I need to implement a CAS Proxy Granting Ticket System.
So I need to understand the system. There is a good doc here, but I have no idea about the proxyCallback I need.
Could someone explain me that ?
The CAS will invoke the pgtURL to provide a special ticket that will enable that application to acquire new tickets for other applications.
This is the setup in web.xml:
<servlet>
<servlet-name>casproxy</servlet-name>
<servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>casproxy</servlet-name>
<url-pattern>/casProxy/*</url-pattern>
</servlet-mapping>
To get a new ticket for another service with the special ticket:
SecurityContext sc = SecurityContextHolder.getContext();
CasAuthenticationToken auth = (CasAuthenticationToken)sc.getAuthentication();
String pgtIOU = auth.getProxyGrantingTicketIou();
String newTicket = ProxyTicketReceptor.getProxyTicket(pgtIOU, anotherService);
Then you redirect to that service giving to it the new ticket.
Related
I'm aware that this question might not be explicitly about "programming" but I have some trouble
understanding the concept. Maybe you're able to help.
Basically, I'm deploying a WAR offering several REST endpoints based on JAX-RS to a WildFly 20 server.
Here is the baseline:
Endpoints must be secured.
A frontend client (based on React) shall be able to access this API.
Keycloak is being used to authenticate users of the React app.
This is what I have so far:
React client
The app integrates the keycloak-js adapter. Any login is routed through Keycloak which issues a JWT token which is used for all further requests by the app, i.e. they contain an Authorization: Bearer <token> header. Check.
JAX-RS application in WildFly
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>api</web-resource-name>
<url-pattern>/users/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
keycloak.json
{
"realm": "my-realm",
"auth-server-url": "${keycloak.url}/auth",
"ssl-required": "none",
"resource": "my-client",
"public-client": true,
"confidential-port": 0,
"principal-attribute" : "preferred_username",
"enable-cors": true
}
The (showcase) problem
The initial request to http://localhost:8090/api/users redirects the user the Keycloak login. After a successful login, the same URL is accessible without sending the authentication header. That's the point where I'm stuck. My understanding is that I need to tell my server application "Hey, check any incoming request to this URL if it contains the valid JWT token issued by Keycloak".
I assume that there are ways so that WildFly can handle exactly this. Or do I have to implement some JWT validation service my own?
If you don't want to gets redirected to login page at all and the /users path is not used to serve any web contents (e.g. jsp, html, etc.), then it's safe to tell the Keycloak that /users is only accessible via "Bearer" tokens. Then in cases that such a token doesn't exist in the request, it just returns proper HTTP status code and doesn't do anything. You can do this by setting bearer-only property to true in the keycloak.json file. So your file should look like this:
{
"realm": "my-realm",
"auth-server-url": "${keycloak.url}/auth",
"ssl-required": "none",
"resource": "my-client",
"public-client": true,
"confidential-port": 0,
"principal-attribute" : "preferred_username",
"enable-cors": true,
"bearer-only": true
}
I have the following code in a web service deployed on WebLogic 12.2.1. It will retrieve the keystore file name and password from WebLogic configuration.
InitialContext ic = new InitialContext();
MBeanServer server = (MBeanServer) ic.lookup("java:comp/env/jmx/runtime");
ObjectName runtime = new ObjectName("com.bea:Name=MLMAppSrv01,Type=Server");
Object keyStoreFileName = server.getAttribute(runtime, "CustomIdentityKeyStoreFileName");
Object keyStorePassPhrase = server.getAttribute(runtime, "CustomIdentityKeyStorePassPhrase");
It is able to retrieve the keystore file name, but when it tries to retrieve the password, the following exception is thrown.
[Management:141302]Access not allowed for Subject: principals=[], on resource Server, action: read, target CustomIdentityKeyStorePassPhrase.
Under the domain's security, I have already enabled "Clear Text Credential Access Enabled".
What else could be wrong?
Thanks in advance.
You are not passing any Username in your code. With weblogic user or some other admin user you should retrieve the password. Otherwise it will not allow you to access the password.
If you want to use some other user than weblogic then make sure that you add that user to Administrator group.
You can pass the credentials as given in below sample code.
Hashtable properties = new Hashtable();
properties.put(Context.INITIAL_CONTEXT_FACTORY,
"weblogic.jndi.WLInitialContextFactory");
// NOTE: The port number of the server is provided in the next line,
// followed by the userid and password on the next two lines.
properties.put(Context.PROVIDER_URL, "t3://localhost:9001");
properties.put(Context.SECURITY_PRINCIPAL, "weblogic");
properties.put(Context.SECURITY_CREDENTIALS, "welcome1");
try {
ctx = new InitialContext(properties);
} catch (NamingException ne) {
ne.printStackTrace(System.err);
System.exit(0);
}
I think you are not authenticated and therefore get no access to restricted ressources. Add the annotation #RunAs("WEBLOGIC") to your class and configure it in the WEB-INF/weblogic-ejb-jar.xml
(Where WEBLOGIC is the name of a user with administrator rights in the Weblogic console, the default Admin Account is even named weblogic)
Your class should look like this:
#Stateless
#RunAs("WEBLOGIC")
public class SomeService {
// ...
}
Contents of the weblogic-ejb-jar.xml
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-ejb-jar>
<run-as-role-assignment>
<role-name>WEBLOGIC</role-name>
<run-as-principal-name>weblogic</run-as-principal-name>
</run-as-role-assignment>
</weblogic-ejb-jar>
I have a similar case, which my jersey code needs to get the keys from the keystore programmatically in WLS. No EJB settings are required. You just need to define the web.xml and weblogic.xml properly.
web.xml:
<servlet>
<servlet-name>{jersey webservice class}</servlet-name>
<run-as>
<role-name>admRole</role-name>
</run-as>
</servlet>
<security-role>
<role-name>admRole</role-name>
</security-role>
weblogic.xml:
<run-as-role-assignment>
<role-name>admRole</role-name>
<run-as-principal-name>wlsadm</run-as-principal-name>
</run-as-role-assignment>
I am developing a Java EE application using Jboss and the authentication.
I know JBoss has two files login.html and login-fail.html in order to use authentication.
The form in login.html file uses the action "j_security_check".
I was wondering if we could use this file but also if if we could develop our own action.
I would like to keep the action "j_security_check" but I would like to access my databse to set a session variable for example after a successful connection.
The missing keyword you're looking for is "Custom JBoss Login Module" :)
There are various examples which shows how to implement and integrate it in your app.
There is also JBoss documentation where your can get an overview of login modules already available in JBoss. DatabaseServerLoginModule is one of them and can probably be used with your database.
A simple demonstration of custom login page in a Servlet container can be found here.
In order to use your own login page with specific login module under JBoss do following:
Implement your own login page with 'j_security_check' action. BTW it's part of servlet API and is not JBoss specific.
Refer your login page in web.xml:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-failed.jsp</form-error-page>
</form-login-config>
</login-config>
Optional: Refer required login module in WEB-INF/jboss-web.xml if it's not used by default (login modules can be defined in standalone.xml)
<jboss-web>
<security-domain>org.example.YourSecurityDomain</security-domain>
</jboss-web>
Optional: deploy custom login module implementation within your application and register it in login-config.xml. Check JBoss example for details.
I am having trouble adding the JAX-RS 2.0 facet to an Eclipse 4.3. Dynamic Web project with Glassfish 4.0. I tried the approach noted here and the values that are filled in for the parameters with "Disabled Library Configuration" are:
JAX-RS servlet name: JAX-RS Servlet
JAX-RS servlet class name: javax.ws.rs.core.Application
URL mapping patterns: /jaxrs/*
That gets saved without any problems. Then, when I go back to the Project Properties, I get a pop-up that says "The currently displayed page contains invalid values". Acknowledging that, and getting to the JAX-RS facet page, all the fields are now empty, and instead of saying "Disabled Library Configuration", the Type says "Unknown Library Configuration". Going to the main Project Facets page and trying to uncheck the JAX-RS facet item gives a pop-up that says "Failed while uninstalling JAX-RS (REST Web Services) 2.0. Reason: Failed while uninstalling JAX-RS (REST Web Services) 2.0. The details say "Failed while uninstalling JAX-RS (REST Web Services) 2.0.
org.eclipse.jst.javaee.web.internal.impl.WebAppImpl cannot be cast to org.eclipse.jst.j2ee.webapplication.WebApp"
I updated Eclipse to 4.3.1 and got the same behavior. The fields getting blanked out without any warning when they were initially saved, and not being able to uninstall the JAX-RS facet leads me to believe there's something wrong with my Eclipse install or project file (although I tried this with several projects and they all behaved the same).
Can anyone point me at a way to fix this?
I'm using Jersey as runtime and this is how I can configure directly in web.xml.
I did not have much luck using the project facet settings.
Hope this helps.
(change the provide package param below to fit yours)
<servlet>
<servlet-name>Jersey REST Service</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>com.paypal.l10n.nextgen.extractor.rest</param-value>
</init-param>
<init-param>
<param-name>unit:WidgetPU</param-name>
<param-value>persistence/widget</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Jersey REST Service</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
I have some resources in my jax-rs application i want to validate jax-rs request before it enters into the resource annotated by javax.ws.rs.Path. so, how can i create handler or filter for my resources .I have searched so many sites. their suggestions are use proxy or servlet filters . without using proxy or servlet filters can i create handler/ filter ?
Just like in JAX-WS SOAPHandler is available for soap request ,in the same way is there any handlers for validating jax-rs request.
Here Validating jax-rs request means pre-checking, post checking and Exception handling..
(I am using jersey jars)
You need to create a Filter that implements the ContainerResponseFilter or ContainerRequestFilter provided by Jersey. Then in your web.xml you define it like so:
<servlet>
<servlet-name>MY API</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
<param-value>com.example.filters.ReqFilter</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ContainerResponseFilters</param-name>
<param-value>com.example.filters.RespFilter</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>MY API</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
http://jersey.java.net/nonav/apidocs/1.6/jersey/com/sun/jersey/spi/container/ContainerRequestFilter.html
http://jersey.java.net/nonav/apidocs/1.6/jersey/com/sun/jersey/spi/container/ContainerResponseFilter.html