Posted to users@tomee.apache.org by gollum <ch...@gmail.com> on 2013/10/10 00:40:11 UTC
REST service with JAAS auth trouble (TomEE+ 1.5.2)
Hi,
I'm trying to limit access to a RESTful web service resource. While this works
fine using the UserDatabase file "tomcat-users.xml", I cannot get it to work
with a JAAS Realm.
I use a web browser for testing. The behavior with the UserDatabase method
is that when I navigate to the resource, the browser prompts me for
credentials and then allows access. However, when I configure the service to
use a JAAS realm, the browser just keeps prompting for credentials over and
over, no matter what I enter. I get no access denied message or whatever and
the logger remains silent, too.
Can anybody give me some pointers on what I'm doing wrong? Here's my config:
*web.xml:*
*server.xml:*
*login.config:*
*users.properties:*
*groups.properties:*
*tomcat-users.xml:*
*SecureService.java:*
--
View this message in context: http://openejb.979440.n4.nabble.com/REST-service-with-JAAS-auth-trouble-TomEE-1-5-2-tp4665513.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by gollum <ch...@gmail.com>.
Ok, finally got it running ...
Just got the latest 1.6.0 snapshot and retried ... Did not work either, but
fortunately this time I got an exception trace when I tried to access
http://localhost/secure/api/hello
java.lang.SecurityException: $CATALINA_BASE/conf/login.config (No such file
or directory)
Seems like the bash syntax for variable expansion is not a good idea on a
Windows machine ...
Another problem was that TomEE was installed in C:\Program Files\... which
needs to be quoted.
So I changed the statement in setenv.bat from
set CATALINA_OPTS=-Djava.security.auth.login.config=$CATALINA_BASE/conf/login.config
to
set CATALINA_OPTS=-Djava.security.auth.login.config="%CATALINA_BASE%\conf\login.config"
This finally did it. Thx Romain, saved my day again.
--
View this message in context: http://openejb.979440.n4.nabble.com/REST-service-with-JAAS-auth-trouble-TomEE-1-5-2-tp4665513p4665571.html
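The root cause above was that the JAASRealm silently had no login.config to read: the JVM received the literal string "$CATALINA_BASE/conf/login.config", and an unquoted "C:\Program Files" path would have been cut at the space. The following stand-alone check is an added example (not code from the thread or from TomEE) that reads the same java.security.auth.login.config property the realm uses and reports exactly these mistakes before you trust the realm. It uses only the standard javax.security.auth.login API; the class name JaasConfigCheck is my own, and the application entry name "PropertiesLogin" is taken from the appName attribute of the JAASRealm posted later in this thread.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/**
 * Sanity check for a JAASRealm's login configuration (added example, not
 * part of TomEE). Run it with the exact -D option you put in setenv.bat,
 * e.g. on Windows:
 *   java -Djava.security.auth.login.config="%CATALINA_BASE%\conf\login.config" JaasConfigCheck
 * A non-empty problem list explains why the realm would reject every login.
 */
public class JaasConfigCheck {

    /** Must equal the appName attribute of the JAASRealm in server.xml (value from the thread). */
    static final String APP_NAME = "PropertiesLogin";

    /** Returns the problems found; an empty list means the realm can load its entry. */
    static List<String> check(String appName) {
        List<String> problems = new ArrayList<>();
        String path = System.getProperty("java.security.auth.login.config");
        if (path == null || path.isEmpty()) {
            problems.add("java.security.auth.login.config is not set");
            return problems;
        }
        // A literal $VAR or %VAR% means the shell never expanded the variable
        // (bash syntax in a .bat file, or cmd syntax in a .sh file).
        if (path.contains("$") || path.contains("%")) {
            problems.add("path still contains an unexpanded variable: " + path);
        }
        File file = new File(path);
        if (!file.isFile()) {
            // An unquoted space in the -D value truncates the property at the first blank.
            problems.add("login config is not a readable file: " + file.getAbsolutePath());
            return problems;
        }
        AppConfigurationEntry[] entries;
        try {
            // Same loader the realm uses; throws SecurityException on an unparsable file.
            entries = Configuration.getConfiguration().getAppConfigurationEntry(appName);
        } catch (SecurityException e) {
            problems.add("JAAS refused to load " + file.getAbsolutePath() + ": " + e.getMessage());
            return problems;
        }
        if (entries == null || entries.length == 0) {
            problems.add("no application entry named '" + appName + "' in "
                    + file.getAbsolutePath() + "; it must match the JAASRealm appName");
            return problems;
        }
        // Show what the realm will actually run, so a typo in a module name or option is visible.
        for (AppConfigurationEntry entry : entries) {
            System.out.println(entry.getLoginModuleName() + " " + entry.getControlFlag());
            for (Map.Entry<String, ?> option : entry.getOptions().entrySet()) {
                System.out.println("    " + option.getKey() + "=" + option.getValue());
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        String appName = args.length > 0 ? args[0] : APP_NAME;
        List<String> problems = check(appName);
        if (problems.isEmpty()) {
            System.out.println("OK: JAAS application entry '" + appName + "' loads");
            return;
        }
        for (String p : problems) {
            System.err.println("PROBLEM: " + p);
        }
        System.exit(1);
    }
}
```

Running it with the original $CATALINA_BASE value produces the "unexpanded variable" and "not a readable file" problems, which is the same condition the 1.5.2 container hid behind an endless credential prompt; with the quoted %CATALINA_BASE% value it lists the login module and options that the PropertiesLogin entry will execute.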
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by Romain Manni-Bucau <rm...@gmail.com>.
works on trunk with:
┌( rmannibucau @ ubuntu )─( 1.7.0_40 -:- 3.1.0 )
└( /tmp/apache-tomee-plus-1.6.0-SNAPSHOT )·> cat conf/groups.properties
manager-gui=tomee
┌( rmannibucau @ ubuntu )─( 1.7.0_40 -:- 3.1.0 )
└( /tmp/apache-tomee-plus-1.6.0-SNAPSHOT )·> cat conf/users.properties
tomee=tomee
Romain Manni-Bucau
Twitter: @rmannibucau <https://twitter.com/rmannibucau>
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi
Maybe test on our snapshot; we had issues using the logged-in user in the same
request as the login.
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by gollum <ch...@gmail.com>.
Ok, maybe I've misused the term "login" here. What I'm trying to do in the first
place is not to log in to a session or so. I just want to restrict access
to a URL for a defined set of users.
My first test case was this simple REST service that does nothing but
return the caller's user name:
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Stateless
@Path("/api")
@Produces({MediaType.TEXT_PLAIN})
public class SecureService {

    // Injected by the container; carries the identity the realm authenticated.
    @Resource
    SessionContext ctx;

    @GET
    @Path("/hello")
    public Response hello() {
        // Container-managed auth has already run; this is the authenticated caller.
        Principal principal = ctx.getCallerPrincipal();
        return Response.ok("Hello " + principal.getName()).build();
    }
}
This service is packaged and deployed as "secure.war".
When addressing the service at http://localhost/secure/api/hello, the browser
should prompt me for credentials, and after entering "admin:admin" the
service should reply with "Hello admin", which is true when I define
tomcat-users.xml as the authentication realm in server.xml.
However, when I set up a JAAS PropertiesLogin realm like posted above, I
cannot access that URL. The web browser just keeps prompting for
credentials, over and over.
The web.xml for this service is included in my first post.
As another test, I tried to configure the TomEE built-in manager webapp in
the same way, but the results are the same.
--
View this message in context: http://openejb.979440.n4.nabble.com/REST-service-with-JAAS-auth-trouble-TomEE-1-5-2-tp4665513p4665567.html
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by gollum <ch...@gmail.com>.
I don't understand what you mean. I'm testing the config against the default
manager webapp that is deployed to ~/manager. The only thing I've done is to
configure TomEE to use the JAAS PropertiesLogin instead of the UserDatabase
realm that points to tomcat-users.xml ... Do I have to add any code to
handle login into the manager app? Am I missing something?
--
View this message in context: http://openejb.979440.n4.nabble.com/REST-service-with-JAAS-auth-trouble-TomEE-1-5-2-tp4665513p4665565.html
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by Romain Manni-Bucau <rm...@gmail.com>.
What's the code handling the login?
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by gollum <ch...@gmail.com>.
Yes, the login property is set in the setenv.bat script:
set CATALINA_OPTS=-Djava.security.auth.login.config=$CATALINA_BASE/conf/login.config
I've also looked through the mail-list archive that smithh032772 googled for
me, but there is nothing that I haven't read before.
To eliminate any misconfiguration in my webapp's web.xml, I test my TomEE
configuration against http://localhost:8080/manager now, but the behavior is
the same as with my webapp.
I can log in using the UserDatabase:
tomcat-users.xml:
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui"/>
</tomcat-users>
server.xml:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>
But I cannot log in with a JAAS realm:
groups.properties:
manager-gui=admin
users.properties:
admin=admin
Both JAAS realms defined in server.xml,
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="PropertiesLogin"
       userClassNames="org.apache.openejb.core.security.AbstractSecurityService$User"
       roleClassNames="org.apache.openejb.core.security.AbstractSecurityService$Group">
</Realm>
and
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="PropertiesLogin"
       userClassNames="org.apache.openejb.core.security.jaas.UserPrincipal"
       roleClassNames="org.apache.openejb.core.security.jaas.GroupPrincipal">
</Realm>
don't work for me.
--
View this message in context: http://openejb.979440.n4.nabble.com/REST-service-with-JAAS-auth-trouble-TomEE-1-5-2-tp4665513p4665563.html
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by Thiago Veronezi <th...@veronezi.org>.
Did you set the "java.security.auth.login.config" property?
http://tomee.apache.org/tomee-jaas.html
[]s,
Thiago.
Re: REST service with JAAS auth trouble (TomEE+ 1.5.2)
Posted by "Howard W. Smith, Jr." <sm...@gmail.com>.
Seems like you posted twice. While waiting for one of the committers to
respond, you can search the mail-list archives for the following:
site:openejb.979440.n4.nabble.com rest jaas tomee[1]
[1] http://lmgtfy.com/?q=site%3Aopenejb.979440.n4.nabble.com+rest+jaas+tomee