I am trying to protect certain resources within a Web-App that's deployed in my weblogic server (12c) through Admin Console. Given below are the steps I followed to accomplish this
Security Realms -> my realm (Default Realm) -> Change Security Model Default to "Custom Roles and Policies". Did not restart the server after saving my changes as it prompted me that no restart is necessary
Navigated to Home -> Configure Applications -> my app -> Security -> URL Patterns -> Policies and I am not able to add 'URLPatterns'.
It says that I cannot modify security policies if I am using DD Only or Custom Roles.
Where am I going wrong? Any help is appreciated.
Thanks!
I was to protect the resources by adding security constraint to the web.xml as shown below and then create a security group and user name in the default realm within weblogic
<security-constraint>
<display-name>Restricted GET To Employees</display-name>
<web-resource-collection>
<web-resource-name>Restricted Access - Get Only</web-resource-name>
<url-pattern>/restricted/employee/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Employee</role-name>
</auth-constraint>
</security-constraint>
Related
We are currently testing azure web-app functionality for our own apache application. The application works with non security, but the application itself needs direct active directory access via ldap.
Example settings inside the application:
<ldap>
<connectionUrl>wehavenoidea:389</connectionUrl>
<roleBase>OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</roleBase>
<userPattern>{0},OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</userPattern>
<roleSearch>member={0}</roleSearch>
<useIndirectLookup>1</useIndirectLookup>
<indirectAdminDN>CN=AdminUser,OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</indirectAdminDN>
<indirectAdminPassword>ourpassword</indirectAdminPassword>
<indirectUserBase>DC=ourdomain,DC=onmicrosoft,DC=com</indirectUserBase>
<indirectSearchFilter>sAMAccountName={0}</indirectSearchFilter>
<rolemap>
<role target="Admin">Admin</role>
<role target="Accounting">Accounting</role>
</rolemap>
</ldap>
I have set up the app registration inside azure active directory with the required permissions. I can't find the connection url for the AD though.
Does anybody here know how to set this up?
Kind regards
Is it possible to use JAX-RS2 security roles in MF adapters?
E.g.:
securityContext.isUserInRole("MyTestRole")
This method returns always false in my adapter. I added in "mfp" app (mfp-server.war) in server.xml (LibertyProfile):
<security-role name="MyTestRole">
<group name="MyLDAPGroup" />
</security-role>
and I am logged in to user that is assigned to "MyLDAPGroup".
Or maybe in MF adapters we should use some other mechanism to specify roles?
You may want to check the following links:
Implementing a JAX-RS resource & security configuration of a JAX-RS resource in MFP v8.0:
https://www.ibm.com/support/knowledgecenter/en/SSHSCD_8.0.0/com.ibm.worklight.dev.doc/devref/t_impl_java_adapter_JAXRS.html
Security framework in MFP v8.0:
https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security
Hy everybody,
I want to implement a programmatic authentication with jsf.
I already configured glassfish authentication realm, and setted in web.xml:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>authJdbcRealm</realm-name>
<form-login-config>
<form-login-page>/home.xhtml</form-login-page>
<form-error-page>/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
home.xhtml has a form that access a managed bean with following method as action attribute:
public String login()
{
FacesContext context = FacesContext.getCurrentInstance();
ExternalContext externalContext = context.getExternalContext();
HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
{
request.login(customer.getUsername(),customer.getPassword());
}
catch (ServletException e)
{
errorMessage(e.toString(),e.getMessage());
}
return null;}
getPassword() returns plain text (not the sha256-digest, that should be performed by the auth realm). Although a j_security_check form works without problem, with the programmatic way I always get a ServeletException, with this StackTrace:
INFO: JACC Policy Provider: Failed Permission Check,
context(TravelDream/TravelDreamWeb_war)-
permission(("javax.security.auth.AuthPermission" "createLoginContext.jdbcRealm"))
WARNING: WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException:
Login failed: access denied ("javax.security.auth.AuthPermission" "createLoginContext.jdbcRealm")
Any ideas about what's wrong?
Option 1:
Disable the Security Manager option from the admin console, then Save and restart server.
You can find this option in Configurations -> server-config -> Security
Option 2:
If security manager is required to be enabled. Grant permission to the application by adding a new codeBase in server.policy. i.e.:
grant codeBase "file:[domain_dir]/applications/[application_name]-" {
permission javax.security.auth.AuthPermission "createLoginContext.jdbcRealm";
permission javax.security.auth.AuthPermission "doAsPrivileged";
};
N.B:
Do not delete anything from this file, just add the permissions shown above
server.policy is found in [domain_dir]/config/
[domain_dir] and [application_name] is to be substituted by your own domain directory name and application name
More information can be found in the application server documentation (PDF)Glassfish server application development guide
How do you secure remote EJBs from unauthenticated principal in JBoss-5.1.0.GA application server? After configuring my ejb security I can still access the remote EJBs with a JNDI lookup without principal and credentials passed in? This is a security risk. Essentially I want to disable all unauthenticated JNDI lookup on remote EJBs.
Here is my server/conf/login-config.xml configruation:
<application-policy name="<my security domain name>">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">**java:jdbc/<my datasource name>**</module-option>
<module-option name="principalsQuery"><my users query></module-option>
<module-option name="rolesQuery"><my roles query></module-option>
<module-option name="debug">true</module-option>
</login-module>
</authentication>
</application-policy>
Here is my jboss.xml configruation in my ejb jar:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
<jboss>
<security-domain><my security domain name from login-config></security-domain>
</jboss>
Here is how i do a a JNDI lookup to access my beans as a client
Note the principal and credentials are not being passed in to the context
Hashtable<String, String> props = new Hashtable<String, String>();
props.put(Context.INITIAL_CONTEXT_FACTORY,"org.jnp.interfaces.NamingContextFactory");
props.put(Context.URL_PKG_PREFIXES,"org.jboss.naming:org.jnp.interfaces");
props.put(Context.PROVIDER_URL,"jnp://localhost:1099");
//props.put(Context.SECURITY_PRINCIPAL,"");
//props.put(Context.SECURITY_CREDENTIALS,"");
ctx = new InitialContext(props);
ctx.lookup("<earname>/<ejb interface definition>/remote">
What is the issue?
When no/wrong principal/credentials are passed the user is authenticated as an anonymous principal and has full access to the remote EJBs via JNDI
What I tried already to fix the issue:
i deleted the following line from all login modules in my server/conf/login-config.xml but it had no effect
<module-option name="unauthenticatedIdentity">anonymous</module-option>
i deleted following line from server/conf/jboss-service.xml thinking it will resolve the issue, but it had no effect
<attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
i deleted application policy "client-login" from login-config.xml that is in there by default since i am using a DatabaseLoginModule
My jboss-ejb-policy and jboss-web-policy in server/depoly/security/security-policies-jboss-beans.xml are extending my DatabaseLoginModule policy in login-config.xml
I have no security related annotations in my ejb classes/interfaces
Other things to note
I tested this scenario in Jboss-as-7.1.1.final and i get EjbAccessException: invalid User which is correct (you add this to the jboss-ejb3.xml it will secure all EJBs via the security domain)
<assembly-descriptor>
<s:security>
<ejb-name>*</ejb-name>
<s:security-domain><security domain name here></s:security-domain>
</s:security>
</assembly-descriptor>
the issue here is NOT authorization but authentications all ejb security annotations do not help
what i want to do is prevent the anonymous principal completely from making JNDI call
I have enabled TRACE logging on org.jboss.security and i can see that when ever i call the JNDI i get the following hit in the logs
Principal: anonymous:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null]; policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration#1f51a2f;
I have verified all my configurations work and the DatabaseLoginModule works when i use the programmatic login through WebAuthetication
Even when passing the initial context a valid principal/credential from database the anonymous principal is used indicating that the principal/credential is not even processed by the context
I can probably secure my EJBs through #RolesAllowed #DeclareRoles ... but like i mentioned this would be an authorization concern not authentication and also if I have many roles and EJBs this would not be good as far as maintainability
How can I disable/prevent unauthenticated anonymous JNDI lookup for the entire application like it automatically does in JBoss 7.1.1? I know I can upgrade my application server as one solution but I don't have the option to do so. This should be possible and easy to do in Jboss 5.1.0. but i have looked for the answer everywhere and I can't find it? Thanks for your help.
I am new to openAM. I am trying to use openAM (954) to secure my web service using J2EE agent 3.0. I have deployed my webservice (using CXF) on Glass fish 3.1.x.
I have created necessary configuration given in URL http://docs.oracle.com/cd/E19575-01/820-4803/ghuqg/index.html
I want to authenticate using user id and password. I am passing this information (userid/password) using SOAP header. But when I try to access my web service in browser it gives access forbidden message.
Are there any additional configurations required? Please let me know, I am not able to find any other information on this anywhere.
Following is the request we are sending. I am not sure about UsernameToken wsu:Id whether it is correct? How do we get this value from OpenAM dynamically at each time when we send the request.
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-27777511" xmlns:wsu="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>amadmin</wsse:Username>
<wsse:Password Type="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Amit4001</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<demo:greetPerson>
<!--Optional:-->
<arg0>Ashish</arg0>
</demo:greetPerson>
Please help me solve this issue.
I want to authenticate using user id and password. I am passing this information (userid/password) using SOAP header. But when I try to access my web service in browser it gives access forbidden message.
I'm currently struggling to learn OpenAM as well and I think your specific problem is that you have not yet set up a policy (not a policy agent) after users have successfully authenticated.
If you haven't try the following steps:
Navigate to Access Control -> YourRealm -> Policies -> New Policy
Name: yourpolicyname
Rules (click new):
Name: URLPolicy
Resource Name: http:// your-webservice-url/*
Check allow get and post
Name: GetUrlPolicy
Resource Name: http:// your-webservice-url /* ? *
Check allow get and post
Subjects (click new)
Type = OpenAM Identity Subject
Name: UserAccess
Add users you want to be able to authenticate
You have to add in the * ? * if you have any GET parameters in your web page.
Hope that helps, I know the documentation around is terrible.
For your agent policy, in the Global tab: General section > Agent Filter Mode, remove ALL and add SSO_ONLY (leave Map Key blank and Map Value as SSO_ONLY). Note that this configuration isn't hot-swappable, so OpenAM has to be restarted to apply.
Here is a procedure for installing the agent on the server you want to protect:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/jee-install-guide/index/chap-glassfish.html
Here is a good procedure for configuring the agent policy centrally on the OpenAM server:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index/chap-agents.html#create-agent-profiles
You might want to also control which URIs (webapps) to protect instead of the entire website. To do that, in the agent policy:
Application tab: Not Enforced URI Processing section > add the URI to protect, for example: /application1/*
Application tab: Not Enforced URI Processing section > check the "Invert Not Enforced URIs" checkbox so that it will actually enforce the "Not Enforced URI" values