Tomcat security roles mapping - java

This is related to Tomcat 6 with JAASRealm and a custom JAAS module for security.
Other Application Servers seem to support the mapping of application role names (in web.xml) to actual groups of the underlying security realm by using server-specific deployment descriptors, as mentioned in the Java EE 5 Tutorial.
Does Tomcat have a similar mechanism?
Edit: This thread seems to talk of the same requirement, but unfortunately doesn't have a definitive answer.
A request for enhancement to JBoss Web (with tomcat under the hood) has been made to address this same issue.

You can check $CATALINA_HOME/conf/tomcat-users.xml; there you can add and manage roles. You can use the GUI provided by Tomcat; you can check:
GUI Administration
and Tomcat Roles Management
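A worked example of doing the mapping inside the custom JAAS module itself, added here and not part of the answer or the original question. Tomcat's JAASRealm only needs to know which Principal classes represent users and which represent roles, so the LoginModule can translate backend group names into the role names declared in web.xml while it builds the Subject; the group-to-role table is read from a `roleMap` option in the JAAS stanza, so it stays configuration rather than code. The in-memory user directory, user names, passwords and group names are constructed for the example (a real module would query LDAP or a database), and `com.example` is an assumed package. Requires Java 8 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * LoginModule for Tomcat's JAASRealm that turns backend group names into the
 * role names used in web.xml. The mapping comes from the "roleMap" option of
 * the stanza in the file given by -Djava.security.auth.login.config, e.g.
 *   Tomcat { com.example.MappingLoginModule required roleMap="webadmins=admin;staff=user"; };
 */
public class MappingLoginModule implements LoginModule {

    /** Principal with value equality, so the Subject's principal set deduplicates. */
    private abstract static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    public static final class UserPrincipal extends NamedPrincipal { public UserPrincipal(String n) { super(n); } }
    public static final class RolePrincipal extends NamedPrincipal { public RolePrincipal(String n) { super(n); } }

    // Constructed stand-in for the real directory: SHA-256 of each password and the
    // backend groups of each user. Hashes are computed at class load only so the
    // example stays self-contained; a real module queries LDAP/DB here.
    private static final Map<String, byte[]> PASSWORD_HASH = new HashMap<>();
    private static final Map<String, List<String>> GROUPS = new HashMap<>();
    static {
        PASSWORD_HASH.put("alice", sha256("alice-demo-password"));
        GROUPS.put("alice", Arrays.asList("webadmins", "staff", "printer-users"));
        PASSWORD_HASH.put("bob", sha256("bob-demo-password"));
        GROUPS.put("bob", Arrays.asList("staff"));
    }

    private Subject subject;
    private CallbackHandler handler;
    private final Map<String, String> groupToRole = new HashMap<>();
    private final Set<Principal> added = new HashSet<>();
    private String user;
    private boolean authenticated;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object spec = options.get("roleMap");               // "group=role;group=role"
        if (spec instanceof String) {
            for (String pair : ((String) spec).split(";")) {
                String[] kv = pair.split("=", 2);
                if (kv.length == 2) groupToRole.put(kv[0].trim(), kv[1].trim());
            }
        }
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        byte[] expected = name == null ? null : PASSWORD_HASH.get(name);
        // Constant-time compare; unknown user and wrong password fail identically.
        if (expected == null || pw == null || !MessageDigest.isEqual(expected, sha256(new String(pw)))) {
            throw new FailedLoginException("invalid credentials");
        }
        user = name;
        authenticated = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!authenticated) return false;
        added.add(new UserPrincipal(user));
        // Only groups listed in roleMap become application roles; an unmapped
        // group such as "printer-users" never reaches the web tier.
        for (String group : GROUPS.getOrDefault(user, Collections.<String>emptyList())) {
            String role = groupToRole.get(group);
            if (role != null) added.add(new RolePrincipal(role));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override
    public boolean abort() { boolean ok = authenticated; reset(); return ok; }

    @Override
    public boolean logout() { subject.getPrincipals().removeAll(added); reset(); return true; }

    private void reset() { added.clear(); user = null; authenticated = false; }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

The matching Realm declaration (in server.xml or the application's META-INF/context.xml) names the two nested principal classes: `userClassNames="com.example.MappingLoginModule$UserPrincipal"` and `roleClassNames="com.example.MappingLoginModule$RolePrincipal"`, with `appName` equal to the stanza name. The servlet spec's `<security-role-ref>` in web.xml only aliases a name passed to `isUserInRole()` inside one servlet; it does not map realm groups to roles, which is why the mapping is placed in the module here.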


Difference between an Express server and an embedded server in spring boot

I've started learning Spring Boot coming from a NodeJS/Express background and I'm wondering what's the difference between the server that we create ourselves in an express app that listens on a certain port, and the Tomcat server in a spring application also called a container ? Why can't we do the same in a spring boot application where we create the server ourselves ?
const app = express();
app.listen(3000, () => console.log("Server listening on port 3000"));
Welcome to the Spring Ecosystem. We hope you enjoy your stay!
My first bit of advice, forget everything you know about Express because Spring is very different. I have not used Express in a while, but I remember it had a very programmatic approach. While that is possible in Spring, the most popular approach is declarative with annotations. Or, if you are old and like old technology, you can configure everything with XML.
What's Tomcat? Tomcat is an implementation of various Jakarta EE (formerly Java EE) specifications. Depending on the Spring Boot version, you may see packages that start with jakarta or javax. Tomcat implements Jakarta Servlet, Server Pages, Expression Language, WebSocket, Annotations, and Authentication. You can read more about each specification here. Note: Spring Boot by itself does not necessarily use all of these modules, and Spring has many abstraction layers on top of them anyway, so you will rarely work with Tomcat directly. Specifically, spring-boot-starter-tomcat is the Spring module that uses Tomcat, and it is most often included as a transitive dependency through spring-boot-starter-web.
Now, to answer your question...
Spring Boot Web configures Tomcat for you. You can definitely override this behavior! One basic way is through configuration properties. Anything under server.tomcat. A good IDE should autocomplete and show you the options. You can also change the address and port of the Tomcat server with server.address and server.port. Another popular property developers change is server.error.whitelabel.enabled. They set it to false and provide their own error page. Here is a great example. By the way, Baeldung offers a lot of free Spring tutorials and guides. It is a great place to get started. They also offer paid courses with certifications.
FYI, you do not have to use Tomcat. Read more here.
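An added example, not from the answer above, of the programmatic counterpart to `app.listen(3000)` in Spring Boot: Boot still creates the embedded Tomcat, but a `WebServerFactoryCustomizer` bean adjusts it before it starts. The first two calls are the code form of `server.port=3000` and `server.address=127.0.0.1`; the connector customizer shows how to reach Tomcat's own Connector object for anything the `server.*` properties do not cover. The class and endpoint names are assumed; the classes used are the public Spring Boot 2.x/3.x API.

```java
import java.net.InetAddress;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Spring Boot counterpart of app.listen(3000): Boot builds the embedded Tomcat,
 * and this bean adjusts the factory that builds it before the server starts.
 */
@SpringBootApplication
@RestController
public class App {

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);      // creates and starts embedded Tomcat
    }

    @GetMapping("/")
    public String hello() {
        return "hello from embedded Tomcat";
    }

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
        return factory -> {
            factory.setPort(3000);                                   // server.port=3000
            // Listen on loopback only: clients reach the app through a local reverse
            // proxy, so the embedded container is never exposed to the network directly.
            factory.setAddress(InetAddress.getLoopbackAddress());    // server.address=127.0.0.1
            // Anything the server.* properties do not cover can be set on Tomcat's
            // Connector directly; here, a 1 MiB cap on form-encoded request bodies.
            factory.addConnectorCustomizers(connector -> connector.setMaxPostSize(1024 * 1024));
        };
    }
}
```

Binding to loopback and capping request sizes are cheap hardening steps that are easy to forget precisely because Boot hides the server; keeping them in a customizer (or in application.properties) makes them visible in code review.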

FileNet - Setup Authentication between CPE & Java application

I have a CPE Java API application using Spring Boot and running on a Tomcat server, and my CPE (5.5.2) is running in a container on a WAS server. I am having a hard time setting up security between the two. Can somebody please help me or guide me to set up security?
If you work with CPE through the Java API (RMI over CORBA, not WSI), you connect to the WAS JVM and need to use JEE mechanisms to authenticate a subject in the WAS security context.
WAS, as a JEE-based container, uses the JAAS spec to provide authentication.
So you need to know how to enable JAAS support in Spring; read this:
https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/jaas.html
After that, you need to know how to get a connection to the FN ObjectStore through the FN Java API (jace.jar). There are samples; you need to obtain a security context, put the created Subject in it, and connect to FN after that: https://www.ibm.com/support/knowledgecenter/en/SSNW2F_5.1.0/com.ibm.p8.ce.dev.ce.doc/sec_procedures.htm#sec_procedures_obtain_login_context
But you also need to configure your JVM in the right way to work with the WAS JAAS configuration. For how to enable the JAAS configuration for your JVM, look at this link: https://www.ibm.com/support/knowledgecenter/SSNW2F_5.1.0/com.ibm.p8.ce.dev.ce.doc/gs_concepts.htm#jaas_config_files
Good luck ^))
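An added example of the sequence the answer describes, not code from the answer or from IBM: a JAAS login through `LoginContext`, then FileNet API calls made with the resulting Subject pushed on the `UserContext`. The stanza name, the CE URI and the object store name are placeholders for values from your environment, and the credentials are expected to come from a vault or Spring configuration rather than source. The standard JAAS classes are from `javax.security.auth`; the FileNet calls (`UserContext.pushSubject`/`popSubject`, `Factory.Connection`, `Factory.Domain`, `Factory.ObjectStore`) follow the IBM procedure linked in the answer and are assumed here to be available from jace.jar on the classpath.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.filenet.api.core.Connection;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.util.UserContext;

/**
 * Authenticate with JAAS, then run FileNet API calls under that Subject.
 * The JVM must be started with the JAAS config from the answer's second link:
 *   -Djava.security.auth.login.config=/path/to/jaas.conf.WebSphere
 */
public final class FileNetJaasClient {

    // Placeholders: stanza name, EJB transport URI and object store come from your environment.
    private static final String JAAS_STANZA = "FileNetP8";
    private static final String CE_URI = "iiop://ce-host:2809/FileNet/Engine";
    private static final String OBJECT_STORE = "OS1";

    /** Hands the credentials to whatever LoginModules the WAS stanza configures. */
    static final class SimpleHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        SimpleHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        }
    }

    /** Runs the login modules of the stanza and returns the authenticated Subject. */
    public static Subject login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(JAAS_STANZA, new SimpleHandler(user, password));
        lc.login();
        return lc.getSubject();
    }

    /** Fetches the object store with the Subject active; push and pop must always pair. */
    public static ObjectStore openObjectStore(Subject subject) {
        Connection conn = Factory.Connection.getConnection(CE_URI);
        UserContext uc = UserContext.get();
        uc.pushSubject(subject);
        try {
            Domain domain = Factory.Domain.fetchInstance(conn, null, null);
            return Factory.ObjectStore.fetchInstance(domain, OBJECT_STORE, null);
        } finally {
            uc.popSubject();   // never leave this identity on the thread for later callers
        }
    }

    public static void main(String[] args) throws LoginException {
        char[] pw = System.console() != null ? System.console().readPassword("password: ") : new char[0];
        Subject subject = login(args.length > 0 ? args[0] : "svc-account", pw);
        ObjectStore os = openObjectStore(subject);
        System.out.println("connected to " + os.get_DisplayName());
        java.util.Arrays.fill(pw, '\0');   // scrub the password once the login is done
    }
}
```

The `try`/`finally` around `popSubject()` matters in a Spring Boot service: the FileNet `UserContext` is thread-bound, so a pushed Subject left on a pooled request thread would silently act for the next request handled by that thread.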

How to create a Payara user account in an Arquillian functional test?

I'm using Arquillian to deploy a Java EE WAR on Payara embedded for functional testing with Graphene. Everything works fine.
However, I'd like to know whether it's possible to test user authentication for @RolesAllowed protected RESTful methods. Afaik there's no way around creating users on the Java EE server, and in GlassFish and Payara that's done in the web admin UI:
I didn't find anything about a Payara RESTful or similar API for Payara admin tasks.
There seems to be nothing created on the filesystem by the drone driver, so there's no access to the asadmin command.
According to sudo netstat -tupln | grep java the Payara embedded process only opens port 8181 (HTTP) and 8182 (can't be opened in browser).
My question is similar to How to test login with Arquillian - Java EE 7, whose answer doesn't work because CommandRunner isn't injected, and a comment says the interface has changed, whatever that means.
The approach in Embedded Glassfish, security and Arquillian questions doesn't work because it's unclear which Server class is used and none of the available ones match all method names (I tried all that pop up in NetBeans autocompletion).
I'm aware of the possibility of replacing the embedded instance with a remote one, but that's not part of the question.
I'm using Payara 4.1.2.174.
The preferred way to configure embedded GlassFish/Payara is to configure a standalone Payara Server instance interactively first (using the Admin console or asadmin commands), copy the configuration from the domain (domain1) into the test resources and then point the Arquillian container to that configuration.
The documentation of the Arquillian GlassFish embedded container describes that you can use the property instanceRoot to point to the whole domain directory or configurationXml to just point to the domain.xml in that directory.
In fact, the answer in your last link (https://stackoverflow.com/a/24967309/784594) explains precisely this scenario and provides a step-by-step guide. You shouldn't be using any Server class to configure the server; you can skip that step. If you secure your REST endpoint using basic HTTP authentication, you just need to send the user and password in the request headers.
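An added example of the test side of what the answer describes, not code from the answer: a black-box Arquillian test that deploys the WAR to embedded Payara and calls a protected endpoint with and without a Basic `Authorization` header. It assumes arquillian.xml's `configurationXml` points at a domain.xml copied from a standalone domain in which the file-realm users `admin` (group `admin`) and `bob` (group `staff`) were created with `asadmin create-file-user`; that `Api` (an `@ApplicationPath("api")` Application) and `AdminResource` (a `@Path("admin")` resource whose `GET ping` method carries `@RolesAllowed("admin")`) exist in the main source tree; and that `test-web.xml` declares BASIC auth, the `admin` role and a security-constraint on `/api/admin/*` while `test-glassfish-web.xml` maps group `admin` to that role. User names and passwords are constructed for the example.

```java
import static org.junit.Assert.assertEquals;

import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Test;
import org.junit.runner.RunWith;

/**
 * Black-box test of a BASIC-auth protected JAX-RS resource on embedded Payara.
 * Users and groups come from the domain.xml the container was pointed at, so
 * no admin API is needed at test time.
 */
@RunWith(Arquillian.class)
public class AdminResourceIT {

    @Deployment(testable = false)   // every test runs on the client side, against the deployed WAR
    public static WebArchive deployment() {
        return ShrinkWrap.create(WebArchive.class, "admin-test.war")
                .addClasses(Api.class, AdminResource.class)
                .addAsWebInfResource("test-web.xml", "web.xml")
                .addAsWebInfResource("test-glassfish-web.xml", "glassfish-web.xml");
    }

    @ArquillianResource
    private URL base;   // injected deployment URL, e.g. http://localhost:8181/admin-test/

    /** The header the answer refers to: "Authorization: Basic base64(user:password)". */
    static String basic(String user, String password) {
        byte[] token = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(token);
    }

    /** Calls GET api/admin/ping with the given Authorization value (null = anonymous). */
    private int statusOfPing(String authorization) {
        Client client = ClientBuilder.newClient();
        try {
            Invocation.Builder req = client.target(base.toExternalForm() + "api/admin/ping").request();
            if (authorization != null) req = req.header(HttpHeaders.AUTHORIZATION, authorization);
            Response r = req.get();
            try { return r.getStatus(); } finally { r.close(); }
        } finally {
            client.close();
        }
    }

    @Test public void anonymousGetsChallenge() { assertEquals(401, statusOfPing(null)); }
    @Test public void staffUserIsForbidden()   { assertEquals(403, statusOfPing(basic("bob", "bob-demo-password"))); }
    @Test public void adminIsAllowed()         { assertEquals(200, statusOfPing(basic("admin", "admin-demo-password"))); }
}
```

The three assertions cover the cases worth pinning down in a functional test: no credentials must yield a 401 challenge (not a 200 that silently skips the constraint), a valid user in the wrong group must get 403, and only the mapped group gets through.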

Role based security for OSGi

I am searching for a security framework that allows role based security for OSGi services as well as CXF webservices.
Some time ago I already used Spring Security, but as we have now switched to Blueprint it is not an option anymore, as far as I understood. To configure the access rules I would like to mainly use the standard @RolesAllowed annotation. So what are my best starting points? I also thought about implementing this myself as a Blueprint extension, but I would prefer an existing solution.
I would suggest you go with Apache Shiro instead, http://shiro.apache.org/ .
It provides easy APIs for authentication, authorization, cryptography, and session management. It can also be easily deployed inside an OSGi container. Some pros of Apache Shiro are listed here: Apache Shiro vs Java EE native APIs
In the meantime I created a Blueprint extension for authorization based on JAAS and Java EE annotations (@RolesAllowed, @PermitAll, @DenyAll). You can add the extension to any Blueprint file. It will then scan all beans for these annotations and intercept calls if they are found. It uses an existing JAAS context to get the roles of the user.
So the prerequisite for this is doing a JAAS login. I have also created a CXF JAASAuthentication feature that logs in a user based on basic auth or a WS-Security username principal. The module works together with the Apache Karaf JAAS support, so all Karaf users and roles apply.
I will create a tutorial to show how to use all of this once the Aries Blueprint release that includes the authorization module is out. In the meantime I would be happy if you try it out and report any problems you have.
By the way, another approach for Karaf is the role-based access control for OSGi services that is built into Karaf 3+. It does not work with annotations but is also easy to use. See
http://coderthoughts.blogspot.de/2013/10/role-based-access-control-for-karaf.html
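An added example, not code from the Aries module or from the answer, of what the interception described above boils down to: a `java.lang.reflect.Proxy` that enforces `@RolesAllowed`, `@PermitAll` and `@DenyAll` on an interface-backed service using the roles carried as principals in the current JAAS Subject (the one established with `Subject.doAs` after a JAAS login). The `Payroll` service, the `RolePrincipal` class and the role names are constructed for the example; Karaf's own role principal is `org.apache.karaf.jaas.boot.principal.RolePrincipal`. On Java 11+ the `javax.annotation.security` annotations need the `javax.annotation-api` jar, and on Java 18+ `Subject.current()` replaces `Subject.getSubject(AccessController.getContext())`.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;

/** Enforces the Java EE security annotations on a service, using roles from the current JAAS Subject. */
public final class RolesAllowedProxy implements InvocationHandler {

    /** Constructed role principal; a Karaf JAAS login adds Karaf's own RolePrincipal instead. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    private final Object target;

    private RolesAllowedProxy(Object target) { this.target = target; }

    @SuppressWarnings("unchecked")
    public static <T> T secure(Class<T> iface, T target) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, new RolesAllowedProxy(target));
    }

    @Override
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        // The annotations sit on the implementation, not the interface: resolve the method there.
        Method impl = target.getClass().getMethod(m.getName(), m.getParameterTypes());
        if (!permitted(impl)) throw new SecurityException("access denied to " + impl.getName());
        try { return impl.invoke(target, args); }
        catch (InvocationTargetException e) { throw e.getCause(); }
    }

    /** Method-level annotation wins over class-level; a method with no annotation anywhere is permitted. */
    private static boolean permitted(Method impl) {
        for (AnnotatedElement el : new AnnotatedElement[] { impl, impl.getDeclaringClass() }) {
            if (el.isAnnotationPresent(DenyAll.class)) return false;
            if (el.isAnnotationPresent(PermitAll.class)) return true;
            RolesAllowed ra = el.getAnnotation(RolesAllowed.class);
            if (ra != null) return !Collections.disjoint(currentRoles(), Arrays.asList(ra.value()));
        }
        return true;
    }

    /** Roles of the Subject the caller established with Subject.doAs(...) after its JAAS login. */
    private static Set<String> currentRoles() {
        Subject s = Subject.getSubject(AccessController.getContext());   // Java 8-17; Subject.current() on 18+
        Set<String> roles = new HashSet<>();
        if (s != null) for (RolePrincipal p : s.getPrincipals(RolePrincipal.class)) roles.add(p.getName());
        return roles;
    }

    // Constructed demo service: one method restricted to "hr", one open to everyone.
    public interface Payroll { String salaryOf(String employee); String companyName(); }
    public static class PayrollImpl implements Payroll {
        @RolesAllowed("hr") public String salaryOf(String employee) { return employee + ": 42000"; }
        @PermitAll public String companyName() { return "Example Corp"; }
    }

    public static void main(String[] args) {
        Payroll payroll = secure(Payroll.class, new PayrollImpl());
        Subject hrUser = new Subject();
        hrUser.getPrincipals().add(new RolePrincipal("hr"));   // what a JAAS login would have added
        System.out.println(Subject.doAs(hrUser, (PrivilegedAction<String>) () -> payroll.salaryOf("alice")));
        try { payroll.salaryOf("alice"); }                       // no Subject on this thread
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        System.out.println(payroll.companyName());               // @PermitAll works without a Subject
    }
}
```

Two details are worth keeping when adapting this: the check runs against the implementation class, because annotations on an interface are not what the Java EE rules look at, and a call made outside any `Subject.doAs` scope fails closed, since an empty role set never satisfies `@RolesAllowed`.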

JAAS - Web SSO integration on Tomcat

I'm trying to integrate Web SSO via JAAS in my web application under Apache Tomcat.
I've worked through the Apache documentation and other material to get into it.
The common approach is to implement a login module, configure the web application (web.xml, to be exact) and configure the server (jaas.config, server.xml) as described at http://jakarta.apache.org/slide/howto-jaas.html.
In my company's environment I've faced issues with configuring the server. Configuring environment variables, as proposed by Apache, is even worse.
Is there any way to make all configuration inside my web application?
PS. I do know about the Spring Security framework.
Thanks.
You are looking for http://spnego.sourceforge.net. There is a filter there which does true SSO and JAAS.
There is a way to implement all security inside the web app, except for the security realm properties files (or LDAP / DB if you prefer). Read up on Java security. Also read about Tomcat's SSO valve.
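An added example of one way to keep the JAAS part of that configuration inside the web application, not code from either answer: a `ServletContextListener` that installs a programmatic `javax.security.auth.login.Configuration` at startup, so neither a jaas.config file on the server nor the `-Djava.security.auth.login.config` JVM option (the environment-variable step the question complains about) is needed. The Realm itself can also travel with the WAR in META-INF/context.xml. The login module class `com.example.CorpLoginModule`, the stanza name and the option keys are hypothetical; Servlet 3.0 (Tomcat 7+) is assumed for `@WebListener`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

/**
 * Installs the JAAS login configuration from inside the WAR at startup. Module
 * options are read from web.xml context-params instead of a jaas.config file.
 */
@WebListener
public class JaasConfigListener implements ServletContextListener {

    static final String APP_NAME = "MyApp";                            // must equal the JAASRealm appName
    static final String LOGIN_MODULE = "com.example.CorpLoginModule";  // hypothetical SSO login module

    /** Programmatic stand-in for one jaas.config stanza; any other stanza is delegated. */
    static final class InWarConfiguration extends Configuration {
        private final Configuration delegate;           // null when the JVM has no configuration at all
        private final AppConfigurationEntry[] entries;

        InWarConfiguration(Configuration delegate, Map<String, ?> options) {
            this.delegate = delegate;
            this.entries = new AppConfigurationEntry[] {
                new AppConfigurationEntry(LOGIN_MODULE, LoginModuleControlFlag.REQUIRED, options)
            };
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (APP_NAME.equals(name)) return entries.clone();   // hand out a copy, never the original
            return delegate == null ? null : delegate.getAppConfigurationEntry(name);
        }
    }

    private Configuration previous;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        Map<String, String> options = new HashMap<>();
        // Options that would otherwise sit in jaas.config; the keys are hypothetical.
        options.put("kdc", ctx.getInitParameter("sso.kdc"));
        options.put("servicePrincipal", ctx.getInitParameter("sso.servicePrincipal"));
        previous = currentOrNull();
        Configuration.setConfiguration(new InWarConfiguration(previous, Collections.unmodifiableMap(options)));
        ctx.log("JAAS stanza '" + APP_NAME + "' installed by " + ctx.getContextPath());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Configuration is JVM-global: restore the old one so an undeploy does not leave
        // this WAR's module class referenced from a classloader that no longer exists.
        if (previous != null) Configuration.setConfiguration(previous);
    }

    private static Configuration currentOrNull() {
        try {
            return Configuration.getConfiguration();
        } catch (SecurityException e) {   // thrown when no login configuration can be located
            return null;
        }
    }
}
```

The Realm declaration that pairs with this goes into the WAR's META-INF/context.xml (`<Realm className="org.apache.catalina.realm.JAASRealm" appName="MyApp" userClassNames="..." roleClassNames="..."/>`), so the server's own server.xml stays untouched. Two caveats apply: `Configuration.setConfiguration` is JVM-wide, so every web application on that Tomcat sees the installed configuration (the delegate chaining above keeps other stanzas working), and if Tomcat runs with a SecurityManager the WAR needs `AuthPermission "setLoginConfiguration"` in catalina.policy.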

