I have the following setup with my GWT Client - Server application:
GWT Client -(RPC)- Server - MSSQL db.
The client is running on various platforms & devices (web application, mobile phones etc..). The java server (and web application files) are hosted on Jetty. MSSQL Database is running on a different server on a different domain.
I need to find a way for the user to authenticate on the domain of the MSSQL DB after which I can allow the client to access to rest of the servers services.
I can pass the username & password pair encrypted to the server but how do I continue from there on? I spent a lot of time figuring that out today, but I just got more and more confused. I did manage to check local authentication with Kerberos on the server, but I need to authenticate remotely to a different domain. Is it even possible without setting up service for that on the remote domain, which I'm trying to avoid?
Related
I am trying setting up an websphere application server cluster and deploy an web application on it. I have successfully access the application with a web server. but i have some question, if i would access the application bypassing the web server by using 9080 to the single server, i get error when sign in servlet respond.redirect to jsp page. the session was lost, are we not suppose to access the application in cluster environment with out the web server ?
As long as you target an individual server in the cluster, you should not lose your session or suffer any other ill effects for not using/having a proxy server between you and the cluster. You should look closely at the Cookies issued through that flow and make sure they don't have a bad domain or path and that you don't get redirected back through the webserver or otherwise to another JVM.
Also verify there is no DNS-based load balancing. If you don't have session persistence/distribution/replication it won't work.
I'm trying to host web pages using Win Server 2016. Currently, I have Jira and my personal web (IIS) servers. Using AWS, I currently have "myec2.com:port1" and "myec2.com/port2" running fine. And I'm planning to buy a domain "myname.com" to be connected to "myec2.long.name.com"
What I hope to do is "myname.com/jira" and "myname.com/mypage" or "jira.myname.com" and "mypage.myname.com" can redirect to Jira server and the IIS server. Is there a way I can achieve this goal?
Thanks in advance.
If you buy a domain like myname.com you will be able to configure any number of sub-domains such as jira.myname.com or mypage.myname.com as you like.
Usually what you would do is point those sub-domains to your server's IP then handle requests to those domains by setting up a web server (like apache or nginx) and configuring a virtual host (apache) or a server block (nginx) for each one of those sub-domains.
My web application is currently configured to connect to LDAP for user validation without relying on application server settings. In other words, my applications utilizes naming params to connect to LDAP hence its agnostic to application server ie. JBoss or Websphere.
Naming params used are as follows:
ldapURL
ldapPrincipal (bind user)
ldapCredentials (bind user's password)
ldapAuthentication
ldapSearchBase
The requirement now is to allow encrypted password in the ldapCredentials naming param. I have a way out of this situation is using custom SecurityLoginModule to encrypt password and supply it to application using naming param. My application would then decrypt it and then proceed with LDAP user validation. However, this results into additional application installation step.
So I was wondering if there is a way to use application server security domain (or some other way) to store the user credentials in secured fashion on application server and later application would pick it up at the time of user validation with LDAP without writing server specific code in my application. I know that we can use security domain to perform data source connection without writing server specific code. But if I do this for LDAP then I make server talk to LDAP which is not what am looking. Basically may still continue to use Federated users instead of LDAP.
Any decent application server (including JBoss and WebSphere) have server provided LDAP registry, which you can configure and use without any application specific code, and I'd strongly suggest to utilize that instead of writing your own ldap connection code.
Regarding encryption:
for WebSphere traditional, you can plug in your own class into server infrastructure to encrypt passwords see - Plug point for custom password encryption
for WebSphere Liberty - you have out of the box support for aes and hash.
for JBoss first link in Google showed me this How do I encrypt the bindCredential password in Wildfly, but maybe JBoss experts will guide you to something different.
While running two app servers (which has mobilefirst servers hosted 7.1 version) from ibm http server, only one server runs successfully on keeping only one of the Route attribute active in the plugin-cfg.xml of the http server. In the server which is not running, the following error is seen in the messages.log.
CWWKS4001E: The security token cannot be validated. This can be for the following reasons
1. The security token was generated on another server using different keys.
2. The token configuration or the security keys of the token service which created the token has been changed.
3. The token service which created the token is no longer available.
Kindly guide in resolving the error above.
Thanks.
Sounds like your two servers have not exchanged/shared LTPA keys and IHS and the WAS Plugin are a red herring.
http://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_ltpa.html
http://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_sso.html
Note: For SSO to work across Liberty servers, full profile servers, or both, set the following resources:
The servers must use the same LTPA keys and share the same user registry.
Sounds like communication issue between two servers. Are the inbound ports opened on another server to communicate with HTTP server? if they are opened use telnet and test whether both servers (HTTP and app server) are communicating with each other.
On HTTP Server, open command prompt and enter below command.
telnet <app server ip> <app server port>
If this is not successful then you need to open ports on app server.
We are using Server 2008 R IIS 7.5 with an SQL DB on the backend. At the moment the system is working fine with three of the servers configured in a load balancing farm while communicating data back to the SQL DB. All of these servers are free standing on their own subnet with a common admin and password. The question is… is there an advantage for making one server a PDC and creating their own domain and joining the rest of the remember servers to the domain?
I investigated this when setting up a similar web farm and all of the resources I queried said that for security reasons you should definitely not join web servers in a DMZ with a domain on a private network.
Most resources also suggested that it wasn't a great idea to create a separate domain in your DMZ for the web servers.
So I opted to do the same thing and just have stand alone servers that share admin username and password and I've been running them for over a year and have no regrets about my decision.