I'm currently trying to fix in issue in our JBOSS Deployment with different SOAP Endpoints, we trying to close the Webservice Interface over https(port 8443) to only allow it via CA Authentication (port 8444).
We are Using JBOSS 7.4.7 and JDK 11
Here are the JBOSS Standalone Configurations:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="https" port="8443"/>
<socket-binding name="httpsca" port="8444"/>
</socket-binding-group>
[...]
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<https-listener name="https" socket-binding="https" max-post-size="0" secure="true" ssl-context="ssl"/>
<https-listener name="httpsca" socket-binding="httpsca" max-post-size="0" secure="true" ssl-context="sslca"/>
</server>
[...]
<subsystem xmlns="urn:jboss:domain:webservices:2.0" statistics-enabled="${wildfly.webservices.statistics-enabled:${wildfly.statistics-enabled:false}}">
<modify-wsdl-address>true</modify-wsdl-address>
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
<wsdl-port>8444</wsdl-port>
<wsdl-secure-port>8444</wsdl-secure-port>
<endpoint-config name="Standard-Endpoint-Config"/>
<endpoint-config name="Recording-Endpoint-Config"/>
<client-config name="Standard-Client-Config"/>
</subsystem>
<tls>
<key-stores>
<key-store name="test">
<credential-reference clear-text="****"/>
<implementation type="JKS"/>
<file path="ssl_keystore.jks" relative-to="jboss.server.config.dir"/>
</key-store>
<key-store name="test-trusted">
<credential-reference clear-text="****"/>
<implementation type="JKS"/>
<file path="ssl_truststore.jks" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="serverssl" key-store="test">
<credential-reference clear-text="****"/>
</key-manager>
</key-managers>
<trust-managers>
<trust-manager name="serverssl-ca" key-store="test-trusted"/>
</trust-managers>
<server-ssl-contexts>
<server-ssl-context name="test-ssl" cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" protocols="TLSv1.2 TLSv1.3" key-manager="serverssl"/>
<server-ssl-context name="test-sslca" cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" protocols="TLSv1.2 TLSv1.3" need-client-auth="true" key-manager="serverssl" trust-manager="serverssl-ca"/>
</server-ssl-contexts>
</tls>
We are having trouble setting only one Port for the WSDL Endpoint.
1. If I don't set <wsdl-secure-port>, then the JBOSS throws an error because it trys to create a http endpoint which is not active at all.It also occurs if I only set the <wsdl-secure-port> and not the <wsdl-port>.
Are we doing something wrong or is that a bug from JBOSS ?
Thanks for any help and tips in advice.
Related
I am new to working with JBoss and I'm working on setting up a cluster to test with. I followed the directions from middleware to setup a JBoss Domain cluster on a single Linux VM using JBoss EAP 7.1.6. I am now trying to deploy a web application to my cluster using the admin console to test that the cluster is working.
I have created a simple hello world web app using liweinan's cluster demo source code that should display the current time. I tested the app and it displays correctly on a standalone cluster, but when I test my domain cluster I am seeing the page telling me that I need to disable the welcome content. What am I doing wrong? Is there something that also needs to be configured on the slaves?
Here is my jboss-web.xml in my application war:
<jboss-web>
<context-root>/</context-root>
</jboss-web>
In the host-master.xml the domain controller is:
<domain-controller>
<local/>
</domain-controller>
In the domain.xml file I have updated the interfaces to match the address of my machine. I also commented out the welcome content in the undertow.
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<!--<location name="/" handler="welcome-content"/>-->
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<!--<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>-->
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
In both of the host-slave.xml files I have updated the socket interface management port, the interface inet-address, and added an offset for the servers.
Any help or suggestions would be greatly appreciated. I've been researching this for days without success.
It turns out the issue wasn't with my configuration. When you deploy the application you can't change the name. I was changing it from ClusterDemo.war to ClusterDemo. When I left the .war on the name, the app ran with no issues.
I have a JBoss 7.2 app server and I start the server, I am able to connect to both the http and https ports but after a while running the server, I am not able to connect to the https port anymore but the http port still works so the server is still running. I tail the logs when I try to connect to the https port but nothing shows up and when I do a netstat on the https port, the port is still listening. Has anyone had this type of issue before?
JBoss Standalone.xml configuration
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="${jboss.home.dir}/standalone/configuration/XXXXX.keystore" keystore-password="XXXXXXXXX" alias="1"/>
</ssl>
</server-identities>
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enabled-protocols="TLSv1.1,TLSv1.2" enable-http2="true" ssl-session-cache-size="500" ssl-session-timeout="1800"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<access-log pattern="%h %l %u %t %r %s %b %{i,Referer} %{i,User-Agent} %S %T %{i,X-Forwarded-For}" prefix="access_log_"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
I'm trying to replace the Wildfly 10 default homepage (accessed from http://hostname:port) by one of my own web application.
I found a good way to do it by removing some parts of the undertow subsystem of the standalone.xml of my wildfly and by adding a war to the default-web-module.
My problem is that I don't have a war, I have a ear (with a war in it), and it doesn't work with that.
Hereunder is the undertow part of my standalone.xml file :
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost" default-web-module="myear.ear/mywar.war">
<access-log pattern="%{i,X-Forwarded-For} %h %{i,SM_UNIVERSALID} %t %H %p %U %q %s %D %T" prefix="http-in" suffix=".log"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
Can this solution work with an ear instead of a war, or have I to find another way ?
Thank you in advance,
Seb
Finally, I solved it by redirecting the index.html page of the welcome-content folder of WildFly to my application, it's simpler and it works perfectly.
Seb
I want to close mail-smtp port.
<socket-binding-group name="standard-sockets"
default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<!--<outbound-socket-binding name="mail-smtp">-->
<!--<remote-destination host="localhost" port="25"/>-->
<!--</outbound-socket-binding>-->
</socket-binding-group>
Can I disable mail subsystem if I will not use mail?
<subsystem xmlns="urn:jboss:domain:mail:2.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
If you should remove mail service, subsystem can be removed
Remove extension: <extension module="org.jboss.as.mail"/>
Remove the complete subsystem mail:
<subsystem xmlns="urn:jboss:domain:mail:2.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
Remove outbound-socket-binding mail-smtp
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
You can also use CLI to remove the subsystem:
/subsystem=mail:remove
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=mail-smtp:remove
/extension=org.jboss.as.mail:remove
:reload
I want to implement SSO between two apps that are deployed on same instance of Wildfly 9. I have searched about it but never got enough information regarding it.
First thing is we have to start from standalone.xml:
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<single-sign-on domain="localhost"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/9"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
Then in jboss-web.xml put following entry of security-domain and valve:
<jboss-web>
<security-domain>java:/jaas/other</security-domain>
<valve>
<class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
</valve>
</jboss-web>
I am not sure about changes in web.xml.
I think we have to provide information about security-constraint and login-config.
Please help me to implement this concept in both clustered and non-clustered environment.
Try to add the following line at default-host host under the default-server server:
<single-sign-on path="/"/>
At the end, it will be like:
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<single-sign-on path="/"/>
</host>
</server>
I'm using Wildfly 9.0.2 Final.
org.apache.catalina.authenticator.SingleSignOn can't work on WildFly AS, because Tomcat is substituted by Undertow as a web container.
Normally, you don't need any change to jboss-web.xml.
For an IdP based on PicketLink, you can set jboss-web.xml as following to enable the PicketLink Authenticator:
<filter>
<filter-name>IDPFilter</filter-name>
<filter-class>org.picketlink.identity.federation.web.filters.IDPFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>IDPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I complete the "tiago mussi" answer, valve are note supported anymore on widlfy because it uses the new webserver undertow, you can put the valve line in jboss-web it will do nothing at all...
<single-sign-on domain="localhost"/>
this is bad syntax because there is a bug in domain sso
<single-sign-on path="/"/>
this is the right syntax then in your web application you will see JSESSIONSSOID or like this name in plus than SESSIONID
picketLink is too much just for use SSO, because it handle API REST SSO, social secure, and it is a specific module with a new mechanism authentication, and furthermore if you will manage several URL you can't because you have to put in configuration the url, it is not dynamic...