JBoss authentication issue - jboss

I am a newbie to JBoss and I have an application running in JBoss 6.2.
We usually have the login set up using JSF. It shows a screen with username and password (created by JSF); that's an internal part of the application and it works fine.
But I came to know there is a basic authentication setup available in JBoss. We can configure it so that it requires passing through authentication.
I searched on the internet and I found a way to introduce it like below:
D:\workspace_Csmart\jboss-eap-6.2\bin>add-user
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : prabhu
User 'prabhu' already exits, would you like to update the existing user password and roles
Is this correct yes/no? yes
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[user]: prabhu
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.prope
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.propertie
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="cHJhYmh1QDEyMw==" />
And you can see the user and password are updated in the properties files, so I ran the server with my local setup and it's up and running. But I didn't see any popup asking for JBoss basic credentials. It just goes directly to the login page: http://10.17.195.15:8080/Proj/home.xhtml
Do I have to do anything with standalone.xml? security tag?
I would really appreciate it if anyone can point out what I am missing here. What do I need to do to make it work for JBoss Basic Authentication? Thanks!

1) First you need to move all your JSF files (that need protection) into some folder, for example a secured folder.
2) Create index.jsf that redirects to the protected start page and place it outside the secured folder.
3) Create logout.jsf which does session.invalidate() and redirects to the index.jsf page.
<html>
<body>
<%
if(session!=null)
{
session.invalidate();%>
<jsp:forward page="index.jsp" />
<%
} else{
%>
Logged Out Successfully....
<% }%>
</body>
</html>
4) Add security constraints to web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureResources</web-resource-name>
<description>Some Description</description>
<url-pattern>/secured/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>TestRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>TestRole</role-name>
</security-role>
5) Create a jboss-web.xml file inside the project's WEB-INF folder.
<?xml version="1.0"?>
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<security-domain>java:/jaas/BasicAuthWebAppPolicy</security-domain>
<context-root>/basicSecurityWebApp</context-root>
</jboss-web>
6) Create a file with some name like basicSecurityWebApp-roles.properties and place it in the WEB-INF/classes folder. Define a role there and assign that role to some user.
TestUserOne=TestRole
7) Create another file with some name like basicSecurityWebApp-users.properties and place it in the WEB-INF/classes folder and define the username and password.
TestUserOne=TestPassword
8) Now you should modify login-config.xml in the $PROFILE/conf/ folder. Add an application-policy with the same name as BasicSecurityWebApp.
<application-policy name="BasicAuthWebAppPolicy">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">basicSecurityWebApp-users.properties</module-option>
<module-option name="rolesProperties">basicSecurityWebApp-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
9) Deploy application to JBoss.
10) Now every time you access the website you have to enter the user and password you provided in the credentials file (username “TestUserOne” and password “TestPassword”).
For more details see This
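To make the mechanism in the steps above concrete, here is an added example (my own code, not from the answer or from JBoss) that plays the container's part with Python's standard library: it protects /secured/* the way the <security-constraint> plus <auth-method>BASIC</auth-method> above do, using constructed users/roles tables in the shape of the application-users.properties / application-roles.properties files, and then makes four client requests so you can see the 401 challenge with its WWW-Authenticate header (the header that triggers the browser popup the question was missing), a successful request, a wrong password, and a user who is authenticated but does not hold the required role (403). The users TestUserOne/guest and the role TestRole are sample values.

```python
"""Added example (not from the original post): a minimal Basic-auth exchange.

A stdlib HTTP server stands in for the container and protects /secured/* the
way a <security-constraint> with <auth-method>BASIC</auth-method> does. The
user and role tables are constructed samples shaped like JBoss's
application-users.properties / application-roles.properties files.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample stores; plaintext passwords are for the demo only.
USERS = {"TestUserOne": "TestPassword", "guest": "guestpw"}
ROLES = {"TestUserOne": {"TestRole"}, "guest": set()}
REALM = "ApplicationRealm"
PROTECTED_PREFIX = "/secured/"   # the <url-pattern>/secured/*</url-pattern>
REQUIRED_ROLE = "TestRole"       # the <auth-constraint> role


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, or None.
    The credentials are only base64-encoded, not encrypted: anyone who can read
    the request can read the password, which is why BASIC needs TLS."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authorize(path, auth_header):
    """Decide the HTTP status the container would return for this request."""
    if not path.startswith(PROTECTED_PREFIX):
        return 200                      # no constraint matches: no auth at all
    creds = parse_basic(auth_header)
    if creds is None or USERS.get(creds[0]) != creds[1]:
        return 401                      # challenge (or re-challenge)
    if REQUIRED_ROLE not in ROLES.get(creds[0], set()):
        return 403                      # authenticated but not in the role
    return 200


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = authorize(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        if status == 401:
            # This header is what makes a browser show the credentials popup.
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):       # keep the demo output quiet
        pass


def basic_header(user, password):
    """Build the header a browser (or Jersey's HTTPBasicAuthFilter) would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def run_exchange():
    """Start the server on an ephemeral port, perform four requests, and
    return {label: (status, WWW-Authenticate header or None)}."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        cases = {
            "anonymous": {},
            "user_with_role": basic_header("TestUserOne", "TestPassword"),
            "wrong_password": basic_header("TestUserOne", "nope"),
            "user_without_role": basic_header("guest", "guestpw"),
        }
        results = {}
        for label, headers in cases.items():
            conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
            conn.request("GET", "/secured/home.xhtml", headers=headers)
            resp = conn.getresponse()
            resp.read()
            results[label] = (resp.status, resp.getheader("WWW-Authenticate"))
            conn.close()
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, (status, challenge) in run_exchange().items():
        print(f"{label:18} -> {status} {challenge or ''}")
```

The anonymous request is the case the question describes: without a matching constraint the server never sends WWW-Authenticate, so no popup appears. Because parse_basic recovers the password with a single base64 decode, a BASIC login-config should be paired with a <user-data-constraint> requiring CONFIDENTIAL transport (TLS), otherwise the credentials travel in the clear on every request.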

Yes. This somehow helped me to solve this. I just did the following things:
Under WebContent folder:
step1: change in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>prabhu</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>prabhu</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name></realm-name>
</login-config>
step2 : change in jboss-web.xml
<jboss-web>
<context-root>C-SMART</context-root>
<security-domain>java:/jaas/other</security-domain>
</jboss-web>
step 3 : creating user and password for jboss basic authentication
D:\workspace_Csmart\jboss-eap-6.2\bin>add-user
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : prabhu
User 'prabhu' already exits, would you like to update the existing user password and roles
Is this correct yes/no? yes
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[prabhu]: prabhu
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="cHJhYmh1QDEyMw==" />
Press any key to continue . . .
Step 4: verified above user changes reflected in following files
'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.properties'
'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.properties'
And it worked fine for me. Thanks for all your help.


JBoss not redirecting to Keycloak

I have JBoss EAP 7.
So I have done:
unzip keycloak-eap7-adapter-dist-3.2.1.Final.zip
and
./bin/jboss-cli.sh --file=adapter-install-offline.cli
and added the <security-constraint> element to web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Admins</web-resource-name>
<url-pattern>/admin/*</url-pattern>
...
<security-role>
<role-name>admin</role-name>
...
and in my standalone.xml, I have:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="snack.war">
<realm>Netzportal</realm>
<resource>netzportal</resource>
<public-client>true</public-client>
<auth-server-url>http://localhost:8180/auth</auth-server-url>
<ssl-required>EXTERNAL</ssl-required>
</secure-deployment>
</subsystem>
And in the Keycloak admin console I have registered the web application as a client. The client opens at http://localhost:10080/czo/login.xhtml, so I have entered http://localhost:10080/czo/* as Valid Redirect URIs.
But when the application is running and I open http://localhost:10080/czo/login.xhtml, I do not get redirected to Keycloak (which is also running).
You seem to be missing the following entry (since it does not appear in your listed web.xml configuration), which actually tells which kind of authentication to use for login:
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>Netzportal</realm-name>
</login-config>
For more details on configuration check the docs.
I had the same problem; after a lot of suffering, I found that the web.xml file was in the wrong folder.
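Two of the failures on this page are configuration slips that can be caught before deploying: the Keycloak question's web.xml has a <security-constraint> and a <security-role> but no <login-config>, so the container never challenges, and the Basic-auth setup in the first answer only works if some user in the roles.properties file actually holds the role named in <auth-constraint> (otherwise login succeeds and the container answers 403). The following is an added example, not code from any of the posts: a small checker over a web.xml string plus a roles.properties string of the user=role1,role2 form. The sample web.xml documents and the role assignments in them are constructed.

```python
"""Added example (not from the original posts): static checks on the security
sections of a web.xml, optionally cross-checked against a roles.properties
string (user=role1,role2 lines, as in the first answer)."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip any namespace so the checker works with or without an xmlns."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_roles_properties(text):
    """'user=roleA,roleB' lines -> {user: {roles}}; '#' lines are comments."""
    holders = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, _, roles = line.partition("=")
        holders[user.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return holders


def check_web_xml(web_xml, roles_properties=""):
    """Return a list of findings (strings); an empty list means nothing found."""
    root = ET.fromstring(web_xml)
    findings = []
    constraints = [e for e in root if _local(e.tag) == "security-constraint"]
    login_configs = [e for e in root if _local(e.tag) == "login-config"]
    declared = {
        rn.text.strip()
        for sr in root if _local(sr.tag) == "security-role"
        for rn in sr if _local(rn.tag) == "role-name" and rn.text
    }
    # Roles demanded by any <auth-constraint>.
    required = set()
    for sc in constraints:
        for ac in sc:
            if _local(ac.tag) == "auth-constraint":
                for rn in ac:
                    if _local(rn.tag) == "role-name" and rn.text:
                        required.add(rn.text.strip())

    # The Keycloak case: a protected resource but no mechanism to log in with.
    if constraints and required and not login_configs:
        findings.append("auth-constraint present but no <login-config>: "
                        "the container will not challenge for credentials")
    for lc in login_configs:
        if not [m for m in lc if _local(m.tag) == "auth-method" and m.text]:
            findings.append("<login-config> has no <auth-method>")
    # '*' and '**' have special meaning in Servlet 3.x and need no declaration.
    for role in sorted(required - declared - {"*", "**"}):
        findings.append(f"role '{role}' used in auth-constraint but not declared "
                        "in <security-role>")
    # The 403-after-login case: nobody actually holds the required role.
    if roles_properties:
        held = set().union(*parse_roles_properties(roles_properties).values())
        for role in sorted(required - held):
            findings.append(f"role '{role}' is required but no user in "
                            "roles.properties holds it (authenticated users get 403)")
    return findings


# Constructed web.xml shaped like the Keycloak question: constraint and role, no login-config.
WEB_XML_NO_LOGIN_CONFIG = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admins</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Same document with a login-config added.
WEB_XML_BASIC = WEB_XML_NO_LOGIN_CONFIG.replace(
    "</web-app>",
    "  <login-config><auth-method>BASIC</auth-method></login-config>\n</web-app>")

ROLES_OK = "TestUserOne=admin\n"                                # constructed
ROLES_WRONG = "# constructed: nobody holds 'admin'\nTestUserOne=TestRole\n"

if __name__ == "__main__":
    for name, xml, roles in [("missing login-config", WEB_XML_NO_LOGIN_CONFIG, ""),
                             ("complete", WEB_XML_BASIC, ROLES_OK),
                             ("role nobody holds", WEB_XML_BASIC, ROLES_WRONG)]:
        print(name, "->", check_web_xml(xml, roles) or "OK")
```

The same cross-check applies to Tomcat's tomcat-users.xml or JBoss's application-roles.properties: a user who authenticates but is not mapped to the <auth-constraint> role gets 403, which is the symptom reported further down this page.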

HttpServletRequest.login does not keep logged in for subsequent requests

After logging in using HttpServletRequest.login(String, String), using the code below, on following requests I still get a Basic Authentication prompt. Why is the login function not working in my configuration?
My endpoint:
@POST
@Path("login")
@Consumes(MediaType.APPLICATION_JSON)
public void login(@Valid LoginRequest loginRequest) {
try {
User user = userController.findUserByUsername(loginRequest.getUsername()).orElseThrow(NotFoundException::new);
httpServletRequest.login(loginRequest.getUsername(), loginRequest.getPassword());
log.info(securityContext); // not null now!
}
catch (ServletException e) {
throw new NotAuthorizedException(e.getMessage(), e, AuthenticationHeaderFilter.CHALLENGE);
}
}
And my jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.jboss.com/xml/ns/javaee
http://www.jboss.org/j2ee/schema/jboss-web_5_1.xsd">
<security-domain>MyRealm</security-domain>
</jboss-web>
And my web.xml:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
<security-constraint>
<display-name>Authenticated content</display-name>
<web-resource-collection>
<web-resource-name>Authentication required</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Anonymous content</display-name>
<web-resource-collection>
<web-resource-name>Exclude from Security</web-resource-name>
<url-pattern>/api/me/login</url-pattern>
</web-resource-collection>
</security-constraint>
Actually, the contract for HttpServletRequest#login does not mandate that the authenticated identity be remembered for the duration of the HTTP session (if one already exists), and certainly not that an HTTP session should be created upon successful authentication (for if one does not exist).
Technically speaking, the HttpServletRequest#login call goes straight through to the identity store (the method's Javadoc uses the term login mechanism for that). An identity store is a kind of database that typically only performs the credential validation and does not have knowledge about its environment (i.e. doesn't know about HTTP sessions, or remote EJB context IDs, or JCA inflow security IDs of whatever).
The authentication mechanism IS aware of its environment, and this one is invoked by calling HttpServletRequest#authenticate. But, this would normally be expected to start an interaction dialog with the user when not being authenticated yet, not remember the authenticated identity in the session if the user happens to be authenticated (the fact this happens to work on JBoss seems more like a coincidence than something that is supposed to happen).
That all said, section 13.10 of the Servlet spec does allow containers to create an HTTP session:
Containers may create HTTP Session objects to track login state. If a
developer creates a session while a user is not authenticated, and the
container then authenticates the user, the session visible to
developer code after login must be the same session object that was
created prior to login occurring so that there is no loss of session
information.
(emphasis mine)
But... it's not overly clear if this text is in regard to calling the login() method or the authenticate() one.
In short, this is one of the many small gaps in the Java EE security spec; it's just not defined how to programmatically do a login with a given username/password and explicitly say if you want or do not want that to be for the current request only or for the remainder of the HTTP session.
We hope to fix issues like this in the Java EE Security API (JSR 375) for Java EE 8.
The answer is that after invoking httpServletRequest#login(String, String) you should still invoke httpServletRequest#authenticate(HttpServletResponse). My final, working code is:
httpServletRequest.login(loginRequest.getUsername(), loginRequest.getPassword());
httpServletRequest.authenticate(httpServletResponse);
As you want programmatic authentication, there is no need of <login-config> in web.xml

Issue while configuring Kerberos on Websphere Application Server

Team,
I have a question on Single Sign On using Kerberos Authentication.
We have generated a keytab file for the domain "POC.MAIL.COM" and our server is hosted on "SW.MAIL.COM". As our application runs on WebSphere Application Server, we tried to set the Kerberos configuration as given in the document (page no. 167) http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf .
We are facing an error saying "Cannot get credential for principal service HTTP/server1.SW.MAIL.COM@SW.MAIL.COM". Can someone help me in resolving the issue?
Please post a comment if any additional information is required..
When I try to set the krb5.conf and keytab file on "Kerberos Authentication Mechanism page", we are getting this error.
When I ran the command klist as per your input, I got the output as below
"Key table: /etc/krb5/pocsso.keytab
Number of entries: 1
[1.] principal: HTTP/server1.sw.mail.com@POC.MAIL.COM
KVNO: 12
"
UPDATE
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1@POC.MAIL.COM
Valid starting Expires Service principal
01/09/2014 16:15 02/09/2014 02:21 krbtgt/POC.MAIL.COM@POC.MAIL.COM
renew until 08/09/2014 16:15
Specify it only on the Global security > SPNEGO web authentication page, not on the Kerberos configuration page. If the keytab path is correct in your krb5.conf file, it is enough to provide just the path to the conf file (the keytab is optional).
UPDATE
In the filter definition you should have:
Host name: server1.sw.mail.com
Kerberos realm name: POC.MAIL.COM
Filter criteria: yourFilterCriteria
Trim Kerberos realm from principal name - checked
See configuration details here: Enabling and configuring SPNEGO web authentication using the administrative console
Minimal configuration in web.xml for Java EE security. And you have to have Application Security enabled in the server configuration, and userRole mapped to some users/groups from the registry.
<security-constraint>
<display-name>constraint</display-name>
<web-resource-collection>
<web-resource-name>all resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>userRole</role-name>
</auth-constraint>
</security-constraint>
A bit of a late answer.
Regenerate the keytab file by running the ktpass command as:
ktpass -out file.keytab -princ HTTP/server1.SW.MAIL.COM@POC.MAIL.COM -mapuser your-user -pass your-pwd -ptype KRB5_NT_PRINCIPAL
Solving the error:
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Cannot get credential for principal HTTP/appserver.example.com@EXAMPLE.COM
boils down to the following rules when generating the keytab file:
The principal service must follow the format
<service name>/<fully qualified hostname>@KerberosRealm
Double check the spelling of the principal service
The service name must be all upper case, that is HTTP and not http
The Kerberos realm must also be all upper case, and
The host name must be found in the /etc/host file or the DNS server.
Sources:
http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_kerb_auth_mech.html
http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf (page 477)
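The rules in the answer above can be turned into a check. The following is an added example (not IBM's or WebSphere's code) that validates a service principal against those rules and, separately, compares the principal named in the GSSException with the principals klist reported from the keytab; Kerberos principal names are case-sensitive, so a host written server1.SW.MAIL.COM does not match a keytab entry for server1.sw.mail.com. The principal strings are the ones quoted in the question and answers; the known_hosts argument stands in for /etc/hosts or DNS and is a constructed list.

```python
"""Added example (not from the original posts): checks on Kerberos service
principals of the form service/host@REALM."""
import re

_PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def parse_principal(principal):
    """Split 'service/host@REALM' into its parts; None when the shape is wrong."""
    m = _PRINCIPAL_RE.match(principal)
    return m.groupdict() if m else None


def check_service_principal(principal, known_hosts=()):
    """Apply the answer's rules and return a list of findings (empty = OK).
    known_hosts stands in for /etc/hosts or DNS (constructed for the demo)."""
    parts = parse_principal(principal)
    if parts is None:
        return [f"'{principal}' is not of the form <service>/<fqdn>@REALM"]
    findings = []
    if parts["service"] != parts["service"].upper():
        findings.append(f"service name '{parts['service']}' must be upper case (HTTP, not http)")
    if parts["realm"] != parts["realm"].upper():
        findings.append(f"realm '{parts['realm']}' must be upper case")
    if "." not in parts["host"]:
        findings.append(f"host '{parts['host']}' is not fully qualified")
    if known_hosts and parts["host"].lower() not in {h.lower() for h in known_hosts}:
        findings.append(f"host '{parts['host']}' not found in hosts file/DNS")
    return findings


def explain_mismatch(requested, keytab_principals):
    """Compare the principal from the GSSException against keytab entries and
    say why none of them matches. Principal names are case-sensitive, so a
    host that differs only in case is reported as a distinct reason."""
    want = parse_principal(requested)
    if want is None:
        return [f"requested principal '{requested}' is malformed"]
    if requested in keytab_principals:
        return []
    reasons = []
    for kt in keytab_principals:
        have = parse_principal(kt)
        if have is None:
            continue
        if have["realm"] != want["realm"]:
            reasons.append(f"realm differs: keytab has {have['realm']}, server wants {want['realm']}")
        if have["host"] != want["host"]:
            kind = "host case differs" if have["host"].lower() == want["host"].lower() else "host differs"
            reasons.append(f"{kind}: keytab has {have['host']}, server wants {want['host']}")
        if have["service"] != want["service"]:
            reasons.append(f"service differs: keytab has {have['service']}, server wants {want['service']}")
    return reasons or ["no keytab entry matches the requested principal"]


if __name__ == "__main__":
    # Values quoted on this page: the principal in the error vs. the klist entry.
    requested = "HTTP/server1.SW.MAIL.COM@SW.MAIL.COM"
    keytab = ["HTTP/server1.sw.mail.com@POC.MAIL.COM"]
    print(check_service_principal(requested, known_hosts=["server1.sw.mail.com"]))
    for reason in explain_mismatch(requested, keytab):
        print("-", reason)
```

Run against the question's own values, explain_mismatch reports both a realm difference (SW.MAIL.COM requested, POC.MAIL.COM in the keytab) and a host-case difference, which is exactly what the ktpass regeneration in the answer corrects.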

How to change tomcat-users.xml when using Eclipse?

tomcat 7.0 + JSF 2
I get a 403 error right after logging in with correct credentials (wrong credentials redirect to login.xhtml as expected). I've created a new user in Apache, rebooted the web service and still can't connect with it.
tomcat-users.xml
<tomcat-users>
<user name="lala" password="lala!!!" roles="admin-gui,manager-gui" />
<role rolename="administrator"/>
<user username="admin" password="admin" roles="administrator"/>
</tomcat-users>
Why can I log in only with lala and not with admin (I've added it manually)? Any idea why?
and a realm in server.xml (tomcat conf)
under <host>:
<Realm className="com.bannerplay.beans.Admin">
In the project's welcome file (login.xhtml) I've used j_security_check (form-based authentication):
<form method="post" action="j_security_check">
<p>
Enter user ID and password:<br/> <br/>
User ID <input type="text" name="j_username"/>
Password <input type="password" name="j_password"/> <br/><br/>
<input type="submit" value="Login"/>
</p>
</form>
and defined web.xml like that:
...
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<web-resource-name>BannerPlay administration Tool</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>com.bannerplay.beans.Admin</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/login.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>administrator</role-name>
</security-role>
Project Tree:
When trying to access localhost:8080/myProject/ I get to login.xhtml; when typing correct credentials (the 'lala' user works, not the admin) I get 403.
When trying to access localhost:8080/myProject/main.xhtml I'm redirected to the login page again (after correct credentials).
I've tried to add the "administrator" role to user lala, but it has the same results.
What should I do? Thanks.
The solution is NOT to change the tomcat-users.xml file from the hard drive. It must be changed from Eclipse. After changing it from the HD I noticed it keeps coming back to the old version of the file, instead of keeping my changes. This happens after running the project. Change it from Eclipse and problem solved.

Rest - Jersey.Client pass @SecurityContext to Server

I want to pass a security context to my rest service.
On server side I try to get this with:
public Response postObject(@Context SecurityContext security, JAXBElement<Object> object) {
System.out.println("Security Context: " + security.getUserPrincipal());
.....
But actually the Syso is null.
On the client side I'm just doing:
ClientConfig config = new DefaultClientConfig();
Client client = Client.create(config);
client.addFilter(new HTTPBasicAuthFilter("user", "password"));
So, do I have to change in addition something in my web.xml to get it working?
I hoped it would work without setting up static users in the Tomcat users XML, so I could compare the user/password from the security context with my "persistent" user/password HashMap located on the server side. But if it is not working without the Tomcat users XML, how can users be added dynamically to that XML? When I have static users I can't register a new user. I don't want to use this approach: http://objecthunter.congrace.de/tinybo/blog/articles/89 because I just want to work with semi-persistence like a HashMap of user/password.
Besides, another question: why does everybody refer to Apache HttpClient when it is about security in Jersey, when it works the way I wrote as well?
My attempt refers to this post:
Jersey Client API - authentication
You need to set up your application on the server so that it requires Basic authentication, i.e. include something like the following in the web.xml in your application WAR file; otherwise Tomcat does not perform the authentication and does not populate the security context.
<security-constraint>
<display-name>Authentication Constraint</display-name>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>authentication required</description>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>realm_name</realm-name>
</login-config>