I am currently exploring out security in Tomcat and I just have one item that I don't get, or maybe I am missing a basic HTTP concept.
In the example project in Tomcat, I already configured SSL security like this
and then created my own certificate.
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/jsp/security/protected/*</url-pattern>
......
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
......
</auth-constraint>
<!-- must use SSL for secure transport -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
All is working fine and whenever I access a secured resource I am being redirected to https.
Now I was testing this locally and I am using Google Chrome Dev Tools and
while I was exploring the Network exchanges, I still see that my user name and password are still passed as plain text. My first thought is that they would be encrypted as something
There's no issue in here right? I can see in my network tab that my details are passed in plain text but others wont be able to see this, right?
As you are using Chrome's builtin tools to inspect the traffic it most probably shows the content before SSL-encryption takes place - you would not be able to read a single thing in that post otherwise.
If you want to see what's really "on the wire" you could capture the traffic using e.g. wireshark.
With HTTPS the data are encrypted in the communication channel. End points are not protected. That means that output is probably before you send it, or in the other side when you receive it.
Related
I am fairly new to Solr and I have been researching this for the past day and half and finally turning here.
I have a Solr server up and running and I had my network admin configure a rule in the firewall so that we can access it for queries from my JavaScript application. This works. The issue that I have is that the Solr admin pages is completely open to the world and I have tried everything as described in various posts with the exception of the ZooKeeper method which I don't really want to try coz I am not interested in setting up ZooKeeper and SolrCloud.
Reference post: http://muddyazian.blogspot.com/2013/11/how-to-require-password-authentication.html and some others
What I did was modify jetty.xml in /opt/solr/server/etc and added this
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Solr Admin Access</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
Then I added to web.xml in /opt/solr/server/solr-webapp/webapp/WEB-INF the config below
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr Admin Access</realm-name>
</login-config>
then I created a realm.properties file hashed the password according to this post Jetty/SOLR Admin Panel Password
Solr is now secure but everything is password protected, I want my queries to be open and the rest protected. I tried adding different url patterns such as /admin/* , /mycollection/dataimport/* etc but none of those seem to affect the fact that the query is also secure. Reference https://gist.github.com/jstrassburg/9777027
Following the advice of Exclude a JSP from web.xml's security-contraint you can keep your configuration as is, but expose that endpoints that you want to be public available.
So you could add a <security-constraint> like this to your web.xml, but leave out the <auth-constraint> for the matched <url-pattern>. This will make it open to the public. In addition with the basic auth for the rest of your Solr instance, you can then expose step by step the cores or handlers that shall be public.
<security-constraint>
<web-resource-collection>
<web-resource-name>mycollection</web-resource-name>
<url-pattern>/mycollection/*</url-pattern>
</web-resource-collection>
</security-constraint>
A caveat of this is that you will need to add anything that shall be public as an own URL pattern. But this may also be a plus, as you have the option to make fine grained access control to for the collections - e.g. one user per collection.
This might belong on serverfault, so please move if it does.
We just discovered that you can get to a list of SOLR indexes by going to: http://example.com:8983/solr/ this then allows you access to the SOLR admin for each index. This strikes us as... a bad thing. Luckily though, this is locked down to only be accessbile from a certain IP (our office IP via the firewall), but still means the janitor can get access to our SOLR collections. not ideal.
One way to circumvent it has been to remove the admin folder, however this still allows people access to http://example.com:8983/solr/ which isn't ideal.
I've read through the SOLR documentation on security, but can't seem to fully lock down access to /solr/*. It might be very well a case of looking at the wrong part of the documentation.
Using the code from the documentation:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/core1/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
and replacing <url-pattern>/core1/*</url-pattern> with an actual solr collection name does mean that when visiting http://example.com:8983/solr/collection_name/ it will ask me for a login and password, however, when just trying to lock down /solr/* or even * I get no such luck.
I'm using the built in solr that came with CF9
Is this a remote Solr server or is it on the same server as CF9, if on the same server as CF9 then you can just tell Solr to listen on 127.0.0.1. There was a patch for this for CF 9.0.0 back in 2010: http://www.adobe.com/support/security/bulletins/apsb10-04.html
If it is a remote solr server, then you can use your network firewall, or a local firewall (windows firewall or iptables) to limit access to this port (and possibly this server) to only the CF server.
In my project, I am using SSL but it works for all pages.I want to use it for only a login page, after that page it should revert to HTTP protocol. How can i do that? I found a way below, but it does not work.
<security-constraint>
<web-resource-collection>
<web-resource-name>Notify page, accessed internally by application</web-resource-name>
<url-pattern>/Login.xhtml</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Site</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
My project is a JSF 2.0 project, I am using Eclipse Helios and Tomcat 7.0.
Thanks.
That's not possible. When the session is created by HTTPS request, then it is not available to HTTP requests. Your best bet is to create a non-secure cookie yourself during login and maintain the login by that instead.
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("secure", false);
externalContext.addResponseCookie(name, value, properties);
But think once again about this, what's the point of the HTTPS login then? If you go back to HTTP after HTTPS and you want to keep the user logged-in, then you're required to set the session cookie unsecure. This way hackers will still be able to sniff the session ID in the cookie to do a session fixation hack. With login over HTTPS you only prevent that hackers learn about the actual username/password, but that has no point anymore once a hacker figures the session ID in the cookie.
I'd say, forget the switch and stick to HTTPS all the time after login.
I have a Tomcat 5.5 server and i deploy a application on it.
I have something like this http://tocatServer:8088/MyApp
I want to limit the acces of users at this address by putting an username and password, but i need help. I know that i must add roles on web.xml, i try it but without success.
If possible i want to send the URL like this
http://username:password#tocatServer:8088/MyApp
This url is sent from a java swing application for getting license from the serlet
Thanks
To restrict the access to a webapp (or to a folder in the webapp URL) in Tomcat:
in webapps/MyApp/WEB-INF/web.xml add
<security-constraint>
<web-resource-collection>
<web-resource-name>
Entire webapp
</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<!-- pay attention: BASIC in insecure, use it only for test, search for a more secure method -->
<auth-method>BASIC</auth-method>
<realm-name>Text reported when prompting the user for un and pw</realm-name>
</login-config>
and in conf/tomcat-users.xml add
<role rolename="member"/>
<user username="bubi" password="bubi" roles="member"/>
Then reload the webapp and maybe restart Tomcat too.
Source: O'Reilly's Top Ten Tomcat Configuration Tips - 5. Configuring Basic Authentication
About the second question, I don't know how to realize it.
Anyone know of any guides for this? I'm a complete newbie to weblogic and to container-managed security. What I've done already is:
setup an LDAP authenticator in Weblogic
created a simple webapp in Eclipse
Configure web.xml: Added security-constraint, security-role and login-config elements. The realm name used is "myrealm" which already exists in Weblogic. The role name I used is "Admin" which is a global role in Weblogic
Create a simple jsp page "login.jsp". It doesn't actually do any logging in but just a Hello World type of thing. I set this page as form-login-page and form-error-page in login-config in web.xml
Export this webapp to a war file and deploy it in Weblogic
I test it by accessing http://weblogic-server/test/login.jsp, and I expect that I'll be asked to login using an LDAP user first. This doesn't happen, it just shows the Hello World jsp.
I've also tried adding a weblogic.xml to map the "Admin" role to a specific LDAP user (didn't work).
Any advice? It seems there's a lack of online references for this sort of thing (or I don't really know what I should be searching for)
Edit: I've also tried using BASIC auth instead of FORM (no luck)
My web.xml settings are below:
<security-constraint>
<display-name>Test SC</display-name>
<web-resource-collection>
<web-resource-name>Test WR</web-resource-name>
<url-pattern>/hello.jsp</url-pattern>
<http-method>*</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>Admin</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
The login page must do some sort of logging in, with the 2 required fields. You have protect the hello_world.jsp page in the web.xml and go to that pages, the login page will be presented.
Edit:
The order is incorrect: it should be security-constraint, login-config and security-role.
Within the web-resource-collection the value of * is invalid for http-method. If you want to protect every method just leave it away.
Note: the server logging whould have hinted the incorrect order of elements in your web.xml.