I have a secure web service (message authentification over ssl) bundeled in a war and I'm trying to use jdbcRealm to authentificate the user.
The jdbcRealm work fine with other ear apps but not for this .war
Actually glassfish is still using the fileRealm despite the configuration done in the web.xml
web.xml:
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/xoxoServer/secondWS/*</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<!--<auth-constraint>
<role-name>EMPLOYEE</role-name>
</auth-constraint>-->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>my_realm</realm-name>
</login-config>
</web-app>
In the console I get this :
FIN: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /secondWS POST)
FIN: JMAC: UnsupportedCallback : javax.security.auth.callback.NameCallback
FIN: JMAC: In PasswordValidationCallback Processor
FIN: jmac login user [test] into realm: file using JAAS module: fileRealm
FIN: Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
FIN: JAAS authentication aborted.
INFO: SEC5046: Audit: Authentication refused for [test].
INFO: SEC1201: Login failed for user: test
How to fix this ?
Thanks.
ps:I'm using Glassfish 3.1.2.2 b5 with jdk6
I solved this by:
packaging the war into an ear
adding the realm in the glassfish-application.xml ( in the ear)
Related
I have inherited a war file that uses jetty. I want to disable HTTP methods options.
I'm not familiar with the jetty server. Please help me in disabling HTTP methods in step
That's supported by the standard Servlet spec.
Edit the war's WEB-INF/web.xml and add a security constraint against the url-patterns to reject OPTIONS method on.
Example.
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<!-- ... other configurations ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted HTTP Methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
</web-app>
I'm trying implement a web service for two endpoints and getting this error
"404 Not Found: Invalid Request" when tried accessing the service after deploying onto the apache toncat 8.
Below are my web service implementation classes, sun-jaxws.xml and web.xml
WebImplementation1.java
package com.ws.soap.services;
import javax.jws.WebService;
#WebService(endpointInterface = "com.ws.soap.services.WebServiceImpl1")
public class WebServiceImpl1 {
public String printMessage() {
return "Hello from WebServiceImpl1 ";
}
}
WebServiceImplementation2.java
package com.ws.soap.services;
import javax.jws.WebService;
#WebService(endpointInterface = "com.ws.soap.services.WebServiceImpl2")
public class WebServiceImpl2 {
public String displayMessage() {
return "Hello from WebServiceImpl2 ";
}
}
sun-jaxws.xml
<?xml version="1.0" encoding="UTF-8"?>
<endpoints xmlns="http://java.sun.com/xml/ns/jax-ws/ri/runtime"
version="2.0">
<endpoint name="WebServiceImpl1" implementation="com.ws.soap.services.WebServiceImpl1"
url-pattern="/impl1" />
<endpoint name="WebServiceImpl2" implementation="com.ws.soap.services.WebServiceImpl2"
url-pattern="/impl2" />
</endpoints>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>JAX-WS-Tomcat</display-name>
<listener>
<listener-class>
com.sun.xml.ws.transport.http.servlet.WSServletContextListener
</listener-class>
</listener>
<servlet>
<servlet-name>sayhello</servlet-name>
<servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>sayhello</servlet-name>
<url-pattern>/impl1</url-pattern>
<url-pattern>/impl2</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
</web-app>
Using the exact code supplied (plus the JAX-WS RI jars downloaded from https://jax-ws.java.net/), I was able to create a webapp and successfully access the service endpoints /impl1 and /impl2. Be advised the <url-pattern> and <endpoint ... url-pattern="/impl1"> directives state the resource path to the JAX-WS endpoints within the context path of the enclosing web application.
So, if the name of the webapp is MyWebServices (MyWebServices.war with no other files/code than described in the post, deployed to Tomcat 8) and you have <url-pattern>/impl1</url-pattern> in web.xml, and with a default Tomcat instance listening on port 8080, your web service endpoint would be http://localhost:800/MyWebServices/impl1 with the WSDL available via http://localhost:800/MyWebServices/impl1?wsdl
If you want to customize your context path of your webapp (e.g. you don't want /MyWebServices/... you can use the techniques described in this SO question.
For example, my local Tomcat 8 is running on port 8081:
I'm learning JAX-RS using Jersey and deploy on JBoss EAP 6.3. I'm developing a test application that offers Webservices consumed by different clients. I correctly setted up the basic authentication system based on Roles and username/password (Realm correctly configured and UP&Running). Everything works fine when my client application consume the WS.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>testWS</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Realm</realm-name>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Pages</web-resource-name>
<url-pattern>/test/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>role-admin</role-name>
</auth-constraint>
</security-constraint>
<context-param>
<param-name>resteasy.scan</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<param-name>resteasy.scan.providers</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<param-name>resteasy.scan.resources</param-name>
<param-value>false</param-value>
</context-param>
<servlet>
<description>Admin test</description>
<servlet-name>Admin Servlet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>com.test.webservice.utils.AuthPackageClasses</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Admin Servlet</servlet-name>
<url-pattern>/test/*</url-pattern>
</servlet-mapping>
</web-app>
My second step is to consume the same webservices by a web dashboard which require a login form. My idea is to have a free WS to consume the login and return back some token inside the Cookie in the Response; the same token is stored in my Database.
Other WS must be consumed by the web dashboard injecting the Cookie and the server must validate the token stored in the Cookie.
How can I achieve to authenticate the User coming from two different authentication systems?
Should I redesign my whole authentication system and setup a listener:
if ther's a token in the Cookie -> validate the token
otherwise validate basic authentication
Is there a way to achieve this by configuring the web.xml?
What if I want to implement a third authentication system? My problem is to have the same context-root and validate the caller by different ways.
I want to achieve webservice security something like this
(http://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm - example is for javaee)
But inside tomcat + jersey application. Is it possible to do so ?
As far as I can see, tomcat does have annotation-api which can work in this case. Unable to figure out how.
package samples.helloworld;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.annotation.Security.RolesAllowed;
#Path("/helloworld")
#RolesAllowed({"ADMIN", "ORG1"})
public class helloWorld {
#GET
#Path("sayHello")
#Produces("text/plain")
#RolesAllows("ADMIN")
public String sayHello() {
return "Hello World!";
}
}
As described in the link above, you should secure your Rest WebServices. Example of Web.xml
<web-app>
<servlet>
<servlet-name>RestServlet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RestServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Orders</web-resource-name>
<url-pattern>/orders</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
</web-app>
I have quite simple task to accomplish - I have to set up the security for web services ( basic authentication with hardcoded in WLES user id and password). I set the web.xml (see code fragment below) but I have tough time configuring WebLogic. I added IdentityAssertionAuthenticator Authentication Provider, set it as Required, modified DefaultAuthenticator as Optional and I went to deployed application's security and set the role to "thisIsUser" and at some point it worked, but not anymore (I redeployed war file and set web service security the same way but no avail.) I'd greatly appreciate for all your help.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="PC3-WS" version="2.5">
<display-name>PC3-WS</display-name>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>PC3-WS</web-resource-name>
<url-pattern>/PC3-WS</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>basicGroup</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>basicGroup</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
</web-app>
weblogic.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="PC3-WS" version="2.5">
<display-name>PC3-WS</display-name>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>PC3-WS</web-resource-name>
<url-pattern>/PC3-WS</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>basicGroup</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>basicGroup</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
</web-app>
The list of authenticators:
DefaultAuthenticator
DefaultIdentityAssert
Now I have exception:
WS spec-version:2.5], request: weblogic.servlet.internal.ServletRequestImpl#23e1aca[
GET /PC3-WS/MetadataService?WSDL HTTP/1.1
User-Agent: Java1.6.0_22
Accept: text/html, image/gif, image/jpeg, */*; q=.2
Connection: Keep-Alive
]] Root cause of ServletException.
java.lang.NullPointerException
at weblogic.wsee.jaxws.JAXWSDeployedServlet.init(JAXWSDeployedServlet.java:45)
at javax.servlet.GenericServlet.init(GenericServlet.java:241)
at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
Truncated. see log file for complete stacktrace
>
java.lang.RuntimeException: weblogic.testclient.WsdlParseFailedException: Unable to parse WSDl at: http://192.168.1.3:7001/PC3-WS/MetadataService?WSDL
at weblogic.testclient.ConnectionState.createWsdl(ConnectionState.java:69)
at Controller.refreshWsdl(Controller.java:641)
at Controller.begin(Controller.java:451)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:879)
at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809)
at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478)
at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306)
at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:52)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3683)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: weblogic.testclient.WsdlParseFailedException: Unable to parse WSDl at: http://192.168.1.3:7001/PC3-WS/MetadataService?WSDL
at weblogic.testclient.ConnectionState.createWsdlFromHttpUrl(ConnectionState.java:199)
at weblogic.
testclient.ConnectionState.createWsdl(ConnectionState.java:60)
... 38 more
This is the way to secure a Web Service with basic HTTP Auth, in WLES 10.3.3.
In WLES Admin Console go to Security Realm --> MyRealm and create:
New user: user/12345678
New group: basicGroup
Add the user to the group
In web.xml add the security settings (path, basic type):
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="PC3-WS" version="2.5">
<display-name>PC3-WS</display-name>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>PC3-WS</web-resource-name>
<url-pattern>/PC3-WS</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>basicGroup</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>Authenticated</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
</web-app>
In weblogic.xml map the application role with server role (it is mandatory):
<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app
xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.1/weblogic-web-app.xsd">
<wls:weblogic-version>10.3.3</wls:weblogic-version>
<wls:context-root>PC3-WS</wls:context-root>
<wls:security-role-assignment>
<wls:role-name>Authenticated</wls:role-name>
<wls:principal-name>users</wls:principal-name>
</wls:security-role-assignment>
</wls:weblogic-web-app>
Build and deploy application.
Restart WLES.
You can test with SoapUI, passing userId and password in lower section called "Authentication and Security-related settings"
Go to File-->Preferences and in "HTTP Settings" check "Authenticate Preemptively"
Now you can run your web services from soapUI.
Can you provide the complete web.xml & weblogic.xml files?
Why do you have to configure IdentityAssertionAuthenticator if you just doing BASIC authentication?
Also can you provide what authenticator's you have in the Summary of Servers >myrealm >Providers (from console)
Finally you can enable the debugs to trace if authentication is getting trigged
On the console navigate to
Summary of Servers > %your_server% > Debug
expand weblogic > security and enable
DebugSecurity
atn > DebugSecurityAtn
Just ensure you have the logs in DEBUG mode. Test the app and have look at server log it should provide details on what's happening.