I have the following in the tomcat-users.xml:
<tomcat-users>
<role rolename="admin"/>
<role rolename="manager"/>
<user username="aname" password="apassword" roles="admin,manager"/>
</tomcat-users>
If I go to http://localhost:8080/manager/html, I'm asked about username and password (as far as I understand, about these from the tomcat-users.xml), but when I enter them, I get:
403 Access Denied
You are not authorized to view this page.
If you have already configured the Manager application to allow access and you have used your browsers back button...
What could be a reason of such a behavior? Thanks in advance.
To use the web administration gui you have to add the gui role.
In [Tomcat installation path]/conf/tomcat-users.xml you can define role and affect them to user. For example :
<tomcat-users>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<user username="name" password="pwd" roles="admin,admin-gui,manager,manager-gui"/>
</tomcat-users>
Note :
You may not have any default username and password defined here so it's always good to take the time to do this configuration or you'll encounter issue when using Tomcat integrated in IDE like NetBeans. Indeed it will require these credentials in order to use it properly.
Related
I am using Linux Web Apps for Azure together with a SQL Azure Database.
I can save my SQL Azure Database password (for argument's sake, let us say it is pass123) in META-INF/context.xml and this works successfully
<Context>
<Resource name="jdbc/myDB" type="javax.sql.DataSource" auth="Container"
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" initialSize="30"
maxActive="100" validationQuery="SELECT 1"
validationQueryTimeout="1000"
testOnBorrow="true"
url="jdbc:sqlserver://exampleserver.database.windows.net:1433;database=exampledb;encrypt=true;hostNameInCertificate=westeurope1-a.control.database.windows.net;
loginTimeout=10;user=myuser;
password=pass123"
/>
</Context>
I however would like the password to be encrypted and not stored in plaintext in the context.xml file. So I did the following - based on https://learn.microsoft.com/en-us/azure/app-service/containers/configure-language-java#data-sources:
I added two Web App/Configuration/Application Settings
CATALINA_OPTS and THEDBPASSWORD
I set CATALINA_OPTS to be "$CATALINA_OPTS -Ddbpassword={THEDBPASSWORD}"
I set THEDBPASSWORD to be the password of the user
I then changed my context.xml to be password={dbpassword} instead of password=pass123
I then however get the following error in the log (and the application fails to start)
Error: Could not find or load main class "$CATALINA_OPTS -Ddbpassword=pass123" -Ddbpassword=pass123
Any ideas?
I solved it by doing the following:
I had forgotten the $ in context.xml
So context.xml needed to be password=${dbpassword}
I also changed the CATALINA_OPTS to be -Ddbpassword=pass123
I dispensed with the THEDBPASSWORD variable
I am sure this is not the only way or the best way of doing this, but at least it works.
I was partly inspired by Tomcat 8 - context.xml use Environment Variable in Datasource
Using below method query a token result in universal app:
AcquireTokenAsync(string resource, string clientId, Uri redirectUri, PromptBehavior promptBehavior);
No problem in F5 debug mode, but hit error when installed the app manually by a published store app package.
the error message:
authentication_ui_failed: The browser based authentication dialog failed to
complete. The system cannot locate the resource specified. (Exception
from HRESULT: 0x800C0005)
Please check the capabilities of your universal app. Following capabilities must be enabled for AAD browser authentication UI popup to be shown:
Enterprise Authentication
Internet(Client & Server)
Private Networks(Client & Server)
Shared User Certificates
If you want to enable them from the package.appxmanifest xml file of your app you should have following entries inside Capabilities tag as below which corresponds to above capabilities in the same order:
<uap:Capability Name="enterpriseAuthentication"/>
<Capability Name="internetClient" />
<Capability Name="privateNetworkClientServer" />
<uap:Capability Name="sharedUserCertificates" />
Hope this helps!
I got the same error message, although my problem was that I was using wrong redirectURI.
Need to use the one generated by:
redirectURI = Windows.Security.Authentication.Web.WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
I'm trying to implement a logout functionality for my Worklight app. Specifically, the Desktop Browser webpage environment.
My authenticationConfig.xml is as follows:
<resource id="MyApp" securityTest="MyAppTest">
<urlPatterns>/apps/services/www/MyApp/*</urlPatterns>
</resource>
<customSecurityTest name="MyAppTest">
<test realm="MyAppRealm" isInternalUserID="true"/>
</customSecurityTest>
<realm name="MyAppRealm" loginModule="MyAppLogin">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<parameter name="login-page" value="login.html" />
<onLoginUrl>/apps/services/www/MyApp/desktopbrowser/default/index.html</onLoginUrl>
</realm>
<loginModule name="MyAppLogin">
<className> com.worklight.core.auth.ext.RDBMSLoginModule </className>
<parameter name="dsJndiName" value="jdbc/myapp"/>
<parameter name="principalsQuery">
SELECT user_id, password, display_name FROM users WHERE user_id=?
</parameter>
</loginModule>
So far I have tried using Worklight client APIs
WL.Client.logout("MyAppRealm", {onSuccess: WL.Client.reloadApp});
WL.Client.logout(null, {onSuccess: WL.Client.reloadApp});
but that didn't work with errors around "realm is not defined". Could anyone please suggest why I might be seeing "realm is not defined" error?
Alternatively is there a different way to logout the user from my app (accessing the session directly?).
The Login Module that you are using is no longer exist in Worklight framework (com.worklight.core.auth.ext.RDBMSLoginModule).
More information about how to use login modules can be found here:
http://www.ibm.com/developerworks/mobile/worklight/getting-started.html#security
(Look for Form-Based authentication, Adapter-Based authentication and Custom Authenticator and Login Module).
You can also look here:
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/topic/com.ibm.worklight.dev.doc/dev/r_security_framework.html
I have an issue with the linkout of my application (say App2) on another application (say App1).
Both are web applications and so both are creating there own JSESSION IDs. The linkout opens in a pop up and single sign on works (siteminder passing the sm user cookie), but as soon as I perform any transaction on the linked application I am thrown out stating the session is either timed out or invalid.
I looked at the cookies present on the browser and found that both the JSESSION IDs are present. The only difference is in the domain scope of both the JSESSION IDs. App1 application has domain scope of say abc.com whereas App2 has app2.abc.com
I tried changing the name of the JSESSION ID cookie of App2 but the application did not work with the renamed JSESSION cookie.
Any suggestion on how can I fix this ?
Note : The environment for App2 is was5
Regards
AVN
You should use different cookie name in config.xml. Change any one of the app to use different cookie name other than JSESSIONID. Something like following.
War:
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
<session-descriptor>
<cookie-name>APP1SESSIONID </cookie-name>
</session-descriptor>
</weblogic-web-app>
Ear:
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-application xmlns="http://www.bea.com/ns/weblogic/90">
<session-descriptor>
<cookie-name>APP1SESSIONID </cookie-name>
</session-descriptor>
</weblogic-application>
Now you will have both the cookies and it will not overwrite one another.
I am just learning all this stuff (CCNet), and have a simple working
ccnet.config, that successfully executes through the localhost/ccnet
service. I am trying to get security set up so that users in other
locations can use cctray. I added this to the ccnet.config file
(copied and modified from one of the security examples (internalSecurity)....
<cruisecontrol>
<internalSecurity>
<users>
<!-- Authenticated users -->
<passwordUser name="account1" display="me (Installer)"
password="%account1"/>
</users>
<permissions>
<!-- Roles -->
<rolePermission name="Releasers" forceBuild="Allow"
defaultRight="Allow" viewProject="Allow">
<users>
<userName name="account1"/>
</users>
</rolePermission>
</permissions>
</internalSecurity>
<project name="test project">
Now, when I click on the 'force' button on http://localhost/ccnet/ViewFarmReport.aspx,
I get the following exception message..."Request processing has failed
on the remote server. Permission to execute ViewProject has been
denied. I am not sure what is happening here. I am logged onto the
server as 'account1', and, I have added viewProject="Allow" to the
rollPermission name="Releasers".
look at the docs here for security setup :
http://www.cruisecontrolnet.org/projects/ccnet/wiki/Security_scenarios
CCNet config looks right. You might try restarting the CCNET executable in order for it to pick up the config changes. Depends on how CCNET is set up in your case usually it needs a restart at the CCNET service on Windows.