where to set xpages/ibmsbt proxy configuration - xpages

I have an intranet-based Domino 9x (running Windows) server sitting behind a firewall and proxy. To make http/s requests via server-side Java I set the http/s.proxyHost and other JVM settings to allow my java.net calls. This works fine when doing a simple GET via java.net classes, but fails when I attempt to use the ibmsbt ProfileService call (the code works fine when outside our network). Can anyone out there direct me to what is probably an obvious answer on where to configure the proxy settings (host, port, username, password)? I've seen a few references to the managed-bean.xml file, but it seems it is associated with some debugging proxy, and doesn't have any settings for username/password that I'm aware of.
SmartCloudFilesEndpoint config in faces-config:
<managed-bean>
<managed-bean-name>smartcloud</managed-bean-name>
<managed-bean-class>com.ibm.xsp.extlib.sbt.services.client.endpoints.SmartCloudFilesEndpoint
</managed-bean-class>
<managed-bean-scope>application</managed-bean-scope>
<!-- Endpoint URL -->
<managed-property>
<property-name>url</property-name>
<value>https://apps.na.collabserv.com</value>
</managed-property>
<managed-property>
<property-name>serviceName</property-name>
<value>SmartCloud</value>
</managed-property>
<!-- OAuth parameters -->
<managed-property>
<property-name>appId</property-name>
<value>XPagesSBT</value>
</managed-property>
<managed-property>
<property-name>credentialStore</property-name>
<value>CredStore</value>
</managed-property>
<managed-property>
<property-name>requestTokenURL</property-name>
<value>https://apps.na.collabserv.com/manage/oauth/getRequestToken</value>
</managed-property>
<managed-property>
<property-name>authorizationURL</property-name>
<value>https://apps.na.collabserv.com/manage/oauth/authorizeToken</value>
</managed-property>
<managed-property>
<property-name>accessTokenURL</property-name>
<value>https://apps.na.collabserv.com/manage/oauth/getAccessToken</value>
</managed-property>
<managed-property>
<property-name>consumerKey</property-name>
<value>xxxxxxxxxx</value>
</managed-property>
<managed-property>
<property-name>consumerSecret</property-name>
<value>xxxxxxxxxx</value>
</managed-property>
</managed-bean>

SBT currently supports this for debug purposes. You can enable this by adding the property below to your endpoint.
<managed-property>
<property-name>httpProxy</property-name>
<value>IpOfProxy:PortNumberOfProxy</value>
</managed-property>
If you need to enable this for all endpoints, just add this to your sbt.properties directly
sbt.httpProxy=127.0.0.1:8888
We do not support the credentials for now as this is not required by most of the proxies used for debugging like Fiddler or Wireshark.
Can you provide me more details of your environment and I can check if we can enhance the code to work in your environment.

Try Ports -> Proxies in Server Document.


How can I secure Solr 5.3.1 only admin pages

I am fairly new to Solr and I have been researching this for the past day and half and finally turning here.
I have a Solr server up and running and I had my network admin configure a rule in the firewall so that we can access it for queries from my JavaScript application. This works. The issue that I have is that the Solr admin pages are completely open to the world and I have tried everything as described in various posts with the exception of the ZooKeeper method, which I don't really want to try because I am not interested in setting up ZooKeeper and SolrCloud.
Reference post: http://muddyazian.blogspot.com/2013/11/how-to-require-password-authentication.html and some others
What I did was modify jetty.xml in /opt/solr/server/etc and added this
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Solr Admin Access</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
Then I added to web.xml in /opt/solr/server/solr-webapp/webapp/WEB-INF the config below
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr Admin Access</realm-name>
</login-config>
Then I created a realm.properties file and hashed the password according to this post: Jetty/SOLR Admin Panel Password
Solr is now secure but everything is password protected, I want my queries to be open and the rest protected. I tried adding different url patterns such as /admin/* , /mycollection/dataimport/* etc but none of those seem to affect the fact that the query is also secure. Reference https://gist.github.com/jstrassburg/9777027
Following the advice of Exclude a JSP from web.xml's security-contraint, you can keep your configuration as is, but expose the endpoints that you want to be publicly available.
So you could add a <security-constraint> like this to your web.xml, but leave out the <auth-constraint> for the matched <url-pattern>. This will make it open to the public. In combination with the basic auth for the rest of your Solr instance, you can then expose step by step the cores or handlers that shall be public.
<security-constraint>
<web-resource-collection>
<web-resource-name>mycollection</web-resource-name>
<url-pattern>/mycollection/*</url-pattern>
</web-resource-collection>
</security-constraint>
A caveat of this is that you will need to add anything that shall be public as its own URL pattern. But this may also be a plus, as you have the option of fine-grained access control for the collections - e.g. one user per collection.

Prevent direct access to composite components by placing them inside /WEB-INF

I'm trying to define some composite components in my web application. According to the tutorials I read, I have to place the xhtml files inside a resource folder located in webcontent.
This solution is problematic, given that it would make those files available for public access from a URL.
Is there a way to put these components inside the web-inf folder, and make JSF look for the files there?
If not, is there another way to avoid direct access?
Thanks.
P.S.: I have looked into this answer, and if I understood BalusC's answer correctly, what I intend to do is possible.
"Composite components" are not exactly the same as "compositions" in the question/answer you found. The OP was clearly talking about compositions as in <ui:include> files which are including <ui:composition> content.
You effectively want to prevent direct access to /resources. This can be achieved by adding the following security constraint entry to web.xml:
<security-constraint>
<display-name>Restrict direct access to JSF resources</display-name>
<web-resource-collection>
<web-resource-name>JSF resources</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint /><!-- Empty auth constraint! -->
</security-constraint>
As per the upcoming JSF 2.2, this would not be necessary anymore as it allows you to move the whole /resources folder into /WEB-INF by the following configuration entry in web.xml:
<context-param>
<param-name>javax.faces.WEBAPP_RESOURCES_DIRECTORY</param-name>
<param-value>WEB-INF/resources</param-value>
</context-param>

Tomcat6 : a way to apply a "global" accept/reject IP filter?

I've got a tomcat6 servlet container which runs various applications, such as solr. I'd like to be able to specify which IP addresses are allowed to access the server. Is there a way to "globally", for all servlets, specify which IP addresses can access any of the servlets?
I solved it by editing the servlet context.xml file. Even though it isn't a "global" solution, it did the trick and allows me to filter access by IP address.
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="[IPADDRESS]"/>
</Context>
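A check for the `allow` value before it goes into the valve, added here as an example and not part of the original post. It assumes Tomcat 6's documented behaviour that `allow` is a comma-separated list of regular expressions, each matched against the whole remote address; Python's `re` stands in for `java.util.regex`, and the patterns and networks are constructed.

```python
import ipaddress
import re

def valve_allows(allow, addr):
    """True if addr fully matches any comma-separated regex in the allow value."""
    patterns = [p.strip() for p in allow.split(",") if p.strip()]
    return any(re.fullmatch(p, addr) for p in patterns)

def leaked(allow, intended_cidr, probe_cidr):
    """Addresses in probe_cidr that the allow value admits although they
    lie outside the network the administrator meant to allow."""
    intended = ipaddress.ip_network(intended_cidr)
    return [str(ip) for ip in ipaddress.ip_network(probe_cidr)
            if ip not in intended and valve_allows(allow, str(ip))]

# Constructed allow values for an intended allow-list of 192.168.1.0/24.
LOOSE = "192.168.1.*"         # written like a glob, but parsed as a regex
STRICT = r"192\.168\.1\.\d+"  # dots escaped; no {m,n} because of the comma split

if __name__ == "__main__":
    for name, allow in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        extra = leaked(allow, "192.168.1.0/24", "192.168.0.0/16")
        print(name, "admits", len(extra), "addresses outside 192.168.1.0/24",
              extra[:3])
```

The glob-style value also admits every address whose third octet merely starts with 1 (192.168.10.x, 192.168.100.x and so on), which the escaped form does not.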

Security Realm for an application within WebSphere 7.0

We are testing using security realms with our web application. In test we will be going against Microsoft Active Directory. Production will go against a custom realm. I have this working great in Tomcat, but can't seem to get this working in WebSphere. I have created a Security Domain (foo-ldap) within WebSphere that can connect to the AD. For now I have applied foo-ldap to the server1 scope. I'm not getting redirected to authenticate.faces when hitting /servlet/LoginServlet.
Web.xml and Tomcat config included below.
Tomcat config:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://ActiveDirectorySrv:389"
connectionName="CN=ldap user,CN=Users,DC=foo,DC=com"
connectionPassword="Password1"
referrals="follow"
userBase="CN=Users,DC=foo,DC=com"
userSearch="(&amp;(objectCategory=user)(sAMAccountName={0}))"
userSubtree="true"
userRoleName="memberOf"
roleBase="CN=Users,DC=foo,DC=com"
roleSubtree="true"
roleName="cn"
roleSearch="(member={0})"/>
Web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/servlet/LoginServlet</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Developers</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/authenticate.faces</form-login-page>
<form-error-page>/loginFailed.faces</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>Developers</role-name>
</security-role>
The issue I was running into was twofold.
The configuration for the security context exists in the web.xml. It must be present in the installed war at application install time. We had the config commented out so developers wouldn't need to give credentials when debugging and I was trying to uncomment after deploying the war.
You must map roles to your security realm at install time. We have a script that deploys the applications and without modification, the roles were not mapped and the ability to map roles after install was not available. Even installing from the ibm console site, you have to select detailed install and map groups at install time or the link to map is not available.
Once I got the security installed and the redirect to the login page working, we had one other issue. I'm not sure if this is an issue with our JSF code or not, but I could not redirect to a page that used JSF within WebSphere (works fine with Tomcat). Our solution was to just use a jsp page for the authentication page.
Hope this helps someone else.

Configuring container-managed security in Weblogic

Anyone know of any guides for this? I'm a complete newbie to weblogic and to container-managed security. What I've done already is:
setup an LDAP authenticator in Weblogic
created a simple webapp in Eclipse
Configure web.xml: Added security-constraint, security-role and login-config elements. The realm name used is "myrealm" which already exists in Weblogic. The role name I used is "Admin" which is a global role in Weblogic
Create a simple jsp page "login.jsp". It doesn't actually do any logging in but just a Hello World type of thing. I set this page as form-login-page and form-error-page in login-config in web.xml
Export this webapp to a war file and deploy it in Weblogic
I test it by accessing http://weblogic-server/test/login.jsp, and I expect that I'll be asked to login using an LDAP user first. This doesn't happen, it just shows the Hello World jsp.
I've also tried adding a weblogic.xml to map the "Admin" role to a specific LDAP user (didn't work).
Any advice? It seems there's a lack of online references for this sort of thing (or I don't really know what I should be searching for)
Edit: I've also tried using BASIC auth instead of FORM (no luck)
My web.xml settings are below:
<security-constraint>
<display-name>Test SC</display-name>
<web-resource-collection>
<web-resource-name>Test WR</web-resource-name>
<url-pattern>/hello.jsp</url-pattern>
<http-method>*</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>Admin</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
The login page must do some sort of logging in, with the 2 required fields. You have to protect the hello_world.jsp page in the web.xml and go to that page; the login page will then be presented.
Edit:
The order is incorrect: it should be security-constraint, login-config and security-role.
Within the web-resource-collection the value of * is invalid for http-method. If you want to protect every method just leave it out.
Note: the server logging would have hinted at the incorrect order of elements in your web.xml.
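The web.xml rules from the Solr, JSF and WebLogic answers above (no auth-constraint means public, an empty one denies everyone, `*` is not a valid http-method, and the element order given in the last answer) as a small audit script. This is an added example, not code from any of the posts; the sample descriptor is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor combining the constraint shapes shown in the answers.
SAMPLE = """<web-app>
 <security-constraint><web-resource-collection>
   <url-pattern>/*</url-pattern></web-resource-collection>
   <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/mycollection/*</url-pattern></web-resource-collection>
 </security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/resources/*</url-pattern><http-method>*</http-method>
   </web-resource-collection><auth-constraint/>
 </security-constraint>
 <security-role><role-name>admin</role-name></security-role>
 <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Element order as stated in the WebLogic answer above.
ORDER = ["security-constraint", "login-config", "security-role"]

def local(elem):
    """Tag name without an XML namespace, so namespaced descriptors work too."""
    return elem.tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return ({url-pattern: access level}, [findings]) for a web.xml document."""
    root = ET.fromstring(xml_text)
    access, findings = {}, []
    for sc in (e for e in root if local(e) == "security-constraint"):
        auth = next((e for e in sc if local(e) == "auth-constraint"), None)
        roles = [] if auth is None else sorted(
            r.text.strip() for r in auth if local(r) == "role-name")
        if auth is None:
            level = "public"      # no auth-constraint: open to everyone
        elif not roles:
            level = "deny-all"    # empty auth-constraint: nobody gets in
        else:
            level = "roles:" + ",".join(roles)
        for e in sc.iter():
            if local(e) == "url-pattern":
                access[e.text.strip()] = level
            elif local(e) == "http-method" and e.text.strip() == "*":
                findings.append("http-method '*' is not a wildcard; omit it")
    seen = [local(e) for e in root if local(e) in ORDER]
    if seen != sorted(seen, key=ORDER.index):
        findings.append("expected element order: " + ", ".join(ORDER))
    return access, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```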
