I'm trying to map user groups using ibm-application-bnd.xml. Put it into META-INF folder. On try to access secure page get next message:
[08.05.15 17:42:21:242 MSK] 00000084 WebCollaborat A SECJ0129E: ... GET в null:/loginmodule/date/, Authorization failed, Not granted any of the required roles: user-role
When I try configure it with ibm console it works. All configuration WAS writes into ibm-application-bnd.xmi instead of ibm-application-bnd.xml.
What do I wrong?
Using Websphere AS 8.5.5 with Java 1.6
ibm-application-bnd.xml:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/dxml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.2">
<security-role name="user-role">
<group name="user-group" />
</security-role>
</application-bnd>
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Constraint</display-name>
<web-resource-collection>
<web-resource-name>secrets</web-resource-name>
<description />
<url-pattern>/date/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user-role</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>user-role</role-name>
</security-role>
<servlet>
<servlet-name>date</servlet-name>
<servlet-class>ru.servlet.TimeServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>date</servlet-name>
<url-pattern>/date/*</url-pattern>
</servlet-mapping>
</web-app>
WebSphere Application Server uses XML for EE 5+ only, and that decision is made on a per-deployment descriptor basis. If ibm-application-bnd.xmi is being used, then I suspect your application.xml has version="1.4" or lower, so try again after updating to an EE 5 XML header (remove doctype, add xmlns, add xmlns:xsi, add xsi:schemaLocation, update version attribute).
I had to change the version in my ear POM maven-ear-plugin. Because default it generates a 1.3 application.xml so the Websphere server only expect a ibm-application-bnd.xmi file and not a ibm-application-bnd.xml file
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-ear-plugin</artifactId>
<configuration>
<version>6</version>
<security>
<security-role>
<role-name>manager</role-name>
</security-role>
</security>
<modules>
<webModule>
<groupId>${project.groupId}</groupId>
<artifactId>my-war</artifactId>
<contextRoot>/my-app</contextRoot>
</webModule>
</modules>
</configuration>
Thanks to bkail
Related
I have the following security configuration in my web.xml. I am using IBM WAS and opted for AD Authentication for my app. As part of AD configuration I have Mapped the TEST role to an AD Group. Now each time i do a deployment, the mapping is vanishing. Is there way to persist the mapping?
<security-role>
<description>Test</description>
<role-name>TEST</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/test/*</url-pattern>
<url-pattern>/rock/index.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>TEST</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/rock/signon/login.html</form-login-page>
<form-error-page>/rock/signon/login.html</form-error-page>
</form-login-config>
</login-config>
There are two ways to do this
using ibm-application-bnd.xml and application.xml in ear/META-INF
configuring the WAS script to make the changes.
I have not explored the second option, but i resolved the deployment problem using the first approach
ibm-application-bnd.xml
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
xmlns="http://websphere.ibm.com/xml/ns/javaee"
version="1.2">
<security-role name="ROLE">
<group name="LDAP GROUP" />
</security-role>
</application-bnd>
application.xml
<?xml version="1.0" encoding="UTF-8"?>
<application xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_6.xsd" version="6">
<display-name>rest-ear</display-name>
<module>
<web>
<web-uri>rest-1.0.0-SNAPSHOT.war</web-uri>
<context-root>/rest</context-root>
</web>
</module>
<security-role>
<role-name>ROLE</role-name>
</security-role>
</application>
I am trying to merge two wars and thereby the web.xml files using the maven uber war cargo-maven2-plugin. The merge on all the tags (filters, servlet) happens as desired, but for <context-param> it's only merging the first element defined in the web.xml on R.H.S. I want to keep all context-param on the web.xml on L.H.S merge all the <context.param> elements defined in my web.xml on R.H.S. Any help would be appreciated. Here is my code
web.xml on R.H.S
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- ** SPRING ** -->
<context-param>
<param-name>contextInitializerClasses</param-name>
<param-value>com.myorg.context.MyApplicationContextInitializer</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:conf/spring/*.xml</param-value>
</context-param>
<context-param>
<description>Location(s) to search for the Log4J config file</description>
<param-name>log4jConfigLocation</param-name>
<param-value>file:/dir/path/log4j.xml /WEB-INF/log4j.xml</param-value>
</context-param>
<context-param>
<description>
Boolean flag indicating whether internal Log4J debugging statements should be written. Log4J
will write debugging messages to System.out and error messages to System.err.
</description>
<param-name>log4jConfigDebug</param-name>
<param-value>false</param-value>
</context-param>
**
merge.xml
**
<?xml version="1.0"?>
<uberwar>
<wars>
<war>org.forgerock.openam:openam-server</war>
<war>com.myorg.xyz.addons:my-sso-addons-web</war>
</wars>
<merges>
<merge>
<type>web.xml</type>
<parameters>
<default>
<!-- Preserve execution order of filter-mappings -->
<tag name="context-param">
<strategy name="ChooseByName">
<default>
<strategy name="Preserve" />
</default>
<choice name="contextInitializerClasses">
<strategy name="Overwrite" />
</choice>
<choice name="contextConfigLocation">
<strategy name="Overwrite" />
</choice>
<choice name="log4jConfigLocation">
<strategy name="Overwrite" />
</choice>
</strategy>
</tag>
<tag name="filter-mapping">
<strategy name="Preserve"/>
</tag>
</default>
</parameters>
</merge>
</merges>
</uberwar>
pom.xml
<!-- other entries are here -->
<packaging>uberwar</packaging>
<build>
<plugins>
<!-- merges openam-server with openam-addons-web-common -->
<plugin>
<groupId>org.codehaus.cargo</groupId>
<artifactId>cargo-maven2-plugin</artifactId>
<extensions>true</extensions>
<configuration>
<!-- merges the wars -->
<descriptor>src/assembly/merge.xml</descriptor>
<configuration>
<type>existing</type>
<home>${jboss.home}/aclsso</home>
</configuration>
<deployer>
<type>installed</type>
</deployer>
<deployables>
<deployable>
<groupId>${project.groupId}</groupId>
<artifactId>${project.artifactId}</artifactId>
<type>war</type>
<properties>
<context>openam</context>
</properties>
</deployable>
</deployables>
</configuration>
</plugin>
</plugins>
</build>
Well, the problem in this particular case was the difference in the xmlns version, and schema location at the top of web.xml. The first war had version=2.4, while the second one had version=3.0. Keeping both the web.xml schemas in sync by using the following resolved the issue (I have no idea why it merged the filter, servlet tags, and failed on merging all the context-param tags though).
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
I
I've followed this tutorial http://blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html
The problem is that I get login dialog again and again like pass is wrong (and never page), but I clearly see values in DB. Pass is MD5 of the word 'admin'.
So how to debug it?
Here are the settings and printscreens: http://codepad.org/jHNRpAta
And here is web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>security</realm-name>
</login-config>
<security-role>
<description/>
<role-name>USER</role-name>
</security-role>
<security-role>
<description/>
<role-name>ADMIN</role-name>
</security-role>
</web-app>
And here is glassfish-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>USER</role-name>
<group-name>USER</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>ADMIN</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
I am developing my first application in spring security. My applicationContext-security.xml file looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!--
- Namespace-based OpenID configuration
-->
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http>
<intercept-url pattern="/**" access="ROLE_USER"/>
<intercept-url pattern="/index.xhtml*" filters="none"/>
<logout/>
<openid-login login-page="/index.xhtml" authentication-failure-url="/index.xhtml?login_error=true">
<attribute-exchange>
<openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" count="2"/>
<openid-attribute name="name" type="http://schema.openid.net/namePerson/friendly" />
</attribute-exchange>
</openid-login>
<remember-me token-repository-ref="tokenRepo"/>
</http>
<b:bean id="tokenRepo"
class="org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl" />
<authentication-manager alias="authenticationManager"/>
<user-service id="userService">
<user name="http://user.myopenid.com/" authorities="ROLE_SUPERVISOR,ROLE_USER" />
</user-service>
</b:beans>
and Web.xml file is:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
<display-name>Spring Security OpenID Demo Application</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>openid.root</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<welcome-file-list>
<welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
</web-app>
Clean and Build of the application is successful, but when I try to deploy the application jetty 7 gives me following error:
SEVERE: Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/applicationContext-security.xml]
at org.springframework.beans.factory.parsing.FailFastProblemReporter.error(FailFastProblemReporter.java:68)
at org.springframework.beans.factory.parsing.ReaderContext.error(ReaderContext.java:85)
at org.springframework.beans.factory.parsing.ReaderContext.error(ReaderContext.java:80)
Tried everything but can't solve this error. Any help would be appreciated.
EDIT
I tried added 3.0.2 version of the Spring-Security and got this:
Context initialization failed
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 13 in XML document from ServletContext resource [/WEB-INF/applicationContext-security.xml] is invalid;
nested exception is org.xml.sax.SAXParseException; lineNumber: 13; columnNumber: 11; cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'http'.
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334
You need a spring-security-config.jar on your classpath.
The exception means that the security: xml namescape cannot be handled by spring "parsers". They are implementations of the NamespaceHandler interface, so you need a handler that knows how to process <security: tags. That's the SecurityNamespaceHandler located in spring-security-config
I had the same problem. The only thing that solved it was merge the content of META-INF/spring.handler and META-INF/spring.schemas of each spring jar file into same file names under my META-INF project.
This two threads explain it better:
maven assembly plugin and spring namespace handlers
Thread: unable to locate Spring NamespaceHandler for XML schema namespace
In my case, this was caused by custom manifest entries added by the maven-jar-plugin.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>2.6</version>
<configuration>
<archive>
<index>true</index>
<manifest>
<addClasspath>true</addClasspath>
</manifest>
<manifestEntries>
<git>${buildNumber}</git>
<build-time>${timestamp}</build-time>
</manifestEntries>
</archive>
</configuration>
</plugin>
Removing the following entries fixed the problem
<index>true</index>
<manifest>
<addClasspath>true</addClasspath>
</manifest>
I'd like to protect a single .jsp-page from anonymous access. I'm trying to do that the following way:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>
t-webapp</display-name>
<servlet>
<servlet>
<description>
</description>
<display-name>
ZServlet</display-name>
<servlet-name>ZServlet</servlet-name>
<servlet-class>
a.b.c.d.application.t.ZServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ZServlet</servlet-name>
<url-pattern>/ZServlet</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>
TTests</display-name>
<web-resource-collection>
<web-resource-name>TTests</web-resource-name>
<url-pattern>/ttests.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<description>
TServletRoles</description>
<role-name>role_admin1</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
role_admin1</description>
<role-name>role_admin1</role-name>
</security-role>
But whenever I'm accessing ttests.jsp, I'm getting access immediately - without having to fill username/password... what am I missing?
Thanks a lot!
The first step would be to make sure that global security is enabled on your websphere profile with the Enable application security check box checked.