I have Jboss AS7 and CAS deployed and working.
Also I have a test application deployed "Hello World" and I need to integrate this with CAS. I mean I want to request a login through CAS to acces this app.
So, after this I need to configure this to work something like: I'll have more applications and I want to be able to login in one of my application through CAS and then, even if I change applications, it will remember me.
Can someone tell me how can I do this?
This is my web.xml:
<web-app id="simple" version="2.4">
<welcome-file-list>
<welcome-file>hello.html</welcome-file>
</welcome-file-list>
</web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>
org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://127.0.0.1:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://127.0.0.1:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://127.0.0.1:8443/cas</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>tolerance</param-name>
<param-value>1000</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
UPDATE: After doing your instructions, i get this error when I try to deploy:
12:17:21,765 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC00001: Failed to start service jboss.deployment.unit."test.war".INSTALL: org.jboss.msc.service.StartException in service jboss.deployment.unit."test.war".INSTALL: Failed to process phase INSTALL of deployment "test.war"
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:119) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_65]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_65]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS018096: Error instantiating container component: authenticator.CasAuthenticator
at org.jboss.as.web.deployment.WarDeploymentProcessor.getInstance(WarDeploymentProcessor.java:386)
at org.jboss.as.web.deployment.WarDeploymentProcessor.processDeployment(WarDeploymentProcessor.java:210)
at org.jboss.as.web.deployment.WarDeploymentProcessor.deploy(WarDeploymentProcessor.java:114)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
... 5 more
Caused by: java.lang.ClassNotFoundException: authenticator.CasAuthenticator from [Module "deployment.test.war:main" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) [jboss-modules.jar:1.1.1.GA]
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468) [jboss-modules.jar:1.1.1.GA]
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456) [jboss-modules.jar:1.1.1.GA]
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398) [jboss-modules.jar:1.1.1.GA]
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120) [jboss-modules.jar:1.1.1.GA]
at org.jboss.as.web.deployment.WarDeploymentProcessor.getInstance(WarDeploymentProcessor.java:378)
... 8 more
12:17:21,770 INFO [org.jboss.as.server] (HttpManagementService-threads - 16) JBAS015870: Deploy of deployment "test.war" was rolled back with failure message {"JBAS014671: Failed services" => {"jboss.deployment.unit.\"test.war\".INSTALL" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"test.war\".INSTALL: Failed to process phase INSTALL of deployment \"test.war\""}}
12:17:21,771 INFO [org.jboss.as.controller] (HttpManagementService-threads - 16) JBAS014774: Service status report
JBAS014777: Services which failed to start: service jboss.deployment.unit."test.war".INSTALL: org.jboss.msc.service.StartException in service jboss.deployment.unit."test.war".INSTALL: Failed to process phase INSTALL of deployment "test.war"
12:17:21,775 INFO [org.jboss.as.server.deployment] (MSC service thread 1-9) JBAS015877: Stopped deployment test.war in 3ms
try this one https://github.com/serac/java-cas-client-test & check the differences if its only for hello world proposes...
Define your login-module in the standalone.xml:
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domain name="cas" cache-type="default">
<authentication>
<login-module code="authenticator.CasLoginModule" flag="required" module="jasig">
<module-option name="ticketValidatorClass" value="org.jasig.cas.client.validation.Saml11TicketValidator"/>
<module-option name="casServerUrlPrefix" value="https://localhost:8443/cas"/>
<module-option name="roleGroupName" value="Roles"/>
<module-option name="defaultRoles" value="FOOBAR"/>
<module-option name="roleAttributeNames" value="Roles"/>
</login-module>
</authentication>
</security-domain>
You have already defined your CAS security filters in the web.xml, thats enough and should work.
Are you using CAS protocol between apps and server or CAS? Is your Jasig configured to use SAML 1.1. By default, jasig will use CAS.
If your configuration already works, you should be able to SSO. Did you create a second helloworld to test it?
For reauthentication in other applications, you are redirecting to your CAS server, which already knows that the user is authenticated. So finally, he will redirect him to the application again and provide a CAS ticket.
Related
Im trying to secure my java ee rest api by keycloak but if I try to access path that should be protected I got only Forbidden writen on screen and thats it. I have no errors in logs and do not know where to look for bug.
web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name></web-resource-name>
<description>Protects all resources</description>
<url-pattern>/pato-api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>pato</realm-name>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>user/</web-resource-name>
<url-pattern>/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>user</role-name>
</security-role>
I do not realy know where to look keycloak is running wildfly is running database is running...
If I access secured path I got this
I am trying add basic authorization for my Rest webservice. on weblogic i have created the same user under default security realm . when i executing my rest client without passing authorization it is returning HTTP 200 means application is consuming the request. however in case i pass authorization then it validates the username password. i want my service to work with authorization only. Can someone please let me know what i am missing or if i am doing anything wrong?
in web.xml i have below:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>PP</display-name>
<servlet>
<servlet-name>jersey-servlet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.att.eddpp.preprocessing</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>wl-dispatch-policy</param-name>
<param-value>PP-work-manager</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>PP</web-resource-name>
<url-pattern>/PP/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>PPRST</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>PPRST</role-name>
</security-role>
</web-app>
in weblogic.xml i have added
<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app
xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.7/weblogic-web-app.xsd">
<wls:weblogic-version>12.1.3</wls:weblogic-version>
<wls:context-root>PP</wls:context-root>
<wls:security-role-assignment>
<wls:role-name>PPRST</wls:role-name>
<wls:principal-name>PPRST</wls:principal-name>
</wls:security-role-assignment>
</wls:weblogic-web-app>
Your constraint is for /PP/* but you jersey resource is under /* . I think that's the problem.
I'm writing an administration webapp to be deployed on Wildfly.
It's gonna be used by the same users that have access to the Administration Console (http://localhost:9990/).
It would be great if I could just declare that my app should use HTTP Basic auth in the ManagementRealm, just like the Console does.
The naive, optimistic try did not work:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ManagementRealm</realm-name>
</login-config>
</web-app>
This does not trigger the HTTP Basic login dialog at all.
Is there any simple way to plug my app into the ManagementRealm?
I found that I need to create a security domain that's linked with the ManagementRealm. The configuration is spread over three places:
1) A new security domain needs to be added that delegates to ManagementRealm using RealmDirect login module:
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
....
<security-domain name="management" cache-type="default">
<authentication>
<login-module code="RealmDirect" flag="required">
<module-option name="realm" value="ManagementRealm"/>
</login-module>
</authentication>
</security-domain>
This can be done via jboss-cli:
/subsystem=security/security-domain=management:add(cache-type=default)
/subsystem=security/security-domain=management/authentication=classic:add(\
login-modules=[{\
"code"=>"RealmDirect", "flag"=>"required", \
"module-options"=>[("realm"=>"ManagementRealm")]\
}])
2) The app need to reference this security domain using WEB-INF/jboss-web.xml:
<jboss-web>
<security-domain>management</security-domain>
</jboss-web>
3) Than a straightforward web.xml to turn on HTTP Basic login dialog:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-role>
<role-name>*</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>[message show in login dialog]</realm-name>
</login-config>
</web-app>
Wildfly won't follow the security-constraint unless you bind it to a security role:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ManagementRealm</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
</web-app>
This will make basic auth load but then you have the problem where ManagementRealm is only bound to the management ports in your standalone.xml, so you will have to change that. You may need to remove ApplicationRealm so it doesn't conflict.
<management-interfaces>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
I know that there are alot of topics about this. But I dont get my auth running...
Here my code:
tomcat-users.xml
<role rolename="user"/>
<user username="user" password="geheimu" roles="user"/>
<role rolename="admin"/>
<user username="admin" password="geheima" roles="admin,user"/>
server.xml
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<servlet>
<servlet-name>Jersey REST Service</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Jersey REST Service</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<!-- <welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Estate Service</web-resource-name>
<url-pattern>/rest/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>estate</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
Rest Resource
#Path("/estate")
#RolesAllowed("admin")
public class EstateResourceBean {
...
So when the login pops up and i enter admin, geheima i get unautohrized :(
Is there something wrong with tomcat?
I'm using Eclipse Helios (3.6.2) with Spring MVC 3 + Spring Security 3 + GAE. The problem is that I can't logg anything from Spring Security. No errors but no logging at all. I read that when the access is denied or a user can't logging automatically the Eclipse console should show debug messages, not my case. Here is the config:
war/WRB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>ABM Monotributistas</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/securityContext.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Enable Spring Security debug logging -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<!-- Bootstrap listener to start up Spring's root WebApplicationContext -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- For concurrent session-control support -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- MVC -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/servletContext.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
src/log4j.properties
# A default log4j configuration for log4j users.
#
# To use this configuration, deploy it into your application's WEB-INF/classes
# directory. You are also encouraged to edit it as you like.
# Configure the console as our one appender
log4j.appender.A1=org.apache.log4j.ConsoleAppender
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d{HH:mm:ss,SSS} %-5p [%c] - %m%n
# tighten logging on the DataNucleus Categories
log4j.category.DataNucleus.JDO=WARN, A1
log4j.category.DataNucleus.Persistence=WARN, A1
log4j.category.DataNucleus.Cache=WARN, A1
log4j.category.DataNucleus.MetaData=WARN, A1
log4j.category.DataNucleus.General=WARN, A1
log4j.category.DataNucleus.Utility=WARN, A1
log4j.category.DataNucleus.Transaction=WARN, A1
log4j.category.DataNucleus.Datastore=WARN, A1
log4j.category.DataNucleus.ClassLoading=WARN, A1
log4j.category.DataNucleus.Plugin=WARN, A1
log4j.category.DataNucleus.ValueGeneration=WARN, A1
log4j.category.DataNucleus.Enhancer=WARN, A1
log4j.category.DataNucleus.SchemaTool=WARN, A1
#Spring security debug logging
log4j.logger.org.springframework.security = DEBUG, A1
war/WRB-INF/logging.properties
# A default java.util.logging configuration.
# (All App Engine logging is through java.util.logging by default).
#
# To use this configuration, copy it into your application's WEB-INF
# folder and add the following to your appengine-web.xml:
#
# <system-properties>
# <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
# </system-properties>
#
# Set the default logging level for all loggers to WARNING
.level = WARNING
Inside my project I have my "applicationContext-security.xml" configuration file. (Which I assume you must have to have been able to set up Spring Security properly)
I have the following code which seems to give me outputs to console when ever a login was a success or denied.
<!-- Automatically receives AuthenticationEvent messages -->
<b:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
I hope this is what you're after.