UPDATE: Some context on the problem below. My goal is to handle requests for users where they supply a Kafka topic with each request. I use Message Hub deployed on Bluemix as Kafka provider. The requests will pass the broker URL, topic name, username, password and API key. Message Hub on Bluemix requires JAAS authentication and provides a login module with different LoginModule implementations. Some are based on CallbackHandlers, others on CredentialProviders.
I picked the one implemented in com.ibm.messagehub.login.MultiUserLoginModule. With that module I should only have to supply a custom credential provider like:
KafkaClient {
com.ibm.messagehub.login.MultiUserLoginModule required
credentialProvider="myApp.CustomCredentialProvider";
};
The challenges are in the class loader and how the CustomCredentialProvider can get the username/password from the request passed to the MultiUserLoginModule at runtime. What configuration do I have to use to get that working?
DETAILS: I have a web application running in WebSphere Liberty 8.5.5 and want to authenticate with a third-party service. That third-party service implements a JAAS LoginModule with a CredentialProvider. My web app extends the CredentialProvider with a CustomCredentialProvider to pass credentials.
What I don't understand is how the class loading is supposed to work. My server.xml defines:
The web application
<webApplication id="streaming-service" location="streaming-service.war" name="streaming-service"/>
The third-party login module
<jaasLoginModule className="com.ibm.messagehub.login.MultiUserLoginModule" controlFlag="REQUIRED" id="KafkaClient" libraryRef="messageHubLoginLib">
<options credentialProvider="myApp.CustomCredentialProvider" serviceName="kafka"/>
</jaasLoginModule>
The library that implements the third-party login module
<library id="messageHubLoginLib">
<fileset dir="${server.output.dir}" includes="messagehub.login-1.0.0.jar"/>
</library>
The login context
<jaasLoginContextEntry id="KafkaClient" loginModuleRef="KafkaClient" name="KafkaClient"/>
The result of the above configuration is a ClassNotFoundException for my CustomCredentialProvider:
Caused by: java.lang.RuntimeException: java.lang.ClassNotFoundException: myApp.CustomCredentialProvider
at com.ibm.messagehub.login.MultiUserLoginModule$MultiUserCallbackHandler.<clinit>(MultiUserLoginModule.java:80)
How do I have to change my configuration for the third-party JAAS login module to find myApp.CustomCredentialProvider implemented in my streaming-service web app?
Note: I already tried to generate a streaming-service.jar and add it directly to the messageHubLoginLib. That resolves the ClassNotFoundException but the CustomCredentialProvider class is loaded completely outside the context of my running web application and still gives me no access my credentials.
You were nearly there with the separate streaming-service.jar. Here are all the steps that are needed.
Identify the classes (from your app) that need to be visible to the login module.
Put all those classes into your messageHubLoginLib (e.g. in a separate streaming-service.jar)
DELETE those classes from your app.
Configure the app with a class loader child element that references the login module library using a commonLibraryRef attribute:
<webApplication id="streaming-service" location="streaming-service.war" name="streaming-service">
<classloader commonLibraryRef="messageHubLoginLib" />
</webApplication>
Generate a streaming-service.jar and add it directly to the messageHubLoginLib should be the right way to do. In this case, you have a jar file that is share-able between your JAAS login module and Web App.
However, you said "CustomCredentialProvider class is loaded completely outside the context of my running web application and still gives me no access my credentials". It sounds like you trying to store the credential in the CustomCredentialProvider class for uses between the login module and web app.
The CustomCredentialProvider class should be independent between the login module and web app. When request come in and try to access the web app, the server trigger the login module for authentication. If it passed, the access to the web app will be successfully.
I don't see you posted. May be you are missing the following configuration?
<jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND" loginModuleRef="KafkaClient,hashtable,certificate,token" />
Can you place the MultiUserLoginModule and CustomCredentialProvider jar file in the ${server.config.dir}/lib/global directory and change the libraryRef point to global directory in your server.xml file as following:
<jaasLoginModule className="com.ibm.messagehub.login.MultiUserLoginModule" controlFlag="REQUIRED" id="KafkaClient" libraryRef="global">
<options credentialProvider="myApp.CustomCredentialProvider" serviceName="kafka"/>
</jaasLoginModule>
Related
We just upgraded from AEM6.1 to 6.3. I am trying to execute a workflow but getting the below error-
07.08.2017 15:20:21.233 *ERROR* [sling-threadpool-cc7c6ae7-7243-4db2-9490-b0810d422592-(apache-sling-job-thread-pool)-282-Granite Workflow Queue(com/adobe/granite/workflow/job/etc/workflow/models/content-request-for-deletion/jcr_content/model)] com.adobe.granite.repository.impl.SlingRepositoryImpl Bundle com.adobe.granite.workflow.core is NOT whitelisted to use SlingRepository.loginAdministrative
07.08.2017 15:20:21.233 *ERROR* [sling-threadpool-cc7c6ae7-7243-4db2-9490-b0810d422592-(apache-sling-job-thread-pool)-282-Granite Workflow Queue(com/adobe/granite/workflow/job/etc/workflow/models/content-request-for-deletion/jcr_content/model)] com.adobe.granite.workflow.core.job.JobHandler Error executing workflow step
java.lang.RuntimeException: Error logging in as service user
at com.adobe.granite.workflow.core.util.ServiceLoginUtil.getWorkflowPayloadSession(ServiceLoginUtil.java:82)
at com.adobe.granite.workflow.core.util.ServiceLoginUtil.getWorkflowPayloadWorkflowSession(ServiceLoginUtil.java:127)
at com.adobe.granite.workflow.core.job.JobHandler.process(JobHandler.java:203)
at org.apache.sling.event.impl.jobs.JobConsumerManager$JobConsumerWrapper.process(JobConsumerManager.java:500)
at org.apache.sling.event.impl.jobs.queues.JobQueueImpl.startJob(JobQueueImpl.java:291)
at org.apache.sling.event.impl.jobs.queues.JobQueueImpl.access$100(JobQueueImpl.java:58)
at org.apache.sling.event.impl.jobs.queues.JobQueueImpl$1.run(JobQueueImpl.java:227)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.jcr.LoginException: Bundle com.adobe.granite.workflow.core is NOT whitelisted
at org.apache.sling.jcr.base.AbstractSlingRepository2.loginAdministrative(AbstractSlingRepository2.java:378)
at com.adobe.granite.workflow.core.util.ServiceLoginUtil.getWorkflowPayloadSession(ServiceLoginUtil.java:76)
... 9 common frames omitted
Do I need to create a service user? How can I do so?
You will find useful this link https://issues.apache.org/jira/browse/SLING-5135
loginAdministrative is a deprecated method which you can still use, although in 6.3 an extra security level was added so in order to be able to use it you would need to create an OSGi config
org.apache.sling.jcr.base.internal.LoginAdminWhitelist.fragment More info here
This problem occur when we try to access resource resolver by administrative services in aem 6.3 or abouve version ...you can remove this error by following way
Apache Sling Service User Mapper Service
enter image description here
There are two options in this configurations:
Service mappings: The service mappings configuration can be used here.
You can configure it like this:
Bundle-Symbolic-Name: Sub-Service[Optional] = System-User-Name
Default User: If there is no service mapping corresponding to a bundle, then the bundle will pick default User and use it as it’s service authentication user.So if you don't want to provide any service mappings, you can use the option of default user.But it is not specific to the bundle.
Apache Sling Service User Mapper Amendment
enter image description here
his configuration is used when you want to have an individual configuration for a particular project.
If there are more than one configurations correspond to a particular bundle, based on the ranking, service can be picked.(The highest the number will be having highest ranking).
New loginService methods
Now the new methods are introduced to replace loginAdministrative methods:
ResourceResolver getServiceResourceResolver(Map authenticationInfo) throws LoginException;
Session loginService(String serviceInfo, String workspace) throws LoginException, RepositoryException;
Note: Each bundle using the ResourceResolverFactory or SlingRepository service actually gets an instance bound to the using bundle. That bundle is used to identify the service.
I have written an application which extends CAS 3.5.3
CAS supports Kerberos protocol for authentication. So when I deploy this application on tomcat/jboss etc, I am able to login to my application via Kerberos. I have done settings on jboss. However wasn't able to find any concrete documentation for weblogic.
The documents I have found is
http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html - but this seems to be for securing the Weblogic console and now for my application.
When I try to login, getting the following error :-
Caused by: java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named jcifs.spnego.accept
at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
at javax.security.auth.login.LoginContext.init(LoginContext.java:259)
at javax.security.auth.login.LoginContext.(LoginContext.java:425)
... 144 more
It took quiet a long time to get this right, the steps are pretty simple. If you application is using jaas and you already have Kerberos authentication code (cas) in your webapp, the following solved my issue :-
1)Keep your jaas file inside /WEB-INF/classes dir.
2) pass this as an java opt, in startweblogic.cmd
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.auth.login.config=\WEB-INF\classes\jaas.conf
reboot the server and try to login.
Set the following property to JAVA_OPTIONS in your domains\your_domain\bin\startWebLogic.cmd file, or alternatively set it in weblogic console at Environment/Servers/Control/your_domain/Server Start/Arguments.
-DUseSunHttpHandler=true
I've created Web Application running on Java Liberty Runtime on Bluemix. Login is done by using SSO service with SAML enterprise provider. After login user redirected to my app and on every JAX-RS request I get user's credentials by following code:
Subject s = WSSubject.getCallerSubject();
Object credential = s.getPrivateCredentials().iterator().next();
String loginToken = credential.toString();
Everything works fine, but if the user has been idle for more then 10 minutes and then perform any ajax request WSSubject.getCallerSubject() returns null, and I required to refresh application.
I've tried to increase timeout by adding following attribute to web.xml:
<session-config>
<session-timeout>60</session-timeout>
</session-config>
But it didn't help. So I'm looking how can I increase timeout or possible I can retrieve user credentials in a different way?
You need to add the optional element <authCache> to the server.xml file to change the default values for the authentication cache.
As you mentioned in your question, the default value is 10 minutes. To change it to 60 minutes you need to include the following in the server.xml file:
<authCache initialSize="50" maxSize="25000" timeout="60m"/>
The documentation here provides more details and also explains initialSize and maxSize options, I left the default value for these two above and just updated timeout.
If you are deploying your application using the default method of pushing the war file, you will need to use a different approach to deploy the application with a custom server.xml file. Please check the documentation here for options on pushing Liberty profile applications (more specific check sections Server Directory and Packaged Server).
In this case, you may also want to check the server.xml file that is currently deployed and modify that version to add the <authCache> element.
You can get a copy of the file by running the following command:
$ cf files <your_app_name> app/wlp/usr/servers/defaultServer/server.xml
In a Wildfly 8.1.0.Final we deploy:
our own CRM-webapp (Seam2/JSF1.2)
camunda-webapp 7.3.0
camunda-engine 7.3.0 as a module (shared engine)
custom engine-plugin to enable camunda-engine to use the user/group-store of our CRM
We display camunda tasklist in an iframe inside our CRM.
This setup runs fine so far, but we have to login twice.
So we need SSO, but cannot establish AD/LDAP, like in camunda-sso-jboss example.
I thought of Wildfly's JAAS and SSO capabilities, but i'am not sure, if camunda-webapp supports JAAS-authentication.
I think the security-domain configuration in jboss-web.xml is just generated by a maven archetype and has no effect on the camunda-webapp, is that right? I changed that configuration and it had no effect at all.
Can someone give me a hint, where i should hook into camunda-webapp or if it is possible at all?
Ok, i have a first success.
I changed org.camunda.bpm.webapp.impl.security.auth.Authentications.getFromSession to accept HttpServletRequest as parameter instead of HttpSession (called from AuthenticationFilter.doFilter). If the session contains no Authentications, i try to pull the Principle from the request and if one exists, i log em in silently (copied most from UserAuthenticationResource.doLogin).
Then i have a very simple webapp ("testA") with only one JSP and Basic Authentication. Both camunda-webapp and testA have the same security-domain configured, and the host in the undertow-subsystem has the "single-sign-on"-setting.
Now i can login into /testA, then call /camunda in another tab without further authentication.
The code has to be improved a lot. If everythink works fine, i'll post the details.
If someone thinks this is a wrong approach, please let me know ;-)
I am using httpinvoker in JBoss 4.0.4 (little old) for EJB invocations.
Since there are so many clients that make calls to my server, I want to identify the clients for each call in server.
Is there a way to do this with JBoss httpinvoker?
I could imagine adding a header to identify my client in each HTTP request, but cannot find a way to add a header in httpinvoker.
Auditing builds on a name, and thus on an authentication scheme somehow.
Therefore I suggest using the standard client authentication infrastructure to solve your problem. This works for RMI as well (it's not bound to HTTP), and the user ID is even passed down into your EJBs.
Server
Put the EJB in a security-domain (ejb.jar: META-INF/jboss.xml)
You could use the application-policy other which just the UsersRolesLoginModule (conf/login-config.xml); this is the default policy, it's already configured.
Add users.properties and roles.properties to your ejb.jar file (top level package): These are used by the UsersRolesLoginModule
For each user, add his name and a (dummy) password to users.properties
Client
Create a callback class which implements a javax.security.auth.callback.CallbackHandler: This callback is used, when the authentication needs the user and the password.
Create a javax.security.auth.login.LoginContext; pass the callback handler as the 2nd argument; call login() on the instance of the LoginContext
Connect normally to the EJB server using an InitialContext
Add -Djava.security.auth.login.config=.../jboss-4/client/auth.conf when you start the client
This way a user ID is passed from the client to the EJB (as part of the standard authentication process). Now, in the EJB methods, you can get the user ID by calling getCallerPrincipal() on the SessionContext instance. I have tested this against JBoss 4.2.3
Additional information: JBoss client authentication
Addendum 1:
Using RMI or HTTP, the password is not transported in a secure way. In this case just use a dummy password, this is OK for auditing.
On the other hand, if you use RMI over SSL or HttpInvoker over HTTPS, you could change to a real and secure authentication quickly.
Addendum 2:
I am not sure, if it works without defining roles. Possibly you have to
Add a line in roles.properties for each user: Add a connect role, for example
Add role definitions in ejb-jar.xml as well: security-role-ref for each EJB, and security-role and method-permission in the assembly-descriptor
Update
As there is already a login module, there might be another possibility:
If you have the source code of the login module, you could possibly use another TextCallback to get additional information from the client (in your case a user ID). The information could be used to create a custom Principal. Within the EJB, the result of getCallerPrincipal() could be cast to the custom principal.