I'm trying to set up a container managed security realm for my web app (JSF 2.1 + Hibernate). I have noticed that Tomcat 7 can only use one type of realm at a time.
To use Tomcat in NetBeans (7.0) I have to create an account with the manager-script role. In addition, to work with Tomcat manager I also need another role. This is a big problem for me because the tables I'm using for JDBCRealm are views of actual tables that store users and roles, and I would like not to store both of the roles in the same DB that my program uses.
Is there a way to make JDBCRealm and UserDatabaseRealm work together? That would be a relief.
Here is the code from server.config:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost:3306/realm?user=login&amp;password=pass"
       userTable="users"
       userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles"
       roleNameCol="role_name" />
Tomcat uses only the last one it finds in the file. They work fine separately.
Use a CombinedRealm (doc, javadoc):
Realm implementation that contains one or more realms. Authentication is attempted for each realm in the order they were configured. If any realm authenticates the user then the authentication succeeds. When combining realms usernames should be unique across all combined realms.
Maybe you are already using the LockOutRealm (doc, javadoc) which is a subclass of CombinedRealm and it's in the default config of Tomcat.
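As an added illustration (not part of the original answer), here is how the two realms from the question fit inside a single LockOutRealm in Tomcat 7's server.xml. It assumes the manager accounts live in conf/tomcat-users.xml and the application users in the "realm" database; "login"/"pass" are placeholders, and the digest attribute assumes user_pass holds SHA-256 hex digests rather than plaintext.

```xml
<!-- Added example, not from the original post. LockOutRealm is a CombinedRealm
     subclass already present in the default Tomcat 7 server.xml: each nested
     realm is tried in order and the first one that accepts the credentials
     wins. Usernames must therefore be unique across both realms. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="300">

  <!-- Tomcat manager accounts (manager-gui, manager-script, ...) stay in
       conf/tomcat-users.xml, out of the application's database. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <!-- Application users and roles from the views in the "realm" database.
       connectionName/connectionPassword replace the credentials that the
       question embedded in the connection URL (placeholders: login / pass). -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost:3306/realm"
         connectionName="login"
         connectionPassword="pass"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"
         digest="SHA-256"/>   <!-- assumption: user_pass stores hex digests -->
</Realm>
```

Drop the digest attribute if the view exposes plaintext passwords; with it set, a plaintext value in user_pass will never match.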
I am trying to implement custom authentication using the new ASP.NET Identity in an MVC 5 project.
I have a single username and password that I want to use to restrict which pages of the website the user can see via [Authorize] tags on controllers and views. (Easy)
I am migrating from a FormsAuthentication model whereby this was as simple as putting the credentials in the web.config.
Because I only have a single username and password I don't want to use a database as the UserStore, instead I want ASP.NET Identity to retrieve the username and password from a custom configurationsection in the web.config (don't worry about that part).
After much search, I can't find a code sample that doesn't rely on a database for ASP.NET Identity authentication.
So I'm looking for a code sample where, at the point of authentication, the user can put in custom code to check the username & password against the credentials in the custom ConfigurationSection of the web.config.
Can someone please point me in the right direction? Thanks.
Update: I've tried looking at this code sample but it doesn't even compile out of the box.. poor.
http://code.msdn.microsoft.com/Simple-Aspnet-Identiy-Core-7475a961
Update: The reason that I don't want to use FormsAuthentication is that I am writing a NuGet package that will be installed into a web application. One of the things the NuGet package will do is create a custom ConfigurationSection in the web.config that includes (among other things) a single username and password. I thought this would be safer as it wouldn't alter any existing FormsAuthentication settings currently in the target web application.
Update: I think I have got it working. Will post findings soon.
-- Lee
You don't have to migrate to Identity framework, FormsAuthentication still works. And Andrew is correct, using Identity framework makes little sense here, since it is all about managing users.
However, if you insist on using it, you can implement your own UserManager and IUserStore. Some guidance can be found in Scott K. Allen's blog post. See the links at the bottom (samples of implementations); you can take some of these and convert them to your needs.
I would imagine your IUserStore will be simple, because there is only one user and most of the methods don't have to be implemented. And for the ones required (I think you'll need FindUserById and related) you'll need to reach the web.config via ConfigurationManager.
I would like to create (implement on my own) an authentication mechanism which will be plugged into my Java EE application.
As far as I know I have to implement LoginModule and connect this implementation with the container mechanisms somehow. But the problem is that I don't know how to do it.
Maybe you know where I can find sample code or a tutorial about it?
In other words, I would like to force the container to call my classes whenever the methods authenticate, login, and logout are called.
Sample implementation:
The HttpServletRequest.login method will successfully authenticate only users with an even number of letters in the login.
I believe the container independent way of doing this is to use JASPIC (JSR 196). Unfortunately it doesn't appear simple, robust, or particularly well documented. Here is a reference: http://arjan-tijms.blogspot.com/2012/11/implementing-container-authentication.html.
After reading about JAAS, you should implement your login module based on org.jboss.security.auth.spi.AbstractServerLoginModule (from the org.picketbox/picketbox Maven artifact). Then deploy the module with your app, and create a proper security domain and realm in WildFly's standalone.xml, like so:
<security-domain name="myDomain" cache-type="default">
    <authentication>
        <login-module code="com.example.TestLoginModule" flag="required"
                      module="deployment.sample.jar"/>
    </authentication>
</security-domain>
...
<security-realm name="MyRealm">
    <authentication>
        <jaas name="myDomain"/>
    </authentication>
</security-realm>
Look out for different behaviour on different JBoss AS versions. 7.1.1 will not allow you to deploy the login module, you would have to create a separate jboss module and bind it with org.picketbox and jboss.security modules.
Additional reading:
https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration
https://docs.jboss.org/author/display/WFLY8/Security+Realms
http://java.dzone.com/articles/creating-custom-login-modules (it is a little outdated, but it gives the main idea)
You should research JAAS.
Wikipedia gives a good overview:
http://en.m.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service
This will provide all the info and tutorials you need:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/
Tutorial with sample app:
http://download.java.net/jdk8/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html
And check this out in SO:
JAAS for human beings
HornetQ's default SecurityManager (HornetQSecurityManagerImpl) will check users/roles that are stored in hornetq-users.xml. I want to use LDAP for authenticating users; I have two ways:
Using JAAS, and using it with LDAP for authenticating users.
Implementing the SecurityManager interface manually, and using LDAP in my own security manager implementation.
Which one is better? Other approaches? What should I do? (experience, sample)
I'd say it's always better to use something that's ready and tested. Using JAAS with LDAP will give you an easier path, as that should work nicely.
In HornetQ's distribution there's an example showing how to configure JAAS. You can just get the distribution zip at http://www.jboss.org/hornetq/downloads.html and refer to the examples that are part of HornetQ already.
I'm using JBoss AS7 + JSF 2.1
I'm trying to use a Database login module to authenticate users on a specific resource in my web application. In standalone.xml there are 3 security domains: "other", "jboss-web-policy" and "jboss-ejb-policy".
Should I put my database login module in the "other" security domain?
Or I should define a new custom security domain and put my database login module in it?
Either way, how will I tell JBoss which security-domain/login module it should use for my application?
Thanks in advance.
The two options you mention would be valid, but from my point of view it's better to create a new security domain for your applications (it's clearer).
On the other hand, answering your second question, you have to specify the security domain for your application inside the application meta files (not in JBoss, but in your application).
In case you have a war file you have to set it in the file WEB-INF/jboss-web.xml; it would look something similar to:
<jboss-web>
    <security-domain>java:/jaas/your-domain</security-domain>
</jboss-web>
On the other hand, if you have an ejb-jar module, the file META-INF/jboss.xml would look like:
<jboss>
    <security-domain>java:/jaas/your-domain</security-domain>
</jboss>
And if you have an ear file, the file META-INF/jboss-app.xml would look something similar to:
<jboss-app>
    <security-domain>java:/jaas/your-domain</security-domain>
</jboss-app>
I've been a little puzzled with this as I have not seen many examples that gave me the complete picture. The best explanation I found so far is this.
By defining a security role in web.xml such as "admin", for example, and having my login form with all the necessary fields (i.e. j_security_check as action, and fields j_username, j_password), how/where does the actual authentication occur?
I plan to use custom authentication using usernames/passwords (hashes) stored in the database. When the user submits the form, how do I make the Java EE web container invoke my servlet/bean method to perform the actual authentication? I didn't notice any place to add a hook to my code in web.xml which would do the actual authentication.
By defining a security role in web.xml such as "admin", for example, and having my login form with all the necessary fields (i.e. j_security_check as action, and fields j_username, j_password), how/where does the actual authentication occur?
In the servlet implementation, the servlet container. In Tomcat for example, it's done by the AuthenticatorBase class (source code here).
I plan to use custom authentication using usernames/passwords (hashes) stored in the database. When the user submits the form, how do I make the Java EE web container invoke my servlet/bean method to perform the actual authentication? I didn't notice any place to add a hook to my code in web.xml which would do the actual authentication.
If you'd like to keep using container managed authentication, but instead want to check the login against a database, then you need to configure the so-called "realm" accordingly. It's unclear which servlet container you're using, but for example in Tomcat the documentation is available here: Tomcat 6.0 Realm HOW-TO.
If you really want to have your own homegrown authentication system invoked instead, then you need to drop the container managed security and homegrow it further. Which is not recommended.
The actual authentication is done in one of two ways:
Via a Server Proprietary way, e.g. the *LoginModules in JBoss, or the Tomcat one BalusC mentioned. These are different for each Server.
Via JASPIC, which was introduced in Java EE 6.
JASPIC pretty much has standardized the proprietary methods, but it's a fairly low-level API and unfortunately only available for full profile Java EE 6 and 7 implementations.
See Implementing container authentication in Java EE with JASPIC for more details.