SPNEGO Authentication Failing - java

I have set up Kerberos + OpenLDAP authentication for my Apache 2.4 CentOS 7 machine fine. I'm now trying to set up SSO using Kerberos + OpenLDAP for Tomcat 7. For this I've selected SPNEGO. I believe I have all of the LDAP and Kerberos settings working as needed.
Now when browsing to the webapp that has SPNEGO Authentication enabled I'm getting a 401; this is because my user agent isn't sending a WWW-Negotiation header. I was expecting this, as I haven't got to this point yet.
My question is specific to logging in. In Apache 2.4 I have set up SSO, and if no key is present it uses basic authentication and works perfectly; as expected, it grants me a TGT after providing credentials and is valid for the entire session.
I'd like to have Tomcat 7 present me with a login prompt on failure, such as the 401 error message I'm getting now.
Additionally, I've also set up AJP. Just for testing, I thought I'd try AJP from Apache to Tomcat with SSO enabled. While watching my Kerberos logs, it is in fact authenticating when I view the webapp, but I am still presented with a 401.
tldr;
How can I make Tomcat 7 prompt for a username and password if needed? And is there a way, using AJP, to stay authenticated from Apache to a webapp over the AJP tunnel?
The following is a snippet of my Tomcat 7 logs, please let me know what other information is needed.
Apr 28, 2016 12:58:08 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /helloworld/
Apr 28, 2016 12:58:08 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[all]' against GET /index.jsp --> true
Apr 28, 2016 12:58:08 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[all]' against GET /index.jsp --> true
Apr 28, 2016 12:58:08 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
Apr 28, 2016 12:58:08 AM org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint has no restrictions
Apr 28, 2016 12:58:08 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Apr 28, 2016 12:58:08 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
FINE: No authorization header sent by client
Apr 28, 2016 12:58:08 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test
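The log above shows the SPNEGO authenticator looking for an Authorization header and failing the request when none is present. The fallback the question asks for is a 401 that offers both Negotiate and Basic, after which the server dispatches on whichever scheme the client actually used. The following is an added example in Python, not Tomcat code and not the poster's: it classifies the Authorization header (including the common failure where a browser with no Kerberos ticket sends a raw NTLM token inside Negotiate, which a Kerberos-only server cannot accept) and builds the challenge headers, offering Basic only over TLS because Basic carries the password in clear text. The function names and the token bytes are constructed for the example, not captured traffic.

```python
"""Classify the Authorization header sent to a SPNEGO-protected resource and
build the 401 challenge that offers Basic as a fallback.
Added example, not Tomcat's code; sample tokens are constructed."""
import base64
import binascii
from typing import List, Optional, Tuple

# A raw NTLM token (NTLMSSP signature) sometimes arrives inside "Negotiate"
# when the browser has no Kerberos ticket for the service.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs found right after the InitialContextToken header.
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def _der_length(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length field); ValueError if malformed."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def build_gss_token(mech_oid_der: bytes, inner: bytes) -> bytes:
    """RFC 2743 InitialContextToken: [APPLICATION 0] { mechanism OID, inner token }."""
    body = mech_oid_der + inner
    return b"\x60" + _der_length(len(body)) + body


def classify_negotiate_token(token: bytes) -> str:
    """Distinguish SPNEGO, bare Kerberos, raw NTLM and junk inside a Negotiate header."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # no Kerberos ticket; a Kerberos-only server must reject this
    if not token or token[0] != 0x60:
        return "malformed"
    try:
        _, pos = _read_der_length(token, 1)
    except (ValueError, IndexError):
        return "malformed"
    rest = token[pos:]
    if rest.startswith(SPNEGO_OID_DER):
        return "spnego"
    if rest.startswith(KRB5_OID_DER):
        return "kerberos"  # some clients send a bare Kerberos AP-REQ
    return "unsupported"


def classify_authorization(header: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (kind, detail): kind is none/basic/spnego/kerberos/ntlm/unsupported/malformed,
    detail is the user name for Basic and None otherwise. The password is never returned."""
    if not header:
        return "none", None
    scheme, _, blob = header.strip().partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed", None
    if scheme.lower() == "basic":
        user, sep, _password = raw.partition(b":")
        if not sep:
            return "malformed", None
        return "basic", user.decode("utf-8", "replace")
    if scheme.lower() == "negotiate":
        return classify_negotiate_token(raw), None
    return "unsupported", None


def challenge_headers(realm: str, allow_basic: bool, is_tls: bool) -> List[Tuple[str, str]]:
    """Headers for the 401. Negotiate comes first so SSO-capable clients prefer it;
    Basic is offered only when allowed and the connection is TLS, because Basic
    sends the password in clear text."""
    headers = [("WWW-Authenticate", "Negotiate")]
    if allow_basic and is_tls:
        headers.append(("WWW-Authenticate", 'Basic realm="%s"' % realm))
    return headers


# Constructed sample headers for the example (not captured traffic).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(build_gss_token(SPNEGO_OID_DER, b"\xa0\x00")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(build_gss_token(KRB5_OID_DER, b"\x01\x00")).decode()
```

On the AJP part of the question: Tomcat's AJP connector only honours the user that Apache already authenticated when its `tomcatAuthentication` attribute is set to `false`; with the default of `true` Tomcat runs its own authenticator again, which is what the log above shows. Once Tomcat trusts the user asserted over AJP, anything that can reach the AJP port can assert any user, so that listener must be reachable only from the Apache host.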

Related

How to fix that Withings developer API refresh token gets expired within 4 Hours?

I have implemented a Java interface for OAuth2 of the Withings API (http://developer.withings.com/oauth2/). Initially, the Authorization Token (http://developer.withings.com/oauth2/img/OauthDiagram.jpg) is processed; it is sent from the Withings backend to my server. With the Authorization Token I successfully get an Access Token and a Refresh Token. In turn, with the Access Token I can get the actual data from the resource server.
The Refresh Token can successfully be used to get a new Access Token, BUT ONLY for roughly 4 hours. "Refresh Token" in http://developer.withings.com/oauth2/#tag/glossary says that the Refresh Token will be "valid for one year". So I don't know where my fault is.
This is a cut-out of the log where the mechanism works at 2 PM but not at 6 PM.
The App was granted access to user data with USER_ID at roughly 2 PM.
Aug 08, 2019 2:00:46 PM UserAccessData renewAccessToken
INFORMATION: Withings refresh access token request: grant_type=refresh_token&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN&redirect_uri=REDIRECT_URI
Aug 08, 2019 2:00:46 PM UserAccessData renewAccessToken
INFORMATION: Withings refresh access token response: {"access_token":"ACCESS_TOKEN","expires_in":10800,"token_type":"Bearer","scope":"user.info,user.metrics,user.activity","refresh_token":"REFRESH_TOKEN","userid":USER_ID}
[...]
Aug 08, 2019 6:00:45 PM UserAccessData renewAccessToken
INFORMATION: Withings refresh access token request: grant_type=refresh_token&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN&redirect_uri=REDIRECT_URI
Aug 08, 2019 6:00:46 PM UserAccessData renewAccessToken
INFORMATION: Withings refresh access token response: {"errors":[{"message":"invalid_grant: Invalid Params: invalid refresh_token"}]}
Aug 08, 2019 6:00:46 PM AccessTokenUpdaterTask run
SEVERE: UserAccessData of User with UserID USER_ID could not be renewed and refreshed properly
I don't know which Java snippet I should provide, because e.g. the renewAccessToken method works at 2 PM. Is that probably a misconfiguration at the Withings backend (I think that they use GuzzleHTTP, because that is stated in their User-Agent when sending notifications to my server)? They don't answer e-mails to their provided partner e-mail (http://developer.withings.com/oauth2/#tag/FAQ).
After the initial registration or a refresh, the REFRESH_TOKEN in the 'Withings refresh access token response'
{"access_token":"ACCESS_TOKEN","expires_in":10800,"token_type":"Bearer","scope":"user.info,user.metrics,user.activity","refresh_token":"REFRESH_TOKEN","userid":USER_ID}
is the same for 4 hours, but will ALSO be renewed and sent back in that response when requesting a new access token after these 4 hours. So one has to save the ACCESS_TOKEN AND the REFRESH_TOKEN from that response when requesting a new access token.
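The answer above describes refresh-token rotation: the token endpoint may hand back a new refresh token with every access token, and a client that keeps using the one it stored at registration eventually gets `invalid_grant`. The following is an added example in Python, not the poster's Java code and not Withings' server: a toy authorization server constructed to rotate the refresh token on every refresh and reject the previous one, beside a client store shown once with the bug (only the access token is saved) and once with the fix (both tokens are saved). The exact point at which Withings rotates is known only from the post; the server here rotates every time, which reproduces the same first-refresh-works, later-refresh-fails pattern.

```python
"""Refresh-token rotation: why the client must persist the refresh token
returned with every access token. Added example with a constructed server,
not Withings' implementation."""
import secrets
from dataclasses import dataclass
from typing import Dict, List

ACCESS_TTL = 10800  # expires_in from the post's token response, in seconds


class RotatingAuthServer:
    """Minimal token endpoint with one-time-use refresh tokens."""

    def __init__(self) -> None:
        self._refresh_tokens: Dict[str, int] = {}  # refresh_token -> userid

    def _issue(self, userid: int) -> dict:
        refresh = secrets.token_urlsafe(24)
        self._refresh_tokens[refresh] = userid
        return {
            "access_token": secrets.token_urlsafe(24),
            "expires_in": ACCESS_TTL,
            "token_type": "Bearer",
            "scope": "user.info,user.metrics,user.activity",
            "refresh_token": refresh,
            "userid": userid,
        }

    def authorize(self, userid: int) -> dict:
        """Stands in for the authorization-code exchange in the post."""
        return self._issue(userid)

    def refresh(self, refresh_token: str) -> dict:
        """Consume the presented refresh token; a reused or unknown one is invalid_grant."""
        userid = self._refresh_tokens.pop(refresh_token, None)
        if userid is None:
            return {"errors": [{"message": "invalid_grant: Invalid Params: invalid refresh_token"}]}
        return self._issue(userid)


@dataclass
class UserAccessData:
    """What the client persists per user (name borrowed from the post's log)."""
    userid: int
    access_token: str
    refresh_token: str
    expires_at: float


def store_token_response(data: UserAccessData, resp: dict, now: float) -> None:
    """Persist BOTH tokens from a token response; the refresh token may have rotated."""
    data.access_token = resp["access_token"]
    data.expires_at = now + resp["expires_in"]
    data.refresh_token = resp["refresh_token"]


def renew_access_token(data: UserAccessData, server: RotatingAuthServer,
                       now: float, save_refresh_token: bool = True) -> bool:
    """Return True on success. save_refresh_token=False reproduces the bug."""
    resp = server.refresh(data.refresh_token)
    if "errors" in resp:
        return False
    if save_refresh_token:
        store_token_response(data, resp, now)
    else:
        # The bug: only the access token is stored, the stale refresh token is kept.
        data.access_token = resp["access_token"]
        data.expires_at = now + resp["expires_in"]
    return True


def simulate(save_refresh_token: bool, renewals: int = 3) -> List[bool]:
    """Register once, then renew each time the access token expires."""
    server = RotatingAuthServer()
    now = 0.0
    data = UserAccessData(userid=1, access_token="", refresh_token="", expires_at=0.0)
    store_token_response(data, server.authorize(userid=1), now)
    results = []
    for _ in range(renewals):
        now += ACCESS_TTL
        results.append(renew_access_token(data, server, now, save_refresh_token))
    return results
```

Treat the stored refresh token as a credential equivalent to the user's consent: keep it encrypted at rest, never write it to logs (the post's INFORMATION lines print the full refresh request including `client_secret`), and overwrite it atomically with the one from the latest response so a crash between the two writes cannot leave the stale token behind.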

Initial EJB RMI works but with exception

I'm working through an EJB tutorial where my client program invokes a method via remote stateless EJB to add a book. Upon exit the client retrieves and prints all the books from the EJB (I know it's not a good idea to store data in a list within a stateless EJB). All of this works fine, except the initial RMI also returns the following exception (I've included the full output from the client test as well).
Client output:
Nov 29, 2016 11:34:29 PM org.jboss.ejb.client.EJBClient <clinit>
INFO: JBoss EJB Client version 2.1.4.Final
**********************
Welcome to Book Store
**********************
Options
1. Add Book
2. Exit
Enter Choice: 1
Enter book name: Some book
Nov 29, 2016 11:34:44 PM org.xnio.Xnio <clinit>
INFO: XNIO version 3.4.0.Final
Nov 29, 2016 11:34:44 PM org.xnio.nio.NioXnio <clinit>
INFO: XNIO NIO Implementation Version 3.4.0.Final
Nov 29, 2016 11:34:44 PM org.jboss.remoting3.EndpointImpl <clinit>
INFO: JBoss Remoting version 4.0.21.Final
Nov 29, 2016 11:34:45 PM org.jboss.ejb.client.remoting.VersionReceiver handleMessage
INFO: EJBCLIENT000017: Received server version 2 and marshalling strategies [river]
Nov 29, 2016 11:34:45 PM org.jboss.ejb.client.remoting.RemotingConnectionEJBReceiver associate
INFO: EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext#4f7d0008, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection#271053e1,channel=jboss.ejb,nodename=slave01:server01]} on channel Channel ID 87a6ebda (outbound) of Remoting connection 64bfbc86 to /127.0.0.1:8133 of endpoint "client-endpoint" <64bf3bbf>
Nov 29, 2016 11:34:45 PM org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager getEJBReceiver
INFO: Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='slave01:server01', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='0.0.0.0', destinationPort=8080}], resolvedDestination=[Destination address=0.0.0.0, destination port=8080]} in cluster ejb
java.net.ConnectException: Connection refused
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:717)
at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:321)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:294)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:430)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:153)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:78)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:79)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:469)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:443)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
**********************
Welcome to Book Store
**********************
Options
1. Add Book
2. Exit
Enter Choice: 2
Book(s) entered so far: 2
1. test1
2. Some book
***Using second lookup to get library stateless object***
Book(s) entered so far: 2
1. test1
2. Some book
So everything with the client, other than the exception, appears to work correctly. I suspect this issue has something to do with the zeroed-out node addresses, but I'm not certain. The client properties file is below (in case that configuration is incorrect).
jboss-ejb-clients.properties:
endpoint.name=client-endpoint
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
invocation.timeout=3000
reconnect.tasks.timeout=2000
# User Credentials
username=user
password=pass
# Remote Connections
remote.connections=h1,h2
remote.connection.h1.host=127.0.0.1
remote.connection.h1.port=8133
remote.connection.h1.username=user
remote.connection.h1.password=pass
remote.connection.h2.host=127.0.0.1
remote.connection.h2.port=8134
remote.connection.h2.username=user
remote.connection.h2.password=pass
# Cluster
remote.clusters=ejb
remote.cluster.ejb.connect.timeout=2500
remote.cluster.ejb.max-allowed-connected-nodes=2
remote.cluster.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.cluster.ejb.connect.options.org.xnio.Options.SSL_ENABLED=false
remote.cluster.ejb.username=user
remote.cluster.ejb.password=pass
After extensive research (and a good amount of trial and error with test code), I found a book on Safari (Java EE 7 Development with WildFly) that led me in the right direction. I had to drop the jboss-ejb-clients.properties file and add the ejb-client configuration found in the answer here to my main client class.

Pivotal server log messages not show in Spring tools suite

I am working on Spring web MVC. I am using Spring Tool Suite and Pivotal tc Server. I did not find any server log messages in STS. The console only shows the server startup message. I want to view all the server messages, errors and exceptions. Currently I am unable to view any server error messages.
The console is showing the message like this-
Nov 19, 2016 1:08:21 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1312 ms
Nov 19, 2016 1:08:26 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 5332 ms
I see the question is old, but I came across the same issue just now and didn't want to let this one go unanswered ;)
I found a solution from Pivotal themselves. But it has a little typo in it: the first line in the logging.properties is
handlers= java.util.logging.ConsoleHandler.level= INFO
but should rather be just
handlers= java.util.logging.ConsoleHandler
This should do the trick.
And if you would still want to keep the default catalina, localhost, etc. files of the tc Server in addition to the console output, you can modify or copy the logging.properties file found inside of your tc Server base instance ({pivotal-tc-server-folder}/base-instance/conf/).
Here are many configurations but the one concerning the console output, which is otherwise only in the catalina-{date}.log is in the line
.handlers = 1catalina.org.apache.juli.AsyncFileHandler
just change it to
.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
and you'll have both: logs and console output.
Best regards,
Uwe

Connecting Java client to Hazelcast-Kubernetes fails

I'm running a kubernetes cluster in which I am deploying a "cloud native hazelcast" following the instructions on the kubernetes-hazelcast github page. Once I have a number of hazelcast instances running, I try to connect a java client to one of the instances but for some reason the connection fails.
Some background
Using a kubernetes external endpoint I can connect to hazelcast from outside the kubernetes cluster. When I do a REST call with curl kubernetes-master:32469/hazelcast/rest/cluster, I get a correct response from hazelcast with its cluster information. So I know my endpoint works.
The hazelcast-kubernetes deployment uses the hazelcast-kubernetes-bootstrapper which allows some configuration by setting environment variables with the replication controller, but I'm using all defaults. So my group and password are "someGroup" and "someSecret".
The java client
My Java client code is really straightforward:
import com.hazelcast.client.HazelcastClient;
import com.hazelcast.client.config.ClientConfig;
import com.hazelcast.core.HazelcastInstance;

ClientConfig clientConfig = new ClientConfig();
// 0 means retry forever, which is why the client log below counts attempts up to Integer.MAX_VALUE
clientConfig.getNetworkConfig().setConnectionAttemptLimit(0);
clientConfig.getNetworkConfig().setConnectionTimeout(10000);
clientConfig.getNetworkConfig().setConnectionAttemptPeriod(2000);
// the kubernetes external endpoint (NodePort) of the hazelcast service
clientConfig.getNetworkConfig().addAddress("kubernetes-master:32469");
clientConfig.getGroupConfig().setName("someGroup");
clientConfig.getGroupConfig().setPassword("someSecret");
HazelcastInstance client = HazelcastClient.newHazelcastClient(clientConfig);
When I start my client this is the log output of the hazelcast container
2016-07-05 12:54:38.143 INFO 5 --- [thread-Acceptor] com.hazelcast.nio.tcp.SocketAcceptor : [172.16.15.4]:5701 [someGroup] [3.5.2] Accepting socket connection from /172.16.29.0:54333
2016-07-05 12:54:38.143 INFO 5 --- [ cached4] c.h.nio.tcp.TcpIpConnectionManager : [172.16.15.4]:5701 [someGroup] [3.5.2] Established socket connection between /172.16.15.4:5701
2016-07-05 12:54:38.157 INFO 5 --- [.IO.thread-in-1] c.h.nio.tcp.SocketClientMessageReader : [172.16.15.4]:5701 [someGroup] [3.5.2] Unknown client type: <
And the console output of the client
jul 05, 2016 2:54:37 PM com.hazelcast.core.LifecycleService
INFO: HazelcastClient[hz.client_0_someGroup][3.6.2] is STARTING
jul 05, 2016 2:54:38 PM com.hazelcast.core.LifecycleService
INFO: HazelcastClient[hz.client_0_someGroup][3.6.2] is STARTED
jul 05, 2016 2:54:48 PM com.hazelcast.client.spi.impl.ClusterListenerSupport
WARNING: Unable to get alive cluster connection, try in 0 ms later, attempt 1 of 2147483647.
jul 05, 2016 2:54:58 PM com.hazelcast.client.spi.impl.ClusterListenerSupport
WARNING: Unable to get alive cluster connection, try in 0 ms later, attempt 2 of 2147483647.
jul 05, 2016 2:55:08 PM com.hazelcast.client.spi.impl.ClusterListenerSupport
etc...
The client just keeps trying to connect but no connection is ever established.
What am I missing?
So why won't my client connect to the hazelcast instance? Is it some configuration part I'm missing?
Not sure about the official kubernetes support, however Hazelcast has a kubernetes discovery plugin (based on the new discovery spi) that works on both, client and nodes: https://github.com/noctarius/hazelcast-kubernetes-discovery
Looking at the console logs, you have different Hazelcast versions between node and client? Can you either update both to 3.6.4, i.e. the latest, or just change the cluster to 3.6.2 to match the client. 3.6.x has many configuration changes and many bug fixes as well.

Wildfly JSF resources: err_invalid_chunked_encoding

My customer web application is currently on an AWS-EC2 Linux instance, running WildFly 8.2.0.Final "Tweek".
I'm not using Apache or other web servers, just accessing the application server on port 8080 (the system is forwarding to 8080 all traffic on port 80).
Application works fine everywhere, but yesterday I found a very weird issue on one of my customer's browsers. However, it's not related to the browser, because I already tried installing Firefox and Chrome, in addition to IE, and the problem is still there. The client OS is Win8.1.
The CSS and JS files are not loaded by the browser: Chrome prints this message in the console:
ERR_INVALID_CHUNKED_ENCODING
However, if I click on the file and 'Open link in new tab', I can actually see the file's content!
My static files are JSF resources, for example:
/javax.faces.resource/primefaces.css.htm?ln=primefaces&v=5.1
Response headers are, for example:
Content-Type:application/javascript
Date:Fri, 27 Mar 2015 16:32:51 GMT
ETag:W/"312861-1427473269000"
Expires:Fri, 03 Apr 2015 16:32:51 GMT
Last-Modified:Fri, 27 Mar 2015 16:21:09 GMT
I saw the Content-Length is also zero, which I suppose is the cause of the problem.
How can I find out more info on that? What's the solution for that type of error? Thanks
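ERR_INVALID_CHUNKED_ENCODING means the browser could not parse the body as RFC 7230 chunked transfer coding: a chunk-size line that is not hex, a chunk shorter than its declared size, a missing CRLF, or no terminating zero-size chunk. The following is an added example in Python, not WildFly/Undertow code and not the poster's: a strict chunked decoder that names the first malformed offset, plus a framing check for the response headers. The check flags a response that carries both Content-Length and Transfer-Encoding, because RFC 7230 section 3.3.3 makes Transfer-Encoding take precedence and treats the combination as ambiguous, which is also the basis of request-smuggling attacks when a proxy and an origin disagree. The sample bodies and header sets are constructed for the example.

```python
"""Strict RFC 7230 chunked-body decoder and message-framing check.
Added example, not Undertow's parser; sample inputs are constructed."""
import re
from typing import Dict

_CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]+$")


def decode_chunked(body: bytes) -> bytes:
    """Decode a complete chunked body; raise ValueError naming the first defect."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("no CRLF after chunk-size at offset %d" % pos)
        # chunk-size may be followed by ";ext=value" chunk extensions, which are ignored
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not _CHUNK_SIZE.match(size_field):
            raise ValueError("bad chunk-size %r at offset %d" % (size_field, pos))
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk: wanted %d bytes at offset %d" % (size, pos))
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk-data at offset %d" % pos)
        pos += 2
    # after last-chunk: optional trailer fields, then an empty line
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing final CRLF after last-chunk")
        if eol == pos:
            pos += 2
            break
        pos = eol + 2
    if pos != len(body):
        raise ValueError("%d trailing bytes after chunked body" % (len(body) - pos))
    return bytes(out)


def is_valid_chunked(body: bytes) -> bool:
    """True if decode_chunked accepts the body."""
    try:
        decode_chunked(body)
        return True
    except ValueError:
        return False


def message_framing(headers: Dict[str, str]) -> str:
    """Classify how the body length is determined (RFC 7230 3.3.3).
    Returns chunked / content-length / none / conflict / unknown-transfer-encoding."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    te = h.get("transfer-encoding", "").lower()
    cl = h.get("content-length")
    if te and cl is not None:
        return "conflict"  # ambiguous framing; reject rather than guess
    if te:
        last = te.split(",")[-1].strip()
        return "chunked" if last == "chunked" else "unknown-transfer-encoding"
    if cl is not None:
        return "content-length"
    return "none"


# Constructed samples, not captured from the poster's server.
GOOD_BODY = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
BODY_WITH_EXT_AND_TRAILER = b"4;ext=1\r\nWiki\r\n0\r\nX-Trailer: v\r\n\r\n"
TRUNCATED_BODY = b"5\r\nabc\r\n0\r\n\r\n"
NO_LAST_CHUNK = b"4\r\nWiki\r\n"
CONFLICTING_HEADERS = {
    "Content-Type": "application/javascript",
    "Content-Length": "0",
    "Transfer-Encoding": "chunked",
}
```

To see what the browser saw, capture the raw response with `curl --raw -i` (which disables curl's own chunk decoding) and feed the bytes after the blank line to `decode_chunked`; the offset in the error message tells you whether the server cut the body short or sent a non-chunked body under a chunked header.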