I'm trying to integrate Web SSO via JAAS in my web application under Apache Tomcat.
I've worked through Apache documentation and other stuff to get inside.
The common approach is to implement a login module, configure the web application (web.xml to be exact), and configure the server (jaas.config, server.xml) as described at http://jakarta.apache.org/slide/howto-jaas.html.
In my company environment I've faced an issue with configuring the server. Configuring environment variables as proposed by Apache is even worse.
Is there any way to do all the configuration inside my web application?
PS. I do know about Spring security framework.
Thanks.
You are looking for http://spnego.sourceforge.net. There is a filter which does true SSO and JAAS.
There is a way to implement all security inside the web app, except the security realm properties files (or LDAP / DB if you prefer). Read up on Java security. Also about Tomcat's SSO valve.
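One way to keep the JAAS configuration inside the web application, shown as an added example that is not code from the posts above: a `Configuration` object built in code is handed directly to `LoginContext`, so no jaas.config file or JVM system property is read. The entry name `MyWebApp` and the module class `com.example.MyLoginModule` are hypothetical, and this is an application-managed login (for example from a servlet filter), not Tomcat's container-managed JAASRealm.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public final class InAppJaas {

    /** In-memory replacement for a jaas.config file holding one application entry. */
    static final class SingleModuleConfiguration extends Configuration {
        private final String appName;
        private final AppConfigurationEntry[] entries;

        SingleModuleConfiguration(String appName, String moduleClass, Map<String, ?> options) {
            this.appName = appName;
            this.entries = new AppConfigurationEntry[] {
                new AppConfigurationEntry(moduleClass, LoginModuleControlFlag.REQUIRED, options)
            };
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            // Any other name (including the "other" fallback) gets null, so
            // LoginContext throws LoginException instead of using a default.
            return appName.equals(name) ? entries : null;
        }
    }

    /** Runs the login module with the supplied credentials and returns the Subject. */
    public static Subject login(String user, char[] password) throws LoginException {
        // "MyWebApp" and com.example.MyLoginModule are hypothetical names.
        Configuration config = new SingleModuleConfiguration(
                "MyWebApp", "com.example.MyLoginModule", Collections.<String, Object>emptyMap());
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext ctx = new LoginContext("MyWebApp", new Subject(), handler, config);
        ctx.login(); // throws LoginException when authentication fails
        return ctx.getSubject();
    }
}
```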
I have a CPE Java API application using Spring Boot and running on a Tomcat server, and my CPE (5.5.2) is running in a container on a WAS server. I am having a hard time setting up security between the two. Can somebody please help me/guide me to set up security?
If you work with CPE through the Java API (RMI over Corba, not WSI), you connect to the WAS JVM and you need to use JEE ways to authenticate the subject in the WAS security context.
WAS, as a JEE-based container, uses the JAAS spec to provide authentication.
So you need to know how to enable JAAS support in Spring; read this:
https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/jaas.html
After that, you need to know how to get a connection to the FN ObjectStore through the FN Java API (jace.jar). There are samples: you need to obtain a security context, put the created Subject in it, and connect to FN after that: https://www.ibm.com/support/knowledgecenter/en/SSNW2F_5.1.0/com.ibm.p8.ce.dev.ce.doc/sec_procedures.htm#sec_procedures_obtain_login_context
But you also need to configure your JVM in the right way to work with the WAS JAAS configuration. For how to enable the JAAS configuration for your JVM, look at this link: https://www.ibm.com/support/knowledgecenter/SSNW2F_5.1.0/com.ibm.p8.ce.dev.ce.doc/gs_concepts.htm#jaas_config_files
Good luck ^))
I have multiple domains on my CentOS VPS (domains running on Apache HTTP Server via virtual host configurations). On the same VPS, I want to add a new domain, but that domain will route to my Spring Boot application (the application is a jar file with embedded Tomcat inside). I couldn't find any configuration for embedded Tomcat for specific domains and ports.
With standalone Tomcat I can make the configuration via the server.xml file, like this image
Also, this short tutorial shows the configuration for standalone Tomcat: Tomcat Virtual Host Configuration
But how can I do that configuration for embedded Tomcat? Any suggestions?
With Spring Boot embedded Tomcat, you are hosting only one application per servlet container. So I don't believe that Tomcat's concept of Virtual Hosts makes sense at all.
If you have to host your app on a shared Tomcat instance, just build a WAR without the embedded container.
It depends. There are 2 ways to deploy your project.jar as you want to:
First way: You can use the "apache web server" and its own "mod_proxy" in order to serve as many Spring webapps as you want to, each on a specific port configured with "php-fpm" and with a proxy defined to route requests from/to your name-based VirtualHost configuration.
Nowadays, with Spring Boot 2.5, all you have to do is to set the property server.port in your application.properties file, and use it accordingly with mod_proxy directives.
If you are using profiles, you can either set one port for dev or prod or test or whatever properties file you need.
Another way to proceed: you can use the apache web server "mod_jk" bridge module to configure multiple load-balancers for your VirtualHosts too.
Choose your path, young Jedi ;)
This response is certainly not for the OP, 7 years later, but for other people who are using any web search engine like Google. They will come here and see "something is impossible". It is not true.
I am searching for a security framework that allows role based security for OSGi services as well as CXF webservices.
Some time ago I already used Spring Security, but as we have now switched to Blueprint it is not an option anymore, as far as I understood. To configure the access rules I would like to mainly use the standard @RolesAllowed annotation. So what are my best starting points? I also thought about implementing this myself as a Blueprint extension, but I would prefer an existing solution.
I would suggest you go with Apache Shiro instead, http://shiro.apache.org/ .
It provides easy APIs for authentication, authorization, cryptography, and session management. It can also be easily deployed inside an OSGi container. Some pros of Apache Shiro are listed here: Apache Shiro vs Java EE native APIs
In the meantime I created a Blueprint extension for authorization based on JAAS and Java EE annotations (@RolesAllowed, @PermitAll, @DenyAll). You can add the extension to any Blueprint file. It will then scan all beans for these annotations and intercept calls if they are found. It uses an existing JAAS context to get the roles of the user.
So a prerequisite for this is doing a JAAS login. I have also created a CXF JAASAuthentication feature that logs in a user based on basic auth or the WS-Security username principal. The module works together with the Apache Karaf JAAS support. So all Karaf users and roles apply.
I will create a tutorial to show how to use all of this once the Aries Blueprint release that includes the authorization module is out. In the meantime I would be happy if you try it out and report any problems you have.
Btw. another approach for Karaf is the role based access control for OSGi services that is built into Karaf 3+. It does not work with annotations but is also easy to use. See
http://coderthoughts.blogspot.de/2013/10/role-based-access-control-for-karaf.html
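The interception idea described in the answer above (check @RolesAllowed against the roles of the current JAAS Subject before the call goes through), as an added sketch that is not the Blueprint extension's own code. It handles method-level @RolesAllowed only and assumes the Java EE annotations jar (`javax.annotation.security`) is on the classpath, that the caller runs inside `Subject.doAs`, and that roles are carried by a dedicated principal class passed in as `roleType`.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.Principal;
import java.util.Arrays;
import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;

public final class RolesAllowedProxy {

    /** Wraps target so that methods annotated with @RolesAllowed are checked first. */
    @SuppressWarnings("unchecked")
    public static <T> T secure(Class<T> iface, T target, Class<? extends Principal> roleType) {
        InvocationHandler handler = (proxy, method, args) -> {
            // The annotation sits on the implementation class, not on the interface.
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            RolesAllowed allowed = impl.getAnnotation(RolesAllowed.class);
            if (allowed != null && !hasAnyRole(allowed.value(), roleType)) {
                throw new SecurityException("Access denied to " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow what the service itself threw
            }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, handler);
    }

    /** True if the Subject bound by Subject.doAs holds one of the roles. */
    static boolean hasAnyRole(String[] roles, Class<? extends Principal> roleType) {
        // Java 8-era lookup; newer JDKs deprecate it in favour of Subject.current().
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return false; // no JAAS login on this call path: deny
        }
        // Only principals of roleType count, so a user *named* "admin"
        // does not satisfy @RolesAllowed("admin").
        return subject.getPrincipals(roleType).stream()
                .anyMatch(p -> Arrays.asList(roles).contains(p.getName()));
    }
}
```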
For a pet project I would like to have an embedded Jetty run a Spring Web MVC app. I've used Spring in web containers (where it's easy to tell "where to start") and I've used embedded Jetty without Spring.
It feels a bit like the chicken or the egg problem if I want both to work together. What is the best way to organize the project? In other words, what shall I put in main()? Should it be a Spring app that happens to have Jetty as a bean (what about contexts then?)? Or should I start Jetty alone and plug Spring in via servlet listener? What are the caveats?
Jetty in a Spring container is used to start webapp, springified or not. The webapp and your webapp don't have the same Spring context without tricks.
So, you have to create a Jetty server in your main, add your webapp and start the server. The best way is using a web.xml like a common Java EE server, and add this descriptor to your Jetty server.
I think it is more reasonable to start Jetty alone and plug Spring in via a servlet listener in web.xml. Let Spring manage all the app-specific beans and let Jetty focus on running your app, and maybe some day you can deploy your app to another servlet container without changing anything.
This is one way to embed Jetty in Spring
http://www.springbyexample.org/examples/embedded-spring-web-services.html
This is related to Tomcat 6 with JAASRealm and a custom JAAS module for security.
Other Application Servers seem to support the mapping of application role names (in web.xml) to actual groups of the underlying security realm by using with server specific deployment descriptors - as mentioned in the Java EE 5 Tutorial.
Does Tomcat have a similar mechanism?
Edit: This thread seems to talk of the same requirement, but unfortunately doesn't have a definitive answer.
A request for enhancement to JBoss Web (with tomcat under the hood) has been made to address this same issue.
You can check $CATALINA_HOME/conf/tomcat-users.xml; there you can add and manage roles. You can use the GUI provided by Tomcat; you can check
GUI Administration
and Tomcat Roles Management