I want to remove user authentication for kie-server. For this I have tried to remove the below-mentioned configuration from the web.xml file:
<security-constraint>
<web-resource-collection>
<web-resource-name>REST web resources</web-resource-name>
<url-pattern>/services/rest/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>kie-server</role-name>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
// from the above config I removed this portion:
<auth-constraint>
<role-name>kie-server</role-name>
<role-name>user</role-name>
</auth-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>KIE Server</realm-name>
</login-config>
Now the server is starting, but I am not able to see the task / claim / start / finish task.
So where should I modify the configuration so that I can use the kie-server without login? I also want to perform operations based on groups.
You see, the task service is a separate module in KIE. In that sense, it is wiser to make an autologin than to chase all the places that inherit authentication.
<security-constraint>
<web-resource-collection>
<web-resource-name>myapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>TESTAPP</realm-name>
</login-config>
I am trying to secure my web application deployed on Tomcat with Red Hat SSO. But when I deploy my application on the Linux box and start the Tomcat server, I get the below error:
02-Apr-2020 11:14:26.046 SEVERE [main] org.apache.catalina.startup.ContextConfig.authenticatorConfig Cannot configure an authenticator for method [KEYCLOAK]
02-Apr-2020 11:14:26.047 SEVERE [main] org.apache.catalina.startup.ContextConfig.configureStart Marking this application unavailable due to previous error(s)
When I go to web.xml and change the authentication method from KEYCLOAK to BASIC, I'm able to start the application, but on entering the web address, instead of redirecting to the SSO page, I get a small popup for user name and address. Can anyone think what's going on?
I have JBoss EAP 7.
So I have done:
unzip keycloak-eap7-adapter-dist-3.2.1.Final.zip
and
./bin/jboss-cli.sh --file=adapter-install-offline.cli
and added the <security-constraint> element to web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Admins</web-resource-name>
<url-pattern>/admin/*</url-pattern>
...
<security-role>
<role-name>admin</role-name>
...
and in my standalone.xml, I have:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="snack.war">
<realm>Netzportal</realm>
<resource>netzportal</resource>
<public-client>true</public-client>
<auth-server-url>http://localhost:8180/auth</auth-server-url>
<ssl-required>EXTERNAL</ssl-required>
</secure-deployment>
</subsystem>
And in the Keycloak admin console I have registered the web application as a client. The client opens at http://localhost:10080/czo/login.xhtml. So I have entered http://localhost:10080/czo/* as Valid Redirect URIs.
But when the application is running and I open http://localhost:10080/czo/login.xhtml, I do not get redirected to Keycloak (which is also running).
You seem to be missing the following entry (since it does not appear in your listed web.xml configuration), which actually tells which kind of authentication to use for login:
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>Netzportal</realm-name>
</login-config>
For more details on configuration check the docs.
I had the same problem; after a lot of suffering, I found that the web.xml file was in the wrong folder.
After logging in using HttpServletRequest.login(String, String), using the code below, on following requests I still get a Basic Authentication prompt. Why is the login function not working in my configuration?
My endpoint:
@POST
@Path("login")
@Consumes(MediaType.APPLICATION_JSON)
public void login(@Valid LoginRequest loginRequest) {
    try {
        User user = userController.findUserByUsername(loginRequest.getUsername()).orElseThrow(NotFoundException::new);
        // programmatic login against the security domain configured in jboss-web.xml
        httpServletRequest.login(loginRequest.getUsername(), loginRequest.getPassword());
        log.info(securityContext); // not null now!
    }
    catch (ServletException e) {
        // wrong credentials: answer with a 401 and the Basic challenge
        throw new NotAuthorizedException(e.getMessage(), e, AuthenticationHeaderFilter.CHALLENGE);
    }
}
And my jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.jboss.com/xml/ns/javaee
http://www.jboss.org/j2ee/schema/jboss-web_5_1.xsd">
<security-domain>MyRealm</security-domain>
</jboss-web>
And my web.xml:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
<security-constraint>
<display-name>Authenticated content</display-name>
<web-resource-collection>
<web-resource-name>Authentication required</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Anonymous content</display-name>
<web-resource-collection>
<web-resource-name>Exclude from Security</web-resource-name>
<url-pattern>/api/me/login</url-pattern>
</web-resource-collection>
</security-constraint>
Actually, the contract for HttpServletRequest#login does not mandate that the authenticated identity be remembered for the duration of the HTTP session (if one already exists), and certainly not that an HTTP session should be created upon successful authentication (for if one does not exist).
Technically speaking, the HttpServletRequest#login call goes straight through to the identity store (the method's Javadoc uses the term login mechanism for that). An identity store is a kind of database that typically only performs the credential validation and does not have knowledge about its environment (i.e. doesn't know about HTTP sessions, or remote EJB context IDs, or JCA inflow security IDs of whatever).
The authentication mechanism IS aware of its environment, and this one is invoked by calling HttpServletRequest#authenticate. But this would normally be expected to start an interaction dialog with the user when not being authenticated yet, not to remember the authenticated identity in the session if the user happens to be authenticated (the fact that this happens to work on JBoss seems more like a coincidence than something that is supposed to happen).
That all said, section 13.10 of the Servlet spec does allow containers to create an HTTP session:
Containers may create HTTP Session objects to track login state. If a
developer creates a session while a user is not authenticated, and the
container then authenticates the user, the session visible to
developer code after login must be the same session object that was
created prior to login occurring so that there is no loss of session
information.
(emphasis mine)
But... it's not overly clear if this text is in regard to calling the login() method or the authenticate() one.
In short, this is one of the many small gaps in the Java EE security spec; it's just not defined how to programmatically do a login with a given username/password and explicitly say if you want or do not want that to be for the current request only or for the remainder of the HTTP session.
We hope to fix issues like this in the Java EE Security API (JSR 375) for Java EE 8.
The answer is that after invoking httpServletRequest#login(String, String) you should still invoke httpServletRequest#authenticate(HttpServletResponse). My final, working code is:
httpServletRequest.login(loginRequest.getUsername(), loginRequest.getPassword());
httpServletRequest.authenticate(httpServletResponse);
As you want programmatic authentication, there is no need for <login-config> in web.xml.
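The login-then-authenticate sequence from the accepted answer, as an added example that is not code from the original post: a JAX-RS resource that validates the credentials, runs the container's authentication mechanism so the identity is attached to the session, and then checks that the principal and role are actually visible before answering. LoginRequest is assumed to be a DTO with getUsername()/getPassword(); the class name, path and the "user" role are taken from the question's web.xml.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical resource for this example; LoginRequest is assumed to carry username/password.
@Path("/me")
public class ProgrammaticLoginResource {

    @Context
    private HttpServletRequest request;
    @Context
    private HttpServletResponse response;

    @POST
    @Path("login")
    @Consumes(MediaType.APPLICATION_JSON)
    public Response login(LoginRequest loginRequest) throws IOException {
        try {
            // Step 1: validate the credentials against the security domain (identity store only).
            request.login(loginRequest.getUsername(), loginRequest.getPassword());
            // Step 2: run the container's authentication mechanism so the identity is
            // associated with the HTTP session and reused on the following requests.
            if (!request.authenticate(response)) {
                // The container has already written its own challenge in this case.
                return Response.status(Response.Status.UNAUTHORIZED).build();
            }
        } catch (ServletException e) {
            // Wrong credentials, or a container that refuses programmatic login.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Post-condition: the caller principal must be visible and carry the expected role.
        if (request.getUserPrincipal() == null || !request.isUserInRole("user")) {
            try { request.logout(); } catch (ServletException ignored) { }
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // Make sure a session exists to carry the identity, then renew its id so a
        // session id handed out before login cannot be reused (session fixation).
        request.getSession(true);
        request.changeSessionId();
        return Response.noContent().build();
    }
}
```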
I want to consume a REST resource available at http://localhost:9080/StudentWeb/MyRest-rest/services/students/
from my AngularJS app, and the REST application is deployed in WebSphere Application Server with the following deployment descriptor (web.xml). And the application is working perfectly with this configuration, with users in the RegisteredUsers role.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>MyRestApplicationServicesWeb</display-name>
<servlet>
<description>
JAX-RS Tools Generated - Do not modify</description>
<servlet-name>MyRestRest</servlet-name>
<servlet-class>com.ibm.websphere.jaxrs.server.IBMRestServlet</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>com.myrest.student.rest.StudentApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<enabled>true</enabled>
<async-supported>false</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>MyRestRest</servlet-name>
<url-pattern>/MyRest-rest/*</url-pattern>
</servlet-mapping>
<security-role>
<description>RegisteredUsers</description>
<role-name>RegisteredUsers</role-name>
</security-role>
<security-constraint>
<display-name>Area for authenticated users</display-name>
<web-resource-collection>
<web-resource-name>Protected Resources</web-resource-name>
<url-pattern>/MyRest-rest/services/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>RegisteredUsers</role-name>
</auth-constraint>
</security-constraint>
<filter>
<filter-name>CORSFilter</filter-name>
<filter-class>com.myrest.student.filter.StudentCORSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CORSFilter</filter-name>
<url-pattern>/MyRest-rest/*</url-pattern>
</filter-mapping>
</web-app>
I want to secure the data flow between the AngularJS app and the WAS REST endpoint by converting the REST API to https. For that I added
<user-data-constraint>
<description>Redirects http requests to https</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
in the security-constraint tag.
And please find the CORS filter I added:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    System.out.println("Inside Filter");
    ((HttpServletResponse) response).addHeader("Access-Control-Allow-Origin", "*");
    ((HttpServletResponse) response).addHeader("Access-Control-Allow-Credentials", "true");
    // the header name is Access-Control-Allow-Methods (plural)
    ((HttpServletResponse) response).addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
    ((HttpServletResponse) response).addHeader("Content-Type", "application/json");
    ((HttpServletResponse) response).addHeader("Access-Control-Allow-Headers", "Content-Type");
    String accessControlReqHeader = ((HttpServletRequest) request).getHeader("Access-Control-Request-Headers");
    System.out.println(accessControlReqHeader);
    if (((HttpServletRequest) request).getMethod().equalsIgnoreCase("OPTIONS")) {
        // preflight: echo the requested headers (if the browser sent any) and stop here
        if (accessControlReqHeader != null) {
            ((HttpServletResponse) response).addHeader("Access-Control-Allow-Headers", accessControlReqHeader);
        }
    } else {
        chain.doFilter(request, response);
    }
}
But now I am getting an error in the AngularJS app as follows:
XMLHttpRequest cannot load http://localhost:9080/StudentWeb/MyRest-rest/services/students/12341234. The request was redirected to 'https://localhost:9443/StudentWeb/MyRest-rest/services/students/12341234', which is disallowed for cross-origin requests that require preflight.
I can see this is a CORS issue for https. How can I get around this issue?
Here's your problem, or at least one of them.
((HttpServletResponse) response).addHeader("Access-Control-Allow-Origin", "*");
You can't use the wildcard when sending credentials with a CORS request. Instead explicitly list the origin. If you will have many, inspect the origin header from the client and if your server decides to serve content to that client then return the content of the request origin header as the value of Access-Control-Allow-Origin response header.
I have a web app running on Tomcat 7, and I've successfully gotten SSL and form-based authentication to work by using https and the appropriate port directly. However, I'd like to require SSL for the login page and can't seem to get this to work if I navigate to the root of my web app. E.g. if I go to http://localhost:8080/ProjectManagementSystem/login.html it redirects to SSL, but not if I go to http://localhost:8080/ProjectManagementSystem. The latter does redirect to the login page but doesn't change to SSL.
Is this possible without moving the login page to its own directory (as in this question)?
The relevant pieces from web.xml are:
<security-constraint>
<web-resource-collection>
<web-resource-name>PMS</web-resource-name>
<url-pattern>/login.html</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ProjectManagementSystem</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
I've tried a number of different configurations (e.g. adding additional url-patterns like /) but can't get anything to redirect when I go to the web-app's root. I'd really appreciate knowing if this is impossible or if I'm just doing something wrong. Thanks.
ETA: I actually went ahead and tried moving login.html to login/login.html and changing it to <url-pattern>/login/*</url-pattern> and it still doesn't work. So I think I must be doing something wrong, but I can't for the life of me figure out what.
ETA2: I also tried <url-pattern>/*</url-pattern> and <url-pattern>*</url-pattern> and <url-pattern>*.html</url-pattern> and none of these worked either...
ETA3: I tried changing the web-resource-name as well, in case it was conflicting with another part of the web.xml, but that still didn't work. I'm about out of ideas.
I got this to work in JBOSS 7.1.1 as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>*</web-resource-name>
<url-pattern>/logon.jsp</url-pattern>
<url-pattern>/logonReconnect.jsp</url-pattern>
<url-pattern>/logoff.do</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
E.g. there were 3 pages allowing logon; together with the SSL configuration in standalone.xml, this forces SSL for the logon pages and session but does not place a constraint on other content. This was to address a kind of bizarre problem in IE8 and earlier where active content (hotspots) was disabled if we placed the constraint on all content.
I had the same problem: only the root page did not redirect to https; all other pages did. I managed to fix it by using TWO url-patterns in the security-constraint, like:
<security-constraint>
<web-resource-collection>
<web-resource-name>PMS</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
<url-pattern>/</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>