Jespa SSO with NTLM in active directory - active-directory

Hi, I have implemented Jespa SSO with NTLM authentication in Active Directory with one domain. It works fine when we run the Jespa app on the same system, logged in as the Active Directory user. But when we access the same app from another system as the same domain user, the SSO doesn't work. The SSO doesn't start the authorisation when we access it from the other system on the same network and in the same domain.
My web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<display-name>Jespa Examples</display-name>
<filter>
<filter-name>HttpSecurityFilter</filter-name>
<filter-class>jespa.http.HttpSecurityFilter</filter-class>
<init-param>
<!--
The properties.path parameter instructs the HttpSecurityService to load
properties from the named file. This file will be automatically reloaded
within 5 seconds after being modified without restarting the application
server. See The Jespa Operator's Manual for details.
-->
<param-name>properties.path</param-name>
<param-value>/WEB-INF/example_ntlm.prp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>HttpSecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
And my property file contains the following:
# To use this example edit the properties.path init-param in the web.xml
#
# This example HttpSecurityService properties file uses the
# NtlmSecurityProvider to authenticate and authorize clients with an Active
# Directory authority.
#
# Note: This is the equivalent of example_ntlm_web.xml but loaded
# indirectly with the HttpSecurityService properties.path property in
# the web.xml.
provider.classname = jespa.ntlm.NtlmSecurityProvider
http.parameter.username.name = username
http.parameter.password.name = password
http.parameter.logout.name = logout
#http.parameter.anonymous.name = anon
fallback.location = /jespa/Login.jsp
excludes = /Login.jsp
#groups.allowed = BUSICORP\\Domain Admins
#
# NtlmSecurityProvider properties
#
jespa.log.path = C:/Users/spartan/Desktop/jespa.log
jespa.log.level = 4
jespa.account.canonicalForm = 3
# Replace the following with properties determined in Step 1 of Installation
jespa.bindstr = HealthSystem.local
jespa.dns.servers = 127.0.0.1
#jespa.dns.site = Default-First-Site-name
jespa.service.acctname = hari$#HealthSystem.local
jespa.service.password = Spartan#1234
Can anyone help me figure out this strange behaviour of Jespa in my webapp?

Related

GCP: Cloud Scheduler job with target App Engine HTTP. Unable to secure connection to admin

I have created a Cloud Scheduler job with target to App Engine HTTP. The target URL is /admin/task/create-documents
I have an App Engine flexible running with java 8.
It works fine, but now I would like to secure the access to the servlet called by the Cloud Scheduler job (/admin/task/create-documents) to GCP developers only (usually referenced as 'admin'). I assumed the Cloud Scheduler job is considered as 'admin'.
Option 1 - didn't work
I tried to modify the web.xml file as for the standard environment, as mentioned here, but with no success:
The web.xml file:
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>admin</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
</web-app>
Option 2 - didn't work
I tried to modify the app.yaml by adding login: admin to the handlers section, as mentioned in the documentation here, but with no success either.
The app.yaml file:
runtime: java
env: flex
threadsafe: true
runtime_config:
jdk: openjdk8
server: jetty9
handlers:
- url: /admin/.*
script: auto
login: admin
- url: /.*
script: auto
secure: always
env_variables:
JETTY_ARGS: -Djava.util.logging.config.file=WEB-INF/logging.properties
network:
instance_tag: no-ip
name: my-network
subnetwork_name: my-subnet
But I also noticed that the login parameter is deprecated, as mentioned here and here. They mention IAM policies but I'm not sure how I should configure them.
How do I secure the Cloud Scheduler job endpoint to 'admin' only?
You can't by configuration. You need to implement the check in your code.
You can add a static value to the URL like https://my-url.appspot.com/admin/task/create-documents?key=my_secret or use OIDC authentication with Cloud Scheduler to provide a JWT token to your endpoint.
In both cases, you will have to check whether the secret (or the content of the JWT) is the expected one or not.
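As an added example (not part of the answer above, and not Google's or App Engine's own code), a javax.servlet filter for the Java 8 / Jetty 9 flex app that implements the OIDC variant: it lets a request through to /admin/* only when the Authorization header carries a Google-signed ID token whose audience is this endpoint and whose email claim is the scheduler job's service account. The audience URL, the service-account address and the class name are placeholders; the verifier comes from the google-api-client library (GoogleIdTokenVerifier).

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;

// Added example, not the answer's code: guards /admin/* behind a Cloud Scheduler OIDC token.
public class SchedulerOidcFilter implements Filter {
    // Placeholders: the audience the job was created with (its target URL by default) and the
    // service account the job is configured to run as.
    private static final String EXPECTED_AUDIENCE = "https://my-project.appspot.com/admin/task/create-documents";
    private static final String SCHEDULER_SA = "scheduler@my-project.iam.gserviceaccount.com";
    private GoogleIdTokenVerifier verifier;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try { // the verifier fetches Google's signing keys and checks signature, expiry, issuer and audience
            verifier = new GoogleIdTokenVerifier.Builder(
                    GoogleNetHttpTransport.newTrustedTransport(), new GsonFactory())
                    .setAudience(Collections.singletonList(EXPECTED_AUDIENCE)).build();
        } catch (GeneralSecurityException | IOException e) {
            throw new ServletException("cannot initialise ID token verifier", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String auth = ((HttpServletRequest) req).getHeader("Authorization");
        GoogleIdToken token = null;
        if (auth != null && auth.startsWith("Bearer ")) {
            try {
                token = verifier.verify(auth.substring("Bearer ".length()).trim());
            } catch (GeneralSecurityException e) {
                token = null; // malformed or badly signed token: treat as anonymous
            }
        }
        // verify() returns null on any signature/expiry/issuer/audience failure; on top of that,
        // accept only the job's own service account, not just any Google-signed identity.
        if (token == null || !Boolean.TRUE.equals(token.getPayload().getEmailVerified())
                || !SCHEDULER_SA.equals(token.getPayload().getEmail())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() {}
}
```

Map the filter to /admin/* with a <filter> and <filter-mapping> in web.xml in place of the security-constraint shown in the question. If you use the ?key=my_secret variant instead, compare the value with MessageDigest.isEqual on the bytes rather than String.equals, so the comparison does not leak timing information.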

How to use OIDCUnAuthAction pass in mod_auth_openidc correctly?

I want to use mod_auth_openidc for authentication only, by using what is set in REMOTE_USER.
Currently, I have this:
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
Require all granted
</Location>
The user accesses a URL hosted by the app that logs them in. When logged in, there's additional info on every page, and access is allowed to some URLs that otherwise return 401.
Now I want to add OIDC to this, so I tried adding the following:
OIDCRedirectURI https://<hostname>/oidc/redirect_uri
<Location /oidc>
ProxyPass "!"
AuthType openid-connect
Require valid-user
</Location>
Accessing "/oidc" successfully redirects to the provider, then redirects back to /oidc, which doesn't exist in the app, so Apache returns a 404.
If I go anywhere else, no REMOTE_USER is set and so the user is not authenticated. (I have a debug-page that dumps headers and environment variables and other sundry for this.)
I found this question: Optional or anonymous authentication with mod_auth_openidc, which mentions OIDCUnAuthAction, but it is unclear how to use it.
If I change the first location-block to:
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
Require all granted
OIDCUnAuthAction pass
</Location>
... then the user is no longer redirected.
If I in addition add OIDCUnAuthAction auth to the second Location-block, the redirect is back and the user is back to being redirected to /oidc and not being authenticated anywhere else.
<Location /oidc>
ProxyPass "!"
AuthType openid-connect
Require valid-user
OIDCUnAuthAction auth
</Location>
If I keep the last version of the /oidc-block and change the first block to
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
AuthType openid-connect
Require valid-user
OIDCUnAuthAction pass
</Location>
... that doesn't change anything.
If I do force login everywhere, with
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
AuthType openid-connect
Require valid-user
</Location>
then accessing any page redirects me to the provider, which redirects me to where I came from. On the debug-page I see that there are lots of claims headers, but REMOTE_USER is either not set, or set in such a way that it cannot be dumped (it's not visible to the app), so the user is not authenticated.
If I use OIDCAuthNHeader Foo, it turns up together with the other HTTP headers, prefixed with HTTP_, but then the app can't find it since it isn't named REMOTE_USER...
I'm at my wits' end. How is this supposed to work? Can it work at all?

Start SymmetricDs with TomEE Plume

Hello, I have two WAR deployments in my TomEE Plume, but apparently they are not running and I don't have any idea why that is happening.
Master configuration .properties:
engine.name=corp-000
# The class name for the JDBC Driver
db.driver=org.hsqldb.jdbcDriver
# The JDBC URL used to connect to the database
db.url=jdbc:jdbc:hsqldb:hsql://localhost:9001/db1
# The user to login as who can create and update tables
db.user=sa
# The password for the user to login as
db.password=
registration.url=
sync.url=http://localhost:8080/symmetricNodoPadre/corp-000/sync
# Do not change these for running the demo
group.id=corp
external.id=000
# Don't muddy the waters with purge logging
job.purge.period.time.ms=7200000
# This is how often the routing job will be run in milliseconds
job.routing.period.time.ms=5000
# This is how often the push job will be run.
job.push.period.time.ms=10000
# This is how often the pull job will be run.
job.pull.period.time.ms=10000
# Kick off initial load
initial.load.create.first=true
My slave configuration .properties:
engine.name=$(hostName)
# The class name for the JDBC Driver
db.driver=org.hsqldb.jdbcDriver
# The JDBC URL used to connect to the database
db.url=jdbc:jdbc:hsqldb:hsql://localhost:9002/db2
# The user to login as who can create and update tables
db.user=sa
# The password for the user to login as
db.password=
# The HTTP URL of the root node to contact for registration
registration.url=http://localhost:8080/symmetricNodoPadre/corp-000/sync
# Do not change these for running --the demo
group.id=store
external.id=$(hostName)
# This is how often the routing job will be run in milliseconds
job.routing.period.time.ms=5000
# This is how often the push job will be run.
job.push.period.time.ms=10000
# This is how often the pull job will be run.
job.pull.period.time.ms=10000
And the web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>SymmetricDS</display-name>
<context-param>
<param-name>autoStart</param-name>
<param-value>true</param-value>
</context-param>
<!-- To turn on multi server mode in a war deployment uncomment this. The engines directory
is controlled by -Dsymmetric.engines.dir=/path/to/dir. The default value is "engines"
<context-param>
<param-name>multiServerMode</param-name>
<param-value>true</param-value>
</context-param>
-->
<!-- To specify the name of the properties file to use in a war deployment uncomment this. -->
<context-param>
<param-name>singleServerPropertiesFile</param-name>
<param-value>/symmetricNodoPadre/WEB-INF/classes/symmetric.properties</param-value>
</context-param>
<!-- In order to use extension points defined in an existing spring context turn this setting on
<context-param>
<param-name>useWebApplicationContext</param-name>
<param-value>true</param-value>
</context-param>
-->
<context-param>
<param-name>deploymentType</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>org.jumpmind.symmetric.web.rest</param-value>
</context-param>
<listener>
<listener-class>org.jumpmind.symmetric.web.SymmetricContextListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>SymmetricServlet</servlet-name>
<servlet-class>org.jumpmind.symmetric.web.SymmetricServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>rest</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<init-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</init-param>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>org.jumpmind.symmetric.web.rest</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SymmetricServlet</servlet-name>
<url-pattern>/sync/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>rest</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
</web-app>
Obviously, in the slave web.xml I put the other path, i.e. symmetricNodoHijo/WEB-INF/classes/symmetric.properties.

Does the RemoteApiOptions method useServiceAccountCredential work with a P12 file?

Does useServiceAccountCredential work with a P12 file? I am trying to use it in Java and get the error com.google.appengine.repackaged.com.google.api.client.http.HttpResponseException: 302 Found
Yes, it does. You need to have an App Engine app serving the remote API. E.g., you would have a Python app with the following lines in app.yaml:
- url: /remoteapi.*
script: google.appengine.ext.remote_api.handler.application
Or a Java app with the following in web.xml:
<servlet>
<display-name>Remote API Servlet</display-name>
<servlet-name>RemoteApiServlet</servlet-name>
<servlet-class>com.google.apphosting.utils.remoteapi.RemoteApiServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>RemoteApiServlet</servlet-name>
<url-pattern>/remote_api</url-pattern>
</servlet-mapping>
Please note that depending on your client, it might call a slightly different URL, e.g. /remote_api.
Also, if you have deployed the App Engine app in a module, take that into account in the client code; you would have:
RemoteApiOptions raoptions = new RemoteApiOptions()
.server("my-module-dot-my-project.appspot.com", 443)
.useServiceAccountCredential("my-service-account-id", "my-p12-file.p12");
RemoteApiInstaller installer = new RemoteApiInstaller();
installer.install(raoptions);
Hope that helps!

Deploying CXF webservices in Tomcat

I am trying to deploy a web service in Tomcat 7 using Maven.
Below I provide some configuration info:
web.xml
...
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
...
pom.xml
...
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>tomcat-maven-plugin</artifactId>
<version>1.1</version>
<configuration>
<url>http://localhost:8080/manager/text</url>
<server>TomcatServer</server>
<path>/services/userinfo</path>
...
Given the <url-pattern>/services/*</url-pattern> and <path>/services/userinfo</path> configuration, the URL http://localhost:8080/services/userinfo shows 404.
If using instead <url-pattern>/*</url-pattern> everything works as expected (i.e. http://localhost:8080/services/userinfo shows the list of available methods).
The question:
Why doesn't /services/* work in my case?
The path in your tomcat-maven-plugin configuration
<path>/services/userinfo</path>
defines where you are deploying the webapp (the context root). In this case, you are deploying it to
http://localhost:8080/services/userinfo
Check out the webapps directory in your Tomcat installation.
Since you are defining the CXFServlet mapping as /services/*, the CXF service list would show at
http://localhost:8080/services/userinfo/services/
When you re-defined the mapping to /*, it just appeared to work as expected, but that was only because the context root you used and the service listing path you expected were the same.