Jetty: how to secure websocket connection in web.xml? - websocket

I followed this article and created the simplest websocket echo application. Although the article is about Glassfish, I successfully ran my app under Jetty 9, as they are using the standard javax.websocket API in the article.
It works just fine, but now I want to secure the websocket connection. I googled around and found most examples are written as standalone Java applications (with a public static void main() method). They create a new ConnectionFactory and start the server from their code (like here, for example).
But I want to run my app under Jetty as a container, so I want to just specify some options in web.xml or something to secure my connection. So I found this article and modified my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected resource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <!-- https -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
The problem is it doesn't work. Probably because the article is about Glassfish again.
How it does NOT work:
My IDE (IDEA) shows all tags inside <security-constraint> in red, which means schema validation has failed and these tags cannot be contained inside <security-constraint>.
When I try to open index.html over HTTPS I get the error ssl_error_rx_record_too_long in the browser, and there are also two errors in the Jetty output:
Illegal character 0x16 in state=START for buffer HeapByteBuffer
and
badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp
So... What am I doing wrong? How do I make a secured websocket via Jetty or application configuration?

The security-constraint tag you described is mostly used to specify BASIC authentication mode in the application server.
I guess you want to enable HTTPS and not authentication. For enabling HTTPS you may follow this article: https://wiki.eclipse.org/Jetty/Howto/Configure_SSL
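The two errors in the question are the two sides of one mismatch: the browser sent a TLS handshake to a Jetty connector that only speaks plain HTTP. This added Python example (mine, not code from the question or the answer, using constructed byte samples) models what each side parses: Jetty's HTTP parser meets the TLS handshake record type 0x16 and replies with a plaintext 400, and the browser then reads that ASCII reply as a TLS record header whose length field is the bytes "P/" = 20527, beyond the largest legal record.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1) and the largest legal
# TLSCiphertext fragment: 2^14 bytes plus 2048 bytes of expansion.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2 ** 14 + 2048

# Constructed samples, not captured from the question's server: the record
# header of a TLS 1.x ClientHello as the listener sees it, and the plaintext
# reply Jetty's HTTP parser sends back when the first byte is 0x16.
CLIENT_HELLO_PREFIX = bytes.fromhex("1603010200")
PLAINTEXT_400_REPLY = b"HTTP/1.1 400 Illegal character 0x16\r\n"


def server_view(first_bytes: bytes) -> str:
    """Classify what a plain-HTTP connector received as its first bytes."""
    if not first_bytes:
        return "empty"
    # Handshake record type followed by a 0x03 major version: a TLS client
    # talking to a port with no SslConnectionFactory in front of HTTP.
    if first_bytes[0] == 0x16 and first_bytes[1:2] == b"\x03":
        return "tls-handshake-on-plaintext-port"
    if first_bytes[:1].isalpha():  # HTTP request lines start with an ASCII method
        return "http-request"
    return "unknown"


def client_view(first_bytes: bytes) -> dict:
    """Parse the first five bytes as a TLS record header, as a browser does."""
    if len(first_bytes) < 5:
        return {"ok": False, "reason": "short-read"}
    content_type, version, length = struct.unpack("!BHH", first_bytes[:5])
    # The length field is checked before the record type, which is why an
    # "HTTP/..." reply surfaces as a record-too-long error, not a type error.
    if length > MAX_TLS_RECORD:
        reason = "record_too_long"
    elif content_type not in TLS_CONTENT_TYPES:
        reason = "unknown_content_type"
    else:
        reason = None
    return {"ok": reason is None, "reason": reason, "content_type": content_type,
            "version": version, "length": length}


if __name__ == "__main__":
    print("server saw:", server_view(CLIENT_HELLO_PREFIX))
    print("browser parsed reply as:", client_view(PLAINTEXT_400_REPLY))
```

The fix is on the server side: Jetty needs an SSL connector (keystore plus an SslConnectionFactory in front of the HTTP connection factory) as described in the linked article; the CONFIDENTIAL transport guarantee only redirects to the secure port once one exists.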

Related

Spring Session and Spring Security (3.2.X RELEASE)

We have a web application built upon Spring Framework 3.2.x (3.2.12-RELEASE at the moment) and Spring Security 3.2.x (i.e. 3.2.5-RELEASE).
Security is implemented with the classical Spring approach. In web.xml we load the ApplicationContext and the springSecurityFilterChain:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      classpath*:META-INF/spring/applicationContext*.xml
    </param-value>
  </context-param>
  ...
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
Due to a change in requirements, we are trying to investigate how to permit different HttpSessions per tab (or window) within the same browser: in this scenario the same physical user can log in to the application using two separate app-users.
I understand that this is not possible using the JSESSIONID cookie approach. I'm trying to use Spring Session (Spring Session and Spring Security
and Spring Session Multiple Session) but I can't manage to do it, having difficulties mixing my XML configuration with the JavaConfig approach shown in the links above; Tomcat does not even start and produces a lot of errors.
I'm new to mixing XML and JavaConfig approaches, so... can anyone give me a hint on how to proceed with Spring Session?
Are there other ways to fulfill my requirement?
The Spring Session project actually contains a few sample projects that demonstrate usage with Spring XML config. Look for the samples with the -xml suffix in the sample name.
Generally speaking, what you need to do is manually register the appropriate @Configuration class as a @Bean. For example, if you want to use Spring Session backed by Redis, register RedisHttpSessionConfiguration. You'll find the correct @Configuration class to use by looking at the appropriate @Enable*HttpSession annotation (in this case @EnableRedisHttpSession) and determining which class is imported via its @Import annotation.

Java EE form login with load balancer transforming https to http

I have a problem and I believe it boils down to a misfit between our load balancer, web server (IHS), HTTPS configuration and Java EE form security with j_security_check.
I understand that when a client tries to hit a secure page, the server (WebSphere) sends a redirect with the URL of the sign-in form, which is what we see in our dev and tst environments. However, the production setup has a web server (IHS) which consumes the https URL, knocks out the s and forwards the http URL to WebSphere (known as SSL offloading). When WebSphere replies with the redirect it does that without https but with http://server-name/loginform, and I see a browser error that it can't access http://server-name/loginform.
The relevant part of web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whitelist</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>authenticated-users</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login</web-resource-name>
    <url-pattern>/keepalive</url-pattern>
    <url-pattern>/signin</url-pattern>
    <url-pattern>/signin/error</url-pattern>
    <url-pattern>/resources/*</url-pattern>
  </web-resource-collection>
</security-constraint>
<security-role>
  <description>Any LDAP authenticated user</description>
  <role-name>authenticated-users</role-name>
</security-role>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/signin</form-login-page>
    <form-error-page>/signin/error</form-error-page>
  </form-login-config>
</login-config>
I'm wondering whether that's a misconfiguration on the Java side (my responsibility); I expect the URL in form-login-page (/login) to be relative in the browser. But I also think that the load balancer should automatically convert an http call to an https call (someone else's responsibility). I hope someone has suggestions.
You should provide a bit more information in your question, such as which load balancer you are using, whether it is going straight to WAS or via IHS, and how your web application is configured (web.xml).
So here are some general hints that might be useful for you.
Redirecting to SSL in WebSphere
If you already have security configured and the login form is correctly displayed over http, you just need to add the following to web.xml:
<security-constraint>
  ...
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This will ensure that WebSphere generates a redirect to https when a client tries to access protected pages.
SSL offloading
If your load balancer is configured to offload SSL and forward requests to WebSphere using plain http, then you need to configure WebSphere to be aware of that. This is done by configuring the httpsIndicatorHeader custom property and adding the custom header in the load balancer.

jax-rs only authentication no authorization

I have a JAX-RS web service deployed on IBM WebSphere and I want to secure this WS when it receives requests (delegated from another server).
So I use basic auth, set the username and password on a BasicAuthSecurityHandler object and delegate the request to the other server.
Now when the other server receives the request I use the federated repository in WAS under Global security and do the authentication.
If I comment out the auth-constraint in the deployment descriptor, the authentication does not take place.
I want to do only authentication and no authorization.
I tried using the @PermitAll annotation on the Jax-WS method, but the authorization is also happening before the Jax-WS method is executed.
So is there any way I can skip the authorization and still do the authentication?
I don't have any roles associated with my users, so I want to skip the authorization.
<security-constraint id="SecurityConstraint_1">
  <display-name>RESTSecurity</display-name>
  <web-resource-collection id="WebResourceCollection_1">
    <web-resource-name>DelegateReqComApp</web-resource-name>
    <description>
      Protection area for Rest resource /addresses
    </description>
    <url-pattern>/rest/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!-- Authorization Constraint commented out -->
  <auth-constraint id="AuthConstraint_1">
    <description>
      Used to guard resources under this url-pattern
    </description>
    <role-name>iapawas012</role-name>
  </auth-constraint>
</security-constraint>
Create the auth-constraint and map the iapawas012 role to the special subject ALL_AUTHENTICATED. It basically says that any user who successfully authenticates is authorized to invoke your service.
You can do it either in the web admin console under Enterprise Application > yourApplication > Security role to user/group mapping, or via the binding file ibm-application-bnd.xml in the EAR's META-INF folder:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
    version="1.2">
  <security-role name="iapawas012">
    <special-subject type="ALL_AUTHENTICATED_USERS" />
  </security-role>
</application-bnd>

WLP :: Change default context root on http

When I do an HTTP GET on my WebSphere Liberty Profile v8.5.5 (let's assume http://my.domain.com) I'm presented with a nice page that says, among other things,
"Welcome to the WebSphere Application Server V8.5 Liberty Profile"
It looks like this http://rdt1.demos.ibm.com/
How do I configure my server to not display this page and perhaps redirect my request to a login page on https?
Is this a configuration related to a new context root of a new app to be installed? Like this answer below?
How to make "HTTPS redirect" work on WebSphere Application Server Liberty Profile?
I feel like this should be something configured on server.xml but I can't find any reference to this.
Thanks in advance!
You can turn that page off by adding the following to your server.xml file:
<httpDispatcher enableWelcomePage="false" />
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSRTLW_9.0.0/com.ibm.websphere.wlp.nd.multiplatform.doc/autodita/rwlp_metatype_4ic.html#mtFile119
edit:
I should clarify, the other answer is also correct. If you install an application with "/" as the context root, it will be used instead of the main page.
If you add something like the following to that application's web.xml:
<security-constraint>
  <display-name>Some constraint</display-name>
  <web-resource-collection>
    <web-resource-name>All</web-resource-name>
    <description>All URLs</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>All users</description>
    <role-name>User</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
You will get the https redirect that you're asking for.
Additional edit (per comment), the following is a more complete example of how to set up the redirect:
How to make "HTTPS redirect" work on WebSphere Application Server Liberty Profile?
Just create your application and in the server.xml specify the context root as follows:
<webApplication id="MyApp" location="MyApp.war" name="MyApp" contextRoot="/"/>
If you want to redirect to the login page and SSL, then you will need to do all the steps in the post you quoted and of course provide a login page in your application.
If you want just to disable the welcome page, add to server.xml the fragment provided by ebullient, or even extend it by adding some JavaScript code which would do the redirect:
<httpDispatcher enableWelcomePage="false" appOrContextRootMissingMessage='<script>document.location.href="/MyApp/";</script>'></httpDispatcher>

What could be the reason for the error: Error 403: SRVE0190E: File not found: /index.jsp. I am deploying in websphere

What could be the reason for the error: Error 403: SRVE0190E: File not found: /index.jsp.
I am deploying in websphere.
The war is working fine in local (using tomcat). But gives the error when deploying on websphere 6.1.
Please help.
I haven't ever seen SRVE0190E with 403... only 404, which is the standard HTTP status code for not-found.
Some initial things to verify:
Verify your web app is actually deployed.
Verify your web app is started. It may be deployed but not yet started (red X in the list of applications).
Verify your web app is deployed to the correct application server, if for example there is a deployment manager instance or a cluster.
Verify you are accessing the server via the HTTP port that matches the correct application server. For example, http://[server]:9060/ibm/console may be your admin console URL, but http://[server]:9060/yourapp/ would likely yield SRVE0190E or 404. In this case you probably want http://[server]:9080/yourapp/. These are the default port values, but your server may be configured differently.
Verify you have mapped the web app to the web server, if there is an IHS (Apache) server in front of WAS in your topology. I doubt this is the case because SRVE0190E comes from Application Server.
I got the same problem when I followed this Spring framework tutorial: https://crunchify.com/simplest-spring-mvc-hello-world-example-tutorial-spring-model-view-controller-tips/.
Running this sample code on Websphere 8.5, I got the same error message: Error 403: SRVE0190E: File not found: /index.jsp.
But there was no error when running on a Tomcat server.
(In fact, there was still an issue: this index.jsp page could not render JSP code enclosed in <% ... %>.)
Finally, I found out the problem was web.xml: it set "/index.jsp" as a url-pattern in servlet-mapping, but the servlet definition (both the XML file and the Java code) did not deal with this url-pattern.
If I removed <url-pattern>/index.jsp</url-pattern>, then everything worked fine.
Here is the original web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
...
...
  <servlet>
    <servlet-name>crunchify</servlet-name>
    <servlet-class>
      org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>crunchify</servlet-name>
    <url-pattern>/welcome.jsp</url-pattern>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/welcome.html</url-pattern>
    <url-pattern>*.html</url-pattern>
  </servlet-mapping>
</web-app>