Basic Auth with Tomcat not working - rest

I know that there are a lot of topics about this. But I don't get my auth running...
Here is my code:
tomcat-users.xml
<role rolename="user"/>
<user username="user" password="geheimu" roles="user"/>
<role rolename="admin"/>
<user username="admin" password="geheima" roles="admin,user"/>
server.xml
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<servlet>
<servlet-name>Jersey REST Service</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Jersey REST Service</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<!-- <welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Estate Service</web-resource-name>
<url-pattern>/rest/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>estate</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
Rest Resource
@Path("/estate")
@RolesAllowed("admin")
public class EstateResourceBean {
...
So when the login pops up and I enter admin, geheima I get unauthorized :(
Is there something wrong with Tomcat?

Related

Jersey, REST and web.xml disables @ServerEndpoint websocket when run in Eclipse

I know this is a duplicate, but this question has not been answered yet!
If a REST servlet is loaded my ServerEndpoint is not loaded. If I rename web.xml the socket is working as expected. I run this application on tomcat9. This is my Endpoint:
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.PathParam;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint(value = "/talk/{BenutzerID}/{Grad}/{Accesskey}")//, encoders = MessageEncoder.class, decoders = MessageDecoder.class)
public class talk {
    //static Set<Session> peers = Collections.synchronizedSet(new HashSet<Session>());
    public talk()
    {
        System.out.println("Talk started! " + this.getClass().toString());
    }
    @OnOpen
    public void onOpen(@PathParam("BenutzerID") Long BenutzerID,
                       @PathParam("Grad") long Kontaktgrad,
                       @PathParam("Accesskey") String Accesskey,
                       Session session) {
        // method body not shown in the post
    }
}
And this is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<display-name>Archetype Created Web Application</display-name>
<servlet>
<servlet-name>jersey-serlvet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-serlvet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
</web-app>
After cleaning Tomcat the websocket worked.

Rest Webservice Basic Authorization

I am trying to add basic authorization for my REST web service. On WebLogic I have created the same user under the default security realm. When I execute my REST client without passing authorization it returns HTTP 200, meaning the application is consuming the request. However, in case I pass authorization then it validates the username and password. I want my service to work with authorization only. Can someone please let me know what I am missing or if I am doing anything wrong?
In web.xml I have the following:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>PP</display-name>
<servlet>
<servlet-name>jersey-servlet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.att.eddpp.preprocessing</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>wl-dispatch-policy</param-name>
<param-value>PP-work-manager</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>PP</web-resource-name>
<url-pattern>/PP/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>PPRST</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>PPRST</role-name>
</security-role>
</web-app>
In weblogic.xml I have added:
<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app
xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.7/weblogic-web-app.xsd">
<wls:weblogic-version>12.1.3</wls:weblogic-version>
<wls:context-root>PP</wls:context-root>
<wls:security-role-assignment>
<wls:role-name>PPRST</wls:role-name>
<wls:principal-name>PPRST</wls:principal-name>
</wls:security-role-assignment>
</wls:weblogic-web-app>
Your constraint is for /PP/* but your Jersey resource is under /*. I think that's the problem.

With a samlWebSso20 config on WebSphere Liberty and an ADFS server, what is the proper way to define security roles / constraints

I have put in place a samlWebSso20 config using the Liberty Buildpack on Bluemix and the ADFS idp from my customer.
I have a single web application deployed on the Liberty instance.
I am using the Server Directory option to push on Bluemix as explained here
Here is my server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server description="johan">
<featureManager>
<feature>webProfile-7.0</feature>
<feature>samlWeb-2.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<samlWebSso20 id="defaultSP" nameIDFormat="unspecified"
spCookieName="my_cookie"
idpMetadata="${server.config.dir}/resources/security/FederationMetadata.xml"
userIdentifier="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
sessionNotOnOrAfter="2h">
</samlWebSso20>
<keyStore id="defaultKeyStore" password="***" />
<webApplication context-root="/" location="MySampleApp.war" name="MySampleApp" type="war">
<security-role name="any-authenticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
<security-role name="administrators">
<user name="user1@customer.com" />
<user name="user2@customer.com" />
</security-role>
</webApplication>
And here is the web.xml of the app deployed on Liberty
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<display-name>SampleAppServicesConstraint</display-name>
<web-resource-collection>
<web-resource-name>SampleAppServices</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>any-authenticated</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>SampleAppAdminConstraint</display-name>
<web-resource-collection>
<web-resource-name>SampleAppAdmin</web-resource-name>
<url-pattern>/admin</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>administrators</role-name>
</auth-constraint>
</security-constraint>
<display-name>SampleApp</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
When I hit the /admin route of the SampleApp, I get redirected to the ADFS login page. I then log in with user1@customer.com and get redirected to my app. However, I get a 403 even though the user is in the 'administrators' role.
Below is the error message in the logs:
[AUDIT ] CWWKS9104A: Authorization failed for user user1@customer.com while invoking MySampleApp on /admin. The user is not granted access to any of the required roles: [administrators].
Note that if I change the auth-constraint role from administrators to any-authenticated for the /admin route, user1@customer.com can then access the admin page.
Could someone please share some experience and explain what I am doing wrong?
Thanks
Change
<security-role name="administrators">
<user name="user1@customer.com" />
<user name="user2@customer.com" />
</security-role>
To
<security-role name="administrators">
<user name="user1@customer.com" access-id="user:<issuer name here>/user1@customer.com"/>
<user name="user2@customer.com" access-id="user:<issuer name here>/user2@customer.com"/>
</security-role>
where `<issuer name here>` is the issuer name as it appears in SAML.

webapp in ManagementRealm on Wildfly

I'm writing an administration webapp to be deployed on Wildfly.
It's gonna be used by the same users that have access to the Administration Console (http://localhost:9990/).
It would be great if I could just declare that my app should use HTTP Basic auth in the ManagementRealm, just like the Console does.
The naive, optimistic try did not work:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ManagementRealm</realm-name>
</login-config>
</web-app>
This does not trigger the HTTP Basic login dialog at all.
Is there any simple way to plug my app into the ManagementRealm?
I found that I need to create a security domain that's linked with the ManagementRealm. The configuration is spread over three places:
1) A new security domain needs to be added that delegates to ManagementRealm using RealmDirect login module:
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
....
<security-domain name="management" cache-type="default">
<authentication>
<login-module code="RealmDirect" flag="required">
<module-option name="realm" value="ManagementRealm"/>
</login-module>
</authentication>
</security-domain>
This can be done via jboss-cli:
/subsystem=security/security-domain=management:add(cache-type=default)
/subsystem=security/security-domain=management/authentication=classic:add(\
login-modules=[{\
"code"=>"RealmDirect", "flag"=>"required", \
"module-options"=>[("realm"=>"ManagementRealm")]\
}])
2) The app needs to reference this security domain using WEB-INF/jboss-web.xml:
<jboss-web>
<security-domain>management</security-domain>
</jboss-web>
3) Then a straightforward web.xml to turn on the HTTP Basic login dialog:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-role>
<role-name>*</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>[message shown in login dialog]</realm-name>
</login-config>
</web-app>
Wildfly won't follow the security-constraint unless you bind it to a security role:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ManagementRealm</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
</web-app>
This will make basic auth load but then you have the problem where ManagementRealm is only bound to the management ports in your standalone.xml, so you will have to change that. You may need to remove ApplicationRealm so it doesn't conflict.
<management-interfaces>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
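The three answers above (the /PP/* constraint that misses a servlet mapped at /*, the WildFly security-constraint that has no auth-constraint and therefore protects nothing, and the Tomcat descriptor that lists only GET and POST, which leaves every other HTTP method unconstrained) are all mistakes that can be caught by reading the descriptor. The following script is an added example and is not code from any of the posts; it parses a web.xml with the standard library, handles both the namespaced 2.5/3.0 form and the DTD-based 2.3 form, and reports those three conditions. The three sample descriptors embedded in it are constructed, trimmed-down versions of the ones in the posts.

```python
"""Audit the security-constraint section of a Servlet web.xml (added example).

Flags: a servlet url-pattern no security-constraint covers, a constraint with
no auth-constraint (requires nothing), and a web-resource-collection that
enumerates http-method elements (every unlisted method stays unconstrained).
"""
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip the namespace so 2.3 (DTD) and 2.5/3.0 (xmlns) descriptors read alike.
    return tag.rsplit('}', 1)[-1]

def _children(el, name):
    return [c for c in el if _local(c.tag) == name]

def _text(el):
    return (el.text or '').strip()


def parse_web_xml(xml_text):
    """Return ({servlet-name: [url-patterns]}, [constraint dicts])."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for sm in _children(root, 'servlet-mapping'):
        name = _text(_children(sm, 'servlet-name')[0])
        mappings.setdefault(name, []).extend(_text(p) for p in _children(sm, 'url-pattern'))
    constraints = []
    for sc in _children(root, 'security-constraint'):
        patterns, methods = [], []
        for wrc in _children(sc, 'web-resource-collection'):
            patterns += [_text(p) for p in _children(wrc, 'url-pattern')]
            methods += [_text(m) for m in _children(wrc, 'http-method')]
        ac = _children(sc, 'auth-constraint')
        # None: no auth-constraint at all.  []: empty auth-constraint, which denies everyone.
        roles = [_text(r) for r in _children(ac[0], 'role-name')] if ac else None
        constraints.append({'patterns': patterns, 'methods': methods, 'roles': roles})
    return mappings, constraints


def pattern_covers(constraint_pattern, servlet_pattern):
    """True if every request routed by servlet_pattern also matches constraint_pattern.

    Handles exact paths, path-prefix patterns (/x/*) and the catch-all /*.
    An extension pattern (*.jsp) only covers the identical pattern.
    """
    if constraint_pattern == servlet_pattern or constraint_pattern == '/*':
        return True
    if constraint_pattern.endswith('/*'):
        prefix = constraint_pattern[:-2]
        return servlet_pattern == prefix or servlet_pattern.startswith(prefix + '/')
    return False


def audit(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    mappings, constraints = parse_web_xml(xml_text)
    findings = []
    for i, c in enumerate(constraints, 1):
        if c['roles'] is None:
            findings.append(f"constraint {i} {c['patterns']}: no auth-constraint, so no login is required")
        if c['methods']:
            findings.append(f"constraint {i} {c['patterns']}: only {c['methods']} constrained; "
                            "every other HTTP method is uncovered")
    for name, pats in mappings.items():
        for sp in pats:
            if not any(pattern_covers(cp, sp) for c in constraints for cp in c['patterns']):
                findings.append(f"servlet {name!r} pattern {sp}: not covered by any security-constraint")
    return findings


# Constructed samples, reduced to the elements that matter for the audit.
SAMPLE_TOMCAT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
 <servlet-mapping><servlet-name>rest</servlet-name><url-pattern>/rest/*</url-pattern></servlet-mapping>
 <security-constraint>
  <web-resource-collection><url-pattern>/rest/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>admin</role-name><role-name>user</role-name></auth-constraint>
 </security-constraint></web-app>"""

SAMPLE_WEBLOGIC = """<web-app version="3.0">
 <servlet-mapping><servlet-name>jersey-servlet</servlet-name><url-pattern>/*</url-pattern></servlet-mapping>
 <security-constraint>
  <web-resource-collection><url-pattern>/PP/*</url-pattern><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>PPRST</role-name></auth-constraint>
 </security-constraint></web-app>"""

SAMPLE_WILDFLY = """<web-app version="3.0">
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method></login-config></web-app>"""

if __name__ == '__main__':
    for label, doc in [('tomcat', SAMPLE_TOMCAT), ('weblogic', SAMPLE_WEBLOGIC), ('wildfly', SAMPLE_WILDFLY)]:
        for finding in audit(doc) or ['nothing flagged']:
            print(f"{label}: {finding}")
```

Run it against a real descriptor with `audit(open('WEB-INF/web.xml').read())`. On a Servlet 3.1 or later descriptor the fix for the enumerated-methods finding is `<deny-uncovered-http-methods/>`; on older versions, drop the `http-method` elements so the constraint applies to all methods. Note that `ET.fromstring` does not fetch an external DTD, so a 2.3 descriptor with a DOCTYPE parses offline.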

Reading XML in PowerShell: (407) Proxy Authentication Required error?

I'm trying to read an XML file from my local machine. However, the following code:
$datasourceXmlFilePath=$configuration.config.mondrian.DataSources.filePath
$webXmlFilePath=$configuration.config.mondrian.web.'web-app'.filePath
if(!(Test-Path($datasourceXmlFilePath)))
{
Write-Host "Datasource.xml not found. Exiting the script" -ForegroundColor red
exit
}
if(!(Test-Path($webXmlFilePath)))
{
Write-Host "Web.xml not found. Exiting the script" -ForegroundColor red
exit
}
[xml]$datasourceXml=Get-Content $datasourceXmlFilePath
Write-Host "XML created"
[xml]$webl= Get-content $webXmlFilePath
Write-Host "XML Created"
Keeps giving me the following error:
XML created
Cannot convert value "System.Object[]" to type "System.Xml.XmlDocument". Error: "The remote server returned an error: (407) Proxy Authentication Required."
At line:20 char:11
+ [xml]$webl <<<< = Get-content $webXmlFilePath
+ CategoryInfo : MetadataError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RuntimeException
Both XML files are well formed, and I'm stumped as to why one file is successfully read and the other is not. I tried changing the location of the second XML file, but still got the same result.
I'm using WindowsPowershell_ise v1.0, running on a Windows 7 machine.
The XML file for which the problem is occurring is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>Mondrian</display-name>
<description/>
<!-- optional? now in JPivot by default -->
<context-param>
<param-name>contextFactory</param-name>
<param-value>com.tonbeller.wcf.controller.RequestContextFactoryImpl</param-value>
</context-param>
<context-param>
<param-name>connectString</param-name>
<!--<param-value>Provider=Mondrian;Jdbc=jdbc:mysql://localhost:3306/foodmart?user=root&password=;Catalog=/WEB-INF/queries/FoodMart.xml;JdbcDrivers=com.mysql.jdbc.Driver</param-value>-->
<param-value>Provider=Mondrian;Jdbc='jdbc:sqlserver://172.25.37.213;user=QwikSilver_user;password=Newuser123;databaseName=FoodMart;';Catalog=/WEB-INF/queries/FoodMart.xml;JdbcDrivers=com.microsoft.sqlserver.jdbc.SQLServerDriver</param-value>
</context-param>
<!-- optional
<context-param>
<param-name>chartServlet</param-name>
<param-value>/path/to/chartServlet</param-value>
</context-param>
-->
<filter>
<filter-name>JPivotController</filter-name>
<filter-class>com.tonbeller.wcf.controller.RequestFilter</filter-class>
<init-param>
<param-name>errorJSP</param-name>
<param-value>/error.jsp</param-value>
<description>URI of error page</description>
</init-param>
<init-param>
<param-name>busyJSP</param-name>
<param-value>/busy.jsp</param-value>
<description>This page is displayed if a the user clicks
on a query before the previous query has finished</description>
</init-param>
<!--
<init-param>
<param-name>forceExtension</param-name>
<param-value>.faces</param-value>
<description>replace .jsp with .faces</description>
</init-param>
-->
</filter>
<filter-mapping>
<filter-name>JPivotController</filter-name>
<url-pattern>/testpage.jsp</url-pattern>
</filter-mapping>
<listener>
<listener-class>mondrian.web.taglib.Listener</listener-class>
</listener>
<!-- resources initializer -->
<listener>
<listener-class>com.tonbeller.tbutils.res.ResourcesFactoryContextListener</listener-class>
</listener>
<servlet>
<servlet-name>MDXQueryServlet</servlet-name>
<servlet-class>mondrian.web.servlet.MdxQueryServlet</servlet-class>
<init-param>
<param-name>connectString</param-name>
<!--<param-value>Provider=Mondrian;Jdbc=jdbc:mysql://localhost:3306/foodmart?user=root&password=;Catalog=/WEB-INF/queries/FoodMart.xml;JdbcDrivers=com.mysql.jdbc.Driver</param-value>-->
<param-value>Provider=Mondrian;Jdbc='jdbc:sqlserver://172.25.37.213;user=QwikSilver_user;password=Newuser123;databaseName=FoodMart;';Catalog=/WEB-INF/queries/FoodMart.xml;JdbcDrivers=com.microsoft.sqlserver.jdbc.SQLServerDriver</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>MondrianXmlaServlet</servlet-name>
<servlet-class>mondrian.xmla.impl.DynamicDatasourceXmlaServlet</servlet-class>
<!--<servlet-class>mondrian.xmla.impl.DefaultXmlaServlet</servlet-class>-->
<init-param>
<param-name>DataSourcesConfig</param-name>
<param-value>file:D:\setups\apache-tomcat-6.0.24\webapps\mondrian\WEB-INF\datasources.xml</param-value>
</init-param>
<!--
This is an example of how to add a callback to the XML/A servlet.
It must implement mondrian.xmla.XmlaRequestCallback.
<init-param>
<param-name>Callbacks</param-name>
<param-value>com.example.MyCallbackClass;com.example.SomeOtherCallback</param-value>
</init-param>
-->
</servlet>
<!-- jfreechart provided servlet -->
<servlet>
<servlet-name>DisplayChart</servlet-name>
<servlet-class>org.jfree.chart.servlet.DisplayChart</servlet-class>
</servlet>
<!-- jfreechart provided servlet -->
<servlet>
<servlet-name>GetChart</servlet-name>
<display-name>GetChart</display-name>
<description>Default configuration created for servlet.</description>
<servlet-class>com.tonbeller.jpivot.chart.GetChart</servlet-class>
</servlet>
<servlet>
<servlet-name>Print</servlet-name>
<display-name>Print</display-name>
<description>Default configuration created for servlet.</description>
<servlet-class>com.tonbeller.jpivot.print.PrintServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DisplayChart</servlet-name>
<url-pattern>/DisplayChart</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Print</servlet-name>
<url-pattern>/Print</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>GetChart</servlet-name>
<url-pattern>/GetChart</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MDXQueryServlet</servlet-name>
<url-pattern>/mdxquery</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MondrianXmlaServlet</servlet-name>
<url-pattern>/xmla</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<taglib>
<taglib-uri>http://www.tonbeller.com/wcf</taglib-uri>
<taglib-location>/WEB-INF/wcf/wcf-tags.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://www.tonbeller.com/jpivot</taglib-uri>
<taglib-location>/WEB-INF/jpivot/jpivot-tags.tld</taglib-location>
</taglib>
</web-app>
Any help would be appreciated.
I had a similar problem loading an XML. I didn't require proxy access but had trouble circumventing it. Initially I tried this:
set-itemproperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -name ProxyEnable -value 0
It worked as a user but not as administrator.
So I tried this:
[System.Net.WebRequest]::DefaultWebProxy = $null