When using WAS we use the j2c credentials store to hold external system's users & passwords.
WAS provides some proprietary apis to get this information.
The benefit of using this instead of a local file that:
- the WAS admin can add/modify credentials having no knowledge of the application structure.
- it is managed in a central way for the whole cluster
- WAS stores it among other own credentials in a folder that is supposed to be secure (at SO level)
- Devs do not need to know about production passwords
Now we are coding for JBOSS and we wonder if there is any similar API in JBoss to get users/passwords by code.
Thank you!!
We have found the solution. JBoss has a "vault" that is explained in the security guide.
Basically it lets you cypher everything you want in the server configuration file (i.e. standadlone.xml). Then it decyphers it when starting the server.
We simple added a JNDI String to the server xml config file with the cyphered credentials. When we get that JNDI value from our code, credentials are already in plain text.
Quite an elegant solution from JBoss dev team.
Related
I have a JSF 2 project and am using Eclipse Inigo as IDE, and deploying to Tomcat 6 (which is running in a a virtual machine in VirtualBox to mimic the target environment). I am not using Eclipse to deploy. Right now I'm simply exporting a .war file and deploying it from the Tomcat manager screen. I am using HSQLDB to store users, passwords, and user roles. One project requirement that is causing me confusion is that my web app must be fully self-contained. That is to say, I deliver a .war file and they plug it in without additional configuration to Tomcat.
I've read a ton on configuring my project for form authentication, including: SO question 1, SO question 2, SO question 3, Tomcat Realm config, Java EE 6 security, and more. Those sources really helped understand how to configure my project. I thought I was almost there. However, when I deploy the web app and try to access a restricted page I always get the login error page. I attempt login with one of various users in the DB with the role required, and I think the DB is set up according to the Tomcat Documentation.
All the tutorials I've read differ from my situation in one way or another:
Uses Glassfish instead of Tomcat
Uses BASIC authentication instead of FORM
Stores users, passwords, and roles in tomcat-users.xml instead of relational DB tables
Declares roles in server.xml instead of somewhere within the .war file.
Point 4 especially is preventing me from getting a full understanding of what is and is not possible (out of the box).
I will edit this question later to post code (web.xml, etc.), but first I wanted to ask a question similar to the one in the 'SO question 2' (above), in which the OP asks whether it's possible to do form authentication without defining something in the application server. In one of the answers it sort of sounds like it is not possible, but it's not quite definitive.
So, is it possible to implement form authentication without modifying files in the server (specifically server.xml and tomcat-users.xml as so many tutorials show)? Can form authentication with a DataSourceRealm be done with the requirement of the .war being fully self contained? If so, how? Can I include additional .xml files in my .war that would do the trick? Can I include everthing I need in web.xml and context.xml?
I've tried including everything in web.xml and context.xml, but it is not working. I thought I had things configured properly except for not having anything in the server.xml file.
I'll leave it at that for now. If what I need is possible, I'll edit with code to try to figure out what I'm doing wrong, otherwise, I'll save the trouble. Also, if what I need is not possible using form authentication, can anyone recommend a good alternative to achieve the same in a self-contained .war? (I'm throwing around the term 'self-contained .war' for lack of a better way to describe it...if there's a better or more precise term, let me know.)
Unfortunately, you can not do it.
Realms are configured in the server.xml file so if you want to authenticate a user against database you have to configure it in the server.xml file.
If you want to authenticate a user against database and ensure all your configuration will be within your WAR file please consider to use the Spring Security framework: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
It is the great and simple framework that solves a lot of authentication / authorization problems.
According to the above documentation, to create the initial configuration I need to open a web browser. This is sound really weird to me. I would like to script the deploy of OpenAM and it seems impossible.
https://wikis.forgerock.org/confluence/display/openam/Deploy+OpenAM
My actual script do the following
Download openam
extract openam
copy .war in tomcat webapp
extract administration tools
extract configuration tool
extract diagnostic tool
download opendj
lauch the setup of opendj with all args
Now I would like to launch the configuration tool of openam with the configuration file I would like to use but it seems OpenAM must be already configured;
The configuration tool require $HOME/openam/boostrap file where $HOME/openam is the configuration folder that should exists once you have already configure it.
Is this true ? To use configuration tool you must already have configured your service ?
Of course not ... 'configurator tool' is meant to initially configure OpenAM.
For the sake of simplicity, you should not use an external data store.
If you really want to use an external configuration store (OpenDJ or Oracle DSEE are the only supported ones currently), the external config store must be up and running before launching 'configurator tool'.
OpenDJ can be configurated in an automated way as well.
If you do not need an external configuration store, just deploy the OpenAM web-app and use 'configurator tool'
Some helpful links:
Using the CLI
configurator.jar documentation
Automated installation and configuration of OpenAM
I have ran in my computer
aspnet_regiis -pe "connectionStrings" -app "/MyApp" -site "MySite"
And it created an encripted < connectionStrings > xml element in web config
Now every time that I delpoy my app to a new environment
web.config is being "web transformed" into a new web.config and then deployed.
I understand that the encryption is unique per machine.
I tried to copy the encrypted value and it didnt work.
Do I need to run "aspnet_regiis -pe... " command evey time I deploy and on every machine?
Is there a better practice?
what/where is the unique key in my computer that my machine uses in the encription?
Do I need to guard it for potential attacks?
thanks.
1) Yes, I would recommend deploying the unencrypted web.config file to the new server, then running your encryption command as part of the "deployment process".
2) The OS and Framework should be guarding the default encryption key for you already. You can learn more about the internals of all this at the following link:
http://msdn.microsoft.com/en-us/library/dtkwfdky%28v=vs.100%29.aspx
"This walkthrough uses the default RsaProtectedConfigurationProvider provider that is specified in the Machine.config file and named "RsaProtectedConfigurationProvider". The RSA key container that is used by the default RsaProtectedConfigurationProvider provider is named "NetFrameworkConfigurationKey"."
Keep in mind that the key that is used to encrypt/decrypt the web.config file is not the machine key (it is separate). However if you're deploying to a web farm you'll want to also ensure that the machine keys are consistent or you'll see strange errors arise.
I am aware of weblogic templates, but out of curiosity I wanted to know, Is it ok to copy a domain in weblogic in situations where we need to have the same configuration? I have already done the same and have been successful in testing my application.
You can get away with doing this, but there are a couple of more reliable (and scriptable) ways to migrate the same configuration through the development team, or to create new deployment environments.
The domain template builder lets you build your own custom domain template from an existing domain: http://download.oracle.com/docs/cd/E13179_01/common/docs92/tempbuild/starttb.html
There's a couple of ways to get it done with WLST, as well:
You can use configToScript to spit out an entire WLST script (and properties file) to recreate the exact configuration you've got, or...
You can use readDomain and writeDomain in offline mode to recreate an existing configuration in a new domain:
readDomain: http://download.oracle.com/docs/cd/E13222_01/wls/docs92/config_scripting/reference.html#wp1003638
writeDomain: http://download.oracle.com/docs/cd/E13222_01/wls/docs92/config_scripting/reference.html#wp1003688
It's okay to copy the domains over and it worked exceptionally well prior to WebLogic 9.2. However, there are some weird bugs that pop up for versions that are using the portal for the console.
Also, after copying the file you would want to make sure that all listen addresses and ports have been modified accordingly so that your local managed server doesn't attempt to connect to the production administration server on startup.
I am planning on using a local repository, using only TortoiseSVN's "create repository here" feature.
The repo is created and I can read and write to it just fine. The problem is that I can't get authentication to work. I thought I wanted Windows authentication, but I actually want the simple text-file based authentication so I can force the current system user (i.e. any person can be using the same Windows account and I want to differentiate between them) to provide their name and password. I haven't found any information on how to do this without svnserve running.
So far, I have modified svnserve.conf like this:
anon-access = read
auth-access = write
password-db = passwd
realm = LocalOnly
I didn't mess with the [sasl] section.
I also modified passwd:
[users]
harry = teH0wLIpW0gyQ
I am trying to use encrypted passwords created with a simple perl script. However, regardless of what I do with the repo (i.e. including writing to the repo), I am never prompted for a password.
I tried clearing TortoiseSVN's authentication cache since I do connect to a remote repo, but this didn't matter at all.
Has anyone tried this and succeeded? Or is it not possible without svnserve?
Not possible without svnserve - it takes care of the challenge/response.
Try Subversion Edge. you can edit the file you are mentioning using the GUI provided by the tool. It uses its own http server(not svnserve or IIS).
Unfortunately your best bet with a local repository is to use your file system permissions. A simple and free option for a server (that's easy to manager) would be VisualSVN Server. You can hang it off or a workstation or drop it on a public webserver somewhere. I now have mine setup with a reverse proxy with IIS7 so it's integrated with the rest of my web site.