and roles -->
</tomcat-users>
The web.xml in the tomcat directory contains the default settings. A webapp can override definitions in its own web.xml.
To access to /AB you need:
to use FORWARD slashes: <url-pattern>/AB/*</url-pattern>
to have a user with role users in your user database
to enter the username and password in the login popup dialog.
I'm trying disable some http methods on my glassfish.
I would like know how I can does not provide a communication through "option" and "trace" http methods on glassfish v3.
< Allow: TRACE, OPTIONS
You can add the following security constraint to your web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Forbidden</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
We have what I believe to be a pretty standard form based authentication for a web application running on wildfly 8.2.
The authentication works well, except that when we stop&start the server some users are unable to log in again.
I have managed to reproduce one variant of this:
If I open the login page, /xxxx/app, before I restart, and then try to log in after the server is up again, I end up on a blank /xxxx/j_security_check page.
In my logs I can see that the actual authentication is run OK.
If I have understood this j_security_check mechanism properly, it goes something like this:
I access /xxxx/app
Wildfly sees that this url requires authentication. It remembers it and forwards me to login.jsp.
When I submit my login form to the magical j_security_check address it replaces it with the remembered /xxxx/app address.
If this is conceptually correct, I can see that a restart can be troublesome; The web server no longer remembers the /xxxx/app address and doesn't know where to redirect me to.
Does anyone have a workaround for this problem?
Any way to give wildfly a default page to go to after j_security_check?
Edit: I found this one: It is probably the same underlying cause:
Jboss Wildfly 8.1 session timeout on login page
jboss-web.xml:
<jboss-web>
<security-domain>ptsmc</security-domain>
<default-encoding>UTF-8</default-encoding>
</jboss-web>
web.xml:
<servlet-mapping>
<servlet-name>main</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
<!-- -->
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>ptsmc</display-name>
<web-resource-collection>
<web-resource-name>ptsmc</web-resource-name>
<url-pattern>/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>WEB</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Users must have this role to be granted access to Application</description>
<role-name>WEB</role-name>
</security-role>
login.jsp:
<form name="login_form" method="POST" action="<%=response.encodeURL(request.getContextPath() + "/j_security_check")%>">
<table>
<tr><td>User id:</td><td><input type=text name=j_username autofocus onblur="this.value = this.value.toUpperCase();"></td></tr>
<tr><td>Password:</td><td><input type=password name=j_password></td></tr>
<tr><td> </td><td><input type=submit value="Submit"></td></tr>
</table>
</form>
Given that I cannot create any new role because they are created in a CAS server and I do not have any control over them, is there a way to protect a PDF file to be opened only if a user has both "customer" and "professional" roles?
In other words, considering the following three users:
user1 has only "customer" role
user2 has "customer" and "professional" roles
user3 has "customer" and "professional" roles
user4 has only "professional" role
only user2 and user3 should be allowed to see the PDF.
Basically, I would like to do something like:
<security-constraint>
<web-resource-collection>
<web-resource-name>auth</web-resource-name>
<url-pattern>/doc/profesionalCustomer.pdf</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>professional,customer</role-name>
</auth-constraint>
</security-constraint>
Is this even possible?
Thanks in advance
This is not possible using declarative security (i.e. via web.xml). You can only list roles that have access to a resource like in the following:
<security-constraint>
<web-resource-collection>
<web-resource-name>auth</web-resource-name>
<url-pattern>/doc/profesionalCustomer.pdf</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>professional</role-name>
<role-name>customer</role-name>
</auth-constraint>
however in this case you would grant access to all users that have either professional or customer role which is not what you want. There is no construct that allows you to grant access for a user that has a combination of roles.
One way you can go about it is to deal with it programmatically: direct a client to a servlet that examines whether the user is in both customer and professional role using HttpServletRequest#isUserInRole(String) and if it is forwards the request to the default servlet which retrieves the pdf. Furthermore if you want to defer what combination of roles are granted access to deployment time, rather then hard-coding it in the servlet you can have the granting servlet parameterized appropriately through /web-app/servlet/init-param or /web-app/context-param element of your web.xml.
The following is web.xml excerpt that would support this:
<servlet>
<servlet-name>PDF Retriever</servlet-name>
<servlet-class>com.stackoverflow.PDFRetrieverServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>PDF Retriever</servlet-name>
<url-pattern>/docs/pdf/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>PDF Docs - customer and professional only</web-resource-name>
<url-pattern>/docs/pdf/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>PDF Docs Private</web-resource-name>
<url-pattern>/private/pdf/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name />
</auth-constraint>
</security-constraint>`
and here is coding for doGet of the servlet:
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
if (request.isUserInRole("customer") && request.isUserInRole("professional")) {
String urlSuffix = request.getPathInfo();
RequestDispatcher rd = request.getRequestDispatcher("/private/pdf"
+ urlSuffix);
rd.forward(request, response);
} else {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
}
I wanted to read a bit on this topic and found the below link quite useful :
http://www.devarticles.com/c/a/Java/Securing-Struts-Applications/1/
I have implemented FORM based authetication with Glassfish 3.1 + JDBCRealm + MySQL (MD5). I've got only two roles, user and admin. Everything is going great, I can see from the log that authentication is working in both cases as an uset and as an admin (Watch log below)
Q1: Is it possible to make two different index-files so that when user is admin, he/she goes to /admin/index.xhtml and when user is in role user he goes direct to faces/user/index.xhtml?
Q2: Now when I logged in as an user, I can still go to "admin side" with just writting the whole link straight to address field in a browser, why ja how to avoid that?
Q3: When I logged in as a user and I have ONLY faces/admin/index.xhtml in welcome file list, it redirects me to that file even if xml file tells something else, why?
<welcome-file-list>
<welcome-file>faces/admin/index.xhtml</welcome-file> *?? ----> it goes always here, cause it is the first one I think?*
<welcome-file>faces/user/index.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Admin Pages</display-name>
<web-resource-collection>
<web-resource-name>Protected Admin Area</web-resource-name>
<description/>
<url-pattern>/faces/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>User Pages</display-name>
<web-resource-collection>
<web-resource-name>Protected Users Area</web-resource-name>
<description/>
<url-pattern>/faces/users/*</url-pattern>
<!--url-pattern>/faces/users/index.xhtml</url-pattern-->
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>JDBCRealm</realm-name>
<form-login-config>
<form-login-page>/faces/loginForm.xhtml</form-login-page>
<form-error-page>/faces/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
</web-app>
LOG:
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
FINEST: JDBC login succeeded for: admin groups:[admin, user]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : admin
FINE: Set security context as user: admin
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = jdbcrealm/jdbcrealm
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission GET)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: jdbcrealm/jdbcrealm
FINE: [Web-Security] Codesource with Web URL: file:/jdbcrealm/jdbcrealm
FINE: [Web-Security] Checking Web Permission with Principals : null
(Edit after myfear's answer)
-----In glassfish-web.xml I have roles like that. If I understood it correctly it means that admin belongs to groups: admin, customer and user. Customer belongs to groups: customer and user and User belongs to group user. Did I understand it correctly?
<security-role-mapping>
<role-name>admin</role-name>
<group-name>admin</group-name>
<group-name>customer</group-name>
<group-name>user</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>customer</role-name>
<group-name>customer</group-name>
<group-name>user</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>user</role-name>
<group-name>user</group-name>
</security-role-mapping>
</glassfish-web-app>
Thank you!
Sami
I've just attempted this as part of a University class and here's how I got the functionality I think you're after.
I'm using Netbeans with a Glassfish 4.1.1 server and have already configured the user roles in the servers file realm.
My project has 3 files:
index.xhtml
users/mainmenu.xhtml
admin/mainmenu.xhtml
The welcome page is set to index.xhtml with the following hyperlinks:
<h4>
<a href="/ED-Secure-war/faces/admin/mainmenu.xhtml">
Admin Login
</a>
</h4>
<h4>
<a href="/ED-Secure-war/faces/user/mainmenu.xhtml">
User Login
</a>
</h4>
In my web.xml security section I have the following roles configured
Now because access to each of these is restricted via the user groups, when you click on the hyperlinks on index you'll be prompted to login. If you enter a valid admin login for the admin link you'll be redirected to admin/mainmenu.xhtml, and vice versa for a user login.
A1) Welcome files aren't related to roles. If you need to do any kind of logic for dispatching users, you need to think about using boolean HttpServletRequest.isUserInRole(String role) or something similar to find out in which role the user is in.
A2) That shouldn't happen. You need to check the roles you have in your JDBCRealm. To what I see here, everything is configured the right way.
A3) I am not sure if I understand your remark "XML" file the right way. But welcome-files aren't bound to roles and .. see A1)
Thanks,
M
For your question 1: use the filter from where you can redirect the user to the specific page either userlogin.xhtml or adminlogin.xhtml
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
String userName = SecurityAssociation.getPrincipal().getName();
String userNameSubject = SecurityAssociation.getSubject().toString();
System.out.println("Yeeey! Get me here and find me in the database: " + userName+ " Subject : "+userNameSubject);
filterChain.doFilter(servletRequest, servletResponse);
}