I would like to disable page "People" in Hudson. I don't want users to see other users. Is it possible to do?
I don't know if you can do it directly with Hudson, but you certainly be able to do it if you run Hudson within a Tomcat instance (I run mine in a Tomcat 7 without any problem).
You would define a JSP security-constraint, a bit like those ones (note: adapted for LDAP because I defer all user authentication to the webapp container of Hudson: in my case, Tomcat)
The OP asks:
You're suggesting to make changes to hudson/WEB-INF/web.xml? Could you please explicitly mention the file I have to change?
#Vincenzo: I don't! I never touch one bit of the hudson.jar. I only use it within a Tomcat instance, meaning:
I declare in <tomcat>/conf/Catalina/localhost a context for each Hudson I want to manage:
hudson-xxx -> /home/me/context/hudson-xxx.xml
(it is a link because I want to upgrade Tomcat easily, so I externalize the context definition outside of Tomcat). I define my Realm for ACL purposes:
<?xml version='1.0' encoding='utf-8'?>
<Context docBase="/home/me/hudson/hudson.war" path="/hudson-xxx">
<Realm className="org.apache.catalina.real.CombinedRealm" >
<Realm className="org.apache.catalina.real.JNDIRealm" debug="99"
connectionURL="ldap://xxxxx:389"
alternateURL="ldap://xxxxx:389"
connexionName="yyyy"
connectionPassword="zzzz"
userPattern="CN={0},OU=...,DC=..."
userRoleName="memberOf"
useSubtree="false"
roleBase="OU=...,DC=..."
roleName="cn"
roleSearch="(member={0})"
roleSubtree="false"
/>
</Realm>
<Environment name="HUDSON_XXX" value="/home/me/hudson/hudson-xxx-home" type="java.lang.String" override="false" />
</Context>
(With that context, a hudson.war stored outside of Tomcat is automatically deployed with the </tomcat>/webapps directory, and access from http://tomcat-server/hudson-xxx, with an LDAP-based authentication)
I suggests modifying the </tomcat>/conf/web.xml to add security-constraint which would prevent anybody to access the user page while letting only certain tomcat users (as defined in /conf/tomcat-users.xml.
(I haven't tested it yet)
Related
I have a webapp that is a RestEASY JAX-RS application and that uses the latest servlet specifications, such as Java EE annotations so that I don't need to create a web.xml file.
The webapp is bundled as foobar.war and dumped into the webapps directory in Tomcat. In fact the same foobar.war is deployed twice in the same Tomcat instance, once as foobar.war and the other as foobar#demo.war (which maps it to foobar/demo as you know).
I configure each mounted webapp by placing conf/Catalina/localhost/foobar.xml and conf/Catalina/localhost/foobar#demo.xml files, that look like this:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Environment name="foo" type="java.lang.String" value="bar"/>
</Context>
In my JAX-RS application I pull in the value of foo from JNDI using java:comp/env/foo.
So now I added a Java-based Spring configuration named FooBarConfiguration. I load it in my JAX-RS application using new AnnotationConfigApplicationContext(FooBarConfiguration.class). That all works fine.
So now I've added two profiles to FooBarConfiguration, one named foo and one named bar. But now... how do I tell the webapp which Spring profile to use? (Remember that I have no web.xml file.) Obviously I have to set spring.profiles.active somewhere. But where?
Because the documentation spoke of "environment" and "JNDI", I crossed my fingers and added an environment variable to conf/Catalina/localhost/foobar.xml:
<Environment name="spring.profiles.active" type="java.lang.String" value="foo"/>
No luck.
I can't set a system property, because that will apply to all the webapps, and the idea here is that each foobar.war instance (foobar.war and foobar#demo.war) could each have a different profile specified.
I suppose I could manually pull it out of the Tomcat environment myself, using java:comp/env/spring.profiles.active, but then where do I set the value? (I thought maybe AnnotationConfigApplicationContext would have a constructor where I could set the profile, or at least have a profile setting, but that also seems to be missing.)
(Plus if I'm manually pulling out the setting from JNDI and setting it myself, I might as well switch to the more lightweight Guice and manually load the modules I want. I'm only using the humongous, clunky Spring because it promised to allow easy selection of profiles.)
How can I indicate, external to my WAR file, on a per-webapp basis, which Spring profile I'm using?
You can set active profiles in many ways. Since you were searching for it via AnnotationConfigApplicationContext constructor, the one described here in spring docs might suit you.
AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext();
ctx.getEnvironment().setActiveProfiles("development");
ctx.refresh();
The solution is to use AnnotationConfigWebApplicationContext instead of StandardServletEnvironment.
The trick is to get Spring to use a StandardServletEnvironment, which looks in several places including JNDI java:comp/env/... for spring.profiles.active. See http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#beans-property-source-abstraction .
My problem is that AnnotationConfigApplicationContext uses a StandardEnvironment, which only looks in a few places for the profile designation. Switching to a AnnotationConfigWebApplicationContext made Spring use a StandardServletEnvironment:
final AnnotationConfigWebApplicationContext webContext =
new AnnotationConfigWebApplicationContext();
webContext.register(FooBarConfiguration.class);
webContext.refresh();
Now my webapp environment configuration in conf/Catalina/localhost/foobar.xml works:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Environment name="spring.profiles.active" type="java.lang.String" value="foo"/>
</Context>
could anyone please tell me if it is possible to define a role for tomcat user of the default app manager in a way, that he would be able to deploy only specific application? The situation is that developers can deploy only via console since the server itself is administered by third party. And dealing with it costs money (literally). The security requirement is that they should be able to deploy and undeploy just the application they are working on. The notion of multiple tomcat instances was refused. Is there any third party application which could do that? Any ideas are welcome.
Tomcat's built in Manager application does not support this. Assuming you trust your staff, I'd suggest a different approach. Use social controls rather than technical controls.
If anyone does something they shouldn't the access logs will tell you who did it and then you can take appropriate action.
Try this:
First of all, Create a new users xml database file inside [tomcat_home]/conf, lets call it tomcat-users-2.xml.
Add the following entry into the tomcat-users-2.xml file:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<user username="[$yourUsername]" password="[$yourPassword]" roles="tomcat,manager-gui"/>
</tomcat-users>
Notice that you can add more than one user tags in the <tomcat-users>
Then in your [tomcat_home]/conf/server.xml file, find <GlobalNamingResources> tag and add (inside it):
<Resource name="UserDatabase2" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users-2.xml" />
Place the following code inside the <Host ...></Host> tags of the app you want to restrict the user to:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase2"/>
Finally you must Restart Tomcat for the changes to take effect.
For more information, check out this link
I would like to run my spring application two times, in parallel, on the same tomcat server. One time with a production profile and one time with a dev profile.
I also would like to build one single WAR for the two profiles.
I've successfully integrated profiles in my application with #Profile annotations. I've successfully deployed the two WAR files on my tomcat server.
What I need is a mean to activate a different profile on each of theses two applications, with the constraint that these two applications use a copy of the same WAR file and that the two applications should run in parallel.
So WebApplicationInitializer and web.xml seem not an option.
For the record:
To activate the dev spring profile on the application in application-dev.war
Create a file <CATALINA_BASE>/conf/Catalina/localhost/application-dev.xml
With the following content:
<Context>
<Environment name="spring.profiles.active" value="dev,server" type="java.lang.String" override="false" />
</Context>
This set the spring.profiles.active property to dev,server for the application run by application-dev.war.
Thanks to this answer: https://stackoverflow.com/a/26653238/1807667
P.S.: With autoDeploy=true in server.xml, the configuration files disappear on tomcat restart.
Solution is to add <Context reloadable="true"> in <CATALINA_BASE>/conf/context.xml but beware that according to documentation :
This feature is very useful during application development, but it
requires significant runtime overhead and is not recommended for use
on deployed production applications.
and moreover using <Context reloadable="true"> does not solve fully the issue the configuration files still disappear for some restart.
P.S.2: There is no docBase attribute in the Context element, see this question.
I have the following JNDI realm ldap "thing" that used to reside inside of META-INF/context.xml
// Obviously i changed some of the code here to hide certain key information
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="uid=admin,ou=system"
connectionPassword="<PASSWORD>"
debug="99"
roleBase="<ROLEBASE>"
roleName="cn" roleNested="true"
roleSearch="(uniqueMember={0})"
roleSubtree="true"
userBase="USERBASE"
userSearch="(mail={0})"
connectionURL="ldap://MACHINE:10389"
/>
Now that I'm nearing a production phase of my work I wanted to move this file into the $CATALINA_BASE/conf/context.xml file instead so that I can do a machine based configuration. I did this on two linux boxes no problem, however, when I do it on my development machine and try to run (in netbeans) i get this prompt
Is there something key I'm missing here? Even if i type in the correct password netbeans gets into a strange loop and won't take the password. As soon as i remove the Realm def everything works fine.
Am I doing something terribly wrong here?
I just ran into this issue as well and I was able to fix this by pasting the UserDatabaseRealm from server.xml:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
into the tomcat manager webapp context.xml
webapps\manager\META-INF\context.xml
and also the manager.xml that is found in the folder at:
%APPDATA%\NetBeans\<netbeans version>\apache-tomcat-<version>_base\conf\Catlina\localhost
I believe you only really need to paste it into the %APPDATA%\NetBeans\<netbeans version>\apache-tomcat-<version>_base\conf\Catlina\localhost\manager.xml folder but it doesn't hurt to put it in both to be safe.
For reference, this is what my manager.xml file looks like now and everything is working as expected again:
<Context docBase="${catalina.home}/webapps/manager" antiResourceLocking="false" privileged="true">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Context>
Hopefully this works for you as well! It was a pretty annoying issue that I scratched my head about for around an hour.
EDIT: Note: Of course, the location of your conf\Catalina\localhost\manager.xml file is probably different and may not be in your AppData\Roaming folder. To get the actual location you can grab it from the server properties in Tomcat. Go to Tools > Servers and look for the path listed in Catalina Base:
I have a GWT RPC application deployed to Tomcat 8, and I want the server code to load some configuration data (hostname and port to another service). Otherwise the service works fine. I have read multiple suggestions but I cant get it to work.
A snippet from my Tomcat context.xml (I'm aware that context.xml requires me to restart tomcat when changed - that is OK).
<Context reloadable="true">
<Parameter name="config_hostname" value="192.168.2.199" override="false"/>
<Parameter name="config_port" value="8888" override="false"/>
In my service implementation I have a setup() method. In that I try to access the config by:
String hostname = getServletConfig().getInitParameter("config_hostname");
String port = getServletConfig().getInitParameter("config_port");
however that doesnt work. Can anyone put me on the right track?
----------------------- update -------------------
I have tried putting the info in web.xml like this
<web-app>
<context-param>
<param-name>hostname</param-name>
<param-value>192.168.2.199</param-value>
</context-param>
</web-app>
and using it like this (both works!) :
String h1=getServletConfig().getServletContext().getInitParameter("hostname");
String h2=getServletContext().getInitParameter("hostname");
however I don't want to put it in web.xml since I want to have a different setting for each deployment. Tomcat have conf/server.xml och conf/context.xml and I have tried those but I get NULL in the above calls then.
Which is the best way of storing server-side configurations? Please be detailed in your answer.
I have read doumentation at http://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html but I obviously don't understand it.
I found the answer here in the tomcat docs at /docs/config/context.html
The syntax in context.xml should be (I was correct from the beginnig here):
<Context>
<Parameter name="hostname" value="<some-ip-address>" override="false"/>
</Context>
and the call to read it should be:
getServletConfig().getServletContext().getInitParameter("hostname");
OR
getServletContext().getInitParameter("hostname");
I'm sure I have a lot more to learn (for example to have separat params for separate web applications in Tomcat, but this is good for now).