Posted to users@tomcat.apache.org by "John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)" <jb...@cisco.com> on 2015/05/13 20:13:17 UTC

Tomcat 7 JNDI Realm credential password update availability

Hello,

We have a Tomcat 7 server running on Linux that must use LDAP over SSL to connect to an AD server for user authentication. This
configuration we have working. The issue is the credentials used to connect to the AD server must have the password updated
every 180 days, and therefore updated in the JNDI Realm configuration. Is there a way to update the password in server.xml
that would allow it to be recognized as changed without restarting the Tomcat server? Or some other configuration, whatever
it may be, that would achieve this. The goal is to update the password and have it recognized as updated with no down time for
the application running on the server.

Any thoughts would be appreciated.
Thanks
-John

Re: Tomcat 7 JNDI Realm credential password update availability

Posted by André Warnier <aw...@ice-sa.com>.
John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:
> Hello,
> 
> We have a Tomcat 7 server running on Linux that must use LDAP over SSL to connect to an AD server for user authentication. This
> configuration we have working. The issue is the credentials used to connect to the AD server must have the password updated
> every 180 days, and therefore updated in the JNDI Realm configuration. Is there a way to update the password in server.xml
> that would allow it to be recognized as changed without restarting the Tomcat server? Or some other configuration, whatever
> it may be, that would achieve this. The goal is to update the password and have it recognized as updated with no down time for
> the application running on the server.
> 
> Any thoughts would be appreciated.

The real issue there is that the password must be updated every 180 days.
That means that to connect to the AD server, you are probably using a "normal user 
account", to which this kind of policy applies.
You should probably request a special "service account", whose password does not 
run out.
Yes, such a "service account" is probably harder to get, and you will probably have to go 
through some administrative burdens to get it, but that is the right way to run for your 
Tomcat, which is a "service", and which should not be subject to the same kind of 
policies as a normal user.





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 7 JNDI Realm credential password update availability

Posted by PÉNET LUDOVIC <l....@senat.fr>.
John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
wrote:
> Hello,
>
> We have a Tomcat 7 server running on Linux that must use LDAP over SSL to
> connect to an AD server for user authentication. This
> configuration we have working. The issue is the credentials used to
> connect to the AD server must have the password updated
> every 180 days, and therefore updated in the JNDI Realm configuration. Is
> there a way to update the password in server.xml
> that would allow it to be recognized as changed without restarting the
> Tomcat server? Or some other configuration, whatever
> it may be, that would achieve this. The goal is to update the password and
> have it recognized as updated with no down time for
> the application running on the server.

I use the following solution in a production system:
* derive your own, custom MyRealm class from JNDIRealm. You will typically
have to put it in the same package (org.apache.catalina.realm) to get
access to some base methods and attributes.
* overload key methods, such as authenticate and getRoles to perform your
configuration tweaking before forwarding to the base methods.
* tweaking typically includes checking the last modification date of a
configuration file holding required info, reloading it and applying new
config only on change.
* use MyRealm instead of realm in server configuration.

May sound a bit dirty but... works and takes less than 100 lines of code.
And avoids rewriting everything from scratch.

Hope this helps,

Ludovic

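Ludovic's four steps, as an added Java example that is neither the poster's code nor Tomcat's: a JNDIRealm subclass that re-reads the bind password from a properties file whenever that file's modification time changes, then drops the cached directory connection so the next bind uses the new password. It assumes the Tomcat 7 members `context`, `close(DirContext)`, `setConnectionPassword` and `containerLog` from JNDIRealm/RealmBase, and a made-up `credentialsFile` realm attribute.

```java
package org.apache.catalina.realm;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Properties;

// Hypothetical subclass (added example, not Tomcat's or the poster's code).
public class MyRealm extends JNDIRealm {

    // Assumed realm attribute credentialsFile="..." in server.xml; the file
    // holds connectionPassword=... and should be readable by Tomcat only.
    private String credentialsFile = "conf/jndi-credentials.properties";
    private long lastLoaded = -1L;

    public void setCredentialsFile(String path) { this.credentialsFile = path; }

    @Override
    public Principal authenticate(String username, String credentials) {
        reloadIfChanged();                     // apply a rotated password first
        return super.authenticate(username, credentials);
    }

    private synchronized void reloadIfChanged() {
        File f = new File(credentialsFile);
        long mtime = f.lastModified();         // 0 if the file is missing
        if (mtime == 0L || mtime == lastLoaded) return;   // missing or unchanged
        Properties p = new Properties();
        InputStream in = null;
        try {
            in = new FileInputStream(f);
            p.load(in);
        } catch (IOException e) {
            containerLog.warn("Cannot read " + credentialsFile + ", keeping old password", e);
            return;
        } finally {
            if (in != null) { try { in.close(); } catch (IOException ignored) { } }
        }
        String pw = p.getProperty("connectionPassword");
        if (pw == null || pw.length() == 0) return;       // never load an empty password
        setConnectionPassword(pw);
        // close() nulls the cached DirContext; open() re-binds lazily on the next call
        if (context != null) close(context);
        lastLoaded = mtime;
    }
}
```

Rotate by writing the new password to the file before the old one expires; until the directory has accepted the change, a bind failure is logged by JNDIRealm as usual, so watch catalina.out around the rotation window.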




RE: Tomcat 7 JNDI Realm credential password update availability

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
> [mailto:jbeaulau@cisco.com] 
> Subject: RE: Tomcat 7 JNDI Realm credential password update availability

> So you're saying the change via JMX would update in-memory representation of the 
> server.xml conf, and be using the updated credentials, but if and when restarted 
> it would use the credentials present in the actual server.xml?

Partially correct.  The update via JMX would modify the in-memory fields, but the Realm might not notice the update and would continue to use older credentials and connections based on those (need to review the code).  If Tomcat is restarted, it would use whatever is in server.xml at that time; updating via JMX does not rewrite the server.xml file.

 - Chuck






RE: Tomcat 7 JNDI Realm credential password update availability

Posted by "John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)" <jb...@cisco.com>.
So you're saying the change via JMX would update in-memory representation of the server.xml conf, and be using the updated credentials, but
if and when restarted it would use the credentials present in the actual server.xml?

-John 



Re: Tomcat 7 JNDI Realm credential password update availability

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 5/13/15 2:45 PM, Mark Thomas wrote:
> On 13/05/2015 19:13, John Beaulaurier -X (jbeaulau - ADVANCED
> NETWORK INFORMATION INC at Cisco) wrote:
>> Hello,
>> 
>> We have a Tomcat 7 server running on Linux that must use LDAP
>> over SSL to connect to an AD server for user authentication.
>> This configuration we have working. The issue is the credentials
>> used to connect to the AD server must have the password updated 
>> every 180 days, and therefore updated in the JNDI Realm
>> configuration. Is there a way to update the password in
>> server.xml that would allow it to be recognized as changed
>> without restarting the Tomcat server? Or some other configuration,
>> whatever it may be, that would achieve this. The goal is to
>> update the password and have it recognized as updated with no
>> down time for the application running on the server.
>> 
>> Any thoughts would be appreciated.
> 
> server.xml changes require a restart. Can you update it via JMX as
> well? (That should work but I am going from memory rather than
> testing it / looking at the source).

- From *my* memory, modifying things that come from server.xml via JMX
often does nothing, because the component itself doesn't get
re-initialized. You basically just change the in-memory representation
of the configuration, but the component (Realm, in this case), just
keeps doing what it was doing.

A good example is the <Connector>s, though in that case, the
"Connector" is just configuration that gets used to generate a
Protocol+Endpoint so maybe I'm just thinking of this special case.

Ultimately, JMX is the *right* way to do this, provided that the Realm
notices that the configuration has changed and actually uses that
configuration.

- -chris


Re: Tomcat 7 JNDI Realm credential password update availability

Posted by Mark Thomas <ma...@apache.org>.
On 13/05/2015 19:13, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> Hello,
> 
> We have a Tomcat 7 server running on Linux that must use LDAP over SSL to connect to an AD server for user authentication. This
> configuration we have working. The issue is the credentials used to connect to the AD server must have the password updated
> every 180 days, and therefore updated in the JNDI Realm configuration. Is there a way to update the password in server.xml
> that would allow it to be recognized as changed without restarting the Tomcat server? Or some other configuration, whatever
> it may be, that would achieve this. The goal is to update the password and have it recognized as updated with no down time for
> the application running on the server.
> 
> Any thoughts would be appreciated.

server.xml changes require a restart. Can you update it via JMX as well?
(That should work but I am going from memory rather than testing it /
looking at the source).

Mark

