How is it possible to configure Jasig's CAS to listen only on HTTPS port (8443)?
We have application divided into two parts, portal and SSO authority (JASIG CAS). Both are running on JBoss AS7 and different machines. Portal and SSO authority are configured to redirect from HTTP (8080) port to HTTPS (8443) port by
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
<ssl name="https" password="pass" certificate-key-file="/path_to_keystore.jks"/>
</connector>
<virtual-server name="default-host">
<alias name="myapp.domain.com"/>
</virtual-server>
</subsystem>
...
<socket-binding name="http" port="8080" fixed-port="true" interface="public"/>
<socket-binding name="https" port="8443" fixed-port="true" interface="public"/>
Port redirection works well on portal part, but CAS ignores the redirection and works at http (8080) as well (shows information about non-secured access).
For correct java web app SSL configuration is necessary to make some part of application secured in web.xml file. Then redirect works flawless.
<security-constraint>
<web-resource-collection>
<web-resource-name>sso secured pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Related
I use Jboss eap 6.4.
I'd like to have those ears deployed simultaneously but on different ports.
If I just put 2 ears into deployments I got: DuplicateServiceException: Service /app already registered.
To configure JBoss for App1.war on port 8080 and App2.war on port 8543, you should implement the following steps:
First of all, you have to add socket-binding for 8543 (as port 8080 is already defined).
<socket-binding name="http2" port="8543"/>
In web subsystem the following connectors should be declared:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" />
<connector name="http2" protocol="HTTP/1.1" scheme="http" socket-binding="http2" />
Additionally, in web subsystem the following two virtual-servers should be declared:
<virtual-server name="host1" enable-welcome-root="false" default-web-module="App1.war">
<alias name="first.com"/>
</virtual-server>
<virtual-server name="host2" enable-welcome-root="false" default-web-module="App2.war">
<alias name="second.com"/>
</virtual-server>
Associate the appropriate virtual-server with the respective connector:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http">
<virtual-server name="host1"/>
</connector>
<connector name="http2" protocol="HTTP/1.1" scheme="http" socket-binding="http2">
<virtual-server name="host2"/>
</connector>
The final step is to configure each application with the right jboss-web.xml in WEB-INF:
- For App1.war
<jboss-web>
<virtual-host>host1</virtual-host>
</jboss-web>
- For App2.war
<jboss-web>
<virtual-host>host2</virtual-host>
</jboss-web>
Now each application can be accessed by following the urls:
For App1.war - http://first.com:8080/App1/index.jsp
For App2.war - http://second.com:8543/App2/index.jsp
Please bear in mind that in /etc/hosts of the system, you must add the corresponding virtual-server alias names:
127.0.0.1 localhost.localdomain localhost first.com second.com
I am using JBoss 6.4 EAP access logs to debug when an item hits the server.
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="my.host.name"/>
<access-log pattern="%t %a %A %b %h %m %p %q %U %r">
<directory path="."/>
</access-log>
</virtual-server>
</subsystem>
However, a monitoring tool constantly hits the server every couple of seconds to check it is up and so the access log is hard to read.
I can't turn off or change the monitoring and the code in the webserver is not mine so I can't change that either.
Is it possible to filter the access log so that it only logs when a specific url is hit?
I have enabled https changing standalone.xml as follows:
<security-realms>
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="./ed.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="ed" key-password="secret" />
</ssl>
</server-identities>
</security-realm>
...
and:
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" />
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" />
Both the following links work:
http://localhost:8080
https://localhost:8443
the second actually is a secure connection.
Unfortunately, the first link doesn't redirect to the https protocol.
What have I missed?
Thank you.
Make sure you add this in your web.xml
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This will allow the redirection for any URL.
We moved (or renamed) our webapplication from http://domain.tld/webapp/... to http://domain.tld/ourWebapp/...
Now we want to redirect old urls to the new one - Most redirect solutions are handled inside the application. This however won't work, because with the wrong war-name given, the webapp is not triggered at all.
Is there a way to add redirects on the - let's say - server level, instead of handling it from within the application? (We don't want to deploy a "redirect application" listening on the old war-name.)
I found this documentation: http://www.jboss.org/jbossweb/modules/rewrite.html but it seems outdated, as it still talkes about server.xml (there is none in JBOSS AS 7.1). All the mentioned elements aren't there either and not supported it seems...
After a lot of testing, I figured out, that this is possible INSIDE the standalone.xml, right in the virtual-server subsystem. However, there are still some Issues:
Whats working so far: The following entry leads to a forward as expected:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<rewrite pattern="^/webapp/(.*?)$" substitution="/myWebapp/$1" flags="R=301,L">
</rewrite>
</virtual-server>
</subsystem>
The (outdated) docu for doing rewrites with jboss (http://www.jboss.org/jbossweb/modules/rewrite.html) states, that there are several environmnet variables that can be used.
I noticed, that the ${HTTP_} Variables are working, but using anything else gives me a 'java.lang.IllegalArgumentException'.
What I tried (and need to achieve):
<rewrite pattern="^/webapp/(.*?)$" substitution="${SERVER_PROTOCOL}://${SERVER_ADDR}:${SERVER_PORT}/myWebapp/$1" flags="R=301,L">
So basically a redirect that works independent of protocol and/or hostname.
I tried it with a "relative" Redirect (substitution="/myWebapp/$1") - This worked, but does not keep the port (requests on http://ip:8080/webapp/ are forwarded to http://ip/myWebapp/)
Any ideas on this?
Finally got it:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<rewrite pattern="^/webapp/(.*?)$" substitution="/myWebapp/$1" flags="R=301,L">
</rewrite>
</virtual-server>
</subsystem>
is working as expected and keeping the port. (Dunno, why it did not work on the first try, maybe didnt restart the server properly, etc...)
There's some explanation & examples here as well, if you have access to the RedHat site:
https://access.redhat.com/site/solutions/189423
JBoss EAP6 provided Global Rewrite valve which can be enabled in the "web" subsystem of your configuration as following:
For redirecting all http requests coming for localhost:8080/MXBeanDemo should be redirected to "www.yahoo.com/"
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
<rewrite pattern="^/MXBeanDemo(.*)" substitution="http://www.yahoo.com" flags="R"/> <!-- NOTICE -->
</virtual-server>
</subsystem>
For redirecting localhost:8080/Abcd to localhost:8080/Wxyz
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
<rewrite pattern="^/Abcd(.*)" substitution="/Wxyz" flags="R"/> <!-- NOTICE -->
</virtual-server>
</subsystem>
I am trying to redirect the traffic on non-SSL port 8080 to SSL port 8443( on Jboss 4.2.3.GA version), but its not working. when I access my webapplication on this port it stays on that port and the page gets displayed. Here is my configuration in server.xml file
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="conf/sds/keystore"/>
and here is web.xml configuration
<security-constraint>
<web-resource-collection>
<web-resource-name>SUCTR</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
I have tried using default port 80 and 443 and also using the specific path in the url-pattern but still its not working. I am not sure what is it i am doing wrong here, can you please point me in the right direction.
thanks.
edit in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>App_nmae</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
edit in sever.xml
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/apache-tomcat-6.0.13/.keystore"
keystorePass="changeit"/>
it is working for me ..you can try it
That looks right. I am assuming you are closing the security-constraint tag. Try changing the url pattern to "/APP_URI/*" and see if it makes a difference while accessing the app.