Tomcat authentication configured inside the war - security

I have to deploy a war to a tomcat but I cannot modify anything outside the war itself.
Now I need to add authentication and authorization to the application.
Basic authentication would be enough, but I cannot edit the tomcat-users.xml file, nor can I depend on absolute paths as suggested here: How do I provide basic http authentication for static tomcat webapps without changing tomcat-users.xml?
I just need to use a single user/password that can be configured in a file inside the war (it's a simple application with short lifetime and really low security requirements).
What is the simplest way to do this?
Thanks
Andrea

It seems that a solution is to use Spring Security with basic authentication.
See: Spring Security HTTP Basic Authentication
In my original case I didn't want to include Spring Security, but I still don't know any other way to obtain this result.
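As an added example (not code from the question or the answer above), here is the non-Spring route the asker was looking for: a plain servlet Filter that enforces HTTP Basic authentication for one user whose credentials are read from WEB-INF/auth.properties inside the WAR, so nothing outside the WAR is touched. It assumes the javax.servlet API (Tomcat 7 to 9) and Java 8 or later; the property file name, the property keys, the realm name and the class/package names are my own choices. The password is stored as a salted PBKDF2 hash rather than in clear text, and both the user name and the hash are compared in constant time.

```java
// Added example: single-user HTTP Basic auth configured entirely inside the WAR.
// Assumes javax.servlet (Tomcat 7-9) and Java 8+. File/key names are assumptions.
package example.auth;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*") // protect the whole context; narrow the pattern if only some paths need auth
public class BasicAuthFilter implements Filter {
    private static final int ITERATIONS = 100_000;
    private String user;
    private byte[] salt;
    private byte[] expectedHash;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // WEB-INF/auth.properties (assumed layout), read via the ServletContext so no
        // absolute path is needed:
        //   user=andrea
        //   salt=<base64>
        //   password.pbkdf2=<base64>   (both produced by main() below)
        Properties p = new Properties();
        try (InputStream in = cfg.getServletContext().getResourceAsStream("/WEB-INF/auth.properties")) {
            if (in == null) throw new ServletException("WEB-INF/auth.properties missing");
            p.load(in);
        } catch (IOException e) {
            throw new ServletException(e);
        }
        user = p.getProperty("user");
        salt = Base64.getDecoder().decode(p.getProperty("salt", ""));
        expectedHash = Base64.getDecoder().decode(p.getProperty("password.pbkdf2", ""));
        if (user == null || salt.length == 0 || expectedHash.length == 0)
            throw new ServletException("auth.properties incomplete");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        if (authenticated(r.getHeader("Authorization"))) {
            chain.doFilter(req, res);
            return;
        }
        // Challenge: the browser prompts for credentials and retries.
        w.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
        w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Parses "Basic base64(user:password)" and checks both parts in constant time. */
    boolean authenticated(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false; // malformed base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return false;
        byte[] u = decoded.substring(0, colon).getBytes(StandardCharsets.UTF_8);
        char[] pw = decoded.substring(colon + 1).toCharArray();
        boolean userOk = MessageDigest.isEqual(u, user.getBytes(StandardCharsets.UTF_8));
        boolean pwOk = MessageDigest.isEqual(hash(pw, salt), expectedHash);
        return userOk & pwOk; // single '&' so both comparisons always run
    }

    /** PBKDF2-HMAC-SHA256, 256-bit output; available in the JDK since Java 8. */
    static byte[] hash(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Prints the salt and hash lines for auth.properties: java example.auth.BasicAuthFilter 's3cret' */
    public static void main(String[] args) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        System.out.println("salt=" + Base64.getEncoder().encodeToString(salt));
        System.out.println("password.pbkdf2=" + Base64.getEncoder().encodeToString(hash(args[0].toCharArray(), salt)));
    }

    @Override
    public void destroy() { }
}
```

Because the filter is registered with @WebFilter, no web.xml entry is needed on a Servlet 3.0+ container. Basic auth sends the password base64-encoded on every request, so this only makes sense when the connector is HTTPS or the application is otherwise reachable only over a trusted network.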

Related

Worklight HTTP Adapter not working with Kerberos

My team and I are currently doing a Worklight mobile project. One of our requirements is to retrieve data from MS CRM and Sharepoint via web service calls. The authentication mechanism that we are to make use of is Kerberos / Spnego.
We followed the instructions documented here, where we inserted the following into our HTTP adapter:
<authentication>
    <spnego stripPortOffServiceName="true"/>
</authentication>
In addition, as mentioned in the same IBM site we have included the krb5.conf file into the ../server/conf directory in the project files.
However after invoking the adapter procedure, we encountered an error:
Runtime: Failed to create Kerberos login context
As there is very limited documentation around regarding Worklight working with Kerberos, we were unable to solve this issue. Hence we would like to seek some help from this community. Is there something that we missed out on?
Unfortunately this type of configuration is not tested often at all and there is no more documentation on this subject matter. This will be discussed to see if documentation and testing can be improved.
The workaround that is currently used (by Desmond) is to continue using NTLM instead.

Is there any solution for OpenAM+Winstone?

I'm trying to apply OpenAM to our Web Applications for SSO.
Over the last month I got familiar with OpenAM, so I thought that I was almost getting to the end.
But another constraint has arisen.
One application has a deeper dependency on the Winstone servlet container, but it's not on OpenAM's Java EE Agents list.
My solution was 'Using Apache Web Server: Apache+Winstone', but my colleague rejected my suggestion.
Is there any other solution for OpenAM+Winstone?
(I could not find it by Googling. In fact I didn't know Winstone itself until my colleague mentioned it.)
If you don't need J2EE security in your application you could just use the 'servlet-filter' part of the 'J2EE Agent' filter (e.g. Tomcat Agent). You just need to specify a JVM option to point to the bootstrap directory and add the agent libs to the classpath.

Users in hawt.io in a standalone java app

I would like to know how I can have users for hawt.io when using it in a standalone java app. I believe that you need to define a realm like containers do, but is there any guide or easy way to do this? I just want to protect my hawt.io instance with user and password.
You can use Jetty or Tomcat as the embedded web server to run hawtio standalone. Then you can use their security out of the box. And it's just like securing any other WAR web application, e.g. set up their realm, and set up web.xml stuff.
For example this is done in the Apache ActiveMQ distribution which has an embedded Jetty server for the web consoles and WebSocket support.
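As an added example (not hawt.io's, ActiveMQ's or the answerer's code), this is what "use their security out of the box" looks like with embedded Jetty 9: the hawtio WAR is mounted in a WebAppContext and a HashLoginService backed by a properties file acts as the realm, with a ConstraintSecurityHandler demanding HTTP Basic login and a named role for every path. The WAR file name, realm name, role name, port and the path to realm.properties are assumptions; the Jetty classes and their methods are the standard Jetty 9 API.

```java
// Added example: secure a WAR (e.g. hawtio) under embedded Jetty 9 with a
// properties-file realm. Paths, realm and role names are assumptions.
package example.embedded;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.webapp.WebAppContext;

public class SecuredEmbeddedJetty {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // conf/realm.properties (assumed path), one user per line:
        //   username: password,role1,role2
        // e.g.   admin: <password>,hawtio-admin
        // The password may be plain text or one of Jetty's OBF:/MD5:/CRYPT: forms.
        HashLoginService loginService = new HashLoginService("hawtio-realm", "conf/realm.properties");
        server.addBean(loginService); // started and stopped with the server

        // Require BASIC authentication and the hawtio-admin role on every path.
        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__BASIC_AUTH);
        constraint.setRoles(new String[] {"hawtio-admin"});
        constraint.setAuthenticate(true);

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/*");
        mapping.setConstraint(constraint);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setRealmName("hawtio-realm");
        security.setAuthenticator(new BasicAuthenticator());
        security.addConstraintMapping(mapping);
        security.setLoginService(loginService);

        // Mount the WAR and attach the security handler to its context.
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/hawtio");
        webapp.setWar("hawtio.war"); // assumed file name
        webapp.setSecurityHandler(security);

        server.setHandler(webapp);
        server.start();
        server.join();
    }
}
```

The same constraint could instead be declared in the WAR's web.xml as a security-constraint plus login-config, in which case only the HashLoginService registration is needed in code; putting it in code keeps the WAR unmodified. Roles named in the constraint must match the roles listed in realm.properties, otherwise every login ends in 403.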

Best way to add Custom LoginModule to my web application

I need to implement user lockout in my web application, which uses DatabaseServerLoginModule and JBoss 5. I am planning to write a custom login module class to achieve this. My next question is: where should I put my custom login module class? After some research I found a couple of solutions:
Deploy the login module class in a JAR as a standalone module, independent of the webapp
Deploy the login module class as a part of the webapp in a JAR inside WEB-INF/lib/
My web application will be packaged and shipped to the customer and customers install this package and JBoss separately on a Server. My question is: Where should I put my custom login module class?
Any suggestions will be really helpful.
If I were the data center, I would expect two packages:
One containing the login module
and another one for the real application
Reasons
The data center might have special responsibilities regarding sensitive user data, authentication etc. So in the case of a login module, they might even have a special internal review process (this is normally not applied to an ordinary application). In order to avoid this review with each application update, a separate package is preferred. In order to have a quick review, a small package is better.
There might be other applications which use the same login module.
A data center must be paranoid: an application which ships with its own authentication could be abused to install a back door. Again, internal or legal requirements may not even allow it.

Reuse Custom Security Test in Worklight

Several Custom Security Tests have been created and deployed. It is no issue in one Worklight project to consume the customSecurityTest. But when another Worklight project also tries to consume the same customSecurityTest, a 401 Unauthorized error is returned. The response on the client side looks like /*-secure-
{"challenge.s":{"wl_antiXSRFRealm":{"WL-Instance-Id":"guhao08ggi00es5ec9r2mfshp3"}}}*/.
If the customSecurityTest could not be reused, it would defeat the whole purpose of reusing the security framework. Please help to solve it. Thanks!
Jerry
If you have two separate projects, you'll need to copy your securityTests.
There is no sharing (at large) between projects.
If you have two applications of the same project, you could use the same securityTests in both.
I have to say that this limitation is not any defeat of the security framework's purpose...
