Weblogic 12c kerberos application - kerberos

I have written an application which extends CAS 3.5.3
CAS supports Kerberos protocol for authentication. So when I deploy this application on tomcat/jboss etc, I am able to login to my application via Kerberos. I have done settings on jboss. However wasn't able to find any concrete documentation for weblogic.
The documents I have found is
http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html - but this seems to be for securing the Weblogic console and now for my application.
When I try to login, getting the following error :-
Caused by: java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named jcifs.spnego.accept
at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
at javax.security.auth.login.LoginContext.init(LoginContext.java:259)
at javax.security.auth.login.LoginContext.(LoginContext.java:425)
... 144 more

It took quiet a long time to get this right, the steps are pretty simple. If you application is using jaas and you already have Kerberos authentication code (cas) in your webapp, the following solved my issue :-
1)Keep your jaas file inside /WEB-INF/classes dir.
2) pass this as an java opt, in startweblogic.cmd
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.auth.login.config=\WEB-INF\classes\jaas.conf
reboot the server and try to login.

Set the following property to JAVA_OPTIONS in your domains\your_domain\bin\startWebLogic.cmd file, or alternatively set it in weblogic console at Environment/Servers/Control/your_domain/Server Start/Arguments.
-DUseSunHttpHandler=true

Related

Jboos connectivity Issue

I am getting the following error when trying to connect my application to jboss:
WARN | ISPN004022: Unable to invalidate transport for server:
/127.0.0.1:12222 ERROR | ISPN004017: Could not fetch transport
org.infinispan.client.hotrod.exceptions.TransportException:: Could not
connect to server: /127.0.0.1:12222
Tried searching a lot for a solution. It would be great is someone could help me out with this. Thanks
You must recall the following actions:
Make sure that your webapp is using the same port as defined in the socket-binding definitions for hotrod in the standalone.xml for JDG configuration folder;
Make sure that your webapp is using the proper inject annotations for your RemoteCacheManager class (remember to use the #ApplicationScopped annotation at the class definition and for additional methods used to get the cache instance);
If you are using JBoss and JDG on the same host, you must check declarations of the JBOSS_HOME environment variable. This variable must be assigned to the JDG installation home directory and not the JBoss EAP home (check also port-offset settings at startup if you're using a custom shell script);
If you are not using both products on the same host, check firewall and network settings;
Remember to re-deploy the application always after every modification and check both EAP and JDG console output for warnings and/or errors.
The following errors are related (for example):
14:38:42,610 WARN [org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory] (http-127.0.0.1:8080-1) ISPN004022:
Unable to invalidate transport for server: /127.0.0.1:11322
14:38:42,610 ERROR [org.infinispan.client.hotrod.impl.transport.tcp.TcpTransportFactory] (http-127.0.0.1:8080-1) ISPN004017:
Could not fetch transport: java.lang.IllegalStateException: Pool not open

A WebGroup/Virtual Host to handle /appname has not been defined

I get the following error message when I try to open up my application from the web (using 'appname' as my application name, the root name of my application - the error displays my app's actual name):
com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /appname has not been defined.
As far as I can tell, my application was installed correctly and is running on our Websphere server (WAS 8.5).
I'm at a loss for what to pursue in order to resolve this issue - what possible issue could my application be having?
Map your web module to /appname in the administration console, or use whatever context-root is specified for the web module.

Class loading for jaas custom login modules in WebSphere Liberty

UPDATE: Some context on the problem below. My goal is to handle requests for users where they supply a Kafka topic with each request. I use Message Hub deployed on Bluemix as Kafka provider. The requests will pass the broker URL, topic name, username, password and API key. Message Hub on Bluemix requires JAAS authentication and provides a login module with different LoginModule implementations. Some are based on CallbackHandlers, others on CredentialProviders.
I picked the one implemented in com.ibm.messagehub.login.MultiUserLoginModule. With that module I should only have to supply a custom credential provider like:
KafkaClient {
com.ibm.messagehub.login.MultiUserLoginModule required
credentialProvider="myApp.CustomCredentialProvider";
};
The challenges are in the class loader and how the CustomCredentialProvider can get the username/password from the request passed to the MultiUserLoginModule at runtime. What configuration do I have to use to get that working?
DETAILS: I have a web application running in WebSphere Liberty 8.5.5 and want to authenticate with a third-party service. That third-party service implements a JAAS LoginModule with a CredentialProvider. My web app extends the CredentialProvider with a CustomCredentialProvider to pass credentials.
What I don't understand is how the class loading is supposed to work. My server.xml defines:
The web application
<webApplication id="streaming-service" location="streaming-service.war" name="streaming-service"/>
The third-party login module
<jaasLoginModule className="com.ibm.messagehub.login.MultiUserLoginModule" controlFlag="REQUIRED" id="KafkaClient" libraryRef="messageHubLoginLib">
<options credentialProvider="myApp.CustomCredentialProvider" serviceName="kafka"/>
</jaasLoginModule>
The library that implements the third-party login module
<library id="messageHubLoginLib">
<fileset dir="${server.output.dir}" includes="messagehub.login-1.0.0.jar"/>
</library>
The login context
<jaasLoginContextEntry id="KafkaClient" loginModuleRef="KafkaClient" name="KafkaClient"/>
The result of the above configuration is a ClassNotFoundException for my CustomCredentialProvider:
Caused by: java.lang.RuntimeException: java.lang.ClassNotFoundException: myApp.CustomCredentialProvider
at com.ibm.messagehub.login.MultiUserLoginModule$MultiUserCallbackHandler.<clinit>(MultiUserLoginModule.java:80)
How do I have to change my configuration for the third-party JAAS login module to find myApp.CustomCredentialProvider implemented in my streaming-service web app?
Note: I already tried to generate a streaming-service.jar and add it directly to the messageHubLoginLib. That resolves the ClassNotFoundException but the CustomCredentialProvider class is loaded completely outside the context of my running web application and still gives me no access my credentials.
You were nearly there with the separate streaming-service.jar. Here are all the steps that are needed.
Identify the classes (from your app) that need to be visible to the login module.
Put all those classes into your messageHubLoginLib (e.g. in a separate streaming-service.jar)
DELETE those classes from your app.
Configure the app with a class loader child element that references the login module library using a commonLibraryRef attribute:
<webApplication id="streaming-service" location="streaming-service.war" name="streaming-service">
<classloader commonLibraryRef="messageHubLoginLib" />
</webApplication>
Generate a streaming-service.jar and add it directly to the messageHubLoginLib should be the right way to do. In this case, you have a jar file that is share-able between your JAAS login module and Web App.
However, you said "CustomCredentialProvider class is loaded completely outside the context of my running web application and still gives me no access my credentials". It sounds like you trying to store the credential in the CustomCredentialProvider class for uses between the login module and web app.
The CustomCredentialProvider class should be independent between the login module and web app. When request come in and try to access the web app, the server trigger the login module for authentication. If it passed, the access to the web app will be successfully.
I don't see you posted. May be you are missing the following configuration?
<jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND" loginModuleRef="KafkaClient,hashtable,certificate,token" />
Can you place the MultiUserLoginModule and CustomCredentialProvider jar file in the ${server.config.dir}/lib/global directory and change the libraryRef point to global directory in your server.xml file as following:
<jaasLoginModule className="com.ibm.messagehub.login.MultiUserLoginModule" controlFlag="REQUIRED" id="KafkaClient" libraryRef="global">
<options credentialProvider="myApp.CustomCredentialProvider" serviceName="kafka"/>
</jaasLoginModule>

camunda-webapp and JAAS-authentication

In a Wildfly 8.1.0.Final we deploy:
our own CRM-webapp (Seam2/JSF1.2)
camunda-webapp 7.3.0
camunda-engine 7.3.0 as a module (shared engine)
custom engine-plugin to enable camunda-engine to use the user/group-store of our CRM
We display camunda tasklist in an iframe inside our CRM.
This setup runs fine so far, but we have to login twice.
So we need SSO, but cannot establish AD/LDAP, like in camunda-sso-jboss example.
I thought of Wildfly's JAAS and SSO capabilities, but i'am not sure, if camunda-webapp supports JAAS-authentication.
I think the security-domain configuration in jboss-web.xml is just generated by a maven archetype and has no effect on the camunda-webapp, is that right? I changed that configuration and it had no effect at all.
Can someone give me a hint, where i should hook into camunda-webapp or if it is possible at all?
Ok, i have a first success.
I changed org.camunda.bpm.webapp.impl.security.auth.Authentications.getFromSession to accept HttpServletRequest as parameter instead of HttpSession (called from AuthenticationFilter.doFilter). If the session contains no Authentications, i try to pull the Principle from the request and if one exists, i log em in silently (copied most from UserAuthenticationResource.doLogin).
Then i have a very simple webapp ("testA") with only one JSP and Basic Authentication. Both camunda-webapp and testA have the same security-domain configured, and the host in the undertow-subsystem has the "single-sign-on"-setting.
Now i can login into /testA, then call /camunda in another tab without further authentication.
The code has to be improved a lot. If everythink works fine, i'll post the details.
If someone thinks this is a wrong approach, please let me know ;-)

Connect HermesJMS to Wildfly 8.2

we recently changed our Application Server from Glassfish to Wildfly. With Glassfish we used QBrowser to monitor our JMS Queues, sadly that tool does not work with Wildfly.
After a quick search I found the Tool HermesJMS. Although there are lots of guides how to set up a connection to a JMS queue with it I couldn´t find anything directly for the JBoss Wildfly application server. After lots of reading through different guides I think I can now connect to the wildfly server but I just can´t connect to my jms queues.
First I tried to connect via JNDI InitialContext. Here´s my settings for it:
initialContextFactory: org.jboss.naming.remote.client.InitialContextFactory
providerURL: http-remoting://localhost:
urlPkgPrefixes: org.jboss.naming.remote.client
securityPrincipal: admin
securityCredentials: admin
It does connect but all I see are my deployed web applications and a "jms" folder. But they all contain the same web-applications again plus the jms folder and appear as a red circle with a white X in it.
So next I tried to set up a session manually via "Create new JMS Session" with following preferences:
Session: HornetQ
Plugin: HornetQ
Properties:
binding: jms/RemoteConnectionFactory
initialContextFactory: initialContextFactory: org.jboss.naming.remote.client.InitialContextFactory
providerURL: http-remoting://localhost:
urlPkgPrefixes: org.jboss.naming.remote.client
User: guest Password: pass
The guest user is an user I created in Wildfly as an application user
When I then double click on one of the queues it says that there is no such queue.
javax.jms.JMSException: There is no queue with name java:jboss/jms/queue/ngsEmailProvRequestQueue
at org.hornetq.jms.client.HornetQSession.createQueue(HornetQSession.java:397)
at hermes.impl.jms.SimpleDestinationManager.createDesintaion(SimpleDestinationManager.java:60)
at hermes.impl.JNDIDestinationManager.createDesintaion(JNDIDestinationManager.java:105)
at hermes.impl.jms.SimpleDestinationManager.getDestination(SimpleDestinationManager.java:137)
at hermes.impl.jms.AbstractSessionManager.getDestination(AbstractSessionManager.java:387)
at hermes.impl.DefaultHermesImpl.getDestination(DefaultHermesImpl.java:323)
at hermes.browser.tasks.BrowseDestinationTask.invoke(BrowseDestinationTask.java:122)
at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
at java.lang.Thread.run(Thread.java:745)
Does anybody know what I´m missing? Is it even possible to get HermesJms to work with Wildfly? Of if not is there an alternative monitoring tool for JMS queues?
Thank you for your help.
To work with Wildfly, follow this doc: https://developer.jboss.org/wiki/UsingHermesJMSWithHornetQ
Second part: Configuring HermesJMS for JBoss7 / EAP6 with HornetQ
And change those values:
binding=jms/RemoteConnectionFactory
initialContextFactory=org.jboss.naming.remote.client.InitialContextFactory
providerURL=http-remoting://localhost:8080
urlPkgPrefixes=org.jboss.naming.remote.client
In the destinations, change also:
Name: sample
Domain: QUEUE
Maybe you could have a look at JMSToolbox on sourceforge: https://sourceforge.net/projects/jmstoolbox/?source=directory
i recently revisited this as the team is moving from glassfish (yaye...) to wildfly. I tried with wildfly9 and it works.
I think it is a matter of exporting your queue name. see below
java:/jms/queue/test does not work
java:jboss/exported/jms/queue/test works
Note: wildfly9.2 is the final version that has hornetq. wildfly 10++ supports artemis instead.