I am trying to configure eXist to LDAP to authenticate users and I have checked out the documentation at eXist LDAP Security. Turns out the default configuration only supports three settings:
security.ldap.connection.url (The connection URL of the LDAP server), security.ldap.dn.user(The user list DN), and security.ldap.dn.group (The group list DN).
It doesn't work for my case because the LDAP server does not enable anonymous queries, which means I have to provide the user name/password in order to establish the connection.
Any suggestion on how I could achieve this other than enable anonymous queries on the LDAP server?
Thanks,
Thomas
It seems like you can implement your own context factory and feed it to exist with the security.ldap.contextFactory parameter.
The context factory is the java class used to initialize a connection to the directory. You can implement a context factory that initializes the connection with the ad-hoc credentials.
The idea is to implement a class like this:
public class MyCustomContextFactory implements InitialContextFactory {
public Context getInitialContext(Hashtable env) {
// Fetch the application DN and password somehow (config file...)
String applicationDN = ...;
String password = ...;
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, applicationDN);
env.put(Context.SECURITY_CREDENTIALS, password);
return new InitialDirContext(env);
}
}
You generate a jar file, add it in the classpath of your server, and specify the configuration parameter:
security.ldap.contextFactory = your.java.package.name.MyCustomContextFactory
Related
I am trying to read emails from XXX domain using Java Mail API. I am able to login and read the email using IMAPS protocol using PUTTY from server.
However from Java, I am getting Authentication Error:
Following is the screenshot where I am able to connect from PUTTY:
Following is my Code:
Properties properties = new Properties();
properties.put("mail.imap.host", "hostname");
properties.put("mail.imap.port", "993");
Session session = Session.getDefaultInstance(properties, new javax.mail.Authenticator()
{
protected PasswordAuthentication getPasswordAuthentication()
{
return new PasswordAuthentication("username", "password");
}
});
Store store = session.getStore("imaps");
store.connect("username", "password");
What does making it stop to read mail from Java ?
Internally, mail domain is using outlook exchange server.
Username being passed is full xxxx#domain.com.
You can remove the property settings; they have no effect since you're using imaps. And you can get rid of the Authenticator since you're passing the username and password explicitly.
You need to pass the host explicitly as well, otherwise it's connecting to localhost, which may be why it's failing. Look at the JavaMail debug output to see what it's actually doing. If that doesn't solve your problem, post the debug output.
I have the following code in a web service deployed on WebLogic 12.2.1. It will retrieve the keystore file name and password from WebLogic configuration.
InitialContext ic = new InitialContext();
MBeanServer server = (MBeanServer) ic.lookup("java:comp/env/jmx/runtime");
ObjectName runtime = new ObjectName("com.bea:Name=MLMAppSrv01,Type=Server");
Object keyStoreFileName = server.getAttribute(runtime, "CustomIdentityKeyStoreFileName");
Object keyStorePassPhrase = server.getAttribute(runtime, "CustomIdentityKeyStorePassPhrase");
It is able to retrieve the keystore file name, but when it tries to retrieve the password, the following exception is thrown.
[Management:141302]Access not allowed for Subject: principals=[], on resource Server, action: read, target CustomIdentityKeyStorePassPhrase.
Under the domain's security, I have already enabled "Clear Text Credential Access Enabled".
What else could be wrong?
Thanks in advance.
You are not passing any Username in your code. With weblogic user or some other admin user you should retrieve the password. Otherwise it will not allow you to access the password.
If you want to use some other user than weblogic then make sure that you add that user to Administrator group.
You can pass the credentials as given in below sample code.
Hashtable properties = new Hashtable();
properties.put(Context.INITIAL_CONTEXT_FACTORY,
"weblogic.jndi.WLInitialContextFactory");
// NOTE: The port number of the server is provided in the next line,
// followed by the userid and password on the next two lines.
properties.put(Context.PROVIDER_URL, "t3://localhost:9001");
properties.put(Context.SECURITY_PRINCIPAL, "weblogic");
properties.put(Context.SECURITY_CREDENTIALS, "welcome1");
try {
ctx = new InitialContext(properties);
} catch (NamingException ne) {
ne.printStackTrace(System.err);
System.exit(0);
}
I think you are not authenticated and therefore get no access to restricted ressources. Add the annotation #RunAs("WEBLOGIC") to your class and configure it in the WEB-INF/weblogic-ejb-jar.xml
(Where WEBLOGIC is the name of a user with administrator rights in the Weblogic console, the default Admin Account is even named weblogic)
Your class should look like this:
#Stateless
#RunAs("WEBLOGIC")
public class SomeService {
// ...
}
Contents of the weblogic-ejb-jar.xml
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-ejb-jar>
<run-as-role-assignment>
<role-name>WEBLOGIC</role-name>
<run-as-principal-name>weblogic</run-as-principal-name>
</run-as-role-assignment>
</weblogic-ejb-jar>
I have a similar case, which my jersey code needs to get the keys from the keystore programmatically in WLS. No EJB settings are required. You just need to define the web.xml and weblogic.xml properly.
web.xml:
<servlet>
<servlet-name>{jersey webservice class}</servlet-name>
<run-as>
<role-name>admRole</role-name>
</run-as>
</servlet>
<security-role>
<role-name>admRole</role-name>
</security-role>
weblogic.xml:
<run-as-role-assignment>
<role-name>admRole</role-name>
<run-as-principal-name>wlsadm</run-as-principal-name>
</run-as-role-assignment>
I have installed "Domino Sample REST Service Feature" from 901v00_11.20141217-1000 version of XPages Extension Library. OpenNtfSample service (com.ibm.domino.services.sample.service.SampleService) works as it should in general and the only problem with it that it completely ignores authentication settings of the server.
I have tried both Basic and Session Authentication as described in Authenticating Domino REST Service Requests and the result I get is the following - the service returns data always and does not ask for any user name and password.
The server is configured with Session Authentication now and I get password prompt when I try to access
{my_server}/api/data
but does not get it when I open
{my_server}/api/sample
After I had added this Web Site Rule
Description: DAS service
Type of rule: Override Session Authentication
Incoming URL pattern: /api/
the server changed password prompt for
{my_server}/api/data
but
{my_server}/api/sample
remained open.
Has anybody experienced this kind of error? Can anybody help me password protect this sample service so that I could start developing my own once based this example?
The /api/sample resource is wide open on purpose. That just returns a link to the contacts resource -- /xpagesext.nsf/api/sample/contacts.
If you really want to prevent anonymous access to the /api/sample resource, there are two possible solutions: 1) Disable anonymous access for all HTTP requests, or 2) Make a change to the RootResource class. The first solution is a server config change. I'm sure you can find details about that elsewhere. Since this is StackOverflow, I'll focus on the second solution.
As you have already noticed, we don't allow anonymous access to the /api/data resource. You can mimic that behavior in the /api/sample resource with a simple change to RootResource.getLinks(). Near the top of the method, just add these lines of code:
boolean authenticated = false;
Session session = ContextInfo.getUserSession();
if ( session != null ) {
String userName = session.getEffectiveUserName();
if ( userName != null && !userName.equals("Anonymous")) {
authenticated = true;
}
}
if ( !authenticated ) {
throw new NoAccessSignal("Need user context");
}
By the way, you won't need to make the same change to the contacts resource class (ContactsListResource.java). Because the contacts resource URL includes a database name (xpagesext.nsf), the web server will attempt to open the database before forwarding the request to the REST service. You can prevent anonymous access to the contacts resource by changing the ACL of xpagesext.nsf. Just make sure the default access is "No access".
I understand there is more than one way of handling service authentication/authorization, but I cannot make it work for static files.
Is there a way of configuring the behavior to be the same as with services; if not authenticated a request to index.html should redirect to login page the same as a request to secured dto/service.
I am currently looking into RawHttpHandlers but since it is too early in the pipeline how do I get the authentication setup in the apphost config?
thanks in advance
Gjergji
You would have to use IAppHost.RawHttpHandlers because that's the only custom handler in ServiceStack's Request Pipeline that gets executed before the built-in static file handling is accessed.
But you should still be able to access the Users Session with the available extension methods, e.g:
this.RawHttpHandlers.Add(httpReq =>
{
var isStaticFileRequest = httpReq.PathInfo.StartsWith("/static");
if (isStaticFileRequest)
{
var session = httpReq.GetSession();
if (!session.HasRole("TheRole"))
return new ForbiddenHttpHandler();
}
return null;
});
This handler simply checks if it's a request for a static file, in this case the path info starts with /static, and if is checks the user session if they have the required role, if not it returns a Forbidden request, otherwise it returns null to tell ServiceStack to continue executing the request.
Note: if it's needed you can access any registered dependency from outside of ServiceStack with HostContext.Resolve, e.g:
var authRepo = HostContext.Resolve<IAuthRepository>();
Context
I have a J2EE application running on a JBoss 4.2.3 application server. The application is reachable through a web interface. The authentication is done with basic authentication. Inside of the EJBs I ask the security context of the bean for the principal (the name of the logged in user) and do some authorization checks if this user is allowed to access this method of the EJB. The EJBs life inside a different ear than the servlets handling the web frontend, so I can't access the spring application context directly.
Required change
I want to switch to Spring Security for handling the user login.
Question
How can I propagate the spring login information to the JBoss security context so I can still use my EJBs without having to rewrite them?
Ideas and links
I already found a page talking about "Propagating Identity from Spring Security to the EJB Layer", but unfortunatelly it refers to an older version of Spring Security (Acegi) and I'm not familiar enough with Spring Security to make this work with the actual version (3.0.2).
Here is something that looks similar using WebLogic.
If you properly configure spring-security (filter in filter chain, security-context.xml),
you may use annotation #Secured, to restrict users with needed user roles. You may use this annotation on class level or/and method level.
If you need to know all authorization info about current user, you may use this helper (i wrote this for my webapp, but it maybe useful for other. MyUserDetails is a service bean, the spring-security's UserDetail descendant.):
public class LoginHelper {
/**
* #return user object if user is authenticated and null if is not
*/
public static User getUser() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null) {
Object principal = authentication.getPrincipal();
if (principal instanceof MyUserDetails) {
return ((MyUserDetails) principal).getUser();
}
}
return null;
}
/**
* Check for authenticated user
*
* #return true if user is authenticated and false if is not
*/
public static boolean isAuthenticated() {
final User user = getUser();
return user != null;
}
}
I have the same issue, and it would be great if someone could think of a better way to integrate Spring Security and a Java EE application with EJBs.
I think you can annotate your classes with your own annotations such as #MyAnnotation("ADMIN"). And then create an interceptor to manually check the beforementioned "LoginHelper" to get the users's privilege and compare with the method's annotation attributes. And throw an exception when the Names don't match.