Tomcat configuration whit LDAP - tomcat7

Users and roles are created in ApacheDS and are visible on ArcGIS Manager.
Link to free wms service works, after changing service security to private QGIS throws an error - forbidden.
Windows server 2012 R2
ArcGIS Server 10.5
ApacheDS 2.0.0-M23
Apache-tomcat 7.0.65
Web Adaptor Java Windows 105_154008
Windows firewall - off
How to properly configure Tomcat to allow secure acces to services?
ApacheDS configuration:
users:
cn: username1
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: username1
uid: username1
userPassword: userpassword
groups:
cn: Administrators
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=username1,ou=users,ou=system
ArcGIS Server Security - Configuration Settings
1.User and Role Management - Users from an existing enterprise system (LDAP or Windows Domain) and roles from ArcGIS Server's built-in store
2.Enterprise Store Type - LDAP
3.LDAP User Store:
Host name: vms12
Port: 10389
Base DN: ou=system
URL: ldap://vms12:10389/ou=system
RDN attribute: uid
Administrator's DN: uid=admin,ou=system
4.Authentication Tier - Web Tier
Tomcat configuration:
C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://localhost:10389"
connectionName="uid=admin,ou=system"
connectionPassword="password"
userBase="ou=system"
userSubtree="true"
userSearch="(uid={0})"
roleBase="ou=system"
roleName="cn"
roleSearch="(uniquemember={0})"
roleSubtree="true"
/>
</Realm>
<Host name="localhost" appBase="webapps"
C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>WMS Services</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>WMS services</realm-name>
</login-config>
<security-role>
<description>
The role that is required to access the HTML Manager pages
</description>
<role-name>Administrators</role-name>
</security-role>

Related

Liberty server 19.0.0.9 -how to authorize unauthenticated user

I have new problem with container security . On the server i have two ears first call service from second. On service there is #RolesAllowed("Authenticated"). My configuration in server.xml looks like this:
<featureManager>
<feature>jndi-1.0</feature>
<feature>distributedMap-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>wasJmsClient-2.0</feature>
<feature>jdbc-4.1</feature-->
<feature>javaMail-1.5</feature>
<feature>json-1.0</feature>
<feature>adminCenter-1.0</feature>
<feature>appSecurity-2.0</feature>
<feature>beanValidation-2.0</feature>
<feature>cdi-2.0</feature>
<feature>jsf-2.3</feature>
<feature>mdb-3.2</feature>
<feature>ejbHome-3.2</feature>
<feature>ejbLite-3.2</feature>
<feature>ejbRemote-3.2</feature>
<feature>jca-1.7</feature>
<feature>concurrent-1.0</feature>
<feature>jms-2.0</feature>
<feature>appClientSupport-1.0</feature>
<feature>ldapRegistry-3.0</feature>
</featureManager>
<basicRegistry id="basic" realm="customRealm">
<user password="{xor}Ozo5Kiw6LQ==" name="defuser" />
</basicRegistry>
Both ears contains identical configuration
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
The second ear contains ibm-application-ibd.xml file but i can not edit it. Best would be to override it.
When i call service from second ear i still get exception :
Caused by: javax.ejb.EJBAccessException: CWWKS9400A: Authorization failed for user UNAUTHENTICATED while invoking
Eny ideas ?
Liberty allows you to override application binding files using the server config element application-bnd, see IBM KnowledgeCenter topic https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.base.doc/ae/rwlp_config_enterpriseApplication.html#application-bnd and https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_rolebased.html for details.
According to my experience configuring the authentication with Websphere Liberty, the login showed up only for restricted pages only, so the app needs to definen some security constraint in the web.xml like this example:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured API</web-resource-name>
<url-pattern>/s/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>user</role-name>
</security-role>

Springboot digest authentication support

I need to implement HTTP digest authentication for my Springboot Application. I have tried configuring this from Tomcat setup (How to use digest authentication in Tomcat 8.5? ut since Springboot doesn't generate any web.xml, I couldn't configure this. Can someone, please, give a piece of advice as for is there any alternative?
Steps Followed
1.generated sha -256 password
digest.bat -s 0 -a sha-256 tomcat
2. updated tomcat user file
<role rolename="admin-gui"/>
<user username="tomcat" password="ce066452368a3498047a43323cff46a00222945691d728747a2283273506a0a7"
roles="manager-gui,manager,admin"></user>
3. updated tomcat conf/server.xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
</Realm>
</Realm>
4. updated tomcat conf/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureResource</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin-gui</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin-gui</role-name>
</security-role>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>

Configuring Liberty with httpProxyRedirect

I am attempting to redirect traffic on insecure port to secure port as described here:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.liberty.autogen.core.doc/ae/rwlp_config_httpProxyRedirect.html
Instead both ports are available and I see nothing in the logs. It's as if the httpProxyRedirect isn't being configured at all.
<?xml version="1.0" encoding="UTF-8"?>
<server description="CAST Liberty Server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
</featureManager>
<application id="app" context-root="/" type="war" location="${war.name}">
<classloader apiTypeVisibility="spec, ibm-api, api, third-party" />
</application>
<httpProxyRedirect id="defaultHttpProxyRedirect" httpPort="${http.port}" httpsPort="${https.port}" />
<keyStore id="defaultKeyStore" password="pass" />
<httpEndpoint host="*" httpPort="${http.port}" httpsPort="${https.port}" id="defaultHttpEndpoint" />
<applicationMonitor updateTrigger="mbean" />
</server>
Most likely, you are missing the security-constraints in the web.xml. This configuration tells the server which URLs need to be accessed over a secure transport and then re-directs qualifying requests from the non-secure port to the secure port. This tutorial may help: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html
Also, keep in mind that the httpProxyRedirect configuration in the server.xml is intended for redirecting when you have a proxy server in front of your application server. For example, you may have your proxy server on the main "www.ibm.com" host - listening on HTTP port 80 and HTTPS port 443. But that host may route some requests to your Liberty application server on some other host (like "app1host.internal.ibm.com") that listens on different ports (i.e. HTTP port 9080 and HTTPS port 9443). In that case, just using the security-constraints in the web.xml would attempt to redirect the client request on the Liberty server from 9080 to 9443 but on the www.ibm.com host - where nothing is listening on those ports. In this case, you should configure httpProxyRedirect like this:
<httpProxyRedirect httpPort="80" httpsPort="443" host="www.ibm.com" />
With the configuration, a client HTTP request to a secured URL will get redirected to www.ibm.com on port 443, where the proxy server will forward the request to app1host.internal.ibm.com port 9443.
Hope this helps,
Andy
This is the security constraint that i am using in my web.xml and it works well for both Tomcat and IBM Websphere 8.5.5.15:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: make sure that you put it after your <servlet-mapping>.

IBM Liberty client certificate authentication

I am trying to configure my liberty server for client certificate authentication by these steps:
http://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_clientcert.html
My liberty configuration:
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
<feature>restConnector-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>monitor-1.0</feature>
<feature>jsp-2.3</feature>
<feature>adminCenter-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9081"
httpsPort="9444" />
<application id="Sample" name="Sample" type="war" location="Sample.war"/>
<keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<keyStore id="defaultTrustStore" location="truststore.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true"/>
<webAppSecurity allowFailOverToBasicAuth="true" />
<auth-method>CLIENT-CERT</auth-method>
<basicRegistry id="basic">
<user identity="CN=Admin,O=myOrg,C=country" name="Admin" password="admin" />-->
</basicRegistry>
<administrator-role>
<user>Admin</user>
</administrator-role>
</server>
From java client I get:
CWWKX0229E: There was a problem with the user credentials provided. The server responded with code 401 and message 'Unauthorized'
I think my user mapping is wrong. Can somebody give me an example how to map client certificate with the liberty user?
Is the intent to login to web application using the certificate rather than user/password? You need to define the CLIENT-CERT in web.xml. You will have to install the certificate on your browser from where application will be accesses. Also, Liberty server will need to have the signer certificate in the trust store. You may also define certificate filter if the certificate DN name does match exactly to registry user.
Below command can be added to server.xml so that basic authentication can be use if client certificate authentication did not succeed.
You may also want to confirm that your application does work with basic authentication.
More details at:
http://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_clientcert.html

Tomcat Realm security-constraint disable for localhost

I have added security-constraint to protect some folders of the app.
<security-constraint>
<web-resource-collection>
<web-resource-name>panel</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>super</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Panel</realm-name>
</login-config>
I added proper user SUPER to tomcat-users, this is all seems to be working fine when I deploy the app. However when I run it locally from exclipse via maven, using tomcat7:run, my local setup does not have tomcat-users.xml file, so basically I am not sure how to configure users locally. Security works but no users defined.
Can u please tell me how to pass or specify custom tomcat-sers.xml file for the mavens tomcat plugn
I got it, if anybody ever needs it.
In pom.xml find your plugin block for tomcat7-maven-plugin and specify in configuration custom tomcat-users.xml path.
<configuration>
<tomcatUsers>path/tomcat-users.xml</tomcatUsers>
</configuration>

Resources