I have added security-constraint to protect some folders of the app.
<security-constraint>
<web-resource-collection>
<web-resource-name>panel</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>super</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Panel</realm-name>
</login-config>
I added proper user SUPER to tomcat-users, this is all seems to be working fine when I deploy the app. However when I run it locally from exclipse via maven, using tomcat7:run, my local setup does not have tomcat-users.xml file, so basically I am not sure how to configure users locally. Security works but no users defined.
Can u please tell me how to pass or specify custom tomcat-sers.xml file for the mavens tomcat plugn
I got it, if anybody ever needs it.
In pom.xml find your plugin block for tomcat7-maven-plugin and specify in configuration custom tomcat-users.xml path.
<configuration>
<tomcatUsers>path/tomcat-users.xml</tomcatUsers>
</configuration>
Related
I have new problem with container security . On the server i have two ears first call service from second. On service there is #RolesAllowed("Authenticated"). My configuration in server.xml looks like this:
<featureManager>
<feature>jndi-1.0</feature>
<feature>distributedMap-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>wasJmsClient-2.0</feature>
<feature>jdbc-4.1</feature-->
<feature>javaMail-1.5</feature>
<feature>json-1.0</feature>
<feature>adminCenter-1.0</feature>
<feature>appSecurity-2.0</feature>
<feature>beanValidation-2.0</feature>
<feature>cdi-2.0</feature>
<feature>jsf-2.3</feature>
<feature>mdb-3.2</feature>
<feature>ejbHome-3.2</feature>
<feature>ejbLite-3.2</feature>
<feature>ejbRemote-3.2</feature>
<feature>jca-1.7</feature>
<feature>concurrent-1.0</feature>
<feature>jms-2.0</feature>
<feature>appClientSupport-1.0</feature>
<feature>ldapRegistry-3.0</feature>
</featureManager>
<basicRegistry id="basic" realm="customRealm">
<user password="{xor}Ozo5Kiw6LQ==" name="defuser" />
</basicRegistry>
Both ears contains identical configuration
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
The second ear contains ibm-application-ibd.xml file but i can not edit it. Best would be to override it.
When i call service from second ear i still get exception :
Caused by: javax.ejb.EJBAccessException: CWWKS9400A: Authorization failed for user UNAUTHENTICATED while invoking
Eny ideas ?
Liberty allows you to override application binding files using the server config element application-bnd, see IBM KnowledgeCenter topic https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.base.doc/ae/rwlp_config_enterpriseApplication.html#application-bnd and https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_rolebased.html for details.
According to my experience configuring the authentication with Websphere Liberty, the login showed up only for restricted pages only, so the app needs to definen some security constraint in the web.xml like this example:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured API</web-resource-name>
<url-pattern>/s/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>user</role-name>
</security-role>
I need to implement HTTP digest authentication for my Springboot Application. I have tried configuring this from Tomcat setup (How to use digest authentication in Tomcat 8.5? ut since Springboot doesn't generate any web.xml, I couldn't configure this. Can someone, please, give a piece of advice as for is there any alternative?
Steps Followed
1.generated sha -256 password
digest.bat -s 0 -a sha-256 tomcat
2. updated tomcat user file
<role rolename="admin-gui"/>
<user username="tomcat" password="ce066452368a3498047a43323cff46a00222945691d728747a2283273506a0a7"
roles="manager-gui,manager,admin"></user>
3. updated tomcat conf/server.xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
</Realm>
</Realm>
4. updated tomcat conf/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureResource</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin-gui</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin-gui</role-name>
</security-role>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>
I have a dev machine running Lucee with Tomcat on Mac OS X El Capitan. Lucee is running fine, but when I bring up my dev site, mapped to admin.local, I have to type in "admin.local:8080/index.cfm". For some reason entering the URL as "admin.local:8080" just brings up a 404. Is there something I need to do to get Lucee/Tomcat to serve index.cfm by default?
UPDATE:
The web.xml for Tomcat does include the following:
<servlet-mapping>
<servlet-name>CFMLServlet</servlet-name>
<url-pattern>*.cfc</url-pattern>
<url-pattern>*.cfm</url-pattern>
<url-pattern>*.cfml</url-pattern>
<url-pattern>/index.cfc/*</url-pattern>
<url-pattern>/index.cfm/*</url-pattern>
<url-pattern>/index.cfml/*</url-pattern>
<!-- url-pattern>*.cfm/*</url-pattern !-->
<!-- url-pattern>*.cfml/*</url-pattern !-->
<!-- url-pattern>*.cfc/*</url-pattern !-->
<!-- url-pattern>*.htm</url-pattern !-->
<!-- url-pattern>*.jsp</url-pattern !-->
</servlet-mapping>
In order for your web server to handle the index.cfm files without specifying it in the URL you will need to add that as a default document for your web server. You mentioned you are using Apache, one approach for that web server is to add index.cfm to the DirectoryIndex within the httpd.conf file.
Here is an example of how to do that - https://stackoverflow.com/a/7977774/1636917
I just added index.cfm to welcome file list in web.xml, it helps
<web-app ...
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.cfm</welcome-file>
</welcome-file-list>
</web-app>
I have a project that is used as a base for a number of different webapps. I'm trying to run it in "test" mode using the jetty-maven plugin.
The project is a multi-module project. The Filter is located in another module, which is a dependency of the module I'm trying to run, specified like so:
<dependency>
<groupId>my.example.test</groupId>
<artifactId>test</artifactId>
<version>X.X.X</version>
<scope>test</scope>
</dependency>
The filter class from that dependency is then added as a filter in web.xml:
<filter>
<filter-name>test</filter-name>
<filter-class>my.example.test.test.TestFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>test</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Finally, the project is started via a call to the jetty-maven plugin (mvn jetty:run-forked) which is set up like this:
<plugin>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-maven-plugin</artifactId>
<version>9.2.2.v20140723</version>
<configuration>
<webApp>
<contextPath>/test</contextPath>
<descriptor>src/test/webapp/WEB-INF/web.xml</descriptor>
</webApp>
<useTestScope>true</useTestScope>
<jvmArgs>some arguments</jvmArgs>
<jettyXml>jetty.xml,jetty-ssl.xml,jetty-https.xml</jettyXml>
<stopKey>stopJetty</stopKey>
<stopPort>12345</stopPort>
</configuration>
</plugin>
The project runs and displays the index.html file, but the filter is never applied to any request. Is it possible to run a test-scope app the way I have it set up? What else could I be missing?
If the server started, without an error, then the filter was there.
Perhaps you could add logging to the filter init() or doFilter() to verify that it actually got run.
Also, if you are using javax.websocket, then those HTTP/1.1 WebSocket Upgrade requests will not be filterable.
I try to integrate the new features of spring 3.1 using annotations to specify the configuration information for the web application.
I set up the maven-jetty-plugin version 8.0.4.v20111024 to run my app.
While starting jetty using the mvn jetty:run command, everything seems to be ok and set up correctly.
But when accessing the app through the browser, there is just the output of the default servlet.
It seems to be a simular issue, that tomcat had in previous versions (<=7.0.14)
https://issues.apache.org/bugzilla/show_bug.cgi?id=51278
Currently, I can not use jetty and I had to switch to the tomcat-plugin to deploy my application to tomcat.
Has anyone any suggestions, how to overwrite the jetty default servlet, when no web.xml is available?
You do it by overriding the default jetty config, put this in your plugin:
<configuration>
<scanIntervalSeconds>0</scanIntervalSeconds>
<webAppConfig>
<defaultsDescriptor>src/main/resources/webdefault.xml</defaultsDescriptor>
</webAppConfig>
</configuration>
Copy the webdefault file from Jetty, and comment out this part:
<!-- <servlet-mapping> -->
<!-- <servlet-name>default</servlet-name> -->
<!-- <url-pattern>/</url-pattern> -->
<!-- </servlet-mapping> -->