How to change tomcat-users.xml when using Eclipse? - eclipse

tomcat 7.0 + JSF 2
I get a 403 error right after logging in with correct credentials (wrong credentials direct to login.xhtml as expected). I've created a new user in Apache, rebooted the web service and still can't connect with it.
tomcat-users.xml
<tomcat-users>
<user name="lala" password="lala!!!" roles="admin-gui,manager-gui" />
<role rolename="administrator"/>
<user username="admin" password="admin" roles="administrator"/>
</tomcat-users>
Why can I log in only with lala and not with admin (I've added it manually)? Any idea why?
and a realm in server.xml (tomcat conf)
under <host>:
<Realm className="com.bannerplay.beans.Admin">
In the project's welcome file (login.xhtml) I've used j_security_check (form-based authentication):
<form method="post" action="j_security_check">
<p>
Enter user ID and password:<br/> <br/>
User ID <input type="text" name="j_username"/>
Password <input type="password" name="j_password"/> <br/><br/>
<input type="submit" value="Login"/>
</p>
</form>
and defined web.xml like that:
...
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<web-resource-name>BannerPlay administration Tool</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>com.bannerplay.beans.Admin</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/login.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>administrator</role-name>
</security-role>
Project Tree:
When trying to access localhost:8080/myProject/ I get to login.xhtml. When typing correct credentials (the 'lala' user works, not the admin) I get a 403.
When trying to access localhost:8080/myProject/main.xhtml I'm redirected to the login page again (after correct credentials).
I've tried to add the "administrator" role to user lala, but it has the same results.
What should I do? Thanks.

The solution is NOT to change the tomcat-users.xml file from the hard drive. It must be changed from Eclipse. After changing it from the HD I noticed it keeps coming back to the old version of the file, instead of keeping my changes. This happens after running the project. Change it from Eclipse and the problem is solved.
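A 403 after a successful form login means the user authenticated but holds none of the roles named in the matching `<auth-constraint>`. The following added example (not code from the original posts) cross-checks a `web.xml` against the `tomcat-users.xml` the server actually loaded; the sample documents are constructed from the files quoted in the question, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the two files quoted in the question
# (passwords replaced with a dummy value).
TOMCAT_USERS = """<tomcat-users>
  <user name="lala" password="x" roles="admin-gui,manager-gui"/>
  <role rolename="administrator"/>
  <user username="admin" password="x" roles="administrator"/>
</tomcat-users>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _find_all(root, name):
    """Find descendants by local tag name, ignoring any XML namespace."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]


def user_roles(tomcat_users_xml):
    """Map each user in tomcat-users.xml to the set of roles it is granted."""
    users = {}
    for el in _find_all(ET.fromstring(tomcat_users_xml), "user"):
        # Both attribute spellings appear in the file quoted in the question.
        name = el.get("username") or el.get("name")
        users[name] = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
    return users


def access_report(web_xml, tomcat_users_xml):
    """Per security-constraint: which users pass and which get a 403."""
    users = user_roles(tomcat_users_xml)
    report = []
    for sc in _find_all(ET.fromstring(web_xml), "security-constraint"):
        required = {r.text.strip() for ac in _find_all(sc, "auth-constraint")
                    for r in _find_all(ac, "role-name")}
        report.append({
            "patterns": [p.text.strip() for p in _find_all(sc, "url-pattern")],
            "required": sorted(required),
            "allowed": sorted(u for u, r in users.items() if r & required),
            "denied_403": sorted(u for u, r in users.items() if not r & required),
        })
    return report


if __name__ == "__main__":
    for row in access_report(WEB_XML, TOMCAT_USERS):
        print(row)
```

Run it against the copy of the file the server reads at startup, since a file edited elsewhere may have been overwritten as described above.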

Related

JBoss not redirecting to Keycloak

I have JBoss EAP 7
So I have done:
unzip keycloak-eap7-adapter-dist-3.2.1.Final.zip
and
./bin/jboss-cli.sh --file=adapter-install-offline.cli
and added the <security-constraint> element to web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Admins</web-resource-name>
<url-pattern>/admin/*</url-pattern>
...
<security-role>
<role-name>admin</role-name>
...
and in my standalone.xml, I have:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="snack.war">
<realm>Netzportal</realm>
<resource>netzportal</resource>
<public-client>true</public-client>
<auth-server-url>http://localhost:8180/auth</auth-server-url>
<ssl-required>EXTERNAL</ssl-required>
</secure-deployment>
</subsystem>
And in the keycloak admin console I have registered the web application as client. The client opens at http://localhost:10080/czo/login.xhtml. So I have entered http://localhost:10080/czo/* as Valid Redirect URIs.
But when the application is running and I open http://localhost:10080/czo/login.xhtml, I do not get redirected to keycloak (which is also running)
You seem to be missing the following entry (since it does not appear in your listed web.xml configuration), which actually tells which kind of authentication to use for login:
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>Netzportal</realm-name>
</login-config>
For more details on configuration check the docs.
I had the same problem. After a lot of suffering, I found that the web.xml file was in the wrong folder.

Shibboleth integration

Currently we have CAS SSO for our existing .NET application, but now the client is asking for Shibboleth SSO instead of CAS. I'm totally new to Shibboleth.
Client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
By using guidelines from the Shibboleth site, below are the steps I followed.
Installed Shibboleth Service Provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed Shibboleth IdP (in which Jetty was also checked) (shibboleth-identity-provider-3.3.3-x64.msi)
Web application with self-signed certificate
Attached my Shibboleth2.xml file:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
</ISAPI>
</InProcess>
<RequestMapper type="Native">
<RequestMap>
<Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
<ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">
<SSO entityID="urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP>"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing:
When I try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
I get the error: no metadataprovider available.
Noticed problems:
1. When I try to add a MetadataProvider, the Shibboleth daemon 2 service stops and cannot be started. If I remove it, it runs.
2. The Shibboleth IdP 3 daemon stops very frequently.
When I run 'SC interrogate shibd_idp' in the command prompt, the results are:
control service failed 1062
the service has not been started.
I don't know what is wrong with my work.
Can anyone please tell me what steps are to be followed to accomplish this integration?
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called metadata provider; you will need to open that.
If you have done this but the service is still not getting started, then you can check the log and give additional info in the question.
Another reason I can think of is a connection problem. Try downloading the IdP's metadata and store it physically in the SP configuration folder. Manually map the file, using the following tag:
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues have been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. We are getting the Shibboleth Identity Provider login page. We are able to see the attributes in Session. Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page. Currently we created 1 sample html page under the secure folder in our application. Once we logged in we are able to see this html page. But when I tried to redirect to our application home page, it's giving a 500 error. Does anyone know how to redirect to our app home page and retrieve the attributes in the application?

How to configure a User before creating a database?

I would like my code to be FIPS compliant but the default username and passwords in Orient 2.2.13 are not. I tried specifying the user name and password when I get an OrientGraphFactory but that didn't fix the problem. I'm trying to log on as admin with my own 16 char password but it looks like Orient reverts to using admin : admin.
How can I configure a user before the database is created to make OrientDB FIPS compliant?
You can set a user through the config/orientdb-server-config.xml configuration file, in the <users> element, like below:
<users>
<user name="root" password="{PBKDF2WithHmacSHA256}55F3DEAE:DLJEJFDKY8:65536" resources="*" />
<user name="guest" password="{PBKDF2WithHmacSHA256}B36E7993C961:C8C8B36F3:65536" resources="connect,server.listDatabases,server.dblist" />
</users>
Hope it helps
Regards

What is the default password for Role-Based Access Control (RBAC) in JBOSS EAP 6.3?

I am using JBOSS EAP 6.3, working in domain mode. I have installed it and created the user admin with password xxx. I am able to log in to the management console.
Now I want to enable Role-Based Access Control (RBAC) in JBOSS. I have modified domain.xml to enable RBAC:
<management>
<access-control provider="rbac">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
Now the problem is I am trying to open the management console using the same user and password but it shows the below error.
What should be the default credential for the RBAC profile, or do I need to add the user again after enabling RBAC?
In order to bypass this error, you have to define a role-mapping from the groups or users defined in the realm to the desired roles.
For example, to grant SuperUser access to the user admin you have already created, use the following JBoss CLI command:
/core-service=management/access=authorization/role-mapping=SuperUser/include=user-admin:add(type=USER,name=admin)
You will see the following result in the domain.xml:
<access-control provider="rbac">
<role-mapping>
<role name="SuperUser">
<include>
<user name="admin"/>
</include>
</role>
</role-mapping>

JBoss authentication issue

I am newbie to JBoss and I have the application running in JBoss 6.2.
We usually have the login set up using JSF. It's showing a screen with username and password (created by JSF) and that's an internal part of the application and that works fine.
But I came to know there is basic authentication setup available in JBoss. We can configure it in a way that it requires to pass through authentication.
I searched on the internet and I found a way to introduce it like below:
D:\workspace_Csmart\jboss-eap-6.2\bin>add-user
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : prabhu
User 'prabhu' already exits, would you like to update the existing user password and roles
Is this correct yes/no? yes
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[user]: prabhu
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.prope
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.propertie
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="cHJhYmh1QDEyMw==" />
And you see the user and password is updated in properties, so I ran the server with my local setup and it's up and running. But I didn't see any popup asking JBoss basic credentials. It's just directly going to the login page: http://10.17.195.15:8080/Proj/home.xhtml
Do I have to do anything with standalone.xml? security tag?
I would really appreciate it if anyone can point out what I am missing here? What do I need to do to make it work for JBoss Basic Authentication? Thanks!
1) First you need to move all your jsf files (that need protection) in some folder, for example secured folder.
2) Create index.jsf that redirects to protected start page and place it outside secured folder.
3) Create logout.jsf which does session.invalidate() and redirects to index.jsf page.
<html>
<body>
<%
if(session!=null)
{
session.invalidate();%>
<jsp:forward page="index.jsp" />
<%
} else{
%>
Logged Out Successfully....
<% }%>
</body>
</html>
4) Add security constraints to web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureResources</web-resource-name>
<description>Some Description</description>
<url-pattern>/secured/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>TestRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>TestRole</role-name>
</security-role>
5) Create jboss-web.xml file inside the project's WEB-INF folder.
<?xml version="1.0"?>
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<security-domain>java:/jaas/BasicAuthWebAppPolicy</security-domain>
<context-root>/basicSecurityWebApp</context-root>
</jboss-web>
6) Create a file with some name like basicSecurityWebApp-roles.properties and place it in the WEB-INF/classes folder. Define a role there and assign that role to some user.
TestUserOne=TestRole
7) Create another file with some name like basicSecurityWebApp-users.properties and place it in WEB-INF/classes folder and define username and password.
TestUserOne=TestPassword
8) Now you should modify login-config.xml in $PROFILE/conf/ folder. Add application-policy with the same name as BasicSecurityWebApp.
<application-policy name="BasicAuthWebAppPolicy">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">basicSecurityWebApp-users.properties</module-option>
<module-option name="rolesProperties">basicSecurityWebApp-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
9) Deploy application to JBoss.
10) Now every time you have to access our website you have to enter user and password you provided in credentials file (username as “TestUserOne” and password as “TestPassword”).
For more details see This
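A `<security-constraint>` that names `<http-method>` elements, as in step 4, applies only to those methods; requests to `/secured/*` using any other method are not subject to the `<auth-constraint>`. The following added example (not part of the original answer) reports which standard methods a `web.xml` leaves uncovered, comparing the constraint as posted with the same constraint without `<http-method>` lines; the sample documents are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

STANDARD_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]

# Constructed sample: the constraint from step 4, methods enumerated.
AS_POSTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureResources</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>TestRole</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same constraint with the <http-method> lines dropped: covers every method.
ALL_METHODS = "\n".join(
    line for line in AS_POSTED.splitlines() if "<http-method>" not in line)


def _children(el, name):
    """Descendants by local tag name, ignoring any XML namespace."""
    return [c for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name]


def uncovered_methods(web_xml):
    """Return {url-pattern: [standard methods no constraint applies to]}."""
    covered = {}
    for wrc in _children(ET.fromstring(web_xml), "web-resource-collection"):
        listed = {m.text.strip().upper() for m in _children(wrc, "http-method")}
        omitted = {m.text.strip().upper()
                   for m in _children(wrc, "http-method-omission")}
        if listed:            # constraint applies only to the named methods
            methods = listed
        elif omitted:         # applies to everything except the named methods
            methods = set(STANDARD_METHODS) - omitted
        else:                 # no method elements: applies to all methods
            methods = set(STANDARD_METHODS)
        for pattern in _children(wrc, "url-pattern"):
            covered.setdefault(pattern.text.strip(), set()).update(methods)
    return {p: [m for m in STANDARD_METHODS if m not in c]
            for p, c in covered.items()}


if __name__ == "__main__":
    print("as posted:  ", uncovered_methods(AS_POSTED))
    print("all methods:", uncovered_methods(ALL_METHODS))
```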
Yes. This somehow helped me to solve this. I just did the following things:
Under WebContent folder:
step1: change in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>prabhu</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>prabhu</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name></realm-name>
</login-config>
step2 : change in jboss-web.xml
<jboss-web>
<context-root>C-SMART</context-root>
<security-domain>java:/jaas/other</security-domain>
</jboss-web>
step 3 : creating user and password for jboss basic authentication
D:\workspace_Csmart\jboss-eap-6.2\bin>add-user
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : prabhu
User 'prabhu' already exits, would you like to update the existing user password and roles
Is this correct yes/no? yes
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[prabhu]: prabhu
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="cHJhYmh1QDEyMw==" />
Press any key to continue . . .
Step 4: verified above user changes reflected in following files
'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.properties'
'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.properties'
And it worked fine for me. Thanks for all your help.