Posted to jetspeed-dev@portals.apache.org by at...@apache.org on 2011/09/23 13:37:04 UTC

svn commit: r1174672 - in /portals/jetspeed-2/portal/trunk: components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/ components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/ jetspeed-install...

Author: ate
Date: Fri Sep 23 11:37:04 2011
New Revision: 1174672

URL: http://svn.apache.org/viewvc?rev=1174672&view=rev
Log:
JS2-1258: Harden the default/demo Jetspeed security configuration by disabling use of the Tomcat Manager and forcing a password change for the demo admin user

Modified:
    portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java
    portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml
    portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml
    portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
    portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml
    portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-deploy-tools/src/main/java/org/apache/jetspeed/tools/deploy/JetspeedContextRewriter.java Fri Sep 23 11:37:04 2011
@@ -64,6 +64,12 @@ public class JetspeedContextRewriter
                     }
                 }
                 
+                // Security measurement: restrict/reduce deployment of non-privileged Tomcat applications only
+                if (root.hasAttribute("privileged"))
+                {
+                    root.setAttribute("privileged", "false");
+                }
+                
                 if (root.hasAttribute("docBase"))
                 {
                     // set Context docBase
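Review bot: The new comment at the top of the hunk reads as if deployment of non-privileged applications is being restricted, while the code does the opposite: it forces `privileged="false"` so the rewritten context never gets privileged access to Tomcat internals. Suggested wording: `// Security measure: never deploy the portlet application as a privileged Tomcat context`. The `hasAttribute` guard downgrades an explicit `privileged="true"` but writes nothing when the attribute is absent, which is only safe because Tomcat's Context defaults `privileged` to false; an unconditional `root.setAttribute("privileged", "false");` would state the intent without relying on that default. The enclosing method starts and ends outside the hunk.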

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/tools/pamanager/servletcontainer/TomcatManager.java Fri Sep 23 11:37:04 2011
@@ -47,7 +47,7 @@ import org.slf4j.LoggerFactory;
  */
 public class TomcatManager implements ApplicationServerManager
 {
-    private static final String DEFAULT_MANAGER_APP_PATH = "/manager";
+    private static final String DEFAULT_MANAGER_SCRIPT_PATH = "/manager";
     protected static final Logger log = LoggerFactory.getLogger("deployment");
 
     private String hostUrl;
@@ -56,11 +56,10 @@ public class TomcatManager implements Ap
     private String password;
     
     
-    private String managerAppPath = DEFAULT_MANAGER_APP_PATH;
-    private String stopPath = managerAppPath + "/stop";
-    private String startPath = managerAppPath + "/start";
-    private String deployPath = managerAppPath + "/deploy";
-    private String undeployPath = managerAppPath + "/undeploy";
+    private String stopPath;
+    private String startPath;
+    private String deployPath;
+    private String undeployPath;
     private HttpClient client;
 
     private HttpMethod start;
@@ -73,6 +72,15 @@ public class TomcatManager implements Ap
 
     public TomcatManager(String hostName, int hostPort, String userName, String password) throws IOException
     {
+        this (hostName, hostPort, userName, password, DEFAULT_MANAGER_SCRIPT_PATH);
+    }
+    
+    public TomcatManager(String hostName, int hostPort, String userName, String password, String managerScriptPath) throws IOException
+    {
+        this.stopPath = managerScriptPath + "/stop";
+        this.startPath = managerScriptPath + "/start";
+        this.deployPath = managerScriptPath + "/deploy";
+        this.undeployPath = managerScriptPath + "/undeploy";
         this.hostUrl = hostName;
         this.hostPort = hostPort;
         this.userName = userName;
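Review bot: The new five-argument constructor concatenates `managerScriptPath` without validating it, so a null value silently yields paths such as `null/stop` that only fail later at request time; add `Objects.requireNonNull(managerScriptPath, "managerScriptPath");` as its first statement (importing `java.util.Objects` if the file does not already). Because `jetspeed.properties` in this same commit now leaves `application.server.manager.name` and `.password` empty by default, it is worth confirming that this constructor, whose body continues outside the hunk, treats empty credentials as "manager access disabled" rather than sending empty basic-auth credentials to Tomcat; nothing visible in the hunk does that. The new constructor also lacks Javadoc; a `@param managerScriptPath` line saying it is the base path of the Tomcat Manager's script/text interface (default `/manager`) would help, and the four path fields changed in the previous hunk could be `final` if nothing else in the class (not visible here) assigns them.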

Modified: portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-installer/etc/tomcat/conf/tomcat-users.xml Fri Sep 23 11:37:04 2011
@@ -23,9 +23,20 @@
   <user username="both" password="tomcat" roles="tomcat,role1"/>
   <user username="role1" password="tomcat" roles="role1"/>
 -->
-  <role rolename="tomcat"/>
-  <role rolename="manager"/>
-  <role rolename="admin"/>
-  <user name="tomcat" password="tomcat" roles="tomcat" />  
-  <user username="j2deployer" password="j2deployer" roles="admin,manager,tomcat"/>
+<!-- Jetspeed:
+    
+  To allow the Jetspeed PortletApplicationManager portlet access to the
+  Tomcat manager to start, stop and undeploy portlet applications, a
+  user with role "manager-script" needs to be defined, as well as
+  configuring this user and its password in 
+  $CATALINA_BASE/webapps/jetspeed/WEB-INF/conf/jetspeed.properties
+  or more preferred the sibling /override.properties file:
+  
+    application.server.manager.name=<manager user>
+    application.server.manager.password=<manager password>
+    
+  and here in tomcat-users.xml:
+  
+  <user username=<manager user> password=<manager password> roles="manager-script"/> 
+-->
 </tomcat-users>
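Review bot: The example `<user>` line in the new comment leaves the placeholder attribute values unquoted (`username=<manager user>`), so copying it and filling in values produces malformed XML; write it as `<user username="<manager user>" password="<manager password>" roles="manager-script"/>`. Tomcat's shipped tomcat-users.xml declares each role before use, so adding `<role rolename="manager-script"/>` to the example keeps it consistent with that convention. The comment could also make explicit that this user should carry only `manager-script` and not `manager-gui`/`admin`, so the deployer credential cannot be used interactively.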

Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/deployment.xml Fri Sep 23 11:37:04 2011
@@ -39,6 +39,9 @@
     <constructor-arg index="3">
       <value>${application.server.manager.password}</value>
     </constructor-arg>
+    <constructor-arg index="4">
+      <value>${application.server.manager.script.path}</value>
+    </constructor-arg>
   </bean>
 
   <bean id="deployFactory" class="org.apache.jetspeed.tools.deploy.JetspeedDeployFactory">

Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties Fri Sep 23 11:37:04 2011
@@ -175,9 +175,13 @@ autodeployment.apps.internal.path=${appl
 #----'--------------------------------------------------------------------------------------------------------
 application.server.host=localhost
 application.server.port=8080
-# demo Tomcat user name/password having role manager (specify in $TOMCAT_BASE/conf/tomcat-users.xml)
-application.server.manager.name=j2deployer
-application.server.manager.password=j2deployer
+# Path to access the Tomcat manager, see: http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html
+# Note: For default Tomcat 7+ this should be adjusted to: /manager/script 
+application.server.manager.script.path=/manager
+# Tomcat user name/password having role "manager-script" for access to the Tomcat Manager
+# By default these are undefined (disabled Tomcat Manager access)
+application.server.manager.name=
+application.server.manager.password=
 
 #-------------------------------------------------------------------------
 # A S S E M B L Y (note may move this to class path)
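Review bot: The note on `application.server.manager.script.path` says Tomcat 7+ should use `/manager/script`, but as far as I recall Tomcat 7's manager-howto serves the text (script) interface under `/manager/text`; please verify the path before users rely on this comment, and consider linking the 7.0 manager-howto next to the 6.0 one. Since `application.server.manager.name` and `.password` are now empty by default, the comment should also say what an empty value means in practice, e.g. `# Leave both empty to disable Tomcat Manager access from the PortletApplicationManager`, provided that is how TomcatManager actually treats empty credentials (not visible in this diff).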

Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/j2-ui-seed.xml Fri Sep 23 11:37:04 2011
@@ -303,7 +303,7 @@
 	</Groups>
 	<Users>
 		<User name="admin">
-			<credentials password="admin" enabled="TRUE" requiresUpdate="FALSE"/>
+			<credentials password="admin" enabled="TRUE" requiresUpdate="TRUE"/>
 			<roles>user,admin</roles>
 			<groups>engineering,finance,marketing</groups>
 			<preferences>
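Review bot: Switching `requiresUpdate` to `TRUE` still seeds the well-known `admin`/`admin` credential, so the hardening depends on the portal's login flow refusing access until the password has been changed; that enforcement is outside this diff and worth confirming with a test. The same one-line change is made to seed/min/j2-ui-seed.xml in the following hunk. A short XML comment above the `<User name="admin">` entry, such as `<!-- demo account: a password change is forced at first login -->`, would make the intent visible to whoever edits the seed next.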

Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml?rev=1174672&r1=1174671&r2=1174672&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/seed/min/j2-ui-seed.xml Fri Sep 23 11:37:04 2011
@@ -295,7 +295,7 @@
 	<Groups/>
 	<Users>
 		<User name="admin">
-			<credentials password="admin" enabled="TRUE" requiresUpdate="FALSE"/>
+			<credentials password="admin" enabled="TRUE" requiresUpdate="TRUE"/>
 			<roles>user,admin</roles>
 			<groups></groups>
 			<preferences>


