Hawtio unable to connect to Jolokia if Jolokia security is enabled - security
Very new to Hawtio and Jolokia. I am NOT using JBOSS or any other RedHat product, only Tomcat. I downloaded Hawtio-default.war (ver. 1.4.21) and Jolokia.war (ver. 1.2.2). I have two Tomcat (7.0.39) instances on my local machine (localhost), running on port 18080 and 38080 respectively.
The issue: If I didn't enable the security for Jolokia, I was OK to connect from Hawtio (port 18080) to Jolokia (port 38080) without any problem. However, if I enabled the security for Jolokia, I was NOT able to connect and always got below error (tried in both FF and Chrome):
This is the details of I have done:
1. Deployed Hawtio.war to Tomcat running on port 18080.
2. deployed Jolokia.war to Tomcat running on port 38080.
3. Without enabling security for Jolokia, I was able to connect from Hawtio (port 18080), without proxy, to Jolokia (port 38080). Success.
4. Then, I tried to enable security for Jolokia by uncommenting the section in its web.xml to make it look like this:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Jolokia-Agent Access</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Jolokia</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>Jolokia</role-name>
</security-role>
and in tomcat/conf/user-tomat.xml file, I added:
<role rolename="Jolokia"/>
<user username="admin" password="hawtorwhat" roles="Jolokia"/>
Add username/password and role to tomcat-users.xml file as:
restarted both Tomcat instances.
Tried to goto Jolokia directly http://localhost:38080/jolokia, it prompted me for username and password. After I typed in admin and hawtorwhat, I was shown below message in my browser. So it looked like OK to directly remote connect to a security-enabled Jolokia.
launched http://localhost:18080/hawtio, clicked on "Connect" tab, provided same info plus username and password for localhost port 38080 (without proxy), un-success. the error was always the same (different error for different browser, strange, no previous hawtio plug-in for Chrome):
In FireFox:
Cannot Connect: [Exception... "Failure" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: http://localhost:18080/hawtio/app/app.js?6f7be3a9a9f2ffe8 :: .send :: line 8" data: no]
In Chrome:
Cannot Connect: NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'http://localhost:38080/jolokia-war-1.2.2/?maxDepth=2&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false'.
I also tried check 'use proxy', it didn't work regardless with or without security enabled. Error message was as:
java.net.UnknownHostException: http
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:178)
java.net.PlainSocketImpl.connect(PlainSocketImpl.java:157)
java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
java.net.Socket.connect(Socket.java:579)
java.net.Socket.connect(Socket.java:528)
java.net.Socket.<init>(Socket.java:425)
java.net.Socket.<init>(Socket.java:208)
io.hawt.web.OpenShiftProtocolSocketFactory.createSocket(OpenShiftProtocolSocketFactory.java:36)
org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122)
org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
io.hawt.web.ProxyServlet.executeProxyRequest(ProxyServlet.java:418)
io.hawt.web.ProxyServlet.doPost(ProxyServlet.java:273)
javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
io.hawt.web.RedirectFilter.process(RedirectFilter.java:66)
io.hawt.web.RedirectFilter.doFilter(RedirectFilter.java:38)
My IE (ver. 9) doesn't seem to support html5, leave it out for now...
I read docs and others internet posts for both Hawio and Jolokia, not sure what I missed. Based on #3 and #7 above, Jolokia seemed to be running fine. What else should I do? Is any config or additional files that I need to add anywhere? Please help. Also, how am i going to debug this?
Thank you,
---misterxy
Related
Apache module is not enabled
Attempting to use directives for an Apache module that is not enabled will result in apachectl configtest messages like the following:Example Error Output (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:9090 (127.0.0.1) failed The Apache error log may have more information. I tried verifying logs and searched the error in online but unable to find anything. Can someone please help with the same.
Running Derby as a server on Linux using JDK11
I am at my wits end!
I have a minimal install of Ubuntu Server 18.04 and OpenJDK 11 (headless).
Downloaded, to a local folder are the java 9+ binaries for Derby (db-derby-10.15.2.0-bin)
Path and Environment settings are all correct!
When I start the server startNetworkServer -h 0.0.0.0, I get an error when doing a simple connect using the ij command line tool
ij> connect 'jdbc:derby://localhost:1527/dbname;create=true';
ERROR XJ041: DERBY SQL error: ERRORCODE: 40000, SQLSTATE: XJ041, SQLERRMC: Failed to create database 'dbname', see the next exception for details.::SQLSTATE: XBM01::SQLSTATE: XJ001
The derby.log file makes reference to:
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.SOURCE_DATE_EPOCH")
Looking further into this error, I learned that I somehow need a security.profile. I found this website that seemed to be the answers to my problems. https://www.javacodegeeks.com/2020/04/apache-derby-database-jvm-security-policy.html
Following these pretty straight-forward instructions, I get:
java.security.AccessControlException: access denied
org.apache.derby.shared.common.security.SystemPermission( "engine", "usederbyinternals" )
For the next person who has this strange problem (it seems to happen with some regularity, here's a simple workaround, copied from this FAQ page at Chalmers Institute of Technology:
Q: When we try to create a database in Derby and the database explorer in NetBeans, we get one or more of the following error(s):
An error occurred while creating the database:
java.sql.NonTransientConnectionException: DERBY SQL error: ERRORCODE:
40000, SQLSTATE: XJ041, SQLERRMC: ...
Caused by: java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "getenv.SOURCE_DATE_EPOCH")
A: This is some kind of missconfiguration in the JVM with a very aggressive security policy that doesn't allow applications to fetch the time on the system (since epoch). The solution is to edit ~/.java.policy or [java.home]/lib/security/java.policy and add the following:
grant {
permission java.lang.RuntimePermission "getenv.SOURCE_DATE_EPOCH", "read";
};
If you are on Windows you can read about where this policy file is supposed to be located here;
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html
Apache-Derby is a database management system prepared for a multi-user environment, therefore, when you execute the startNetworkServer -h 0.0.0.0 instruction, you are telling it by default to take certain security into account, and that is why it does not let you do an insecure connection such as ij> connect 'jdbc:derby://172.16.17.31:1527/BBDD_server;create=true'; because you are connecting without specifying username and password, so you should either connect by specifying username + password, or start the server without any security: startNetworkServer -h 0.0.0.0 -noSecurityManager More help: https://db.apache.org/derby/docs/10.4/adminguide/tadminnetservopen.html https://db.apache.org/derby/docs/10.4/adminguide/tadminnetservbasic.html
can't start prestodb server over https with a custom password authenticator
I'm using presto 0.206 and trying to config it to run over https with a password authenticator that i wrote.
I get the following error -
2018-10-29T16:24:45.974+0200 INFO main com.facebook.presto.server.security.PasswordAuthenticatorManager -- Loading password authenticator --
2018-10-29T16:24:45.976+0200 INFO main Bootstrap PROPERTY DEFAULT RUNTIME DESCRIPTION
2018-10-29T16:24:45.980+0200 INFO main com.facebook.presto.server.security.PasswordAuthenticatorManager -- Loaded password authenticator v3io --
2018-10-29T16:24:45.989+0200 INFO main com.facebook.presto.server.PrestoServer ======== SERVER STARTED ========
2018-10-29T16:24:45.989+0200 ERROR Announcer-0 io.airlift.discovery.client.Announcer Cannot connect to discovery server for announce: Announcement failed for https://192.168.224.157:8889
2018-10-29T16:24:45.990+0200 ERROR Announcer-0 io.airlift.discovery.client.Announcer Service announcement failed after 9.44ms. Next request will happen within 0.00s
looks like my plugin ("v3io") is loaded successfully but something is wrong with the https config
config.properties -
coordinator=true
node-scheduler.include-coordinator=true
http-server.https.enabled=true
http-server.https.port=8889
query.max-memory=5GB
query.max-memory-per-node=1GB
discovery-server.enabled=true
discovery.uri=https://192.168.224.157:8889
node.internal-address=192.168.224.157
http-server.https.keystore.path=/opt/presto-server-0.206/keystore.jks
http-server.https.keystore.key=password
http-server.authentication.type=PASSWORD
Change the discovery.uri value to be http not https. I don’t think it supports HTTPS.
Enabling non root user to run tomcat with port 443
I am trying to run tomcat with https as a non-root user. Configured server.xml with required port modification and added SSL configuration. However when I execute sudo systemctl restart tomcat get following error in catalina.out org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-443"] java.net.SocketException: Permission denied at sun.nio.ch.Net.bind0(Native Method) at sun.nio.ch.Net.bind(Net.java:433) at sun.nio.ch.Net.bind(Net.java:425)
Follow this post Resolution point number 5 works better # setcap cap_net_bind_service+ep /path/to/bin/java
Tomcat server is not starting
I am using jdbc in form based authentication but when i add realm tag with connection properties in server.xml file, tomcat is not starting: <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:#localhost:1521:XE" connectionName="system" connectionPassword="system" userTable="users" userNameCol="username" userCredCol="password" userRoleTable="user_roles" roleNameCol="rolename"/>