I have successfully applied an authentication constraint in conf/web.xml to all pages on my Tomcat 9 server using Kerberos, as follows:
<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Content</web-resource-name>
      <description>Authentication Required</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
  </login-config>
  <security-role>
    <role-name>USER_ROLE</role-name>
  </security-role>
</web-app>
Everything is working as expected, including Kerberos.
Now I want to exclude all pages under /services from the security constraint so they can be accessed without any authentication. I would prefer to do it in conf/web.xml because there will be multiple applications deployed under /services and I would rather not configure each individually.
Based on other Stackoverflow answers, I added this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <description>No Authentication Required</description>
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Regardless of which order the security constraints are applied, I get a 401 error for the applications under /services when I test them using curl. If I remove the original security constraint, I can access the /services applications just fine.
The second security constraint is being ignored. Why would this be happening?
Related
I have a Spring MVC REST application that is deployed as a WAR file to IBM WebSphere Application Server v8.5. I want to secure some of the REST APIs in this application, hence I used the application web.xml and declared the security role I want, then I enabled application security from the WAS console, but for some reason my security roles are ignored and I can access all REST APIs that are supposed to be secured. Any help is appreciated.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
  <servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/applicationContext.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LBS_System</web-resource-name>
      <url-pattern>/LBS/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrators</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>defaultWIMFileBasedRealm</realm-name>
  </login-config>
  <security-role>
    <role-name>Administrators</role-name>
  </security-role>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <resource-ref>
    <res-ref-name>jdbc/MoictDB</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
  </resource-ref>
  <persistence-unit-ref>
    <persistence-unit-ref-name>persistence/MoICTAppUnit</persistence-unit-ref-name>
    <persistence-unit-name>MoICTAppUnit</persistence-unit-name>
  </persistence-unit-ref>
</web-app>
You should not include your context-root (LBS in your case) in the url-pattern. It is relative to your application's context-root. The /* pattern protects all URLs, but only in your application, not others. So if you just want to protect, for example, the REST API, which is usually mapped to some sub-path such as /LBS/rest/something, you would put /rest/* in the pattern.
You should not include the context-root in any mappings or url-patterns in web.xml, especially since the application might be deployed under a different context-root, in which case it would be broken.
I have a Dynamic Web Project with JAAS; it has a LoginModule.
Now I have a ROLE and I give it privileges like this:
<security-constraint>
  <display-name>PRIVILEGES</display-name>
  <web-resource-collection>
    <web-resource-name>PRIVATE</web-resource-name>
    <url-pattern>/usuario/*</url-pattern>
    <url-pattern>/Data</url-pattern> <!-- This is a Servlet (JAAS protects it) -->
    <url-pattern>/getEstudent</url-pattern> <!-- RequestMapping from Spring (JAAS does not protect it) -->
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>USER1</role-name>
  </auth-constraint>
</security-constraint>
I have integrated this with Spring, and I want to protect this URL, "getEstudiante", but JAAS does not protect it.
How do I protect a "RequestMapping" from a Controller? Thanks.
The following are the tags I am using in my web.xml file.
What is web-resource-name?
<security-constraint>
  <web-resource-collection>
    <web-resource-name>profile</web-resource-name>
    <url-pattern>/profile/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
I found a page in the Java EE 6 docs which seems to answer your question, and explains some other tags besides:
A web resource collection consists of the following subelements:
web-resource-name is the name you use for this resource. Its use is optional.
I am trying to configure a Tomcat 7 JDBC realm.
I have followed this tutorial completely:
http://www.avajava.com/tutorials/lessons/how-do-i-use-a-jdbc-realm-with-tomcat-and-mysql.html
I get the basic authentication pop-up, but even if I enter the correct credentials, the user is not authenticated.
I don't get any error message.
The tutorial specifies Tomcat 5.5, but I am using Tomcat 7.
I have only changed the connectionPassword and connectionName and the name of the dynamic web project.
Here is the server.xml JDBC realm configuration:
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost:3306/tomcat_realm"
       connectionName="root"
       connectionPassword="root"
       userTable="tomcat_users"
       userNameCol="user_name"
       userCredCol="password"
       userRoleTable="tomcat_users_roles"
       roleNameCol="role_name" />
Here is web.xml:
<servlet>
  <servlet-name>TestServlet</servlet-name>
  <servlet-class>test.TestServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/test</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>dude</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
All I can see is this message regarding security:
Security role name dude used in an <auth-constraint> without being defined in a <security-role>
Can you please help me sort this out? Is this issue related to Tomcat 7?
Per the Java Servlet Spec, you need to define the dude role as a security role. To do this, add the <security-role> element to your web.xml, as shown below:
<servlet>
  <!-- ... -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>dude</role-name>
  </auth-constraint>
  <!-- ... -->
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>dude</role-name>
</security-role>
This would allow GET/POST requests from any user having the dude role.
I'd suggest you don't include the <http-method> elements, as they don't work as you might expect. Including this element for GET and POST means that the security constraint applies only to these two methods; any other method is allowed. Here is what the Servlet Spec says:
The sub-element web-resource-collection identifies a subset of the resources and HTTP methods on those resources within a Web application to which a security constraint applies.
See this reference for details.
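Added example (not code from any post on this page): a small Python model of the Servlet-spec security-constraint matching that underlies three of the threads above, the /services exclusion that still returns 401, the "url-pattern is relative to the context-root" answer, and the http-method caveat just quoted. It evaluates a constructed web.xml with the same constraint shapes seen on this page against a request and shows that patterns are matched against the context-relative path (so a /services/* constraint in conf/web.xml never matches from inside an application deployed at context path /services/app1) and that a GET/POST-only constraint leaves DELETE unconstrained. The context path, request paths and the Administrators role are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml with the constraint shapes seen on this page: a /* catch-all needing
# any role, /services/* with no <auth-constraint>, and /admin/* restricted to GET/POST only.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/services/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def parse_constraints(xml_text):
    """Yield (pattern, methods, roles): empty methods = all; roles None = no <auth-constraint>."""
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text for r in ac.findall("role-name")]
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text for m in wrc.findall("http-method")}
            for p in wrc.findall("url-pattern"):
                yield p.text, methods, roles

def match_rank(pattern, path):
    """Servlet spec best-match order: exact match, then longest path prefix (extension omitted)."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    return None

def decide(xml_text, context_path, request_uri, method):
    """Return 'open', 'deny', or the set of roles allowed, for a request routed to this context."""
    path = request_uri[len(context_path):] or "/"  # patterns see only the context-relative path
    ranked = [(r, c) for c in parse_constraints(xml_text) if (r := match_rank(c[0], path))]
    best = max((r for r, _ in ranked), default=None)
    hits = [c for r, c in ranked if r == best and (not c[1] or method in c[1])]
    if not hits or any(c[2] is None for c in hits):
        return "open"  # best pattern matched but method uncovered, or no <auth-constraint>
    roles = set().union(*(set(c[2]) for c in hits))
    return roles or "deny"  # an empty <auth-constraint/> denies every user
```

Running decide(WEB_XML, "/services/app1", "/services/app1/foo", "GET") yields {"*"} (authentication required) because the application only ever sees /foo, while the same request in a ROOT context yields "open"; a Servlet 3.1 application can close the uncovered-method gap with <deny-uncovered-http-methods/>.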
I can't seem to get Weblogic's session replication to work.
I have set up my web.xml such that all requests require Admin credentials:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>redirect</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp</form-error-page>
  </form-login-config>
</login-config>
In my weblogic.xml, I have set up:
<session-descriptor>
  <persistent-store-type>replicated_if_clustered</persistent-store-type>
</session-descriptor>
My test case is with two managed servers:
Navigate to my web page.
Bring down one managed server (the one that I am currently connected to).
Failover occurs and I am asked for my credentials.
I expect failover to occur seamlessly, without having to log in again.
Try enabling the session replication option in the WebLogic admin console...
Log on to the admin console -> go to cluster -> go to advanced -> tick Session replication.
Note: It's not good practice to touch .xml files to change any property....