I have two applications (ears) deployed on a JBoss 7.1.3 server. I want to access beans from both of these applications from a remote client using JNDI. However, I need password authentication for one of my applications, and want to access the other without any authentication.
For the first of my applications I defined a custom security realm and set it as the remoting-connectors security realm. The corresponding code snippets of the standalone.xml look like this:
Security Realm:
<security-realm name="CustomRealm">
<authentication>
<jaas name="CustomDomain"/>
</authentication>
</security-realm>
Remoting Subsystem:
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
<connector name="remoting-connector" socket-binding="remoting" security-realm="CustomRealm"/>
</subsystem>
What I would like to do is specify a second security realm (or better none at all) for my second application. I found pretty much the same question on the JBoss Forum but without an answer that solved my problem.
Is this possible and if so, how can I do this? Thanks in advance.
Its not possible currently due to the limitation of EJB Remoting subsytem in AS7. There is a issue opened on this already..
https://issues.jboss.org/browse/AS7-6367
Did you tried to expose this EJB as webservie? this way you can use different realm.
Related
Where I work, I'm using Jboss AS7 Server to run about 4 applications.
We just finished developing a new application for our companie's partners.
The thing is we are currently getting a couple of connections from other countries like Nigeria and France (we are located in Brazil) and are suspecting that this new application might be opening a window to possible attacks.
Also it might be possible that the recent update to AS7 might be the issue.
What I want to know is if there is an extension for the AS7 Server which allows us to see which pages were accessed in which applications that are running on the server.
The subsystem web should be able to produce an access log. In the standalone.xml, in the subsystem container :
<virtual-server name="FQDN" enable-welcome-root="false">
<alias name="FQDN"/>
<access-log pattern="%t %a %u %r %s %b %{Referer}i %{User-Agent}i %S %T %{X-Transaction-ID}i"/>
</virtual-server>
Those are standard ELF field, so you should be able to customize. Hope it helps.
I am facing an access problem when I connect to a postgres database instance on AWS/RDS. The connection is made using the library NPGSQL. Debbugging and logging, I found that the problem occurs during theauthentication. The configuration of PG_HBA made behind the curtain by RDS is set to have the password MD5 encrypted. But MD5 is not a FIPS compliant algorithm and I get the exception.
I cannot bypass FIPS compliancy because of a company domain rule. If i try to set the flag
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
in the windows registry to 0, it is set back to 1 after a while because of this policy.
Is there a way to change the encryption method for the connection password in RDP/Postgres?
Is there a way to overcome this problem some other way, for example editing the web.config file of the application?
Thank you.
I have solved bypassing the FIPS compliancy by adding the following settings in the file machine.config of the .net platform:
<configuration>
<runtime>
<enforceFIPSPolicy enabled="false"/>
</runtime>
</configuration>
I have been inspired here for the solution: https://blogs.msdn.microsoft.com/shawnfa/2008/03/14/disabling-the-fips-algorithm-check/
I'm deploying an ASP.NET MVC 2 application using Apache / mod_mono / MONO (2.8.1) that uses the built in ASP.NET authentication framework.
When I restart Apache, or use the mod_mono control panel to restart the mono server process, users are logged out. I don't want this occurring.
I'm using custom Profile / Membership / Role providers (that are backed by a Redis database), and these currently have a bare minimum implementation. I can not see where my problem fits in here however, but am I missing something obvious?
I notice that the .MONOAUTH cookie changes value when a user logs back in, so I guess there is some persistence that needs to happen that is not happening.
Any solutions or pointers to the relevant documentation would be great!
NOTE: I'm not sure if the information below differs when you're using a Membership Provider -- it may be that session state is persisted by the Membership Provider itself.
It's likely that you're using "in-process" session state storage. This means that whenever you restart the web server process, you're clearing out all the session information stored in the web server process's memory space.
To avoid wiping out session information, you can move to using an out-of-process session state server, either running as an in-memory service (see below for the Mono version) or on SQL Server. Otherwise there are also a number of unofficial custom session store providers that use alternative storage mechanisms (e.g. MongoDB etc.)
I found what you may want, which is this Mono ASP.NET Session State Server: http://manpages.ubuntu.com/manpages/gutsy/man1/asp-state2.1.html
As a first step, take a look in your web.config at the system.web -> sessionState property. If it's set to mode="InProc" then there's your problem. It should look more like:
<sessionState
mode="StateServer"
stateConnectionString="tcpip=server:port"
stateNetworkTimeout="number of seconds"/>
Solution: set the validationKey and decryptionKey manually:
<machineKey validationKey="blahblah" decryptionKey="blahblah" />
I think this is probably a bug in mono that these take on different values over server resets when auto-generated (which is the default).
I found couple of tutorials how to run multiple instances of JBoss on the same machine.
All of them mention uncommenting Service Binder and having separate service-binding.xml files for each server.
The question is why it's done like that? Is there any reason except adding additional layer of indirection?
It looks the same could be done by modification of ports in jboss-service.xml for each server. The only restriction would be that there won't be easy way to switch which instance of JBoss uses which set of ports.
You are right with modifying the ports in jboss-service.xml. This is the straightforward and genuine way to change the ports.
Unfortunately, ports are not only defined in that file, but also in other places like jboss-web's configuration etc.
Catching all those places can be error prone.
So the idea was to have a central file (service-binding.xml) that lives in the root of a server installation. You basically copy the 'default' config to server1, server2 etc and then via command line pass in the server name when starting so that the correct port-offset for all of the services is taken from service-bindings.xml and applied to the resulting runtime configuration.
JBossAS 7 takes this concept one step further to the ServiceBindingGroups, where the base ports are defined on a domain level and then per server you pick a basic group + just a port offset by name, so that there is even less work needed than in as4
I have a Java EE application running on jboss 4.2.3GA.
Login-config.xml is including the following piece of code;
<authentication>
..
<module-option name="principalsQuery">
SELECT PASSWORD FROM users WHERE USER_ID=?
</module-option>
</login-module>
</authentication>
However, I want to update this SQL with this one
select password from users where User_Id=? and Status=1
and make it enable WITHOUT restarting JBoss.
I would be glad to hear the solutions.
If you use DynamicLoginConfig, it is possible by redeploying your application while jboss is still alive; however i have figured out that without DynamicLogin it is almost not possible...