I have multiple tomcat servers with independent configurations running in the same server at different ports. Recently converted few tomcat servers from http to https. So the strange problem is:
Application 1: running at https://x.y.z.w:10001 (https)
Application 2: running at http://x.y.z.w:8888 (http)
If I access Application 2 from my browser (chrome/firefox) first it works fine.
If I access Application 1 first and later Application 2, Application 2 URL is getting changed to https://x.y.z.w:8888 automatically. Even if I restart the browser, Application 2 URL getting redirected to https. After this the only way to solve this problem is to delete browser cache and access Application 2 first.
How to prevent Application 2 URL getting redirected to https automically?
Added the below code for Application 1's tomcat web.xml file. This did not help me.
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>0</param-value>
</init-param>
</filter>
This issue is fixed now. Added code in WebSecurityConfigurerAdapter of Spring boot application.
http
.headers()
.httpStrictTransportSecurity()
.includeSubDomains(false)
.maxAgeInSeconds(0);
Regds
-raju
Related
I have multiple applications deployed to a single WildFly server, version 26.1.2. Those applications have the same application security domain specified in their jboss-web.xml files.
Chapter Web Single Sign-On of WildFly Elytron Security explains how to enable single sign-on across different applications deployed into different servers, where these applications belong to same security domain.
I guess there must be an easier way to do this when all applications are running on the same server. I will appreciate any help you can provide on this matter.
This is the jboss-web file of application xyz2ap112-web:
<jboss-web>
<context-root>/xyz2ap112-web</context-root>
<resource-ref>
<res-ref-name>jdbc/xyz2db112</res-ref-name> <!-- Logical name only. -->
<jndi-name>java:/jdbc/xyz2db112</jndi-name> <!-- Real JNDI name. -->
</resource-ref>
<security-domain>xyz2ap112-web-security-domain</security-domain>
</jboss-web>
Actually the applications also share the same database, so the only difference between their jboss-web.xml files is the context root.
This is the login configuration for all the applications in their web.xml file:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/error.xhtml</form-error-page>
</form-login-config>
<realm-name>xyz2ap112-web-security-domain</realm-name>
</login-config>
This is the definition of the application security domain in the standalone-full.xml file:
<application-security-domain name="xyz2ap112-web-security-domain" security-domain="xyz2db112-jdbc-security-domain"/>
This is the definition of the security domain in the standalone-full.xml file:
<security-domain name="xyz2db112-jdbc-security-domain" default-realm="xyz2db112-jdbc-realm" permission-mapper="default-permission-mapper">
<realm name="xyz2db112-jdbc-realm" role-decoder="groups-to-roles"/>
</security-domain>
I use ProxyServlet in web.xml in order to redirect requests from the frontend serveur to the backend server.
<servlet>
<servlet-name>ProxyServlet</servlet-name>
<servlet-class>weblogic.servlet.proxy.HttpProxyServlet</servlet-class>
<init-param>
<param-name>WebLogicHost</param-name>
<param-value>xxx.xxx.xxx.xxx</param-value>
</init-param>
<init-param>
<param-name>WebLogicPort</param-name>
<param-value>xxxx</param-value>
</init-param>
</servlet>
But my problem is that I want to use a dynamic IP adress and port... so can I use env value or somthing else. Because I want to deploy the same WAR into diffrent servers.
weblogic 12c
Thank you Emmanuel Collin.
The solution is to use a deployment plan which is an xml file that we put on each server (DEV, QUALIF, PROD) and in each file we put the value of IP address and port.
I am a beginner in using CAS. My CAS server is up and running at port 8443(Secured HTTP layer). I have also made two applications - JAVA Client(My own JAVA Client) and PHP Client(Officially provided by CAS) for testing my CAS server. I am able to use single Sign On for both of the clients. I have also enabled Single Sign Out in the CAS properties file. My current version of CAS is 4.0.0 and I am using Apache Tomcat version 8.0.23
I have added the following dependency for Sign Out in web.xml for JAVA Client
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class> org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class> org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
But while performing Single Sign Out, When I log out of PHP Application I am unable to log out of already opened JAVA Applications. This means that on logging out from PHP application does not destroy my existing JAVA Application Sessions.
So after a lot of research I came across this and I was successfully able to implement Sign Out feature. But I do not want to use a common session database.
In the official documentation of CAS it is mentioned that:
CAS sends an HTTP POST message directly to the service ( back channel communication): this is the traditional way of performing notification to the service.
When CAS is configured for SLO, it attempts to send logout messages to every application that requested authentication to CAS during the SSO session.
But I am unable to understand how to fetch the SLO message as I do not receive any POST request( while tracking using firebug) during logout of an application. So Can anyone please help me to perform Single Sign Out.
Thanks in advance.
As found on CAS documentation:
When a CAS session ends, it notifies each of the services that the SSO session is no longer valid, and that relying parties need to invalidate their own session.
This can happen in two ways:
CAS sends an HTTP POST message directly to the service (back channel communication): this is the traditional way of performing notification to the service.
CAS redirects (HTTP 302) to the service with a message and a RelayState parameter (front channel communication): This feature is inspired by SAML SLO, and is needed if the client application is composed of several servers and use session affinity. The expected behaviour of the CAS client is to invalidate the application web session and redirect back to the CAS server with the RelayState parameter.
Usage Warning!
Front-channel SLO at this point is still experimental.
(emphasis added by me)
If you do not see corresponding activity on the browser, you are probably using option #1 where POST messages are send on the backend.
SLO is way more complicated than SSO...
Sorry if this will be too common or simple question but I don't know what should I put into Google to finaly find the answer.
I have GWT application which is now currently running on Glassfish. I can run the application on port 8080 (http) or 8181 (https). The thing is - am I using SSL now?
Default self signed certificate is enough for me for now (I know about keytool and import certificates), I just have to clarify this simple question.
I red here GWT and SSL not working? I need to set up security-constraint in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>sslprotect</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Is this enough then? In the comments Sam writes something about "implement the whole usage of SSL correctly."
So question: Is this enough? Is my application SSL protected now?
To be honest, I studied security algorithms on the University but I failed in implementation misserably.
It should be enough. If you can see the https in front of your URL, everything is fine. You can check if you are SSL-protected by browsing to the http URL, this should return an error or redirect you to the https URL.
I'm trying to setup SSL connections for a web service that is B2B and need to do client authentication on the server. Since the server hosts URLs that are also accessible from regular users through browser, not all connections to the host need to do client-auth. Only specific URLs require client-auth to validate the callers X509 certificate. We are using JBoss 5.x, which is based on Tomcat 5.x so I have a connector configuration like so:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}" sslProtocol = "TLS"
scheme="https" secure="true" enableLookups="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/.myKeyStore"
keystorePass="password1" />
As you can see I have a keystore configured so we can provide our Signed Cert and I have clientAuth=false as the specific URLs needing client-auth will be configured in web.xml like so:
<security-constraint>
<web-resource-collection>
<web-resource-name>clientAuthResources</web-resource-name>
<url-pattern>/clientauth/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>authOnly</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myRealm</realm-name>
</login-config>
<security-role>
<role-name>authOnly</role-name>
</security-role>
Through a custom JAAS Login module I can actually get this to work IF in the connector config above I also specific a truststore that has the client certs. That is where my issue is. Given the setup of our application and how we scale, each jboss application server setup supports a specific segentation of our users and I do not want truststores configured all over the place on the file system. We need to load the trusted certificates dynamically in code from our database. The custom JAAS login moduble does this at web level, and it also assignes roles, however without the connector truststore the login module never gets called, connection is terminated at SSL level before HTTP getes involved.
After much research on the web I've determined I need a custom X509TrustManager configured in the SSLContext/SSLSocketFactory to get around this. This custom trust manager would also validate client certs off the ones stored in our database. I have created this custom trust manager, however I cannot seem to hook it up. Does anyone know a way to configure this in jboss or tomcat 5.x? I noticed in Tomcat 7 the following config is available on a connector, trustManagerClassName, however that is not an option for me. I assume its possible, any help is greatly appreciated.
You can write your own org.apache.tomcat.util.net.jsse.JSSEImplementation and pass its full class name in the SSLImplementation attribute of your connector.
See examples here:
http://code.google.com/p/jsslutils/wiki/ApacheTomcatUsage
http://code.google.com/p/jsslutils/source/browse/trunk/extra/apachetomcat5/src/main/java/org/jsslutils/extra/apachetomcat5/JSSLutilsImplementation.java
http://code.google.com/p/jsslutils/source/browse/trunk/extra/apachetomcat5/src/main/java/org/jsslutils/extra/apachetomcat5/JSSLutilsJSSESocketFactory.java