ActiveMQ Artemis login in web console fail - activemq-artemis

Login works with SSL and Active Directory. However, login with HTTP and the local admin fails without an error message: the web console just returns to the login screen. Also, the log says the user authenticated. We're using Artemis 2.27.0.
bootstrap.xml:
<web path="web">
<binding uri="https://host1:sslport" keyStorePath="XXXXX" keyStorePassword="xxxxx">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</binding>
<binding uri="http://host1:port">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</binding>
</web>
login.config
activemq {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
debug=false
reload=true
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
-- The rest is secret --
artemis.profile is default except for:
HAWTIO_ROLE='amq,LDAP_artemis_instance_admin,LDAP_artemis_admin'
Log
2022-12-20 14:52:53,822 INFO [io.hawt.web.auth.LoginServlet] Logging in user: user1
Audit
2022-12-20 14:52:53,824 AUDIT AMQ601715: User user1(LDAP_Application_Artemis_Admin)#xx.x.xx.xx:xxxxx successfully authenticated
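With both modules flagged sufficient, the first module that accepts the credentials ends the chain and supplies the principal and roles for the session. The following added example (written for this page, not Artemis code) parses a login.config in the format shown above and simulates the JAAS control-flag rules, so for a user known to the properties file, to LDAP, to both, or to neither you can see whether the login succeeds and which module decided it. SAMPLE is constructed from the question; the LDAPLoginModule options were redacted there, so none are assumed.

```python
"""Parse a JAAS login.config and work out how its control flags combine.

Added example for this thread, not Artemis code. SAMPLE is constructed from
the login.config in the question; the LDAPLoginModule options were redacted
there, so none are assumed here (the module is kept with its flag only).
"""
import re
import shlex
from dataclasses import dataclass, field

FLAGS = ("required", "requisite", "sufficient", "optional")

SAMPLE = """
activemq {
    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
        debug=false
        reload=true
        org.apache.activemq.jaas.properties.user="artemis-users.properties"
        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient;
};
"""


@dataclass
class Module:
    cls: str
    flag: str
    options: dict = field(default_factory=dict)


def parse_login_config(text):
    """Return {application name: [Module, ...]} in configured order."""
    # Drop whole-line // comments only, so ldap:// inside option values survives.
    text = re.sub(r"^\s*//[^\n]*", "", text, flags=re.M)
    apps = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\}\s*;", text, re.S):
        modules = []
        for entry in body.split(";"):
            tokens = shlex.split(entry)  # honours the quoted option values
            if not tokens:
                continue
            if len(tokens) < 2 or tokens[1].lower() not in FLAGS:
                raise ValueError(f"bad entry: {entry.strip()!r}")
            options = dict(t.split("=", 1) for t in tokens[2:])
            modules.append(Module(tokens[0], tokens[1].lower(), options))
        apps[name] = modules
    return apps


def login_succeeds(modules, outcomes):
    """Apply the JAAS LoginContext rules to per-module login() results.

    All Required/Requisite modules must pass; a failing Requisite aborts at
    once; a passing Sufficient returns success immediately unless an earlier
    Required/Requisite already failed; if no Required/Requisite module exists,
    at least one Sufficient or Optional must pass.
    """
    required_failed = False
    any_passed = False
    for module, ok in zip(modules, outcomes):
        if module.flag in ("required", "requisite"):
            if ok:
                any_passed = True
            else:
                required_failed = True
                if module.flag == "requisite":
                    return False
        elif module.flag == "sufficient":
            if ok and not required_failed:
                return True
            any_passed = any_passed or ok
        else:  # optional
            any_passed = any_passed or ok
    return any_passed and not required_failed


def deciding_module(modules, outcomes):
    """Index of the Sufficient module whose success ended the chain, else None.

    With an all-Sufficient stack this is the module that supplies the
    principal and its roles; later modules are never consulted.
    """
    for i, (module, ok) in enumerate(zip(modules, outcomes)):
        if module.flag == "sufficient" and ok:
            return i
        if module.flag in ("required", "requisite") and not ok:
            return None
    return None


if __name__ == "__main__":
    stack = parse_login_config(SAMPLE)["activemq"]
    for m in stack:
        print(f"{m.flag:<10} {m.cls.rsplit('.', 1)[-1]} {m.options}")
    for outcome in ([True, False], [False, True], [False, False]):
        print(outcome, "->", login_succeeds(stack, outcome),
              "decided by module", deciding_module(stack, outcome))
```

Run it against your own login.config (paste it in place of SAMPLE) to confirm that a local-only admin is decided by module 0 and an LDAP-only user by module 1; a user present in both stores is always decided by the properties file, so that is the store whose roles the console will see.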

Related

Wildfly 9 - Can Management Interface be secured with $local and LDAP?

I have a Wildfly 9 server with a management console secured with LDAP, but due to some shenanigans in integrating Azure Pipelines I'm also trying to allow the management console to connect automatically using the jboss-cli without a username/password prompt. To my knowledge, if you wanted a user to be able to connect via the jboss-cli on the same local network as the Wildfly server, you would have a security-realm defined as follows:
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
</authentication>
<authorization/>
</security-realm>
...And if you wanted a management interface secured with LDAP, you'd have a security-realm like this:
<security-realm name="ManagementRealm">
<server-identities>
<ssl protocol="TLSv1.2">
<keystore path="mykeystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password="changeit"/>
</ssl>
</server-identities>
<authentication>
<ldap connection="LdapConnection" base-dn="OU=Users,DC=user">
<username-filter attribute="accountName"/>
</ldap>
</authentication>
<authorization>
<ldap connection="LdapConnection">
<username-to-dn>
<username-filter base-dn="OU=Users,DC=user" attribute="accountName"/>
</username-to-dn>
<group-search group-name="SIMPLE" iterative="true" group-dn-attribute="cn" group-name-attribute="cn">
<principal-to-group group-attribute="memberOf"/>
</group-search>
</ldap>
</authorization>
</security-realm>
I tried merging the two, putting <local> and <properties> tags alongside <ldap> tags, but whichever of <properties> and <ldap> is listed second gets flagged as an unrecognized token. Is there a proper way to secure a management console with LDAP when using a web browser, but allow connections without a username or password when using the jboss-cli on the same local network in Wildfly 9?

Master/Slave cluster couldn't send message: AMQ229031: Unable to validate user from Management

I have already installed Apache ActiveMQ Artemis 2.26.0 and tried to create a master/slave cluster.
I created the master/slave cluster based on a YouTube video. Apache ActiveMQ Artemis 2.15.0 is used in that video.
When I create it in the command prompt there is no notification that the backup has been announced, but I can open the live server on 8161 and the backup server on 8162.
Then I created an address and a queue on localhost 8161, and that succeeded.
I got the problem when I tried to send a message on 8161. I got the notification:
Could not send message: java.lang.IllegalStateException : AMQ229031: Unable to validate user from Management. Username: null; SSL certificate subject DN: unavailable
For information, I found that the script in bootstrap.xml (slave) is different. The difference is:
ActiveMQ Artemis 2.26.0
<!-- The web server is only bound to localhost by default -->
<web path="web" rootRedirectLocation="console">
<binding uri="http://localhost:8161">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</binding>
</web>
ActiveMQ Artemis 2.15.0
<!-- The web server is only bound to localhost by default -->
<web bind="http://localhost:8161" path="web">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</web>
Does the difference matter when creating the backup server on localhost 8162?
I tried the steps in the YouTube video and searched for a solution on Google, but I didn't find one. I expect to run the live and backup servers successfully, and I want to know the right steps to install a master/slave cluster.
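The two bootstrap.xml forms above (the older `<web bind="...">` and the newer `<web><binding uri="...">`) describe the same thing: which address each web-console app is served on and whether it is plaintext. The following added example (written for this page, not Artemis code) reads either form and reports console bindings that are reachable beyond loopback, distinguishing plaintext from TLS ones. The first two sample documents are the snippets from this question; the third is a constructed case with a 0.0.0.0 dual binding, similar to the exposed HTTP/HTTPS pair in the first question on this page, with an invented keystore path.

```python
"""Audit the web-console bindings in an Artemis bootstrap.xml.

Added example, not from the Artemis project or the post. Handles the
pre-2.16 <web bind="..."> form and the newer <web><binding uri="..."> form,
both of which appear in the question. NEW_STYLE and OLD_STYLE are the
question's snippets; EXPOSED is a constructed third case.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

NEW_STYLE = """<web path="web" rootRedirectLocation="console">
<binding uri="http://localhost:8161">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</binding>
</web>"""

OLD_STYLE = """<web bind="http://localhost:8161" path="web">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</web>"""

# Constructed: a broker element with the real Artemis namespace and a
# dual binding exposed on all interfaces; keystore values are placeholders.
EXPOSED = """<broker xmlns="http://activemq.apache.org/schema">
<web path="web">
<binding uri="https://0.0.0.0:8443" keyStorePath="ks.p12" keyStorePassword="x">
<app url="console" war="console.war"/>
</binding>
<binding uri="http://0.0.0.0:8161">
<app url="console" war="console.war"/>
</binding>
</web>
</broker>"""


def _local(tag):
    """Strip an {xmlns} prefix so both namespaced and bare documents match."""
    return tag.rsplit("}", 1)[-1]


def web_bindings(xml_text):
    """Return [(uri, [app urls])] regardless of which schema form is used."""
    root = ET.fromstring(xml_text)
    web = next((e for e in root.iter() if _local(e.tag) == "web"), None)
    if web is None:
        return []
    if "bind" in web.attrib:  # older single-binding form
        apps = [a.get("url") for a in web if _local(a.tag) == "app"]
        return [(web.get("bind"), apps)]
    result = []
    for binding in web:
        if _local(binding.tag) == "binding":
            apps = [a.get("url") for a in binding if _local(a.tag) == "app"]
            result.append((binding.get("uri"), apps))
    return result


def audit(xml_text):
    """Return (level, uri, message) for every binding reachable beyond loopback."""
    findings = []
    for uri, apps in web_bindings(xml_text):
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if host in LOOPBACK:
            continue  # only this machine can reach it; plaintext is tolerable here
        if parts.scheme == "https":
            findings.append(("info", uri, f"{apps} reachable beyond loopback over TLS"))
        else:
            findings.append(("high", uri, f"{apps} reachable beyond loopback in plaintext"))
    return findings


if __name__ == "__main__":
    for label, doc in (("2.26.0", NEW_STYLE), ("2.15.0", OLD_STYLE), ("exposed", EXPOSED)):
        print(label, web_bindings(doc))
        for level, uri, msg in audit(doc):
            print(f"  [{level}] {uri}: {msg}")
```

Point it at the live and the backup broker's bootstrap.xml in turn; the loopback-only default explains why the console works only from the broker host, and any "high" finding is a console login form served in clear.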

Shibboleth integration

Currently we have CAS SSO for our existing .NET application, but now the client is asking for Shibboleth SSO instead of CAS. I'm totally new to Shibboleth.
Client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
Using the guidelines from the Shibboleth site, below are the steps I followed.
Installed the Shibboleth Service Provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed the Shibboleth IdP (with the Jetty option also checked) (shibboleth-identity-provider-3.3.3-x64.msi)
Web application with a self-signed certificate
Attached is my shibboleth2.xml file:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
</ISAPI>
</InProcess>
<RequestMapper type="Native">
<RequestMap>
<Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
<ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">
<SSO entityID="urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP>"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing:
When I try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
I get the error "no metadataprovider available".
Noticed problems:
1. When I try to add a MetadataProvider, the Shibboleth Daemon 2 service gets stopped and cannot be started. If I remove it, it runs.
2. The Shibboleth IdP 3 daemon is getting stopped very frequently.
When I run 'SC interrogate shibd_idp' in the command prompt, the result is:
control service failed 1062
the service has not been started.
I don't know what is wrong with my work.
Can anyone please tell me what steps to follow to accomplish this integration?
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called MetadataProvider; you will need to open that.
If you have done this but the shibd service is not getting started, then check the log and give additional info in the question.
Another reason I can think of is a connection problem. Try downloading the IdP's metadata and storing it physically in the SP configuration folder. Manually map the file using the following tag:
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues were resolved after we upgraded from Shibboleth 2.6 to 3.0.2. We are getting the Shibboleth Identity Provider login page, and we are able to see the attributes in Session. Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page. Currently we created one sample HTML page under the secure folder in our application; once logged in we are able to see this HTML page. But when I tried to redirect to our application home page, it gives a 500 error. Does anyone know how to redirect to our app home page and retrieve the attributes in the application?
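Two of the failures in this thread are things a static check of shibboleth2.xml catches before shibd is restarted: a config with no MetadataProvider (the "no metadataprovider available" Status error) and a config that is not well-formed XML (shibd will not start at all; the doubled quote in the SSO entityID of the posted file is exactly that). The following added example (written for this page, not Shibboleth project code) runs those checks plus a few that protect the SP session: handlerSSL, a Secure session cookie, an acl on the Status handler, and a CredentialResolver. It assumes the SP 2.x/3.x layout in which these elements are children of ApplicationDefaults in the native SP config namespace. The sample documents are constructed from the question and the answer above, with the Status acl shortened to the loopback addresses so the XML parses.

```python
"""Static checks on a shibboleth2.xml before restarting shibd.

Added example for this thread, not Shibboleth project code. Assumes the
SP 2.x/3.x layout: MetadataProvider, Sessions and CredentialResolver are
children of ApplicationDefaults in the native SP config namespace. Sample
documents are constructed from the question and the answer.
"""
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:2.0:native:sp:config"

BASE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
<ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">
<SSO entityID="urn:mace:incommon:xxx.edu">SAML2 SAML1</SSO>
<Logout>SAML2 Local</Logout>
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
%s
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
</SPConfig>
"""
WITHOUT_METADATA = BASE % ""
WITH_METADATA = BASE % '<MetadataProvider type="XML" file="partner-metadata.xml"/>'
# The doubled quote as it appeared in the posted shibboleth2.xml.
BROKEN = WITH_METADATA.replace('<SSO entityID="urn', '<SSO entityID=""urn')


def _q(tag):
    """Qualify a tag with the SP config namespace for ElementTree lookups."""
    return "{%s}%s" % (NS, tag)


def check_sp_config(xml_text):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML, shibd will refuse to start: {exc}"]
    app = root.find(_q("ApplicationDefaults"))
    if app is None:
        return ["no ApplicationDefaults element"]
    findings = []
    providers = app.findall(_q("MetadataProvider"))
    if not providers:
        findings.append("no MetadataProvider: the SP trusts no IdP "
                        "(Status reports 'no metadataprovider available')")
    for mp in providers:
        source = [a for a in ("file", "path", "uri", "url") if mp.get(a)]
        if mp.get("type") == "XML" and not source:
            findings.append("MetadataProvider type=XML names neither a local file nor a remote uri")
    sessions = app.find(_q("Sessions"))
    if sessions is not None:
        # handlerSSL defaults to true when absent, so only an explicit false is flagged.
        if sessions.get("handlerSSL", "true").lower() != "true":
            findings.append("Sessions handlerSSL=false: assertions may arrive over plaintext handlers")
        props = sessions.get("cookieProps", "")
        if props != "https" and "secure" not in props.lower():
            findings.append("Sessions cookieProps does not mark the session cookie Secure")
        for handler in sessions.findall(_q("Handler")):
            if handler.get("type") == "Status" and not handler.get("acl"):
                findings.append("Status handler has no acl: SP diagnostics are world-readable")
    if app.find(_q("CredentialResolver")) is None:
        findings.append("no CredentialResolver: the SP has no key to sign requests or decrypt assertions")
    return findings


if __name__ == "__main__":
    for label, doc in (("without", WITHOUT_METADATA), ("with", WITH_METADATA), ("broken", BROKEN)):
        print(label, check_sp_config(doc) or "ok")
```

Run it with the real file (read it into a string in place of the samples) each time shibd refuses to start; a parse error points at the line and column, which is far quicker than reading the Windows service log.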

Glassfish v4 - java 7 - Port Unification - Error - not able to redirect http to https

I am trying to use port unification for glassfish 4 to redirect any http request to https. I could easily do this with V3 but I am having issues with glassfish v4 - Java 1.7.
Commands that I executed in glassfish v4 -
asadmin create-protocol --securityenabled=false http-redirect
asadmin create-protocol-filter --protocol http-redirect --classname org.glassfish.grizzly.config.portunif.HttpRedirectFilter redirect-filter
asadmin create-protocol --securityenabled=false pu-protocol
asadmin create-protocol-finder --protocol pu-protocol --targetprotocol http-listener-2 --classname org.glassfish.grizzly.config.portunif.HttpProtocolFinder http-finder
asadmin create-protocol-finder --protocol pu-protocol --targetprotocol http-redirect --classname org.glassfish.grizzly.config.portunif.HttpProtocolFinder http-redirect
set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.protocol=pu-protocol
All the above commands execute without errors. However, when I try accessing the web server it throws an exception and the HTTP address does not load: localhost:8080 fails.
Exception in Glassfish -
WARNING: Exception during FilterChain execution
java.lang.ClassCastException: org.glassfish.grizzly.memory.HeapMemoryManager$TrimmableHeapBuffer cannot be cast to org.glassfish.grizzly.http.HttpContent
at org.glassfish.grizzly.config.portunif.HttpRedirectFilter.handleRead(HttpRedirectFilter.java:99)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.portunif.PUFilter.handleRead(PUFilter.java:231)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
at java.lang.Thread.run(Thread.java:722)
I'd appreciate it if this can be resolved; is there any other way to do port redirection from http to https?
Make sure your last command includes "asadmin" as set is a DOS command.
This worked for me with GlassFish 4.0 when I used the following commands (although it looks pretty similar to yours):
asadmin create-protocol --securityenabled=false http-redirect
asadmin create-http-redirect --redirect-port 8181 --secure-redirect true http-redirect
asadmin create-protocol --securityenabled=false pu-protocol
asadmin create-protocol-filter --protocol http-redirect --classname org.glassfish.grizzly.config.portunif.HttpRedirectFilter redirect-filter
asadmin create-protocol-finder --protocol pu-protocol --targetprotocol http-listener-2 --classname org.glassfish.grizzly.config.portunif.HttpProtocolFinder http-finder
asadmin create-protocol-finder --protocol pu-protocol --targetprotocol http-redirect --classname org.glassfish.grizzly.config.portunif.HttpProtocolFinder http-redirect
asadmin set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.protocol=pu-protocol
I have noticed that this causes the HTTP tab for http-listener-1 (Configurations --> server-config --> Network Config --> Network Listeners --> http-listener-1 --> SSL tab) to no longer display. Not an issue for me.
So I'm not sure why, but when I used the protocol name pu-protocol it would not configure correctly and would not show up in the Admin console under the protocols list. All I had to do was use a different name for the protocol and everything worked fine. I used the name portunif-protocol and as soon as I ran the command to create it, it showed up in the GlassFish Admin console under the Protocols section as you would expect. Now I've got my site redirecting to https as desired!
Commands I used:
asadmin create-protocol --securityenabled=false http-redirect
asadmin create-http-redirect --redirect-port 443 --secure-redirect true http-redirect
asadmin create-protocol --securityenabled=false portunif-protocol
asadmin create-protocol-filter --protocol http-redirect --classname org.glassfish.grizzly.config.portunif.HttpRedirectFilter redirect-filter
asadmin create-protocol-finder --protocol portunif-protocol --targetprotocol http-listener-2 --classname org.glassfish.grizzly.config.portunif.HttpProtocolFinder http-finder
asadmin create-protocol-finder --protocol portunif-protocol --targetprotocol http-redirect --classname org.glassfish.grizzly.config.portunif.HttpProtocolFinder http-redirect
asadmin set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.protocol=portunif-protocol
Hope that helps anyone else who may have run into the same issue I did.
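Once the asadmin commands above are in place, the thing to verify is not that port 8080 answers but that it answers with a redirect to https on the expected port, for the same host and path, and with nothing downgraded along the way. The following added example (written for this page, not GlassFish code) does that check: `classify_redirect` is the pure decision on a status code and Location header, and `probe` applies it to a live listener. The request URLs and responses used below are constructed to match the two redirect ports the answers use (8181 and 443); the `evil.test` host is an invented bad case.

```python
"""Verify that the port-unification redirect really sends clients to HTTPS.

Added example for this thread, not GlassFish code. probe() makes one real
plaintext request and is what you run after the asadmin commands;
classify_redirect() is the pure check it relies on.
"""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_redirect(request_url, status, location):
    """Return 'ok', or a short reason the redirect is missing or unsafe."""
    if status not in REDIRECT_CODES:
        return f"no redirect (HTTP {status})"
    if not location:
        return "redirect without Location header"
    want = urlsplit(request_url)
    got = urlsplit(location)
    if got.scheme != "https":
        return f"redirects to {got.scheme}, not https"  # --secure-redirect not in effect
    if got.hostname != want.hostname:
        return f"redirects to a different host ({got.hostname})"
    if (got.path or "/") != (want.path or "/"):
        return "path not preserved"
    if got.query != want.query:
        return "query string not preserved"
    return "ok"


def probe(host, port=8080, path="/", timeout=5):
    """Issue one plaintext GET and classify the response (needs network access)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify_redirect(f"http://{host}:{port}{path}",
                                 resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed responses for the two ports the answers configure.
    print(classify_redirect("http://localhost:8080/app", 302, "https://localhost:8181/app"))
    print(classify_redirect("http://localhost:8080/app", 301, "https://localhost/app"))
    print(classify_redirect("http://localhost:8080/app", 302, "http://localhost:8181/app"))
```

A result other than "ok" from `probe("localhost")` after the configuration means the listener is still serving plaintext or the redirect filter is rewriting more than the scheme; in the first answer's exception trace the request never reached a redirect at all, which `probe` would surface as a connection error rather than a classification.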

How to change tomcat-users.xml when using Eclipse?

Tomcat 7.0 + JSF 2
I get a 403 error right after logging in with correct credentials (wrong credentials redirect to login.xhtml as expected). I've created a new user in Apache, rebooted the web service and still can't connect with it.
tomcat-users.xml
<tomcat-users>
<user name="lala" password="lala!!!" roles="admin-gui,manager-gui" />
<role rolename="administrator"/>
<user username="admin" password="admin" roles="administrator"/>
</tomcat-users>
Why can I log in only with lala and not with admin (I've added it manually)? Any idea why?
and a realm in server.xml (Tomcat conf)
under <host>:
<Realm className="com.bannerplay.beans.Admin">
In the project's welcome file (login.xhtml) I've used j_security_check (form-based authentication):
<form method="post" action="j_security_check">
<p>
Enter user ID and password:<br/> <br/>
User ID <input type="text" name="j_username"/>
Password <input type="password" name="j_password"/> <br/><br/>
<input type="submit" value="Login"/>
</p>
</form>
and defined web.xml like this:
...
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<web-resource-name>BannerPlay administration Tool</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>com.bannerplay.beans.Admin</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/login.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>administrator</role-name>
</security-role>
When trying to access localhost:8080/myProject/ I get to login.xhtml; when typing correct credentials (the 'lala' user works, not admin) I get 403.
When trying to access localhost:8080/myProject/main.xhtml I'm redirected to the login page again (after correct credentials).
I've tried to add the "administrator" role to user lala, but got the same results.
What should I do? Thanks
The solution is NOT to change the tomcat-users.xml file on the hard drive; it must be changed from Eclipse. After changing it on disk I noticed it kept reverting to the old version of the file instead of keeping my changes; this happens after running the project. Change it from Eclipse and the problem is solved.
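A 403 right after a successful form login is the container saying the user authenticated but holds none of the roles the matching <auth-constraint> asks for; in the posted files, lala has admin-gui and manager-gui while /admin/* requires administrator. The following added example (written for this page, not Tomcat code) cross-checks the two files that decide this, tomcat-users.xml and web.xml, and reports, per user, which protected URL patterns would answer 403, plus any role a constraint names that web.xml never declares. It accepts both the `username=` and the older `name=` user attribute, as Tomcat's MemoryUserDatabase does, and is indifferent to whether web.xml carries the Java EE namespace. The sample documents are constructed from the question; note the check runs against the file Tomcat actually loads, so with Eclipse the copy under the server's workspace directory is the one to feed it.

```python
"""Cross-check tomcat-users.xml against web.xml: who can log in, and who then
gets 403 because none of their roles satisfies the <auth-constraint>.

Added example for this thread, not Tomcat code. Sample documents are
constructed from the question.
"""
import xml.etree.ElementTree as ET

TOMCAT_USERS = """<tomcat-users>
<user name="lala" password="lala!!!" roles="admin-gui,manager-gui" />
<role rolename="administrator"/>
<user username="admin" password="admin" roles="administrator"/>
</tomcat-users>"""

WEB_XML = """<web-app>
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<web-resource-name>BannerPlay administration Tool</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/login.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>administrator</role-name>
</security-role>
</web-app>"""


def _local(tag):
    """Strip an {xmlns} prefix so namespaced and bare web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node, name):
    return [e for e in node.iter() if _local(e.tag) == name]


def load_users(tomcat_users_xml):
    """Return {user: set(roles)} accepting both username= and name=."""
    root = ET.fromstring(tomcat_users_xml)
    users = {}
    for u in _find_all(root, "user"):
        name = u.get("username") or u.get("name")
        roles = {r.strip() for r in (u.get("roles") or "").split(",") if r.strip()}
        users[name] = roles
    return users


def load_constraints(web_xml):
    """Return ([(url patterns, required roles)], declared security roles)."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in _find_all(root, "security-constraint"):
        if not _find_all(sc, "auth-constraint"):
            continue  # no auth-constraint: resource is unrestricted
        patterns = [p.text.strip() for p in _find_all(sc, "url-pattern") if p.text]
        # An empty <auth-constraint/> yields an empty set, which denies everyone.
        needed = {r.text.strip() for r in _find_all(sc, "role-name") if r.text}
        constraints.append((patterns, needed))
    declared = {r.text.strip() for sr in _find_all(root, "security-role")
                for r in _find_all(sr, "role-name") if r.text}
    return constraints, declared


def access_report(tomcat_users_xml, web_xml):
    """Per user: roles held and the patterns that would return 403 after login."""
    users = load_users(tomcat_users_xml)
    constraints, declared = load_constraints(web_xml)
    report = {}
    for user, roles in users.items():
        denied = []
        for patterns, needed in constraints:
            if "*" in needed:
                continue  # any authenticated user is allowed
            if not (roles & needed):
                denied.extend(patterns)
        report[user] = {"roles": sorted(roles), "denied": denied}
    undeclared = {r for _, needed in constraints for r in needed} - declared - {"*"}
    return report, undeclared


if __name__ == "__main__":
    report, undeclared = access_report(TOMCAT_USERS, WEB_XML)
    for user, info in report.items():
        print(f"{user}: roles={info['roles']} 403 on {info['denied'] or 'nothing'}")
    if undeclared:
        print("roles required but not declared in <security-role>:", sorted(undeclared))
```

The report does not model the custom Realm class in server.xml; it answers only the role question, which is the one that produces 403 rather than a return to the login form.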