I'm trying to monitor Tomcat in Java program but I don't how I should pass the username and password to JMXProxyServlet. Does any one have any idea how to do this?
So your monitoring software will be written in Java. You can configure your manager webapp to use HTTP BASIC authentication and a MemoryRealmDatabase (which is how it's set up by default). Then,
Enable a user in tomcat-users.xml with the manager-jmx role.
Verify that HTTP BASIC authentication is working using a regular web browser.
Set an 'Authorization' HTTP header along with your HTTP request to JMXProxyServlet. The value of that header should be base64(username + ":" + password).
Various HTTP helper libraries (like Apache httpclient) have specialized methods to help you do this, or you can use HttpURLConnection directly.
Related
I have an Apache server that handles authentication and authorization before forwarding requests to a second server.
Users accessing the server from a browser are authenticating with LDAP and the authorization checks to see that username is present within a defined file.
I also have a Java application that can access the server (at a different endpoint), which currently hardcodes a username and a password into a request URL and leverages Basic Authentication over SSL.
Rather than use Basic Authentication, is it possible to configure Apache to accept a keystore/truststore from the Java application and authenticate/authorize on the certificate's CN and a password? If so, can anyone cite an example?
You can configure Apache to request client certificate authentication and use +FakeBasicAuth SSLOption in order to preserve compatibility with your current setup.
If the Java application can be restrained to certain URLs then you can require certificate authentication, otherwise make it optional as you do not want your other clients to have to authenticate with certificates.
There are good examples of this in the SSL/TLS - How-To in the Apache documentation.
I have a web application which requires username and password authentication to enter.
What I am doing is, authenticate a user from a stand alone Java app, which would do so by making Http request to the server using username and password. Then I would retrieve JSESSIONID cookie from response of server.
Now what I want is to use this JSESSIONID to continue session on browser i.e. to let user navigate pages of my web app which would be opened by my stand alone java app which I use for authentication.
Is this possible? Or is there any other way to do so.
Cookie can be changed using below mentioned methods.
Cookie cookie = new Cookie("JSESSIONID", NEWSESSIONID);
response.addCookie(cookie);
From your application you can send JSESSIONID as parameter while opening browser first time and reset your cookie using above method either in filter or servlet. This will reset your cookie in client side once you send response back. Next request on wards you will be able to access the session created previously.
It's possible but it's not that simple.
Since web applications don't share sessions, what you're looking for is a Single Sign On (SSO) solution, which involves an "Identity Provider" (IdM) that authenticates users for one or more "Service Providers" (SP). In this case, your servlet is the IdM and your web app is an SP.
Depending on your deployment, the following are third-party, open-source SSO libraries that you may be able to use:
Kerberos
PicketLink (for JBOSS)
OpenAM (for Tomcat)
If you don't want to use a third-party library, you may also be able to modify your servlet to be the IdM. Either way, I suggest reading a little about Security Assertion Markup Language (SAML) before deciding on a solution. SAML is a popular method that the above libraries implement.
We are having a application which returns logged in username (Windows NTLM) and we normally pass to all other applications to check authentication part.
I would like to know is it possible to pass username from application which returns username
and pass to our new web application which is developed using Spring 3? So that we could leverage the use of Spring Security features
If it is possible, how could I use this?
As we already have a application which returns Windows user, management discourages the usage of Kerberos and other SSO methods.
Any help or insight is highly helpful and beneficial.
Thanks
The simplest way to solve your problem is the following:
1) Install Apache Web Server and configure to use NTLM authentication using modntlm
http://modntlm.sourceforge.net/
(Similar you can use Kerberos authentication using mod_auth_kerb using http://modauthkerb.sourceforge.net/)
2) Configure mod_jk to your Selvlet container (JBoss or Tomcat)
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
After the successful authentication Apache sends the REMOTE_USER header to the servlet container.
The header (according the name) contains a user name of the authenticated user
Ensure you configure tomcatAuthentication="false" to allow Apache to allow apache to send the REMOTE_USER header
3) Implement and configure in Spring Security your own PreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6167
It should be very similar to the Request-Header Authentication filter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295
In addition, you should omit a domain name from the user name.
The user name is sent in the REMOTE_USER header after NTLM or Kerberos authentication.
You cab bind your username with application URL like "localhost:port/somename/j_spring_check?j_username=your username".
Today's there is more and more web services developed for internal use to connect applications together. We do not have an ESB to control and secure this web services so I guess on what is a good way to secure them.
We have try to setup Two-Way SSL but we are not able to control the authorization on a particular web service.
My need is to be able to control which application is calling my web service and is this application authorized to call it.
I don't like WS-Trust and Ws-Security because this alter the original SOAP message but it seems that they are no other solution.
Any idea?
Thanks
In your question you mention that you do not want to modify the current SOAP message - that means message level security is out.
So you need to go ahead with transport level security.
Even with two way SSL you wil be able to authorize users based on the thumbprint of the user certificate - how to do that depends on the stack you use.
Other option are..
Basic Authentication over HTTPS
2-legged OAuth
The difference is, 2-legged oauth supports non-repudiation while basic auth does not.
Irrespective of the mechanism you use to authenticate, you can use XACML for fine grained authorization...
you can use the http basic authentication over https. It lets back end application to know the user and hence possible to do authorization.
This link[1] shows how I have done a similar thing with WSO2 ESB. But depending on your stack there may be a way.
[1] http://wso2.org/library/articles/2011/06/securing-web-service-integration
My need is to be able to control which application is calling my web
service and is this application authorized to call it.
i feel that what you want is an authorization mechanism at your Service provider side.
if you do not want to do any encryption on your soap messages, you may consider to add new parameters to soap msg. e.g. client sents <applicationId> and <password> (or an encrypted AppId, PassWord string ) as new parameter to WS, at the WS provider side, WS checks if the application has right to call.
but this brings the changes to Client and Service implementation.
Or you could check the client IP of the request, to decide that it is from which application. If your applications have fixed Ip Addresses.
I'm trying to extract information from an URL using my Java code. But the URL has a pop-up authentication scheme. How would I know the authentication scheme used? I have the credentials for it.
A browser typically shows an authentication "popup" when the server responds to an HTTP request with a "401 Unauthorized" response message. The response header includes a "WWW-Authentication" header which tells you the authentication scheme to use (among other things).
There are various ways to deal with this in a Java application, depending on how you are attempting to fetch the web resource associated with the URL. For instance, if you are using HttpUrlConnection, you can extract the "WWW-Authentication" header, parse it, and extract the authentication scheme.
Normally the authentication is based on HTTP. There are several techniques to use (HTTP basic authentication Kerberos NTLM and so on) Each of this technologies applies additional information into HTTP header. So the authentification is not URL based but HTTP Header based.
Please give us more information about your problem, to help you