Wildfly https redirect - security

I'm currently trying to redirect HTTP to HTTPS on WildFly 10.
In standalone.xml I have the following configuration:
<management>
<security-realms>
<security-realm name="SSLRealm">
<server-identities>
<keystore path="/home/vagrant/key-cert.pem" keystore-password="password"/>
</server-identities>
</security-realm>
</security-realms>
</management>
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="SSLRealm" enable-http2="true"/>
</server>
</subsystem>
The rest of the document is untouched.
What am I missing?
Kind regards.
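To verify that the redirect the configuration above is meant to produce actually happens, the following added check (not part of the original question; host names and sample responses are constructed) parses a plain-HTTP response and flags anything that is not a same-host, same-path redirect to https. Note that Undertow only uses redirect-socket for requests that hit a security-constraint requiring CONFIDENTIAL transport, so an unconstrained URL will still answer 200 over plain HTTP.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)


def parse_response_head(raw: str):
    """Split a raw HTTP response head into (status_code, {lowercase header: value})."""
    status_line, _, rest = raw.partition("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return code, headers


def check_https_redirect(raw_response: str, request_url: str) -> list:
    """Return findings for a plain-HTTP response; an empty list means the
    redirect is acceptable.  A safe http->https redirect uses a redirect
    status, points at https, stays on the same host (so it cannot be abused
    as an open redirect) and preserves the requested path."""
    code, headers = parse_response_head(raw_response)
    if code not in REDIRECT_CODES:
        return [f"status {code} is not a redirect; listener still serves plaintext"]
    location = headers.get("location")
    if not location:
        return ["redirect status without a Location header"]
    target, origin = urlsplit(location), urlsplit(request_url)
    findings = []
    if target.scheme != "https":
        findings.append(f"Location scheme is {target.scheme!r}, not https")
    if target.hostname != origin.hostname:
        findings.append(f"Location host {target.hostname!r} differs from {origin.hostname!r}")
    if target.path != origin.path:
        findings.append(f"redirect drops the requested path {origin.path!r}")
    return findings


# Constructed sample responses (not captured from a real server).
SAMPLE_GOOD = ("HTTP/1.1 302 Found\r\n"
               "Location: https://app.example.test/admin/\r\n"
               "Content-Length: 0\r\n\r\n")
SAMPLE_BAD = "HTTP/1.1 302 Found\r\nLocation: http://other.example.test/\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        print(check_https_redirect(sample, "http://app.example.test/admin/") or "OK")
```

For a live check, feed the function the response head captured without following redirects (for example the output of `curl -s -I http://host/path`).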

Related

WiX MSI Installer: How to allow anonymous authentication when set to override="deny" in applicationHost.config

I have a web application that we install via a WiX MSI project. The web.config includes the authentication nodes below. Everything installs correctly, but after installation I get the error message:
"The configuration section cannot be used at this path". This is due to the configuration locking in applicationHost.config.
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
How can I override the applicationHost.config settings during the installation? I do install required Windows Features during the install, but am I missing one?
This is the solution that worked for me, calling appcmd from a custom action, before InstallFinalize.
<CustomAction Id="UnlockAnonymousAuthentication"
Execute="deferred"
Impersonate="no"
Return="check"
Directory="TARGETDIR"
ExeCommand="[SystemFolder]inetsrv\appcmd unlock config /section:anonymousAuthentication" />
<CustomAction Id="UnlockBasicAuthentication"
Execute="deferred"
Impersonate="no"
Return="check"
Directory="TARGETDIR"
ExeCommand="[SystemFolder]inetsrv\appcmd unlock config /section:basicAuthentication" />
<CustomAction Id="UnlockWindowsAuthentication"
Execute="deferred"
Impersonate="no"
Return="check"
Directory="TARGETDIR"
ExeCommand="[SystemFolder]inetsrv\appcmd unlock config /section:windowsAuthentication" />
<InstallExecuteSequence>
<Custom Action="UnlockAnonymousAuthentication" Before="InstallFinalize"><![CDATA[NOT Installed]]></Custom>
<Custom Action="UnlockBasicAuthentication" Before="InstallFinalize"><![CDATA[NOT Installed]]></Custom>
<Custom Action="UnlockWindowsAuthentication" Before="InstallFinalize"><![CDATA[NOT Installed]]></Custom>
</InstallExecuteSequence>
Hope this helps someone.
Here is currently a way to do this directly using the WiX IIS extension WebDirProperties element:
https://wixtoolset.org/documentation/manual/v3/xsd/iis/webdirproperties.html
Something similar to this should work. Notice the critical piece is the WebDirProperties element that specifies AnonymousAccess="yes" BasicAuthentication="no" WindowsAuthentication="no", which modify the IIS properties you are looking to change during installation.
<?xml version="1.0" encoding="UTF-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
xmlns:iis="http://schemas.microsoft.com/wix/IIsExtension" >
<Fragment>
<!-- Install to default web site -->
<iis:WebSite Id="DefaultWebSite" Description='Default Web Site'>
<iis:WebAddress Id="AllUnassigned" Port="80" />
</iis:WebSite>
<!-- References the installation folder specified in the Product.wxs file under the INSTALLFOLDER -->
<DirectoryRef Id="WEB_INSTALLFOLDER">
<!-- Configure virtual dir -->
<Component Id="VirtualDirectoryComponent"
Guid="{INSERT-YOUR-OWN-GUID-2C27-427A-A7B1-DA4DBCC79117}"
KeyPath="yes" >
<iis:WebVirtualDir Id="VirtualDirectory"
Alias="[WEB_DIRECTORY_ALIAS]" Directory="WEB_INSTALLFOLDER"
WebSite="DefaultWebSite">
<iis:WebDirProperties Id="VirtualDirectoryProperties"
AnonymousAccess="yes" BasicAuthentication="no"
WindowsAuthentication="no" />
<iis:WebApplication
Id="MyWebApplication"
Name="MyWebApplication" />
</iis:WebVirtualDir>
</Component>
</DirectoryRef>
</Fragment>
</Wix>

Direct access of protected JSF pages doesn't work by using HTTPS

Today I started to implement SSL in my Java EE project. Everything worked fine until I tried to directly access a protected area with a logged-out customer. Instead of being redirected to the login page, a single question mark appeared.
This behavior only occurs in Firefox; IE works fine.
Without SSL, Firefox works fine too.
I'm using Tomcat 7.0 and JSF 2.1.
The protected pages are:
Everything within SubDir /admin needs role ADMIN to be accessible
Everything within SubDir /customer needs role CUST to be accessible
The strange thing is that this question mark is displayed only when accessing some of the pages in SubDir /customer! When trying to access all the others (including those in /admin), the login page is displayed correctly (all pages are structured in the same way).
Finally, I got the web site up and running correctly by using TCP port 443 instead of 8443. Now both browsers correctly display the login page before someone is able to access a protected page.
So my question: does anyone have any idea why this behavior occurs if port 8443 is used? And is there a way that port 8443 can still be used?
Below you can find Tomcat's server.xml file.
Thanks in advance!
<?xml version="1.0" encoding="UTF-8"?>
<Server
port="8005"
shutdown="SHUTDOWN" >
<Listener
SSLEngine="on"
className="org.apache.catalina.core.AprLifecycleListener" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource
name="UserDatabase"
auth="Container"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml"
type="org.apache.catalina.UserDatabase" />
</GlobalNamingResources>
<Service name="Catalina" >
<Connector
connectionTimeout="20000"
port="8080"
protocol="HTTP/1.1"
redirectPort="443" />
<Connector
SSLEnabled="true"
clientAuth="false"
keystoreFile="C:\Program Files (x86)\apache-tomcat-7.0.30\conf\BookStore.keystore"
keystorePass="myPwd"
maxThreads="200"
port="443"
protocol="HTTP/1.1"
scheme="https"
secure="true"
sslProtocol="TLS" />
<Connector
port="8009"
protocol="AJP/1.3"
redirectPort="443" />
<Engine
name="Catalina"
defaultHost="localhost" >
<Realm className="org.apache.catalina.realm.LockOutRealm" >
<Realm
className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" />
</Realm>
<Realm
className="org.apache.catalina.realm.JDBCRealm"
connectionURL="jdbc:mysql://localhost/bookstore?user=bookstore&amp;password=book$tore"
driverName="org.gjt.mm.mysql.Driver"
roleNameCol="role"
userCredCol="pwd"
userNameCol="eMail"
userRoleTable="roles"
userTable="customer" />
<Host
name="localhost"
appBase="webapps"
autoDeploy="true"
unpackWARs="true" >
<Valve
className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
pattern="%h %l %u %t &quot;%r&quot; %s %b"
prefix="localhost_access_log."
suffix=".txt" />
<Context
docBase="BookStore"
path="/BookStore"
reloadable="true"
source="org.eclipse.jst.jee.server:BookStore" />
</Host>
</Engine>
</Service>
</Server>
That question mark appears when you're trying to use http on a https connection. You can't see what protocol you are using because the default settings within FF hide the protocol.
Enter about:config within the browser url and look for browser.urlbar.trimURLs, and set it to false. Now you'll see the http:// in front of your browser url. Switch it to httpS and the question mark will disappear.
Edit: The url you are trying to access is shown in the tab, it's http instead of https.
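As an added example (not from the answer above), here is a small probe that shows why the question mark appears: it sends a plain-text HTTP request to a port and classifies the reply, distinguishing a TLS-only connector such as the 8443 one in server.xml from a plain HTTP listener. Host names and the sample replies are constructed.

```python
import socket

TLS_ALERT = 0x15  # first byte of a TLS alert record
ALERT_DESCRIPTIONS = {10: "unexpected_message", 40: "handshake_failure",
                      50: "decode_error", 70: "protocol_version", 80: "internal_error"}


def classify_reply(data: bytes) -> str:
    """Interpret the first bytes a server returned after receiving a plain-text
    HTTP request line.  A TLS-only port never answers a plaintext request with
    'HTTP/' data of its own: it sends a TLS alert or simply closes the socket
    (recent Tomcat versions instead reply with an HTTP 400 saying TLS is required)."""
    if not data:
        return "no reply: connection closed, typical for plaintext sent to a TLS-only port"
    if data.startswith(b"HTTP/"):
        return "plain HTTP response: this port answered HTTP, read the status/body"
    if data[0] == TLS_ALERT and len(data) >= 7 and data[1] == 0x03:
        level = "fatal" if data[5] == 2 else "warning"
        desc = ALERT_DESCRIPTIONS.get(data[6], f"code {data[6]}")
        return f"TLS alert ({level} {desc}): this port expects TLS, use https://"
    return f"unrecognised reply {data[:8]!r}"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a plain HTTP request to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)


# Constructed replies (not captured from a real server):
PLAINTEXT_TO_TLS_PORT = b"\x15\x03\x03\x00\x02\x02\x0a"   # fatal unexpected_message
PLAIN_HTTP = b"HTTP/1.1 302 Found\r\n"

if __name__ == "__main__":
    for reply in (PLAINTEXT_TO_TLS_PORT, PLAIN_HTTP, b""):
        print(classify_reply(reply))
    # e.g. probe("localhost", 8443) against the HTTPS connector from server.xml
```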

Can someone tell me how the request is routed in the following IIS-Tomcat isapi_redirect (2.0) config?

I have the following settings:
1. Tomcat server.xml
<Server port="8005" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="8080"
maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
useBodyEncodingForURI="true" enableLookups="false"
redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
<Connector port="8009"
enableLookups="false" redirectPort="8443"
protocol="AJP/1.3" />
2. worker.properties
[channel.socket:localhost:8009]
info=Ajp13 worker, connects to tomcat instance using AJP 1.3 protocol
tomcatId=localhost:8009
3. IIS
Has a website on port 80 that has the isapi_redirect filter enabled.
My initial guess is
"port HTTP80->HTTP8009->HTTPS8443"
"port HTTP8080->HTTP8443"
Your AJP connector (8009) is not HTTP; it uses the AJP protocol.
If a client connects via IIS, the flow will be
IIS HTTP 80 -> Tomcat AJP 8009
or via HTTPS
IIS HTTPS 443 -> Tomcat AJP 8009
As far as I know the AJP13 protocol does not support encryption of the data involved in IIS-to-Tomcat communication, but you can set a parameter to let Tomcat know that the front web server is HTTPS so that request.isSecure() returns true.
Your connectors on ports 8080/8443 on Tomcat will only be used if you connect directly to Tomcat.

CruiseControl secure a build project node

Is there a way to secure a build project node in cruisecontrol? I would like to restrict the use of force build to specific users.
This can be done by adding a <security> tag in the project config.
<project name="TestProject">
<security type="defaultProjectSecurity" defaultRight="Deny">
<permissions>
<rolePermission name="TestProjectAdmin" ref="FractionFactionAdmin" />
</permissions>
</security>
</project>
<internalSecurity>
<cache type="inMemoryCache" duration="30" mode="sliding"/>
<users>
<passwordUser name="user1" password="change"/>
<passwordUser name="user2" password="change"/>
</users>
<permissions>
<rolePermission name="TestProjectAdmin" defaultRight="Allow" forceBuild="Allow" viewProject="Allow" startProject="Allow">
<users>
<userName name="user1"/>
<userName name="user2"/>
</users>
</rolePermission>
</permissions>
</internalSecurity>
Try like this.

WCF hosted in IIS, Problem connecting to database with integrated security

I have a WCF service hosted in IIS 5.1 on my development XP machine. The service cannot connect to the SQL Server DB with Integrated Security=true. The same service works fine when hosted in a console app. I have unchecked Anonymous access and checked Integrated Windows Authentication in IIS.
These are my settings in Web.config:
<connectionStrings>
<add name="CADISEntities" connectionString="metadata=res://*/UDI.CADISEntities.csdl|res://*/UDI.CADISEntities.ssdl|res://*/UDI.CADISEntities.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=DBSQLP404;Initial Catalog=CadisCustom;Integrated Security=True;MultipleActiveResultSets=True&quot;" providerName="System.Data.EntityClient" />
</connectionStrings>
I have tried changing Integrated Security to SSPI and Trusted_Connection=Yes, but no luck. Below are the config settings.
<service behaviorConfiguration="CADISBehaviour" name="GlobalInvestors.FIPA.BLL.UDI.CADISSecurities">
<endpoint binding="basicHttpBinding" bindingConfiguration="CADISBinding"
contract="GlobalInvestors.FIPA.BLL.UDI.ICADISSecurities" />
</service>
<basicHttpBinding>
<binding name="CADISBinding" closeTimeout="01:30:00" openTimeout="01:30:00"
receiveTimeout="01:30:00" sendTimeout="01:30:00" maxBufferSize="65536000"
maxBufferPoolSize="52428800" maxReceivedMessageSize="65536000">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" />
</security>
</binding>
</basicHttpBinding>
and in client
<endpoint address="http://ainaost4.amerus.corp.tld/FIPA/BLLHost/CADIS.svc"
behaviorConfiguration="Behavior" binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_ICADISSecurities" contract="CADISEntities.ICADISSecurities"
name="BasicHttpBinding_ICADISSecurities">
<!--<identity>
<userPrincipalName value="AINAOST4\ASPNET" />
</identity>-->
</endpoint>
<binding name="BasicHttpBinding_ICADISSecurities" closeTimeout="01:30:00"
openTimeout="01:30:00" receiveTimeout="01:30:00" sendTimeout="01:30:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="655360000" maxBufferPoolSize="655360000" maxReceivedMessageSize="655360000"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
Without setting impersonation in the code I get "The underlying provider failed on Open"; setting impersonation in the code, I get "Cannot initialize SSPI".
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
Tried googling and found that Application pool cannot be set in IIS 5.1.
Any suggestion to fix the issue would be greatly appreciated.
Fixed the issue by giving the fully qualified SQL Server name in the connection string.
