I want to make my website pages password protected.I make the website using restful webservices in java using jersey.So can any one tell me how to protect my web pages using apache shiro.Any one have implemented example to securing a website using apache shiro if yes than plz share the example.I shall be thankful :)
For protecting your webservices using shiro you can use following template files and can customize with your own requirements. Include the jars or add to pom as required.
Add these to web.xml
<filter>
<filter-name>Shiro</filter-name>
<filter-class>
org.apache.shiro.web.servlet.IniShiroFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>Shiro</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Now for shiro.ini to be place in WEB-INF (I am using basic Authentication with username and roles in shiro.ini which you can use from database etc as per your need, Assuming that /rest is the url for jersey rest services)
[main]
[urls]
/rest/** = noSessionCreation,authcBasic
/**= anon
[users]
admin=admin
Related
My question is
"Can I use #RolesAllowed on RESTful Resources implemented on CXF ?".
First of all, I explain the context causing this question.
I'm working at some projects in which developers have to remake one part of the some web systems into RESTful WEB Apis.This present system has server system built by Spring and Hibernate. And its client application as UI is developed by ActionScript through
FLEX framework.
Now I'm surveying the proper way to design and remake our present system into RESTful APIs through reading some documents or develop some prototypes.So, we temporarily decided to use Apache-CXF ver.2.7.4 as JAX-RS implementation and TOMCAT ver.7 as Web applications container.
Then, I am struggling for the way of user authorizations now.
As you know, I mean the word 'Authorization' as some control mechanism that constrain some users to access functions according to user's roll like ROLE_ADMIN, ROLL_EMPLOYEE and so on.And our team wants to use #RolesAllowed annotation to constrain user to access some RESTful methods in REST resource classes.
Through surveying, I knew that we can use #RolesAllowed annotation if we use Jersey as JAX-RS imple and TOMCAT, because Jersey framework provides
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
for developers to activate #RolesAllowed annotation by adding following lines in web.xml
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
</param-value>
</init-param>
as init-param of jersey's ServletContainer.
But our team has decided Apache CXF as JAX-RS imple.I've already surveyed the security and authorization parts of web documents in CXF site. But I couldn’t get solutions or how to use #RolesAllowed on RESTful resource methods.
So If you know the requirements or how to use #RolesAllowed on RESTful resource implemented on Apache CXF and TOMCAT, teach me that, please.Or if you can definitively conclude that we can't use #RolesAllowed in frameworks choice of Apache CXF and TOMCAT, please teach me the background knowledge of that conclusion.
Additionally, I suppose that I can use #RolesAllowed in REST resource by CXF on JBOSS as app server, not on TOMCAT. Is this assumption true ? I'm sorry that I've not made a trial to use JBOSS instead of TOMCAT.
Best regards.
Yes, this can be done. I'll assume that you (like me) did not want to use Spring Security as part of the solution (to handle authentication and authorization) since there is seem to be plenty of resources on how to enable the JSR-250 annotations with Spring Security.
My solution began with a simple JAX-RS project built from the CXF-supplied Archetype Project org.apache.cxf.archetype:cxf-jaxrs-service:2.7.5 (lastest GAV # time of writing).
This gives you a basic HelloWorld class with supporting config files.
A few modifications need to be made.
First, add the following dependencies to the pom.xml:
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>jsr250-api</artifactId>
<version>1.0</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope>
</dependency>
Why? Because Tomcat is not a full J2EE Container, it does not support all JSR-250 Annotations (of which #RolesAllowed is one). Further, although CXF recognizes and will work with #RolesAllowed, it does not bundle an implementation, expecting it to be provided by either a J2EE container or the inclusion of the api as above.
The servlet-api is listed because I needed it # compile time for a method I add to HellowWorld.java (see below).
Second, modify beans.xml as follows:
<bean class="my.pkg.HelloWorld" id="helloWorldService"/>
<jaxrs:serviceBeans>
<ref bean="helloWorldService"/>
</jaxrs:serviceBeans>
<bean id="authorizationInterceptor"
class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
<property name="securedObject" ref="helloWorldService" />
</bean>
The SecureAnnotationsInterceptor is what will scan the helloWorldService and enforce the #RolesAllowed annotations.
Note that the helloWorldService had to be pulled out of the <jaxrs:serviceBeans> stanza so it could be referenced both there and in the authorizationInterceptor.
Third, add some roles and users to tomcat-users.xml or alternative (eg. JDBC Realm, etc.) I did this:
<role rolename="hello-user" />
<role rolename="hello-role1"/>
<role rolename="hello-role2" />
<user username="hello1" password="Password1" roles="hello-role1,hello-user"/>
<user username="hello2" password="Password1" roles="hello-role2,hello-user"/>
This creates 2 users who each have a shared role (hello-user) plus their own distinct role.
Fourth, add the following to web.xml to enable BASIC authentication:
<security-constraint>
<web-resource-collection>
<web-resource-name>Hello Services</web-resource-name>
<url-pattern>/hello/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>hello-user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
With this, I decided to require the role hello-user for everything under /hello/*. That's not essential, but beware that I did have some issues omitting some of the stanzas, wildcards and roles... so experiment with care here.
Fifthly (and finally), mark up the HelloWorld.java class:
#Path("/hello")
#RolesAllowed("hello-user")
public class HelloWorld {
#GET
#Path("/echo/{input}")
#Produces("text/plain")
#RolesAllowed("hello-role1")
public String ping(#PathParam("input") String input) {
return input;
}
#POST
#Produces("application/json")
#Consumes("application/json")
#Path("/jsonBean")
#RolesAllowed("hello-role2")
public Response modifyJson(JsonBean input) {
input.setVal2(input.getVal1());
return Response.ok().entity(input).build();
}
#GET
#Produces("text/plain")
#Path("/cliche")
public Response getClichedMessage(#Context HttpServletRequest request) {
return Response.
ok().
entity("Sending \"Hello World\" to user \"" + request.getUserPrincipal().getName() + "\"").
build();
}
}
I added the last method (getClichedMessage()) to show that both users can access the method because they have the hello-user role with which the class is annotated. The SecureAnnotationsInterceptor is smart enough to handle that.
That's all. Seems to me, this is the STTCPW using just Tomcat, CXF and BASIC authenitcation. The key for the CXF + #RolesAllowed is the SecureAnnotationsInterceptor.
Update: I should acknowledge that Converting Jersey REST Examples to Apache CXF was particularly helpful, especially for pointing out the SecureAnnotationsInterceptor whose connection to #RolesAllowed is not well documented elsewhere.
Update 2: The Jersey-CXF blog entry doesn't seem be migrated to gmazza's new blog. However, the example I used is on github. It contains a config file with SecureAnnotationsInterceptor definition and a bean with #RolesAllowed annotation
I am having an Rest Web Services application and Admin web application,
Rest web services will be interacted with mobile , where are Admin web application will be used for maintaining purpose.
for both webservice application and amin web application the credentails are same.
so i need josso to provide single sign on for this.
Can you please help how to star configure. I have gone through Josso site where there was a basic info. can any one please help me out if u have any doc to configure .Thank you
I have a similar application setup where one web application provides Rest Services as well as user-facing web application. As far as I know, JOSSO will provide you with user-facing SSO authentication and is not intended to work with rest services.
Instead what I have done is define the URLs of my rest services in the deployment descriptor (web.xml) under a web-resource-collection that will be ignored under JOSSO configuration. Then I defined a separate filter to handle the rest authentication separately. More specifically:
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>public-resources</web-resource-name>
<url-pattern>/restservices/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
josso-agent-config.xml
<configuration>
<agent:agent-configuration>
<agent:partner-apps>
<agent:partner-app id="myapplication-sp" vhost="10.1.8.11" context="/myappcontext" ignore-web-resource-collections="public-resources"/>
</agent:partner-apps>
</agent:agent-configuration>
</configuration>
With this I was able to use JOSSO to secure most of my web application and ignore the rest services I have. I used a custom authentication filter for my rest services (Spring).
Hope this helps!
I want to use a python backend while developing a SmartGWT front end. In order to get the debugging working correctly, I think I need the dev server running in eclipse which means the webserver will be running in eclipse.
My python (Django) backend needs to serve the requests for the data and I'd like it to not be a cross-domain issue, however cross-domain also seems to require the ports match too.
What is the simplest way to work around this? Been thinking about setting up my hosts file with a bogus domain and then have two entries, one for data, one for js. But, this requires setting up a second IP on the machine because the ports have to match too.
If I want anyone else to be able to see the pages I can't use localhost and my external IP since they won't be able to get to my localhost.
Is there some simpler setup?
Is there some simple proxy piece I could drop into the eclipse dev server that would proxy the data requests to a different server?
Other ideas?
I am using a proxy servlet in my gwt setup for this purpose.
I am using a tomcat proxy servlet from jetty util artifact:
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty-util</artifactId>
<version>6.1.22</version>
<scope>runtime</scope>
</dependency>
My web.xml looks like this:
<servlet>
<servlet-name>JettyProxy</servlet-name>
<servlet-class>org.mortbay.servlet.ProxyServlet$Transparent</servlet-class>
<init-param>
<param-name>ProxyTo</param-name>
<param-value>http://yourserver</param-value>
</init-param>
<init-param>
<param-name>Prefix</param-name>
<!-- will be removed from request -->
<param-value>/prefix/</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>JettyProxy</servlet-name>
<url-pattern>/prefix/*</url-pattern>
</servlet-mapping>
If you get some weired error about some _context variable, make sure that the jetty-util.jar is in your classpath before the GWT SDK.
Use -noserver for the DevMode. See http://code.google.com/webtoolkit/doc/latest/DevGuideCompilingAndDebugging.html#How_do_I_use_my_own_server_in_development_mode_instead_of_GWT's
The easiest way to do it is if you have both backend and frontend on your development machine.
For my projects I am using GWT on the frontend and cherrypy (python) on the backend.
I set up both projects in eclipse and when developing I start a debugger for the cherrypy backend and one for the GWT frontend. So I can basically debug backend and frontend at the same time. Works really good.
Communication between python backend and gwt frontend is done via RequestBuilder (JSON) and the good thing about this setup is that I can test the backend's data communication directly without GWT.
So the development url is usually something like: http://localhost:8080/?gwt.codesvr=127.0.0.1:9997
Port 8080 is used by my cherrypy backend.
I'm trying to figure out (if it's possible) how to integrate the JBoss GateIn Portal app with PicketLink-STS to generate a security token (i.e. SAML Assertion) that can be used to implement "Single Sign On" (thus talk to backside EJB services that require authentication).
There is decent documentation on how to configure JBoss 5.1 with EJB services and have them protected by PicketLink-STS for authentication with a security token (implemented via security domains and login config modules).
However, it's not clear how to get the JBoss 5.1/GateIn portal application to integrate with PicketLink-STS, so that the portlets can obtain a security token (for the logged in user) than can then be passed to the backside EJB services that are validated against the PicketLink-STS for authentication?
Wonder if this is possible or a dead-end road.
I'm no expert on GateIn, but, I show my results after some research .
First I based on version 3.4 of GateIn is the last for JBoss 5.
To configure Gatein authentication SAML token-based, must be enabled SSO autentication, the integration GateIn with SAML2 use JBoss project Picketlink Federation.
SAML SSO authentication is based on circle of trust between SP and IDP. This can be done by following the steps described in this link: Chapter 6. Authentication and Identity - SAML
The resources required can be downloaded from the following url:
GateIn SSO: https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging/1.1.2-Beta02/sso-packaging-1.1.2-Beta02.zip
idp-sig (STS and more examples): https://repository.jboss.org/nexus/service/local/repositories/releases/content/org/picketlink/quickstarts/picketlink-quickstarts/2.1.1.Final/picketlink-quickstarts-2.1.1.Final-webapps-jboss-as5.zip
The STS configuration is a part of the Identity Provider and this can be edited as described in the following documentation: SecurityToken Service Configuration (PicketLinkSTS Element)
After you have completed all the steps to enable authentication based SAML tokens (working correctly), you must add the following filter to GateIn (like SAML2LogoutFilter):
<filter>
<filter-name>PicketlinkSTSIntegrationFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.PicketlinkSTSIntegrationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>PicketlinkSTSIntegrationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This filter set org.picketlink.identity.federation.core.wstrust.SamlCredential into org.jboss.security.client.SecurityClient, which enables to propagate authentication from SAML2 ticket into underlying EJB or WS calls.
See also:
SAML EJB Integration with PicketLink STS
SAML WS Integration with PicketLink STS
I hope this help.
I have few questions about https in Scala Lift:
How can I set for my web application use only https protocol?
Must I rewrite some code for existing application for using https?
Is request response cycle changes or there is no any differents?
Where to find good scala lift open source project using https or just to see advanced use of framework?
Thanks.
HTTPS needs to be enabled in your servlet container, such as Jetty or Tomcat. It doesn't have much to do with your web application. Then you need to tell the servlet container to use HTTPS for some or all pages in the deployment descriptor. This is what your web.xml file will look like:
<web-app>
. . .
<security-constraint>
. . .
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>