What is the equivalent code in JBOSS 7 for Weblogic's login security module code Authenticate.authenticate()
I recommend you toroughfully read JBOSS excellent migration guide .
WebLogic provides a proprietary ServletAuthentication class to perform programmatic login. In JBoss AS 7, you can use the standard Java EE6 Servlet 3.0 HttpServletRequest.login() method to perform programmatic login or you can define a element in the web.xml file.
To enable programmatic login, you must replace the WebLogic proprietary code with one of the following:
You can add the following annotations to the Servlet class that performs the authentication.
// Imports for annotations
import javax.annotation.security.DeclareRoles;
import javax.servlet.annotation.WebServlet;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
#WebServlet("/securedUrlPattern")
#ServletSecurity(#HttpConstraint(rolesAllowed = { "myRole" }))
#DeclareRoles("myRole")
public class SecuredServlet extends HttpServlet {
//Rest of code
}
If you prefer not to use the standard servlet, you can instead add a element containing a dummy URL pattern to the web.xml file. This notifies JBoss to create a default Authenticator. Failure to create a element in the web.xml file may result in the error message "No authenticator available for programmatic login".
Another reason we should choose JBOSS over Weblogic
Related
I'm trying to upgrade an old web app from JSF 2.1.1-FCS to 2.2.14 running in the Tomcat 8.5 Servlet 3.1 container.
The Mojarra JSF minimum requirements (for the latest version I guess, the page doesn't seem clear) says among other things that CDI 1.2 is required with 2.0 recommended.
I added cd-api-2.0 and weld-servlet-shaded-3.0.0.Final along with the other dependencies. Things seem to work until I test some URLs we've been using a long time. Our application has been using a cid parameter. Weld uses the same parameter to track conversations. As a result we get the WELD-000321: No conversation found to restore for id error.
I would like to call the org.jboss.weld.context.http.HttpConversationContext.setParameterName(String cid) as early as possible to modify the value for this web application.
What is the best way to change this value in a Servlet 3.1 Container Context like the one provided by Tomcat 8.5?
Initialize WELD_CONTEXT_ID_KEY in web.xml
Using the web.xml context-param WELD_CONTEXT_ID_KEY allowed me to override the Weld CDI conversation parameter key name from cid to a value of my choosing so I could preserve the legacy usage of cid in my upgraded application and avoid the WELD-000321 error.
<context-param>
<param-name>WELD_CONTEXT_ID_KEY</param-name>
<param-value>customValue</param-value>
</context-param>
This was the simplest solution, but I didn't make the association between that context parameter name and the conversation parameter key or error WELD-000321 when first reading the Weld documentation.
Or set programmatically
I was also able to override the parameter name / context id key programmatically from a custom ServletContextListener.contextInitialized method based on the SO example for getting rid of the NonexistentConversationException. Since I'm on Tomcat 8.5 (Servlet 3.1) I was able to use either #WebListener or the listener element in web.xml. It didn't seem to matter if my web.xml web-app version was the old 2.5 or if I updated it to 3.1.
package ssce;
import java.util.UUID;
import javax.inject.Inject;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import org.jboss.weld.context.http.HttpConversationContext;
#WebListener
public class MyServletContextListener implements ServletContextListener {
#Inject
private HttpConversationContext conversationContext;
#Override
public void contextInitialized(ServletContextEvent sce) {
hideConversationScope();
}
#Override
public void contextDestroyed(ServletContextEvent sce) {
}
/**
* "Hide" conversation scope by replacing its default "cid" parameter name
* by something unpredictable.
*/
private void hideConversationScope() {
conversationContext.setParameterName(UUID.randomUUID().toString());
}
}
I need to completely bypass security (authentication / authorization) for certain endpoints in my spring boot 2.0 app--endpoints like "/version" and "/robots.txt"--but keep security in place for all other endpoints.
To complicate matters, I'm working in a project that's a part of a much larger project. My company has another group that has supplied a library that makes use of spring security. This is only relevant because it means I cannot simply override a spring security class to make this work--those classes have already been overridden with code I don't control.
Is there a way to configure spring boot 2.0 to bypass authentication for certain endpoints?
In sprint boot 1.5, we could specify this in our application.yml file:
security.ignored: /version
but in spring boot 2.0 this no longer works.
Federico's answer is correct. I added the following class to my Spring Boot 2.0 class:
package com.example.demo;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
#Configuration
public class DemoConfigurer extends WebSecurityConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception{
http.authorizeRequests().antMatchers("/version").permitAll();
super.configure(http);
}
}
}
Despite adding OWIN authentication to my MVC site I keep getting redirected to /Account/Login even though I have set authentication to none in the web.config and changed the Owin LoginPath to /Login/
I have also noticed that the Startup.cs ConfigureAuth(IAppBuilder app) never gets hit.....
I have added the following packages
Microsoft.Owin
Microsoft.Aspnet.Identity.Owin
Microsoft.Owin.Security
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Security.Oauth
Owin
Do I need to configure OWIN to use my Startup.cs class or should it just work?
You should take a look at OWIN Startup Class Detection
Every OWIN Application has a startup class where you specify
components for the application pipeline. There are different ways you
can connect your startup class with the runtime, depending on the
hosting model you choose (OwinHost, IIS, and IIS-Express). The startup
class shown in this tutorial can be used in every hosting application.
You connect the startup class with the hosting runtime using one of
the these approaches:
Naming Convention: Katana looks for a class named Startup in namespace matching the assembly name or the global namespace.
OwinStartup Attribute: This is the approach most developers will take to specify the startup class. The following attribute will
set the startup class to the TestStartup class in the StartupDemo
namespace.
[assembly: OwinStartup(typeof(StartupDemo.TestStartup))]
The OwinStartup attribute overrides the naming convention. You can also specify a friendly name with this attribute, however, using a
friendly name requires you to also use the appSetting element in the
configuration file.
There are a few other things in addition to the above, which you will find at the link provided.
So far I have:
installed and started sbt.sample-1.0.0.20140125-1133.ear on my WebSphere Application
Server,
added an URL resource for the SBT Properties file.
The Social Business Toolkit Samples app runs fine and I'm able to connect to my IBM Connections and retrieve some ActivityStream entries.
When I first loaded the application, I noticed this error:
Exception stack trace: com.ibm.websphere.naming.CannotInstantiateObjectException: A NameNotFoundException occurred on an indirect lookup on the name java:comp/env/url/ibmsbt-managedbeansxml. The name java:comp/env/url/ibmsbt-managedbeansxml maps to a JNDI name in deployment descriptor bindings for the application performing the JNDI lookup. Make sure that the JNDI name mapping in the deployment descriptor binding is correct. If the JNDI name mapping is correct, make sure the target resource can be resolved with the specified name relative to the default initial context.
In the Samples application's ibm-web-bnd.xml file I found this line:
<resource-ref name="url/ibmsbt-managedbeansxml" binding-name="url/ibmsbt-managedbeansxml" />
And in the web.xml:
<resource-ref>
<description>Reference to a URL resource which points to the managed bean configuration for the Social Business Toolkit.</description>
<res-ref-name>url/ibmsbt-managedbeansxml</res-ref-name>
<res-type>java.net.URL</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
I'm wondering, why should there be an URL resource to the JSF Application Configuration Resource File (managed-beans.xml) in the first place? According to the Java EE documentation the JavaServer Faces implementation will look for it in the /WEB-INF/ folder.
Does the SBT uses JavaServer Faces technology somewhere? Or can I choose not to use the managed-beans.xml file in my own applications that use the SBT?
I wouldn't recommend you consider them related. managed-beans.xml had a prior name, and it's just a set of configuration objects. The project itself does not use Java Server Faces.
I just read the documentation again, more carefully than the first time, and I think I now have a better understanding of what I asked in my second question. From the documentation:
In a web application SBTFilter (HTTP servlet filter) is responsible
for initializing the application using servlet context. Application
does the initialization like loading the managed beans and properties
factories.
The sample app is a web application. I think in my own application I can choose to use com.ibm.commons.runtime.impl.app.ApplicationStandalone instead of com.ibm.commons.runtime.impl.servlet.ApplicationServlet and then configure an endpoint programmatically. Or alternatively do not use an Application at all, like so:
RuntimeFactory runtimeFactory = new RuntimeFactoryStandalone();
Application application = runtimeFactory.initApplication(null);
Context.init(application, null, null);
I want to know the authentication type if it is ldap realm or jdbc realm
I am not getting any solution in this problem
So i proposed to read the web.xml file from the jsf project
What i want is to read this file in the ejb project by an ejb bean
Is there any other solution other than my proposal
If you know the name of the realm you can get an instance of it and check the type with instanceof like this:
import com.sun.enterprise.security.auth.realm.Realm;
//...
Realm realm = Realm.getInstance("realmName");
if (realm instanceof JDBCRealm) {
// do something
}
If you don't have the name you may try your solution but I can't say if it will work because I think it will be difficult to get access to the ServletContext inside an EJB.