Posted to jetspeed-dev@portals.apache.org by at...@apache.org on 2011/09/23 13:37:04 UTC
svn commit: r1174672 - in /portals/jetspeed-2/portal/trunk:
components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/
components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/
jetspeed-install...
Author: ate
Date: Fri Sep 23 11:37:04 2011
New Revision: 1174672
URL: http://svn.apache.org/viewvc?rev=1174672&view=rev
Log:
JS2-1258: Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin user
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java
portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java Fri Sep 23 11:37:04 2011
@@ -64,6 +64,12 @@ public class JetspeedContextRewriter
}
}
+ // Security measurement: restrict/reduce deployment of non-privileged Tomcat applications only
+ if (root.hasAttribute("privileged"))
+ {
+ root.setAttribute("privileged", "false");
+ }
+
if (root.hasAttribute("docBase"))
{
// set Context docBase
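Review bot: The new comment `// Security measurement: restrict/reduce deployment of non-privileged Tomcat applications only` is hard to parse and does not explain why the attribute is only rewritten when it is already present; I would replace it with `// Security measure: never deploy a portlet application as a privileged Tomcat Context; when the attribute is absent Tomcat defaults privileged to false, so only an explicit setting has to be overridden`. The override silently discards a value the application author put in its own context descriptor, so if this class has a logger available, a warn-level line when the original value was "true" would make the downgrade visible to whoever later debugs a portlet application that expected container-class access. The enclosing method begins before this hunk, so I cannot see where `root` is obtained.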
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java Fri Sep 23 11:37:04 2011
@@ -47,7 +47,7 @@ import org.slf4j.LoggerFactory;
*/
public class TomcatManager implements ApplicationServerManager
{
- private static final String DEFAULT_MANAGER_APP_PATH = "/manager";
+ private static final String DEFAULT_MANAGER_SCRIPT_PATH = "/manager";
protected static final Logger log = LoggerFactory.getLogger("deployment");
private String hostUrl;
@@ -56,11 +56,10 @@ public class TomcatManager implements Ap
private String password;
- private String managerAppPath = DEFAULT_MANAGER_APP_PATH;
- private String stopPath = managerAppPath + "/stop";
- private String startPath = managerAppPath + "/start";
- private String deployPath = managerAppPath + "/deploy";
- private String undeployPath = managerAppPath + "/undeploy";
+ private String stopPath;
+ private String startPath;
+ private String deployPath;
+ private String undeployPath;
private HttpClient client;
private HttpMethod start;
@@ -73,6 +72,15 @@ public class TomcatManager implements Ap
public TomcatManager(String hostName, int hostPort, String userName, String password) throws IOException
{
+ this (hostName, hostPort, userName, password, DEFAULT_MANAGER_SCRIPT_PATH);
+ }
+
+ public TomcatManager(String hostName, int hostPort, String userName, String password, String managerScriptPath) throws IOException
+ {
+ this.stopPath = managerScriptPath + "/stop";
+ this.startPath = managerScriptPath + "/start";
+ this.deployPath = managerScriptPath + "/deploy";
+ this.undeployPath = managerScriptPath + "/undeploy";
this.hostUrl = hostName;
this.hostPort = hostPort;
this.userName = userName;
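Review bot: The five-argument constructor added at line 70 concatenates `managerScriptPath` without checking it, so a null or empty value (for example when `application.server.manager.script.path` is missing from an override and the new `constructor-arg index="4"` in deployment.xml resolves to nothing) produces paths such as `null/stop` or `/stop`, and every manager call then fails in an unobvious way. A guard at the top of the constructor keeps the previous behaviour as the fallback: `if (managerScriptPath == null || managerScriptPath.trim().length() == 0) { managerScriptPath = DEFAULT_MANAGER_SCRIPT_PATH; }`. Since jetspeed.properties now ships empty `application.server.manager.name` and `.password`, the class Javadoc should also state how the manager behaves when credentials are empty (presumably manager access is simply unavailable); the rest of the constructor body lies outside the hunk, so I cannot see whether that case is handled. The constant rename in the first hunk and the removed field initialisers in the second are fine as they are.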
Modified: portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml Fri Sep 23 11:37:04 2011
@@ -23,9 +23,20 @@
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->
- <role rolename="tomcat"/>
- <role rolename="manager"/>
- <role rolename="admin"/>
- <user name="tomcat" password="tomcat" roles="tomcat" />
- <user username="j2deployer" password="j2deployer" roles="admin,manager,tomcat"/>
+<!-- Jetspeed:
+
+ To allow the Jetspeed PortletApplicationManager portlet access to the
+ Tomcat manager to start, stop and undeploy portlet applications, a
+ user with role "manager-script" needs to be defined, as well as
+ configuring this user and its password in
+ $CATALINA_BASE/webapps/jetspeed/WEB-INF/conf/jetspeed.properties
+ or more preferred the sibling /override.properties file:
+
+ application.server.manager.name=<manager user>
+ application.server.manager.password=<manager password>
+
+ and here in tomcat-users.xml:
+
+ <user username=<manager user> password=<manager password> roles="manager-script"/>
+-->
</tomcat-users>
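Review bot: The new comment instructs the user to grant role `manager-script`, but whether that role exists depends on the Tomcat version: the split manager roles arrived with Tomcat 7 (and, as far as I recall, were backported to later 6.0.x releases), while older Tomcat 6 installations only know the single `manager` role. One extra line in the comment, such as `(on Tomcat 6 releases without the split manager roles use roles="manager" instead)`, would keep a user who follows these steps verbatim from hitting a 403 and then re-adding a broad admin user to make it work. Dropping the shipped `j2deployer`/`j2deployer` and `tomcat`/`tomcat` accounts is the right default; it would also be worth pointing the reader at the Realm `digest` attribute so the manager password does not have to sit in this file in clear text.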
Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml Fri Sep 23 11:37:04 2011
@@ -39,6 +39,9 @@
<constructor-arg index="3">
<value>${application.server.manager.password}</value>
</constructor-arg>
+ <constructor-arg index="4">
+ <value>${application.server.manager.script.path}</value>
+ </constructor-arg>
</bean>
<bean id="deployFactory" class="org.apache.jetspeed.tools.deploy.JetspeedDeployFactory">
Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties Fri Sep 23 11:37:04 2011
@@ -175,9 +175,13 @@ autodeployment.apps.internal.path=${appl
#----'--------------------------------------------------------------------------------------------------------
application.server.host=localhost
application.server.port=8080
-# demo Tomcat user name/password having role manager (specify in $TOMCAT_BASE/conf/tomcat-users.xml)
-application.server.manager.name=j2deployer
-application.server.manager.password=j2deployer
+# Path to access the Tomcat manager, see: http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html
+# Note: For default Tomcat 7+ this should be adjusted to: /manager/script
+application.server.manager.script.path=/manager
+# Tomcat user name/password having role "manager-script" for access to the Tomcat Manager
+# By default these are undefined (disabled Tomcat Manager access)
+application.server.manager.name=
+application.server.manager.password=
#-------------------------------------------------------------------------
# A S S E M B L Y (note may move this to class path)
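Review bot: The comment `# By default these are undefined (disabled Tomcat Manager access)` does not match the two lines below it, which define both keys as empty strings rather than leaving them undefined; I would write `# By default these are left empty, which disables Tomcat Manager access (TomcatManager must treat an empty name/password as "not configured")` so the reader knows the disabling relies on how the consumer handles empty values, not on a missing key. The line `# Note: For default Tomcat 7+ this should be adjusted to: /manager/script` also deserves a check: the Tomcat 7 manager-howto documents the plain-text command interface under `/manager/text`, and I am not aware of a `/manager/script` mapping, so the suggested value may need to be `/manager/text`. Linking the documentation for the Tomcat version the reader actually runs, rather than only the 6.0 page, would avoid the same confusion.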
Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml Fri Sep 23 11:37:04 2011
@@ -303,7 +303,7 @@
</Groups>
<Users>
<User name="admin">
- <credentials password="admin" enabled="TRUE" requiresUpdate="FALSE"/>
+ <credentials password="admin" enabled="TRUE" requiresUpdate="TRUE"/>
<roles>user,admin</roles>
<groups>engineering,finance,marketing</groups>
<preferences>
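Review bot: Setting `requiresUpdate="TRUE"` on the seeded admin credential forces a password change, but the seed still ships the well-known value `admin`, so the first login with `admin`/`admin` keeps working until someone performs it; the identical change in seed/min/j2-ui-seed.xml has the same property. Whether this closes the gap depends on the portal refusing every other action until the update has been completed, which these seed files cannot show, so the install documentation should say so and should recommend setting a non-default admin password at seed time rather than relying on the forced change alone. A short comment above the `<User name="admin">` element, such as `<!-- demo credential: requiresUpdate forces a password change on first login; set a real password before exposing the portal -->`, would make the intent explicit to anyone copying this seed.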
Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml Fri Sep 23 11:37:04 2011
@@ -295,7 +295,7 @@
<Groups/>
<Users>
<User name="admin">
- <credentials password="admin" enabled="TRUE" requiresUpdate="FALSE"/>
+ <credentials password="admin" enabled="TRUE" requiresUpdate="TRUE"/>
<roles>user,admin</roles>
<groups></groups>
<preferences>