We Keep Coding

How to enable single sign-on across different applications deployed in the same WildFly server

I have multiple applications deployed to a single WildFly server, version 26.1.2. Those applications have the same application security domain specified in their jboss-web.xml files.
Chapter Web Single Sign-On of WildFly Elytron Security explains how to enable single sign-on across different applications deployed into different servers, where these applications belong to same security domain.
I guess there must be an easier way to do this when all applications are running on the same server. I will appreciate any help you can provide on this matter.
This is the jboss-web file of application xyz2ap112-web:
<jboss-web>
<context-root>/xyz2ap112-web</context-root>
<resource-ref>
<res-ref-name>jdbc/xyz2db112</res-ref-name> <!-- Logical name only. -->
<jndi-name>java:/jdbc/xyz2db112</jndi-name> <!-- Real JNDI name. -->
</resource-ref>
<security-domain>xyz2ap112-web-security-domain</security-domain>
</jboss-web>
Actually the applications also share the same database, so the only difference between their jboss-web.xml files is the context root.
This is the login configuration for all the applications in their web.xml file:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/error.xhtml</form-error-page>
</form-login-config>
<realm-name>xyz2ap112-web-security-domain</realm-name>
</login-config>
This is the definition of the application security domain in the standalone-full.xml file:
<application-security-domain name="xyz2ap112-web-security-domain" security-domain="xyz2db112-jdbc-security-domain"/>
This is the definition of the security domain in the standalone-full.xml file:
<security-domain name="xyz2db112-jdbc-security-domain" default-realm="xyz2db112-jdbc-realm" permission-mapper="default-permission-mapper">
<realm name="xyz2db112-jdbc-realm" role-decoder="groups-to-roles"/>
</security-domain>

ActiveMQ Artemis Management Console with HTTPS

Is it possible to expose ActiveMQ Artemis (2.16.0) Management Console with HTTPS instead of plain HTTP?
Can't find any documentation on neither in Artemis docs or hawt.io to do that kind of setup.

Check out this documentation from the ActiveMQ Artemis User Manual.
You can simply set the bind attribute of the web element in bootstrap.xml to use https instead of http. Then, of course, you'll need to configure the other relevant settings like keyStorePath, keyStorePassword, etc.

Custom SSL TrustManager for Java App server

I'm trying to setup SSL connections for a web service that is B2B and need to do client authentication on the server. Since the server hosts URLs that are also accessible from regular users through browser, not all connections to the host need to do client-auth. Only specific URLs require client-auth to validate the callers X509 certificate. We are using JBoss 5.x, which is based on Tomcat 5.x so I have a connector configuration like so:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}" sslProtocol = "TLS"
scheme="https" secure="true" enableLookups="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/.myKeyStore"
keystorePass="password1" />
As you can see I have a keystore configured so we can provide our Signed Cert and I have clientAuth=false as the specific URLs needing client-auth will be configured in web.xml like so:
<security-constraint>
<web-resource-collection>
<web-resource-name>clientAuthResources</web-resource-name>
<url-pattern>/clientauth/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>authOnly</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myRealm</realm-name>
</login-config>
<security-role>
<role-name>authOnly</role-name>
</security-role>
Through a custom JAAS Login module I can actually get this to work IF in the connector config above I also specific a truststore that has the client certs. That is where my issue is. Given the setup of our application and how we scale, each jboss application server setup supports a specific segentation of our users and I do not want truststores configured all over the place on the file system. We need to load the trusted certificates dynamically in code from our database. The custom JAAS login moduble does this at web level, and it also assignes roles, however without the connector truststore the login module never gets called, connection is terminated at SSL level before HTTP getes involved.
After much research on the web I've determined I need a custom X509TrustManager configured in the SSLContext/SSLSocketFactory to get around this. This custom trust manager would also validate client certs off the ones stored in our database. I have created this custom trust manager, however I cannot seem to hook it up. Does anyone know a way to configure this in jboss or tomcat 5.x? I noticed in Tomcat 7 the following config is available on a connector, trustManagerClassName, however that is not an option for me. I assume its possible, any help is greatly appreciated.

You can write your own org.apache.tomcat.util.net.jsse.JSSEImplementation and pass its full class name in the SSLImplementation attribute of your connector.
See examples here:
http://code.google.com/p/jsslutils/wiki/ApacheTomcatUsage
http://code.google.com/p/jsslutils/source/browse/trunk/extra/apachetomcat5/src/main/java/org/jsslutils/extra/apachetomcat5/JSSLutilsImplementation.java
http://code.google.com/p/jsslutils/source/browse/trunk/extra/apachetomcat5/src/main/java/org/jsslutils/extra/apachetomcat5/JSSLutilsJSSESocketFactory.java

Proxy tomcat urls to map a host request to a path

how, if possible, can I redirect a request for a hostname to a specific subdirectory of one of the deployed apps?
E.g., I wish to forward
http://host.com
to
http://host.com/app/path
It is however possible to redirect to a specific application on tomcat, e.g.,
<Host name="host.com" appBase="webapps">
<Context path="/" docBase="webapps/app" debug="6"/>
</Host>
But I've never managed to redirect it to a subpath of an application. I'd fancy a tomcat-only approach over using an external mod_proxy with apache2 to achieve this.

This worked for me by changing path to "" (i.e. making it default web app for the Host)
<Host name="host.com" appBase="webapps">
<Context path="" docBase="webapps/app" debug="6"/>
</Host>
It serves static files correctly, but my JSTL fails now.
Anyways, can you try?

This does not seem possible. Final solution was to use mod_proxy of Apache2 to proxy the request.

How do I deploy to nexus (hosted by secureci)?

Like recommended in a previous SO-Answer I'm running a VmWare image of secureci as a preconfigured development infrastructure containing maven, nexus, hudson, svn.
Now I want to configure maven on my Windows XP machine to deploy its artifacts to nexus. But when I configure my pom.xml like this (taken from Deploying Artifacts to Nexus):
<distributionManagement>
<!-- use the following if you're not using a snapshot version. -->
<repository>
<id>nexus</id>
<name>RepositoryProxy</name>
<url>scp://192.168.0.197/nexus/content/repositories/releases</url>
</repository>
<!-- use the following if you ARE using a snapshot version. -->
<snapshotRepository>
<id>nexus</id>
<name>RepositoryProxy</name>
<url>scp://192.168.0.197/nexus/content/repositories/snapshots</url>
</snapshotRepository>
</distributionManagement>
... mvn deploy prints the error message:
Error deploying artifact: Exit code: 1 -
mkdir: cannot create directory `/nexus': Permission denied
In settings.xml I configured username and password like this:
<servers>
<server>
<id>nexus</id>
<username>tangens</username>
<password>********</password>
</server>
</servers>
Question: What configuration do I have to use for deploying to nexus?
I already tried https instead of scp, but with this maven ran into problems with missing certificates.
I tried http instead of scp, but secureci has a firewall installed to block access to port 80 (http), causing a timeout.
EDIT:
I found that nexus stores its artifacts at /root/sonatype-work/nexus/storage/snapshots/. But I don't like the idea to enter the credentials of the root account in my settings.xml.
EDIT:
Q: Did you enabled deployment for a hosted repository under Nexus?
Yes, it's enabled by default.
Q: Is Nexus listening on port 80?
There is an apache running on port 80.
Server: Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_ssl/2.2.8 OpenSSL/0.9.8g mod_wsgi/1.3 Python/2.5.2
Q: If a firewall is not allowing HTTP, why don't you just add an exception for HTTP connections from the "host" IP?
Because I assumed SecureCI is well configured and there should be a way to do it without tweaking the installation. But perhaps I'm too naive here.

The error is clear: the user tangens doesn't have the permission to create /nexus on the remote machine. Actually, your scp url is not correct and isn't pointing to the right location as you mentioned it. You'd have to give the user tangens the right permission or to configure sshd to allow root to connect but this is not a good idea.
Having that said, I don't think that scp is the way to go with Nexus. If you deploy using scp, Nexus won't be notified of the deployment and your artifacts won't be visible. According to Deploying Artifacts to Nexus and to the chapter 9.4.2. Update the POM: Deployment Configuration of the Nexus book, deployment must be done with HTTP PUT. In other words, your distributionManagement section should look like something like this:
<distributionManagement>
...
<repository>
<id>releases</id>
<name>Internal Releases</name>
<url>http://localhost:8081/nexus/content/repositories/releases</url>
</repository>
...
</distributionManagement>
I noticed you said that SecureCI uses a firewall that is configured to drop connections on port 80. However, as I'm not using SecureCI myself, I have a few (maybe stupid) questions:
Did you enabled deployment for a hosted repository under Nexus?
Is Nexus listening on port 80?
If a firewall is not allowing HTTP, why don't you just add an exception for HTTP connections from the "host" IP?
EDIT: According to the OP answers, I think that using HTTPS might be indeed the "natural" way to go with SecureCI. But, before you can upload via HTTPS, you'll need to add the SecureCI's CA certificate (the certificate of the issuer of their certificate) into your JDK. You can follow these instructions to do this. But before going further, the real question is:
Does SecureCI provide the CA certificate (the certificate of the issuer of their certificate)?
If they don't, I don't know how to make deployment possible without tweaking the firewall rules.

Sorry. Just came across the question.
There are two options, as other posters have mentioned: supply the certificate to Maven or turn on HTTP access and open port 80 (which is closed by default for security).
For enabling HTTP access, see /trac/secureci/wiki/HowTo/EnableHttp in SecureCI (under the HowTo docs on the wiki, How do I enable HTTP access?).
For the certificate, the public and private key are in /etc/apache2/ssl/.
If you want to replace the default cert, the docs for installing your own (which could be self-signed or signed by a recognized CA) are in the SecureCI wiki at /trac/secureci/wiki/HowTo/InstallSslCert (under the HowTo docs on the wiki, How do I install an SSL certificate?). The location of the existing cert is noted there as well.