does anyone knows if tomcat is able to password protect file (like apache .htaccess )?
i mean when user request a file from tomcat webapp its prompt a dialogue to enter user-name and password and made this using configuration.
or protect the file depend on its IP address .
hope someone can help me ?
regads
you can set basic authentication in tomcat.
Add your user to tomcat-users.xml. Something like :
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="myname" password="mypassword" roles="tomcat"/>
<user username="test" password="test"/>
</tomcat-users>
And Add configuration to your apps web.xml. like:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/references/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>your-role</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>your-role</role-name>
</security-role>
links to understand more:
http://www.avajava.com/tutorials/lessons/how-do-i-use-basic-authentication-with-tomcat.html
Related
Here is my code and the credentials are not working on the pop-up shown on application load.please have a look
tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<role rolename="admin"/>
<user username="admin" password="admin" role="admin"/>
</tomcat-users>
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Web Application</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
Plus this Application is deployed on Heroku, so I might need help with this too
Make sure codes are not commented.
Also add below line instead of < role rolename="admin"/>
< role rolename="admin-gui"/>
< role rolename="manager-gui"/>
< user username="admin" password="admin" role="manager-gui,admin-gui"/>
restart tomcat and then check
For Wildfly,any authenticated user can access to any protected resource by below change in web.xml
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
in security-constraint and defining security role as below
<security-role>
<role-name>*</role-name>
</security-role>
But the same is not working for Websphere, throwing authorisation failed exception, for making it work below change is required in Websphere Adminconsole.
WAS AdminConsole -> Applications > Enterprise Applications -> click .EAR
click the Security role to user/group mapping
Select the roles you wish to use for authentication.(in my case it is
*,defined in web.xml)
Map special subject to "All authenticated in Application Realm"
How can I skip the adminconsole change to make it work, or any other better approach.
What works for me is that I define the ff in my web.xml:
<security-role>
role1
</security-role>
<security-role>
role2
</security-role>
<security-constraint>
<display-name>All Authenticated</display-name>
<web-resource-collection>
<web-resource-name>
All Authenticated Pages
</web-resource-name>
<url-pattern>/webpage.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
<role-name>role2</role-name>
</auth-constraint>
</security-constraint>
Essentially this defines the roles and then a separate definition for the pages and the roles that will be permitted to access it.
And then I also define an ibm-application-bnd.xml in my EAR File as follows:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
version="1.2">
<security-role name="role1">
<group name="role1" />
</security-role>
<security-role name="role2">
<group name="role2" />
</security-role>
</application-bnd>
This one I think WebSphere uses to map to its grouping your defined roles.
Hope this helps or puts you forward.
For achieving the above goal i.e authorization for all authenticated users in WebSphere, create one logical Role[No need to create any physical group] say "AllAuthneticated" in web.xml and provide it as authorization constrain.
<auth-constraint>
<role-name>AllAuthneticated</role-name>
</auth-constraint>
<security-role>
<role-name>AllAuthneticated</role-name>
</security-role>
And then define an ibm-application-bnd.xml in EAR File as follows:
<security-role name="AllAuthneticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
The above role mapping will allow all authenticated user to access protected resource.
I have defined LDAP user registry and made a custom form login page in my Dynamic Web Application which running at Websphere Liberty Profile 8.5.5
How can I bind my form from login page to LDAP user registry, so all user's credentials will be checked against this LDAP registry?
Thank you.
1) One way is to define mapping in server.xml - see Setting up BasicRegistry and role mapping on the Liberty profile, although it says about Basic registry, defining mapping is the same:
<application type="war" id="myWebApp" name="myWebApp"
location="${server.config.dir}/apps/myWebApp.war">
<application-bnd>
<security-role name="user">
<user name="Bob" />
<user name="user1" />
<group name="mygroup" />
</security-role>
</application-bnd>
</application>
2) If you don't want to change server.xml you can define these mappings in the application in the binding file - ibm-application-bnd.xml - like this:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
version="1.0">
<security-role name="user">
<user name="user1" />
<group name="mygroup" />
</security-role>
</application-bnd>
If you are packaging app in the EAR, put that file in the META-INF folder.
If you are deploying war, create META-INF folder and put it there (this is currently undocumented feature, but is working at least in 8.5.5.6).
Here is the information to configure LDAP registry
https://www-01.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_ldap.html
In addition to that, you may also need to set the realm-name in your form-login declaration. For example,
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRegistryRealmName</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
I've enabled the wl anaytics on my environment, (WLP v8,5 and WL6.2) but it's entry point is unprotected.
So I've looked around and found this article.
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.monitor.doc/monitor/t_securing_op_analytics.html
And figured I should be able to protected it with LDAP as well.
However When I follow those steps I can't protect my analytics.
My next step was to go to worklightconsole.war and copy the configuration to have form enabled authentication.
So I've ended up with my web.xml from the analytics.war with the following:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>worklightRealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
I even copied into the WAR the login.html and loginError.html.
However after I uploaded to my apps folder the modified analytics.war it still doesn't ask me for authentication and just pops open.
The configuration I have on server.xml of analytics is:
<application context-root="/analytics"
id="analytics"
location="analytics.war"
name="analytics"
type="war">
<application-bnd>
<security-role name="worklightadmin">
<user name="<someUserOnMyLDAP>"/>
</security-role>
</application-bnd>
<classloader delegation="parentLast"/>
</application>
Does anyone have any clues on what I'm doing wrong?
The security put in place only protects the data entry point which is the endpoint at which the worklight server sends data to the analytics platform. If you wish to also protect the actual console with Basic Auth, then you'll need to modify the server.xml for the WAR file. I think its something along these lines:
<security-constraint>
<web-resource-collection>
<web-resource-name>analytics</web-resource-name>
<url-pattern>/console/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
But I haven't tested this.
The problem
A tomcat manager page can not be accessed by a user granted a manager role.
The things I tryed to do
I added a user with a manager role into tomcat-users.xml:
<role rolename="manager"/>
<user username="emanemos" password="password" roles="manager"/>
I also looked up the $CATALINA_HOME/webapps/manager/WEB-INF/web.xml to be sure that manager role is really used to access the application:
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>manager</role-name>
</auth-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>manager</role-name>
</security-role>
However, the manager application still asks for a login-password pair in an endless loop ignoring my input.
Does anybody have any ideas?
Did you restart Tomcat after making the changes to tomcat-users.xml?