I have deployed a Webservice on JBossAS 5.1 GA. To use HTTP Basic Authentication, The SBC class is annotated the following way:
#Stateless
#SecurityDomain(value = "MyWSSecurity")
#RolesAllowed(value = "WebserviceUser")
#WebContext(contextRoot="/MyWS", urlPattern="/*", authMethod="BASIC", transportGuarantee="NONE", secureWSDLAccess=true)
#WebService(endpointInterface = "MyWS")
public class MyWSImpl implements MyWS {
public String doSomething() {
return "something";
}
}
Generally this works fine. But the following szenario bothers me.
User who is in role WebserviceUser calls the service.
The role Webservice is now taken AWAY from the user.
Problem: He still can call the service.
I guess this happens, because user credentials and roles are stored in HttpSession object on the server side. After server restart the user is denied from calling the service.
What can I do about that?
Regards
EDIT: The problem does not apply only to JBOSSWS EJB3 webservices, but to anything using JAAS authentication.
Found 2 solutions that are appropriate for me.
Solution 1) Change the Default timeout for the JAAS Cache
You can do this by editing $JBOSS_HOME/server/default/conf/jboss-service.conf. Locate the part of the file, where JaasSecurityManager MBean is configured and change the attribute DefaultCacheTimeout to an acceptable small value (60 seconds is fine for me). If you want to disable caching of security credentials entirely, set the value to 0.
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
<!--
skipped some configuration
-->
<!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
in seconds.
If you want to disable caching of security credentials, set this to 0 to
force authentication to occur every time. This has no affect if the
AuthenticationCacheJndiName has been changed from the default value.
-->
<attribute name="DefaultCacheTimeout">60</attribute>
<!-- DefaultCacheResolution: Specifies the default timed cache policy
resolution in seconds. This controls the interval at which the cache
current timestamp is updated and should be less than the DefaultCacheTimeout
in order for the timeout to be meaningful. This has no affect if the
AuthenticationCacheJndiName has been changed from the default value.
-->
<attribute name="DefaultCacheResolution">30</attribute>
<!--
skipped some configuration
-->
</mbean>
Solution 2: Call method flushAuthenticationCache("MyWSSecurity") on JaasSecurityManager MBean, whenever a user's role changes.
Regards
Related
I succeedeed in creating my own OAuth2 server using JCache as token store but I'm facing an issue when moving to JPA.
My configuration is :
"--users","test=test",
"--roles","test=test",
"--oauth2-provider","jpa",
"--oauth2-jpa-database-driver","org.h2.Driver",
"--oauth2-jpa-database-url","jdbc:h2:mem:oauth",
"--oauth2-jpa-database-username","sa",
"--oauth2-jpa-database-password",""
But I got exception below during OpenJPA bootstrap :
here was an error while setting up the configuration plugin option "MetaDataFactory".
The plugin was of type "org.apache.openjpa.persistence.jdbc.PersistenceMappingFactory".
Setter methods for the following plugin properties were not available in that type: [
org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken,
org.apache.cxf.rs.security.oauth2.common.OAuthPermission,
org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken,
org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant,
org.apache.cxf.rs.security.oauth2.common.UserSubject].
Possible plugin properties are:
[AnnotationParser, ClasspathScan, FieldOverride, Files, JAR_FILE_URLS, MAPPING_FILE_NAMES, MODE_ALL, MODE_ANN_MAPPING, MODE_MAPPING, MODE_MAPPING_INIT, MODE_META, MODE_NONE, MODE_QUERY, PERSISTENCE_UNIT_ROOT_URL, Repository, Resources, STORE_DEFAULT, STORE_PER_CLASS, STORE_VERBOSE, StoreDirectory, StoreMode, Strict, Types, URLs, XMLAnnotationParser, XMLParser].
Ensure that your plugin configuration string uses key values that correspond to setter methods in the plugin class.
I suppose I missed something in configuration...
Any help would be appreciated.
Tx
Using --oauth2-jpa-properties you can set any persistence unit properties you want, I guess you will have to override openjpa.MetaDataFactory default value which is set to jpa(Types=org.apache.cxf.rs.security.oauth2.common.Client,org.apache.cxf.rs.security.oauth2.common.OAuthPermission,org.apache.cxf.rs.security.oauth2.common.UserSubject,org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant,org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken,org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken).
You can also check if your configuration is properly propagated and if there is no classpath conflict (another persistence.xml with an oauth2 unit?) because I just retested and your configuration seems to work.
Romain
I am trying to create a REST API with wso2 API_Manager to gather data from a Postgres database (learning purpose). I struggle doing so and I would like to know whether:
I did not understand wso2 components' roles properly (new techno and subject for me)
or there is an error in the way I configured the manager.
System setup
I used this official docker image, added postgres jdbc jar in /repository/components/lib/ and added the following in /repository/conf/datasources/master-datasources.xml:
<datasource>
<name>s0m3dAtabas3</name>
<description>The db used for testing purposes</description>
<definition type="RDBMS">
<configuration>
<url>jdbc:postgresql://sandor_postgres:5432/s0m3dAtabas3</url>
<driverClassName>org.postgresql.Driver</driverClassName>
<username>s0m3us3rfr0mdAtAMaj0r</username>
<password>N0t5uchAs1mple1</password>
<maxActive>80</maxActive>
<minIdle>5</minIdle>
<maxWait>60000</maxWait>
<defaultAutoCommit>false</defaultAutoCommit>
<testOnBorrow>true</testOnBorrow>
<validationInterval>30000</validationInterval>
</configuration>
</definition>
</datasource>
I made sure than the postgres' container named sandor_postgres is accessible from wso2's with these credentials. In this database, I have a table called something. The image comes with the following UIs:
admin
publisher
store
Graphical API creation
I first followed the WorldBank tutorial which seemed crystal clear (though I am not quite sure where the data came from). I then tried to adapt it.
Step 1: Design
I used the database name as context (s0m3dAtabas3) v.1.0.0. Since the table is called something, the url pattern I end up with is /s0m3dAtabas3/1.0.0/something
Step 2: Implement
This is where things start to be confusing. No matter the resource path I use in the Endpoint (end point type REST), I get a 404 and the logs are not very helpful
http://192.168.8.111:8280 -> 404
http://192.168.8.111:8280/something -> 404
http://192.168.8.111:9443/tried_several -> Invalid - Error connecting to backend
http://192.168.8.111:8243/tried_several -> Invalid - Error connecting to backend
INFO - InboundDBSyncRequestEvent Running DB sync task.
INFO - LogMediator STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = /s0m3dAtabas3/1.0.0
INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2019-10-29 11:42:31,030+0000]
INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2019-10-29 11:42:31,197+0000]
INFO - LogMediator STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = /s0m3dAtabas3/bullshit
INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2019-10-29 11:48:30,649+0000]
INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2019-10-29 11:48:30,790+0000]
INFO - LogMediator STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = /
INFO - InboundDBSyncRequestEvent Running DB sync task.
INFO - LogMediator STATUS = Message dispatched to the main sequence. Invalid URL., RESOURCE = /
Did I miss some important configuration step or wso2 API Manager is not the standalone component I thought it was and requires another component to achieve what I am looking for?
It seems there is a misunderstanding in the concept-wise.
Here is the basic idea of a typical API Management solution.
You have a web service (REST, SOAP, etc...) which you need to expose as a managed API. Now, you can front your service with API Manager and expose it as a managed API with security, rate limiting, managed life cycle etc.
In your case, it seems you don't have such a service, but only have a database table. So, before using API Manager to front your service, you first need to expose your table as a service. For that purpose, I'd suggest you use the data service component of WSO2 EI 7.0.0. See [1] for how to do that. Once you have your service ready, you can use API Manager to expose it as a managed API.
[1] https://ei.docs.wso2.com/en/latest/micro-integrator/use-cases/tutorials/sending-a-simple-message-to-a-datasource/
I'm having an issue where I cannot prevent the shutdown strategy in camel from logging my full URL. This is a problem because the URL has a password in it.
Neither of the .logMask() calls suppress this log line. How can I go about preventing this from being logged?
context.addRoutes(new RouteBuilder() {
#Override
public void configure() {
from(uriString)
.logMask()
.process(exchange -> {
Message in = exchange.getIn();
// Doing some business logic here
})
.toD("direct:someOtherRoute")
.logMask();
}
});
The line being logged:
kafka://MY-TOPIC-NAME?saslJaasConfig=passwordThatShouldNotBeLogged&otherParams...
Edit: The full url is being logged both on startup and shutdown.
Okay this information is logged by Camel. But we have fixed this for next releases (2.25.0 onwards, and the 3.x branches).
For your current version, you cannot prevent this. However you can configure the logging level for that shutdown class to be WARN level.
You can also patch your Camel version yourself, this is the commit
https://github.com/apache/camel/commit/f60e4a73935bea211eec38823698d73bd1d0bd62
If your sensitive endpoint parameters are for SSL configuration, you can register the SSL configuration in the Camel Context and only reference it in the endpoint parameters.
kafka://MY-TOPIC-NAME?sslContextParameters=#ssl
See the Camel-Kafka Docs (section SSL Configuration) for details.
I'm trying to configure SSL for Kafka Connect REST API (2.11-2.1.0).
The problem
I tried two configurations (worker config):
with listeners.https. prefix
listeners=https://localhost:9000
listeners.https.ssl.keystore.location=/mypath/keystore.jks
listeners.https.ssl.keystore.password=mypassword
listeners.https.ssl.key.password=mypassword
and without listeners.https. prefix
listeners=https://localhost:9000
ssl.keystore.location=/mypath/keystore.jks
ssl.keystore.password=mypassword
ssl.key.password=mypassword
Both configurations starts OK, and show following exception when trying to connect to https://localhost:9000 :
javax.net.ssl.SSLHandshakeException: no cipher suites in common
In log, I see that SslContextFactory was created with any keystore, but with ciphers:
210824 ssl.SslContextFactory:350 DEBUG: Selected Protocols [TLSv1.2, TLSv1.1, TLSv1] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
210824 ssl.SslContextFactory:351 DEBUG: Selected Ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ...]
210824 component.AbstractLifeCycle:177 DEBUG: STARTED #10431ms SslContextFactory#42f8285e[provider=null,keyStore=null,trustStore=null]
What I did
As I know that password from keystore is absolutely correct, I digged into source code, and started to debug.
Finally, I find out that neither plain ssl.* nor prefixed listeners.https.ssl.* configurations are not taken into account, and it turns that there is not possibility to configure SSL for Kafka Connect REST API currently.
Call sequence is:
RestServer.createConnector
SSLUtils.createSslContextFactory
AbstractConfig.valuesWithPrefixAllOrNothing
Last method is the reason of troubles.
If we have listeners.https. properties, they cannot be returned, because they filtered out at line 254 (since WorkerConfig contains no properties with the prefix).
Otherwise, if we have unprefixed ssl. properties, they also not returned, because values field contains only known properties from the same WorkerConfig (values are result of ConfigDef.parse).
Am I missing something, and has anyone successfully configured SSL for kafka connect rest api ?
Try export KAFKA_OPTS=-Djava.security.auth.login.config=/apps/kafka/conf/kafka/kf_jaas.conf where kf_jaas.conf contains ZooKeeper client authentication
I haven't test Connect REST API, but KafkaTemplate send and recieves messages with ssl.
From your configuration i may assume two problems:
you not specified the truststore (for certificate chain check)
you used absolute path, but spring keystore-location interprets as
relative to /webapp
I tried test application from examples:
https://memorynotfound.com/spring-kafka-and-spring-boot-configuration-example/
and
https://gist.github.com/itzg/e3ebfd7aec220bf0522e23a65b1296c8
Tested with springboot 2.0.4.RELEASE, used kafka library
<dependency>
<groupId>org.springframework.kafka</groupId>
<artifactId>spring-kafka</artifactId>
</dependency>
and this my application.properties content:
spring.application.name=my-stream-app
spring.kafka.bootstrap-servers=localhost:9093
spring.kafka.ssl.truststore-location=kafka.server.truststore.jks
spring.kafka.ssl.truststore-password=123456
spring.kafka.ssl.keystore-location=kafka.server.keystore.jks
spring.kafka.ssl.keystore-password=123456
spring.kafka.ssl.key-password=123456
spring.kafka.properties.security.protocol=SSL
spring.kafka.consumer.group-id=properties test-consumer-group
app.topic.foo=test
fragment of kafka server configuration:
listeners=SSL://localhost:9093
ssl.truststore.location=/home/legioner/kafka.server.truststore.jks
ssl.truststore.password=123456
ssl.keystore.location=/home/legioner/kafka.server.keystore.jks
ssl.keystore.password=123456
ssl.key.password=123456
Was considering an application, to try to improve the response time. When I came across the following excerpt from the file "jboss-4.2.3.GA \ server \ default \ conf \ login-config.xml"
<application-policy name="domainroles">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:jdbc/PostgreAPP</module-option>
<module-option name="principalsQuery">select "TX_PASS" from appbd."TB_SYSTEM" where "NM_SYSTEM"=?</module-option>
<module-option name="rolesQuery">select "NM_TRANSACTION" || "CD_OPTION", 'Roles' from appbd."TB_TRANSATION" where "ID_TR" in (select "ID_TR" from appbd."TB_TR_SYSTEM" where "ID_SYSTEM" in (select "ID_SYSTEM" from appbd."TB_SYSTEM" where "NM_SYSTEM" = ?))</module-option>
</login-module>
</authentication>
</application-policy>
My question is, each incoming request the webservice when the JBOSS will check if the user can access that particular service, it does a select on the database or it already carries all while starting the server?
If I change the SELECT by a properties file will have a significant improvement in performance?
Note: The application receives 5000 requests per minute.
Thank you
The JaasSecurityManagerService caches authentication results to avoid constant access of the security store associated with login modules. The default cache policy is a time based policy that is controlled by the DefaultCacheTimeout attribute.
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
name="jboss.security:service=JaasSecurityManager">
<attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
<attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
<!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
in seconds.
If you want to disable caching of security credentials, set this to 0 to
force authentication to occur every time. This has no affect if the
AuthenticationCacheJndiName has been changed from the default value.
-->
<attribute name="DefaultCacheTimeout">1800</attribute>
<!-- DefaultCacheResolution: Specifies the default timed cache policy
resolution in seconds. This controls the interval at which the cache
current timestamp is updated and should be less than the DefaultCacheTimeout
in order for the timeout to be meaningful. This has no affect if the
AuthenticationCacheJndiName has been changed from the default value.
-->
<attribute name="DefaultCacheResolution">60</attribute>
</mbean>
DefaultCacheTimeout: Specifies the default timed cache policy timeout in seconds. The default value is 1800 seconds (30 minutes).
The value you use for the timeout is a tradeoff between frequent
authentication operations and how long credential information may be
out of sync with respect to the security information store. If you
want to disable caching of security credentials, set this to 0 to
force authentication to occur every time. This has no affect if the
AuthenticationCacheJndiName has been changed from the default value.
About change to a properties file, depends on amount of user, roles, filesystem etc.
Also the database will cache consecutive queries.