I'm writing an administration webapp to be deployed on Wildfly.
It's gonna be used by the same users that have access to the Administration Console (http://localhost:9990/).
It would be great if I could just declare that my app should use HTTP Basic auth in the ManagementRealm, just like the Console does.
The naive, optimistic try did not work:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Panel</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ManagementRealm</realm-name>
  </login-config>
</web-app>
This does not trigger the HTTP Basic login dialog at all.
Is there any simple way to plug my app into the ManagementRealm?
I found that I need to create a security domain that's linked with the ManagementRealm. The configuration is spread over three places:
1) A new security domain needs to be added that delegates to ManagementRealm using the RealmDirect login module:
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    ....
    <security-domain name="management" cache-type="default">
      <authentication>
        <login-module code="RealmDirect" flag="required">
          <module-option name="realm" value="ManagementRealm"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
This can be done via jboss-cli:
/subsystem=security/security-domain=management:add(cache-type=default)
/subsystem=security/security-domain=management/authentication=classic:add(\
    login-modules=[{\
        "code"=>"RealmDirect", "flag"=>"required", \
        "module-options"=>[("realm"=>"ManagementRealm")]\
    }])
2) The app needs to reference this security domain using WEB-INF/jboss-web.xml:
<jboss-web>
  <security-domain>management</security-domain>
</jboss-web>
3) Then a straightforward web.xml to turn on the HTTP Basic login dialog:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <security-role>
    <role-name>*</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Panel</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>[message shown in login dialog]</realm-name>
  </login-config>
</web-app>
Wildfly won't follow the security-constraint unless you bind it to a security role:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Panel</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ManagementRealm</realm-name>
  </login-config>
  <security-role>
    <role-name>*</role-name>
  </security-role>
</web-app>
This will make basic auth load, but then you have the problem that ManagementRealm is only bound to the management ports in your standalone.xml, so you will have to change that. You may need to remove ApplicationRealm so it doesn't conflict.
<management-interfaces>
  <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
    <socket-binding http="management-http"/>
  </http-interface>
</management-interfaces>
Related
I'm trying to secure my Java EE REST API with Keycloak, but if I try to access a path that should be protected I get only "Forbidden" written on the screen and that's it. I have no errors in the logs and do not know where to look for the bug.
web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <description>Protects all resources</description>
    <url-pattern>/pato-api/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>admin</role-name>
</security-role>
<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>pato</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>user/</web-resource-name>
    <url-pattern>/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>user</role-name>
</security-role>
I do not really know where to look; Keycloak is running, WildFly is running, the database is running...
If I access a secured path I get this:
I am trying to add basic authorization for my REST web service. On WebLogic I have created the same user under the default security realm. When I execute my REST client without passing authorization it returns HTTP 200, meaning the application is consuming the request. However, in case I pass authorization then it validates the username and password. I want my service to work with authorization only. Can someone please let me know what I am missing or if I am doing anything wrong?
In web.xml I have the below:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
  <display-name>PP</display-name>
  <servlet>
    <servlet-name>jersey-servlet</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
      <param-name>com.sun.jersey.config.property.packages</param-name>
      <param-value>com.att.eddpp.preprocessing</param-value>
    </init-param>
    <init-param>
      <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>wl-dispatch-policy</param-name>
      <param-value>PP-work-manager</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>jersey-servlet</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>PP</web-resource-name>
      <url-pattern>/PP/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PPRST</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>
  <security-role>
    <role-name>PPRST</role-name>
  </security-role>
</web-app>
In weblogic.xml I have added:
<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app
    xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.7/weblogic-web-app.xsd">
  <wls:weblogic-version>12.1.3</wls:weblogic-version>
  <wls:context-root>PP</wls:context-root>
  <wls:security-role-assignment>
    <wls:role-name>PPRST</wls:role-name>
    <wls:principal-name>PPRST</wls:principal-name>
  </wls:security-role-assignment>
</wls:weblogic-web-app>
Your constraint is for /PP/* but your Jersey resource is under /*. I think that's the problem.
I have put in place a samlWebSso20 config using the Liberty Buildpack on Bluemix and the ADFS IdP from my customer.
I have a single web application deployed on the Liberty instance.
I am using the Server Directory option to push on Bluemix as explained here.
Here is my server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server description="johan">
  <featureManager>
    <feature>webProfile-7.0</feature>
    <feature>samlWeb-2.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <samlWebSso20 id="defaultSP" nameIDFormat="unspecified"
                spCookieName="my_cookie"
                idpMetadata="${server.config.dir}/resources/security/FederationMetadata.xml"
                userIdentifier="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
                sessionNotOnOrAfter="2h">
  </samlWebSso20>
  <keyStore id="defaultKeyStore" password="***" />
  <webApplication context-root="/" location="MySampleApp.war" name="MySampleApp" type="war">
    <security-role name="any-authenticated">
      <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
    <security-role name="administrators">
      <user name="user1#customer.com" />
      <user name="user2#customer.com" />
    </security-role>
  </webApplication>
</server>
And here is the web.xml of the app deployed on Liberty:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <security-constraint>
    <display-name>SampleAppServicesConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>SampleAppServices</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>TRACE</http-method>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>any-authenticated</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>SampleAppAdminConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>SampleAppAdmin</web-resource-name>
      <url-pattern>/admin</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
  <display-name>SampleApp</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>
When I hit the /admin route of the SampleApp, I get redirected to the ADFS login page. I then log in with user1#customer.com and get redirected to my app. However, I get a 403 even though the user is in the 'administrators' role.
Below is the error message in the logs:
[AUDIT ] CWWKS9104A: Authorization failed for user user1#customer.com while invoking MySampleApp on /admin. The user is not granted access to any of the required roles: [administrators].
Note that if I change the AuthConstraint role from administrators to any_authenticated for the /admin route, user1#customer.com can then access the admin page.
Could someone please share some experience and explain what I am doing wrong?
Thanks
Change
<security-role name="administrators">
  <user name="user1#customer.com" />
  <user name="user2#customer.com" />
</security-role>
To
<security-role name="administrators">
  <user name="user1#customer.com" access-id="user:<issuer name here>/user1#customer.com"/>
  <user name="user2#customer.com" access-id="user:<issuer name here>/user2#customer.com"/>
</security-role>
where <issuer name here> is the issuer name as it appears in SAML.
This is part of the web.xml of an app which runs on JBoss:
<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>User manual should be accessible for user</web-resource-name>
    <url-pattern>/User Manual.pdf</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
As you can see, admin has access to all content, and user should have access only to the user manual file 'User Manual.pdf'. But it does not work: only admin has access.
This can be fixed by renaming the file to 'User_Manual.pdf' and changing <url-pattern> to '/User_Manual.pdf'.
My question is: can this be fixed somehow to use spaces in file names?
I know that there are a lot of topics about this. But I don't get my auth running...
Here is my code:
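An added lint for descriptors like the ones on this page (my code, not from any of the posts): it flags a security-constraint with no auth-constraint, which is why the first web.xml in the WildFly question never triggered the Basic dialog, roles used in an auth-constraint but never declared as a security-role, a missing login-config, and whitespace in a url-pattern, the case the 'User Manual.pdf' question just above runs into. The two embedded descriptors are constructed from that first attempt and the working answer.

```python
import xml.etree.ElementTree as ET
def lint_web_xml(xml_text):
    """Return a list of findings for a web.xml; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    # Namespace prefix for lookups: real descriptors use the javaee namespace,
    # pasted fragments usually have none.
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    findings = []
    declared = {(r.findtext(ns + "role-name") or "").strip()
                for r in root.iter(ns + "security-role")}
    for con in root.iter(ns + "security-constraint"):
        name = (con.findtext(ns + "web-resource-collection/" + ns + "web-resource-name")
                or "").strip() or "<unnamed>"
        auth = con.find(ns + "auth-constraint")
        if auth is None:
            # Without an auth-constraint the resource stays open and no login is triggered.
            findings.append(f"{name}: security-constraint has no auth-constraint")
        else:
            for role in auth.iter(ns + "role-name"):
                r = (role.text or "").strip()
                if r not in ("*", "**") and r not in declared:  # * and ** are wildcards
                    findings.append(f"{name}: role {r!r} not declared in a security-role")
        for pat in con.iter(ns + "url-pattern"):
            p = pat.text or ""
            if any(ch.isspace() for ch in p):
                findings.append(f"{name}: url-pattern {p!r} contains whitespace")
    if root.find(ns + "login-config") is None:
        findings.append("no login-config: the container has no auth-method to challenge with")
    return findings

# Constructed sample: the first attempt from the question (constraint, no auth-constraint).
BROKEN = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Panel</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Constructed sample: the working descriptor from the answer (auth-constraint + security-role).
FIXED = BROKEN.replace(
    "</web-resource-collection>",
    "</web-resource-collection><auth-constraint><role-name>*</role-name></auth-constraint>",
).replace("</web-app>", "<security-role><role-name>*</role-name></security-role></web-app>")

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_web_xml(doc) or ["ok"])
```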
tomcat-users.xml
<role rolename="user"/>
<user username="user" password="geheimu" roles="user"/>
<role rolename="admin"/>
<user username="admin" password="geheima" roles="admin,user"/>
server.xml
<Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <servlet>
    <servlet-name>Jersey REST Service</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
      <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
      <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>Jersey REST Service</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <!-- <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>-->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Estate Service</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>estate</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
REST resource
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Path;

@Path("/estate")
@RolesAllowed("admin")
public class EstateResourceBean {
    ...
}
So when the login pops up and I enter admin, geheima I get unauthorized :(
Is there something wrong with Tomcat?