Posted to commits@directory.apache.org by sm...@apache.org on 2015/02/09 03:10:47 UTC
directory-fortress-realm git commit: FC-56 - Add Tomcat Setup Notes
Repository: directory-fortress-realm
Updated Branches:
refs/heads/master cbb8e8feb -> c51013b23
FC-56 - Add Tomcat Setup Notes
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/commit/c51013b2
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/tree/c51013b2
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/diff/c51013b2
Branch: refs/heads/master
Commit: c51013b23ff83f309623b023adb00b73467bd351
Parents: cbb8e8f
Author: Shawn McKinney <sm...@apache.org>
Authored: Sun Feb 8 20:10:29 2015 -0600
Committer: Shawn McKinney <sm...@apache.org>
Committed: Sun Feb 8 20:10:29 2015 -0600
----------------------------------------------------------------------
README.txt | 1 -
TOMCAT-GLOBAL-SECURITY-NOTES.txt | 274 +++++++++++++++
TOMCAT-SETUP-NOTES.txt | 338 -------------------
build.xml | 2 +-
impl/pom.xml | 133 +++++---
pom.xml | 4 +-
proxy/pom.xml | 6 +-
.../fortress/realm/tomcat/package.html | 2 +-
8 files changed, 363 insertions(+), 397 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/c51013b2/README.txt
----------------------------------------------------------------------
diff --git a/README.txt b/README.txt
index 91603a3..f10d4ca 100755
--- a/README.txt
+++ b/README.txt
@@ -31,7 +31,6 @@ a. Internet access to retrieve source code from Apache Fortress Rest GIT and bin
b. Java SDK Version 7 or beyond installed to target environment
c. Apache Maven installed to target environment
-
_________________________________________________________________________________
###################################################################################
# SECTION 1: Instructions to clone source from Fortress Realm Git Repo:
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/c51013b2/TOMCAT-GLOBAL-SECURITY-NOTES.txt
----------------------------------------------------------------------
diff --git a/TOMCAT-GLOBAL-SECURITY-NOTES.txt b/TOMCAT-GLOBAL-SECURITY-NOTES.txt
new file mode 100644
index 0000000..4a172d5
--- /dev/null
+++ b/TOMCAT-GLOBAL-SECURITY-NOTES.txt
@@ -0,0 +1,274 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+___________________________________________________________________________________
+###################################################################################
+INSTRUCTIONS TO ENABLE GLOBAL TOMCAT SECURITY WITH FORTRESS REALM
+Last updated: February 8, 2015
+
+--------------------------------------------------------------
+###################################################################################
+# Guidelines & Tips
+###################################################################################
+
+- This document describes how to enable Fortress Realm to provide security for
+ Tomcat server.
+
+- In the document that follows, replace "[version]" with Fortress Realm version label.
+ For example - if Fortress Realm 1.0 release, change fortress-realm-proxy-[version].jar to fortress-realm-proxy-1.0.jar
+
+- Restart Tomcat server after any changes to Tomcat config, Fortress config or lib files.
+
+- Common misconfiguration issues related to Fortress, LDAP and Tomcat are located in section III.
+___________________________________________________________________________________
+###################################################################################
+# SECTION 0. Prerequisites for Fortress Realm installation and usage with Tomcat
+###################################################################################
+a. Internet access to retrieve source code from Apache Fortress Realm GIT and binary dependencies from online Maven repo.
+
+b. Java SDK Version 7 or beyond installed to target environment
+
+c. LDAP server installed. (see README in Apache Fortress Core)
+
+d. Apache Tomcat 7 or greater installed to local machine.
+_________________________________________________________________________________
+###################################################################################
+# SECTION 1: Prepare Machine
+###################################################################################
+a. Follow instructions in README.txt to build and install fortress realm.
+
+b. copy fortress-realm-proxy-[version].jar to TOMCAT_HOME/lib/
+
+c. Configure Fortress Realm for target LDAP server
+
+Copy the fortress.properties, created during [directory-fortress-core] setup, to this package's resource folder.
+
+# cp [directory-fortress-core]/config/fortress.properties [directory-fortress-enmasse]/src/main/resources
+
+Where [directory-fortress-core] is base folder of the fortress core source package and [directory-fortress-enmasse] is the current package's home folder.
+
+_________________________________________________________________________________
+###################################################################################
+# SECTION 2: Enable Tomcat Realm
+###################################################################################
+a. edit TOMCAT_HOME/conf/server.xml
+
+b. comment out entrt to UserDatabase:
+
+ <!--Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" /-->
+
+c. add the following:
+
+ <Realm className="org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy"
+ debug="0"
+ resourceName="UserDatabase"
+ containerType="Tomcat7"
+ realmClasspath="[directory-fortress-core]/config:[directory-fortress-core]/impl/target/fortress-realm-impl-uber-[version].jar"
+ defaultRoles=""
+ />
+
+Where [directory-fortress-core] is base folder of the fortress core source package.
+Where [directory-fortress-realm] is base folder of the fortress realm source package.
+
+d. restart tomcat
+
+e. view the server logs to ensure there are no errors.
+
+f. verify that sentry started successfully by viewing following message in catalina.log:
+
+org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy J2EE Tomcat7 policy agent initialization successful
+_________________________________________________________________________________
+###################################################################################
+# SECTION 3: Test with Tomcat Manager App
+###################################################################################
+
+Note: this section provides instructions for using the Tomcat Manager application to test Fortress Realm.
+This is not necessary if you have your own Java EE security enabled web application to test with.
+
+a. Enable Tomcat Manager application. note: check the Tomcat documentation on how to do this.
+
+b. Verify/enable role name. Edit TOMCAT_HOME/webapps/manager/WEB-INF/web.xml
+
+ <!-- Security roles referenced by this web application --/>
+ <security-role/>
+ <description/>
+ The role that is required to log in to the Manager Application
+ </description/>
+ <role-name/>manager</role-name/>
+ </security-role/>
+
+c. run fortress-core load file TomcatManagerUser.xml
+
+d. Test logon onto the Tomcat Manager app.
+
+ Enter URL to manager web app:
+ http://localhost:8080/manager/html
+
+ Enter creds (tcmanager, password) into basic logon form
+ Verify authentication/authorization success to web app.
+
+_________________________________________________________________________________
+###################################################################################
+# SECTION 4: Common troubleshooting tips:
+###################################################################################
+
+-------------------------------------------------------------------------------------------
+i. - Server can't find config files (realmClasspath="/fortressSentry-1.0.0/conf/")
+-------------------------------------------------------------------------------------------
+Jul 15, 2011 8:21:16 PM us.jts.sentry.tomcat.Tc7AccessMgrProxy initialize
+INFO: us.jts.sentry.tomcat.Tc7AccessMgrProxy.initialize - instantiate policy agent name: us.jts.sentry.tomcat.TcAccessMgrImpl
+2011-07-15 20:21:17,053 (FATAL) us.jts.configuration.Config static init: Error, null configuration file: fortress.properties
+Jul 15, 2011 8:21:17 PM us.jts.sentry.tomcat.Tc7AccessMgrProxy startInternal
+SEVERE: us.jts.sentry.tomcat.Tc7AccessMgrProxy.startInternal caught Throwable=java.lang.ExceptionInInitializerError
+java.lang.ExceptionInInitializerError
+ at us.jts.sentry.J2eePolicyMgrFactory.<clinit>(J2eePolicyMgrFactory.java:32)
+ at us.jts.sentry.tomcat.TcAccessMgrImpl.<init>(TcAccessMgrImpl.java:35)
+ at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
+ at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
+ at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
+ at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
+ at java.lang.Class.newInstance0(Class.java:355)
+ at java.lang.Class.newInstance(Class.java:308)
+ at us.jts.sentry.tomcat.Tc7AccessMgrProxy.initialize(Tc7AccessMgrProxy.java:112)
+ at us.jts.sentry.tomcat.Tc7AccessMgrProxy.startInternal(Tc7AccessMgrProxy.java:236)
+ at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
+ at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1026)
+ at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:291)
+ at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
+ at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
+ at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
+ at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:727)
+ at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
+ at org.apache.catalina.startup.Catalina.start(Catalina.java:620)
+ at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
+ at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
+ at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
+ at java.lang.reflect.Method.invoke(Method.java:597)
+ at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:303)
+ at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
+Caused by: java.lang.RuntimeException: us.jts.configuration.Config static init: Error, null configuration file: fortress.properties
+ at us.jts.configuration.Config.<clinit>(Config.java:51)
+ ... 25 more
+
+ACTION:
+
+Ensure step 3c points to Fortress sentry configuration folder.
+
+-------------------------------------------------------------------------------------------
+ii. - Server can't find proxy jar (Realm className="us.jts.sentry.tomcat.TcAccessMgrProxy")
+-------------------------------------------------------------------------------------------
+INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-6-sun-1.6.0.22/jre/lib/i386/server:/usr/lib/jvm/java-6-sun-1.6.0.22/jre/lib/i386:/usr/lib/jvm/java-6-sun-1.6.0.22/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
+Apr 22, 2011 10:24:04 PM org.apache.tomcat.util.digester.Digester startElement
+SEVERE: Begin event threw exception
+java.lang.ClassNotFoundException: us.jts.sentry.tomcat.TcAccessMgrProxy
+
+ACTION:
+
+Ensure step 1c copied the Fortress sentry proxy jar to TOMCAT_HOME/lib folder.
+
+-------------------------------------------------------------------------------------------
+iii. - Server can't find binaries (realmClasspath="...FORTRESS_HOME/lib/fortressSentry-[version].jar")
+-------------------------------------------------------------------------------------------
+Apr 22, 2011 10:22:25 PM us.jts.sentry.tomcat.TcAccessMgrProxy initialize
+SEVERE: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: us.jts.sentry.tomcat.TcAccessMgrImpl
+Apr 22, 2011 10:22:25 PM us.jts.sentry.tomcat.TcAccessMgrProxy start
+SEVERE: Fortress Tomcat Realm.start caught Exception=java.lang.RuntimeException: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: us.jts.sentry.tomcat.TcAccessMgrImpl
+java.lang.RuntimeException: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: us.jts.sentry.tomcat.TcAccessMgrImpl
+ at us.jts.sentry.tomcat.TcAccessMgrProxy.initialize(TcAccessMgrProxy.java:118)
+
+ACTION:
+
+Ensure step 3c configuration points fortressSentry jar, i.e. FORTRESS_HOME/lib/fortressProxyTomcat[version].jar.
+
+-------------------------------------------------------------------------------------------
+iv. - Incompatible Tomcat Proxy jar loaded for Tomcat 7 and beyond
+-------------------------------------------------------------------------------------------
+
+The Tomcat realm base class changed between Tomcat version's 6 and 7. If you are running Tomcat7 and see error that looks like this:
+
+Jun 4, 2011 3:01:41 PM org.apache.tomcat.util.digester.Digester startElement
+SEVERE: Begin event threw error
+java.lang.VerifyError: class us.jts.sentry.tomcat.TcAccessMgrProxy overrides final method start.()V
+ at java.lang.ClassLoader.defineClass1(Native Method)
+ at java.lang.ClassLoader.defineClassCond(ClassLoader.java:632)
+ at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
+ at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
+ at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
+ at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
+ at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
+ at java.security.AccessController.doPrivileged(Native Method)
+ at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
+ at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
+ at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
+ at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144)
+ at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1282)
+ at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:501)
+ at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:179)
+ at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1343)
+ at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2755)
+ at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
+ at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
+ at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
+ at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
+ at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
+ at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
+ at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
+ at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1543)
+ at org.apache.catalina.startup.Catalina.load(Catalina.java:554)
+ at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
+ at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
+ at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
+ at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
+ at java.lang.reflect.Method.invoke(Method.java:597)
+ at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
+ at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
+
+ACTION:
+
+You have the wrong Tomcat Proxy jar on the server's classpath. You need to get the proxy jar that is compatible with Tomcat version 7 and beyond.
+Ensure step 3c configuration points fortressProxyTomcat7-[version].jar, i.e. FORTRESS_HOME/lib/fortressProxyTomcat7-[version].jar.
+
+-------------------------------------------------------------------------------------------
+v. - Incompatible Tomcat Proxy jar loaded for Tomcat 6 and before
+-------------------------------------------------------------------------------------------
+
+The Tomcat realm base class changed between Tomcat version's 6 and 7. If you are running Tomcat 4, 5 or 6 and see error that looks like this:
+
+SEVERE: An exception or error occurred in the container during the request processing
+java.lang.RuntimeException: us.jts.sentry.tomcat.Tc7AccessMgrProxyauthenticate detected Fortress Tomcat7 Realm not initialized correctly. Check your Fortress Realm configuration
+ at us.jts.sentry.tomcat.Tc7AccessMgrProxy.authenticate(Tc7AccessMgrProxy.java:161)
+ at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
+ at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
+ at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
+ at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
+ at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
+ at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
+ at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
+ at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
+ at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
+ at java.lang.Thread.run(Thread.java:662)
+
+
+ACTION:
+
+You have the wrong Tomcat Proxy jar on the server's classpath. You need to get the proxy jar that is compatible with Tomcat version 6 and before:
+Ensure step 3c configuration points fortressProxyTomcat-[version].jar, i.e. FORTRESS_HOME/lib/fortressProxyTomcat-[version].jar.
\ No newline at end of file
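Review bot: the web.xml sample in SECTION 3 step b is not well-formed XML and cannot be pasted as written: the comment is closed with "--/>" and every element carries a stray slash ("<security-role/>", "<role-name/>manager</role-name/>", "</security-role/>"). It should use "<security-role>", "<role-name>manager</role-name>" and "</security-role>", with the comment closed by "-->". Several cross-references were also not updated for the new layout. The ACTION items in SECTION 4 point at "step 3c" and "step 1c", but in this file the proxy jar copy is SECTION 1 step b and the Realm element is SECTION 2 step c. The Guidelines bullet sends readers to "section III" for misconfiguration issues, which are now in SECTION 4. The troubleshooting text still names us.jts.sentry classes and fortressSentry / fortressProxyTomcat jars, while SECTION 2 configures org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy. SECTION 1 step c copies fortress.properties into [directory-fortress-enmasse], which reads as carried over from another package's notes. SECTION 2 defines [directory-fortress-realm] but the realmClasspath value never uses it and instead looks for fortress-realm-impl-uber-[version].jar under [directory-fortress-core]/impl/target. Please confirm which base folder is intended. Smaller points: "entrt" in SECTION 2 step b should be "entry", and SECTION 3 step d logs on with (tcmanager, password) over plain http, so a line saying that the account loaded from TomcatManagerUser.xml is for local testing and should be removed or given a new password afterwards would help.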
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/c51013b2/TOMCAT-SETUP-NOTES.txt
----------------------------------------------------------------------
diff --git a/TOMCAT-SETUP-NOTES.txt b/TOMCAT-SETUP-NOTES.txt
deleted file mode 100644
index 1d3a793..0000000
--- a/TOMCAT-SETUP-NOTES.txt
+++ /dev/null
@@ -1,338 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
---------------------------------------------------------------
-Apache Directory Fortress Realm Setup Notes for Tomcat App Sever
-last updated: October 31, 2014
---------------------------------------------------------------
-###################################################################################
-# Guidelines & Tips
-###################################################################################
-
-- In the document that follows, replace "[version]" with Fortress version label.
- For example - if Fortress 1.0 release, change fortressProxyTomcat-[version].jar to fortressProxyTomcat-1.0.jar
-
-- Restart Tomcat server after any changes to Tomcat config, Fortress config or lib files.
-
-- You (usually) do NOT need to restart Tomcat after changes to the LDAP data, i.e. users, passwords, roles.
-
-- Steps I - III below are mandatory.
-
-- Step IV is optional, for testing purposes.
-
-- Common misconfiguration issues related to Fortress, LDAP and Tomcat are located in section III.
-
-- Tomcat 7 and beyond uses a different proxy jar. Take special note of this difference in Step I.C.
-
-###################################################################################
-# Summary of installation steps to be completed before Tomcat can use Fortress LDAP
-###################################################################################
-I. Extract Fortress Java Sentry binaries and config to target server
-a. copy tar or zip to server
-b. unzip tar or zip package
-c. copy fortressProxyTomcat[version].jar to TOMCAT_HOME/lib/
-
-II. Configure Fortress Java Sentry for target LDAP server
-a. edit Fortress properties file located in FORTRESS_HOME/conf folder
-b. update ldap host info
-c. update ldap dn info
-d. update ldap admin creds
-e. update ldap connection pool levels
-
-III. Configure Tomcat to use Fortress Java Sentry
-a. edit TOMCAT_HOME/conf/server.xml
-b. comment out old UserDatabase config
-c. add Sentry Proxy
-d. restart Tomcat
-e. Verify success
-
-IV. Test Tomcat Security (Optional)
-a. Enable Tomcat Manager Web app
-b. Verify/enable role constraint
-c. Add role to LDAP
-d. Add test user to LDAP
-e. Assign test user the Manager role
-f. logon Manager app
-
-###################################################################################
-# I. Instructions to extract Fortress Java Sentry Package to Target System
-###################################################################################
-
-a. Copy fortressSentryDist-1.0.0[version].zip to hard drive on target server
-env.
-
-b. Extract the zip. The location for archive can vary according to requirements. The location
-for package will be referred to as "FORTRESS_HOME" later in these instructions.
-
-###################################################################################
-# II. Instructions to configure Fortress Java Sentry to use Target System LDAP
-###################################################################################
-
-Note: the 'dist' ant target on this project will set these properties using build.properties settings.
-
-a. Edit the FORTRESS_HOME properties file located in $FORTRESS_HOME/conf/fortress.properties
-
-b. Set the LDAP Host and port properties:
-
-host=localhost (host or ip)
-port=389
-
-c. Set the LDAP admin creds:
-
-admin=cn=Manager\,dc=jts\,dc=com
-adminPw=secret
-
-d. Set the LDAP connection pool info:
-
-note: the min/max will vary according to anticipated load on your Tomcat server. For busy systems, the max number of
-ldap connections may be much higher.
-
-minUserConn=1
-maxUserConn=10
-minConn=1
-maxConn=10
-
-###################################################################################
-# III. Instructions to configure Tomcat to use Fortress Java Sentry
-###################################################################################
-
-a. Load the Proxy jar onto server classpath.
-
-if Tomcat 7 and beyond:
- Copy the proxy jar located, FORTRESS_HOME/proxy/fortressProxyTomcat7-[version].jar to the Tomcat Server's lib folder.
- /opt/apache-tomcat-7.0.21/lib$ sudo cp /home/smckinn/JavaTools/sentry/fortressSentry[version]/proxy/fortressProxyTomcat7-[version].jar .
-
-else
- Copy the proxy jar located, FORTRESS_HOME/proxy/fortressProxyTomcat-[version].jar to the Tomcat Server's lib folder.
- /opt/apache-tomcat-6.0.24/lib$ sudo cp /home/smckinn/JavaTools/sentry/fortressSentry-[version]/proxy/fortressProxyTomcat-[version].jar .
-
-note: This is the only Fortress binary or configuration artifact that will reside directly on Tomcat's server classpath.
-
-b. Edit the Tomcat server.xml in the /conf.
-c. Comment out existing "UserDatabase" config (if present)
-d. Add the following to Tomcat's server.xml file:
-
-<sentry className="us.jts.sentry.tomcat.TcAccessMgrProxy"
- debug="0"
- resourceName="UserDatabase"
- containerType="Tomcat6"
- realmClasspath="/FORTRESS_HOME/conf:/FORTRESS_HOME/lib/fortressSentry-[version].jar"
- />
-
-note: "FORTRESS_HOME" will point to root folder of Fortress Java sentry package. i.e. /home/user/fortressSentry-1.0.0 or /usr/local/fortressSentry-1.0.0. These
-packages will remain off the Tomcat server classpath but must be correct or server will fail to initialize.
-
-save and exit.
-
-e. Restart Tomcat server
-
-smckinn@smckinnlt-lr01:/opt/apache-tomcat-6.0.24/bin$ sudo ./startup.sh
-
-f. verify that sentry started successfully by viewing following message in catalina.log:
-
-smckinn@smckinnlt-lr01:/opt/apache-tomcat-6.0.24/bin$ tail -f -n10000 ../logs/catalina.out
-
-...
-INFO: us.jts.sentry.tomcat.TcAccessMgrProxy J2EE policy agent initialization successful
-
-If Tomcat 7 and beyond:
-
-INFO: us.jts.sentry.tomcat.Tc7AccessMgrProxy J2EE Tomcat7 policy agent initialization successful
-
--------------------------------------------
-Common troubleshooting tips:
--------------------------------------------
-
--------------------------------------------------------------------------------------------
-i. - Server can't find config files (realmClasspath="/fortressSentry-1.0.0/conf/")
--------------------------------------------------------------------------------------------
-Jul 15, 2011 8:21:16 PM us.jts.sentry.tomcat.Tc7AccessMgrProxy initialize
-INFO: us.jts.sentry.tomcat.Tc7AccessMgrProxy.initialize - instantiate policy agent name: us.jts.sentry.tomcat.TcAccessMgrImpl
-2011-07-15 20:21:17,053 (FATAL) us.jts.configuration.Config static init: Error, null configuration file: fortress.properties
-Jul 15, 2011 8:21:17 PM us.jts.sentry.tomcat.Tc7AccessMgrProxy startInternal
-SEVERE: us.jts.sentry.tomcat.Tc7AccessMgrProxy.startInternal caught Throwable=java.lang.ExceptionInInitializerError
-java.lang.ExceptionInInitializerError
- at us.jts.sentry.J2eePolicyMgrFactory.<clinit>(J2eePolicyMgrFactory.java:32)
- at us.jts.sentry.tomcat.TcAccessMgrImpl.<init>(TcAccessMgrImpl.java:35)
- at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
- at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
- at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
- at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
- at java.lang.Class.newInstance0(Class.java:355)
- at java.lang.Class.newInstance(Class.java:308)
- at us.jts.sentry.tomcat.Tc7AccessMgrProxy.initialize(Tc7AccessMgrProxy.java:112)
- at us.jts.sentry.tomcat.Tc7AccessMgrProxy.startInternal(Tc7AccessMgrProxy.java:236)
- at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
- at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1026)
- at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:291)
- at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
- at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
- at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
- at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:727)
- at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
- at org.apache.catalina.startup.Catalina.start(Catalina.java:620)
- at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
- at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
- at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
- at java.lang.reflect.Method.invoke(Method.java:597)
- at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:303)
- at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
-Caused by: java.lang.RuntimeException: us.jts.configuration.Config static init: Error, null configuration file: fortress.properties
- at us.jts.configuration.Config.<clinit>(Config.java:51)
- ... 25 more
-
-ACTION:
-
-Ensure step 3c points to Fortress sentry configuration folder.
-
--------------------------------------------------------------------------------------------
-ii. - Server can't find proxy jar (Realm className="us.jts.sentry.tomcat.TcAccessMgrProxy")
--------------------------------------------------------------------------------------------
-INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-6-sun-1.6.0.22/jre/lib/i386/server:/usr/lib/jvm/java-6-sun-1.6.0.22/jre/lib/i386:/usr/lib/jvm/java-6-sun-1.6.0.22/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
-Apr 22, 2011 10:24:04 PM org.apache.tomcat.util.digester.Digester startElement
-SEVERE: Begin event threw exception
-java.lang.ClassNotFoundException: us.jts.sentry.tomcat.TcAccessMgrProxy
-
-ACTION:
-
-Ensure step 1c copied the Fortress sentry proxy jar to TOMCAT_HOME/lib folder.
-
--------------------------------------------------------------------------------------------
-iii. - Server can't find binaries (realmClasspath="...FORTRESS_HOME/lib/fortressSentry-[version].jar")
--------------------------------------------------------------------------------------------
-Apr 22, 2011 10:22:25 PM us.jts.sentry.tomcat.TcAccessMgrProxy initialize
-SEVERE: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: us.jts.sentry.tomcat.TcAccessMgrImpl
-Apr 22, 2011 10:22:25 PM us.jts.sentry.tomcat.TcAccessMgrProxy start
-SEVERE: Fortress Tomcat Realm.start caught Exception=java.lang.RuntimeException: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: us.jts.sentry.tomcat.TcAccessMgrImpl
-java.lang.RuntimeException: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: us.jts.sentry.tomcat.TcAccessMgrImpl
- at us.jts.sentry.tomcat.TcAccessMgrProxy.initialize(TcAccessMgrProxy.java:118)
-
-ACTION:
-
-Ensure step 3c configuration points fortressSentry jar, i.e. FORTRESS_HOME/lib/fortressProxyTomcat[version].jar.
-
--------------------------------------------------------------------------------------------
-iv. - Incompatible Tomcat Proxy jar loaded for Tomcat 7 and beyond
--------------------------------------------------------------------------------------------
-
-The Tomcat realm base class changed between Tomcat version's 6 and 7. If you are running Tomcat7 and see error that looks like this:
-
-Jun 4, 2011 3:01:41 PM org.apache.tomcat.util.digester.Digester startElement
-SEVERE: Begin event threw error
-java.lang.VerifyError: class us.jts.sentry.tomcat.TcAccessMgrProxy overrides final method start.()V
- at java.lang.ClassLoader.defineClass1(Native Method)
- at java.lang.ClassLoader.defineClassCond(ClassLoader.java:632)
- at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
- at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
- at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
- at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
- at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
- at java.security.AccessController.doPrivileged(Native Method)
- at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
- at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
- at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
- at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144)
- at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1282)
- at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:501)
- at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:179)
- at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1343)
- at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2755)
- at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
- at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
- at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
- at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
- at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
- at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
- at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
- at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1543)
- at org.apache.catalina.startup.Catalina.load(Catalina.java:554)
- at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
- at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
- at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
- at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
- at java.lang.reflect.Method.invoke(Method.java:597)
- at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
- at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
-
-ACTION:
-
-You have the wrong Tomcat Proxy jar on the server's classpath. You need to get the proxy jar that is compatible with Tomcat version 7 and beyond.
-Ensure step 3c configuration points fortressProxyTomcat7-[version].jar, i.e. FORTRESS_HOME/lib/fortressProxyTomcat7-[version].jar.
-
--------------------------------------------------------------------------------------------
-v. - Incompatible Tomcat Proxy jar loaded for Tomcat 6 and before
--------------------------------------------------------------------------------------------
-
-The Tomcat realm base class changed between Tomcat version's 6 and 7. If you are running Tomcat 4, 5 or 6 and see error that looks like this:
-
-SEVERE: An exception or error occurred in the container during the request processing
-java.lang.RuntimeException: us.jts.sentry.tomcat.Tc7AccessMgrProxyauthenticate detected Fortress Tomcat7 Realm not initialized correctly. Check your Fortress Realm configuration
- at us.jts.sentry.tomcat.Tc7AccessMgrProxy.authenticate(Tc7AccessMgrProxy.java:161)
- at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
- at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
- at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
- at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
- at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
- at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
- at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
- at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
- at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
- at java.lang.Thread.run(Thread.java:662)
-
-
-ACTION:
-
-You have the wrong Tomcat Proxy jar on the server's classpath. You need to get the proxy jar that is compatible with Tomcat version 6 and before:
-Ensure step 3c configuration points fortressProxyTomcat-[version].jar, i.e. FORTRESS_HOME/lib/fortressProxyTomcat-[version].jar.
-
-
-###################################################################################
-# IV. Instructions to test Tomcat Security
-###################################################################################
-
-a. enable Tomcat Manager application. note: check the Tomcat documentation on how to do this.
-
-b. verify/enable role name. Edit TOMCAT_HOME/webapps/manager/WEB-INF/web.xml
-
- <!-- Security roles referenced by this web application -->
- <security-role>
- <description>
- The role that is required to log in to the Manager Application
- </description>
- <role-name>manager</role-name>
- </security-role>
-
-c. Add Role to access Tomcat Manager application:
-
-Note: If Fortress 'init-slapd' ant task was run this data will already be loaded into the directory.
-
-If Tomcat 7 and beyond:
- Add Role named "manager-gui":
-else if Tomcat 6 and before:
- Add Role named "manager":
-
-d. Add User named "tcmanager": (or whatever you want to nanme it)
-
-e. Assign Test User "tcmanager" Role "manager", (if Tomcat 7 this role is "manager-gui")
-
-f. Test logon onto the Tomcat Manager app.
-
-i. Enter URL to manager web app:
-http://localhost:8080/manager/html
-ii. enter creds (tcmanager, password) into basic logon form
-iii. verify authentication/authorization success to web app.
\ No newline at end of file
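Review bot: Removing troubleshooting entries iv and v takes away the only explanation in these notes of the Tomcat 6 versus Tomcat 7 proxy jar mismatch (the `java.lang.VerifyError ... overrides final method start` case and the `Tc7AccessMgrProxy ... not initialized correctly` case). Please confirm that TOMCAT-GLOBAL-SECURITY-NOTES.txt carries equivalents under the current class and jar names. If section IV is carried over as well, step f.ii's `(tcmanager, password)` against `http://localhost:8080/manager/html` should be worded as a throwaway credential for a local test, with a reminder to remove the test user and the `manager` / `manager-gui` role assignment afterwards.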
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/c51013b2/build.xml
----------------------------------------------------------------------
diff --git a/build.xml b/build.xml
index 58eb70e..04185a4 100644
--- a/build.xml
+++ b/build.xml
@@ -350,7 +350,7 @@
depends="clean,build-jar-tcproxy,build-jar-tc7proxy,build-jar-impl, build-jar-distro,build-jar-distro-jboss,javadoc">
<copy todir="${dist.dir}" file="${basedir}/LICENSE.txt"/>
<copy todir="${dist.dir}" file="${basedir}/NOTICE.txt"/>
- <copy todir="${dist.dir}" file="${basedir}/TOMCAT-SETUP-NOTES.txt"/>
+ <copy todir="${dist.dir}" file="/TOMCAT-GLOBAL-SECURITY-NOTES.txt"/>
</target>
<!-- ############### create distribution packages ############################ -->
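Review bot: The added `<copy>` line drops the `${basedir}` prefix, so `file="/TOMCAT-GLOBAL-SECURITY-NOTES.txt"` resolves against the filesystem root instead of the project directory. The target will then either fail or copy whatever file happens to exist at that path into `${dist.dir}`. Suggest `file="${basedir}/TOMCAT-GLOBAL-SECURITY-NOTES.txt"`, matching the LICENSE.txt and NOTICE.txt lines directly above it.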
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/c51013b2/impl/pom.xml
----------------------------------------------------------------------
diff --git a/impl/pom.xml b/impl/pom.xml
index e84f2cb..6f07a85 100644
--- a/impl/pom.xml
+++ b/impl/pom.xml
@@ -18,65 +18,90 @@
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.apache.directory</groupId>
- <artifactId>fortress-realm</artifactId>
- <version>1.0-RC40-SNAPSHOT</version>
- </parent>
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.directory</groupId>
+ <artifactId>fortress-realm</artifactId>
+ <version>1.0-RC40-SNAPSHOT</version>
+ </parent>
- <artifactId>fortress-realm-impl</artifactId>
- <name>Apache Fortress Realm Implementation</name>
- <packaging>jar</packaging>
- <description>
- Implementation classes for the Fortress Realm Component.
- </description>
+ <artifactId>fortress-realm-impl</artifactId>
+ <name>Apache Fortress Realm Implementation</name>
+ <packaging>jar</packaging>
+ <description>
+ Implementation classes for the Fortress Realm Component.
+ </description>
- <properties>
- <fortress-core.version>1.0-RC40-SNAPSHOT</fortress-core.version>
- </properties>
+ <properties>
+ <fortress-core.version>1.0-RC40-SNAPSHOT</fortress-core.version>
+ </properties>
- <dependencies>
- <dependency>
- <groupId>org.apache.directory.junit</groupId>
- <artifactId>junit-addons</artifactId>
- <scope>test</scope>
- <version>0.1</version>
- </dependency>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.directory.junit</groupId>
+ <artifactId>junit-addons</artifactId>
+ <scope>test</scope>
+ <version>0.1</version>
+ </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>fortress-realm-proxy</artifactId>
- <version>${project.version}</version>
- <scope>provided</scope>
- </dependency>
+ <dependency>
+ <groupId>${project.groupId}</groupId>
+ <artifactId>fortress-realm-proxy</artifactId>
+ <version>${project.version}</version>
+ <scope>provided</scope>
+ </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>fortress-core</artifactId>
- <version>${fortress-core.version}</version>
- </dependency>
+ <dependency>
+ <groupId>${project.groupId}</groupId>
+ <artifactId>fortress-core</artifactId>
+ <version>${fortress-core.version}</version>
+ </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <version>3.1</version>
- <configuration>
- <source>1.7</source>
- <target>1.7</target>
- </configuration>
- </plugin>
+<!--
+ <dependency>
+ <groupId>org.apache.directory.api</groupId>
+ <artifactId>api-all</artifactId>
+ <version>1.0.0-M28</version>
+ </dependency>
+-->
+
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>3.1</version>
+ <configuration>
+ <source>1.7</source>
+ <target>1.7</target>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <version>2.5</version>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-shade-plugin</artifactId>
+ <executions>
+ <execution>
+ <phase>package</phase>
+ <goals>
+ <goal>shade</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <finalName>${artifactId}-uber-${version}</finalName>
+ </configuration>
+ </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jar-plugin</artifactId>
- <version>2.5</version>
- </plugin>
- </plugins>
- </build>
+ </plugins>
+ </build>
</project>
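Review bot: The new `maven-shade-plugin` entry has no `<version>`, while its neighbours pin `maven-compiler-plugin` to 3.1 and `maven-jar-plugin` to 2.5. Unless the parent POM manages it (not visible in this hunk), the shaded artifact that bundles fortress-core and its transitive dependencies is built with whichever plugin version Maven resolves at build time, so please pin it here. In `<finalName>${artifactId}-uber-${version}</finalName>`, prefer `${project.artifactId}` and `${project.version}`, since the bare forms are deprecated. The commented-out `api-all` 1.0.0-M28 dependency should be either removed or enabled. The whitespace-only re-indentation of the entire file also makes the three real changes hard to pick out and would be easier to review as a separate commit.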
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/c51013b2/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 2bb827f..e76b1a6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -323,9 +323,10 @@
</plugins>
</build>
+<!--
<dependencyManagement>
<dependencies>
- <!-- Project sub-modules dependencies -->
+ <!– Project sub-modules dependencies –>
<dependency>
<groupId>org.apache.directory</groupId>
<artifactId>fortress-core</artifactId>
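Review bot: To wrap `<dependencyManagement>` in a comment, the inner comment was rewritten as `<!– Project sub-modules dependencies –>`, replacing the `--` delimiters with en-dash characters. That adds non-ASCII bytes to the POM, and the block will no longer parse as written if the outer comment is ever removed. If the section is no longer wanted, delete it and rely on history instead of commenting it out.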
@@ -340,6 +341,7 @@
</dependencies>
</dependencyManagement>
+-->
<dependencies>
<!-- for Java5 findbugs annotations are required in each module at compile time -->
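Review bot: With the closing `-->` added here, the whole `<dependencyManagement>` section, including the `fortress-core` entry, is disabled, so the parent no longer manages that version centrally. impl/pom.xml in this same commit carries its own `<fortress-core.version>` property, which means the version is now set per module and modules can drift apart. Please state in the commit message that this is intended, or keep the managed entry so every module resolves the same fortress-core.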
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/c51013b2/proxy/pom.xml
----------------------------------------------------------------------
diff --git a/proxy/pom.xml b/proxy/pom.xml
index a51aba3..9a608f0 100644
--- a/proxy/pom.xml
+++ b/proxy/pom.xml
@@ -35,6 +35,9 @@
</description>
<dependencies>
+
+<!--
+
<dependency>
<groupId>org.apache.directory.junit</groupId>
<artifactId>junit-addons</artifactId>
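Review bot: The `<!--` opened above this `junit-addons` dependency disables it for the proxy module. If the module has tests that use it, they will stop compiling; if it has none, remove the dependency instead of commenting it out. The extra blank lines around the comment marker can go either way.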
@@ -45,8 +48,9 @@
<dependency>
<groupId>org.apache.directory.api</groupId>
<artifactId>api-all</artifactId>
- <version>1.0.0-M26</version>
+ <version>1.0.0-M28</version>
</dependency>
+-->
<dependency>
<groupId>org.apache.tomcat</groupId>
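Review bot: The `api-all` bump from 1.0.0-M26 to 1.0.0-M28 sits inside the comment opened in the previous hunk and closed by the `-->` added here, so it has no effect on the build. Either drop the dependency outright or leave it enabled with the new version. As written, a reader of the diff will assume the proxy now builds against M28 when it does not declare `api-all` at all.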
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/c51013b2/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html b/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html
index 6472a6b..21f3412 100644
--- a/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html
+++ b/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html
@@ -23,7 +23,7 @@
its own jar file.
The Realm Jars used in Tomcat include:
<ol>
- <li>fortressProxyTomcat-[version].jar or </li>
+ <li>fortress-realm-proxy-[version].jar or </li>
<li>fortressSentry-[version].jar and configuration artifacts</li>
</ol>
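Review bot: Only the first list item was renamed to `fortress-realm-proxy-[version].jar`; the next item still reads `fortressSentry-[version].jar`. impl/pom.xml in this commit names the shaded implementation artifact `${artifactId}-uber-${version}`, so the second item should be updated to the jar name the build actually produces. Otherwise the package documentation sends administrators looking for a file that the troubleshooting notes removed in this commit tied to `ClassNotFoundException` errors.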