1. Re: Securing static content in external dirs
boekhoffm Apr 13, 2006 5:38 AM (in response to uglyhead69)
Hi. I am trying to do the same as you. I have updated
.../server/all/deploy/jbossweb-tomcat55.sar/server.xml with:
    <Context path="/photos" docBase="l:/photos" override="true" />
Yes it works, but how to secure it?
What I've found is that if you create <external-path>/WEB-INF/web.xml
with just this in it:
    <web-app>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Share Guests</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>McbShareRoles</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>This is the title</realm-name>
      </login-config>
      <security-role>
        <role-name>McbShareRoles</role-name>
      </security-role>
    </web-app>
and if you create "users.properties" and "roles.properties" in the
.../server/all/conf directory (see the .../conf/props/jmx*.properties
files for the syntax)
and if you check that the "other" JAAS thing is in place in
server/all/conf/login-config.xml (I think the names of the property
files are defaulted but I altered my version to be explicit):
    ...
    <application-policy name="other">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">users.properties</module-option>
          <module-option name="rolesProperties">roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
      </authentication>
    </application-policy>
and if you check that the "other" thing is the default thing for Tomcat, in
.../server/all/deploy/jbossweb-tomcat55.sar/META-INF/jboss-service.xml:
    ...
    <attribute name="DefaultSecurityDomain">java:/jaas/other</attribute>
    ...
and if you want to be really pedantic and sure, you create
<external-directory>/WEB-INF/jboss-web.xml:
    <jboss-web>
      <security-domain>java:/jaas/other</security-domain>
    </jboss-web>
If you do all the above, you will find that the browser prompts you for
credentials. Unfortunately, nothing you enter will allow access as the
authentication always fails, with the following in the log:
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResources(jndi.properties)
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jnp.interfaces.NamingContextFactory, false)
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jnp.interfaces.NamingContextFactory)
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: org.jboss.mx.loading.UnifiedClassLoader3@b0ede5{ url=file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/deploy/jbossweb-tomcat55.sar/ ,addedOrder=11}
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
    2006-04-12 21:24:12,203 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
So... Then I tried putting the WEB-INF tree into a new directory (hoping
that the "context.xml" described at the end of this rant would work):
.../server/all/deploy/name-of-my-external-directory.war
Well, lo and behold, the authentication bit works no worries.
Unfortunately, there is nothing to see because the "context.xml" is not
picked up and there are no files in
.../server/all/deploy/name-of-my-external-directory.war (only the
WEB-INF directory).
Here is what comes out in the log when the authentication works:
    2006-04-12 20:34:36,781 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResources(jndi.properties)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jnp.interfaces.NamingContextFactory, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jnp.interfaces.NamingContextFactory)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.java.javaURLContextFactory, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.java.javaURLContextFactory)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.naming.ENCFactory, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.naming.ENCFactory)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$SecurityDomainObjectFactory)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
Lo and behold it starts working here!
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Context, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.Proxy, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Object, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Throwable, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.NamingException, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.RuntimeException, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Error, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.UndeclaredThrowableException, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.ClassNotFoundException, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodException, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoSuchMethodError, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.NoClassDefFoundError, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.reflect.InvocationHandler, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.Class, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(javax.naming.Name, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(java.lang.String, false)
    2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManager.other] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1553743
    2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@19f1bac
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.plugins.JaasSecurityManagerService$DefaultCacheObjectFactory)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
    2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManager.other] CachePolicy set to: org.jboss.util.TimedCachePolicy@d1e832
    2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@d1e832
    2006-04-12 20:34:36,797 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added other, org.jboss.security.plugins.SecurityDomainContext@e34094 to map
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] loadClass(org.jboss.security.auth.spi.UsersRolesLoginModule, false)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Searching local repositories
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] findClass(org.jboss.security.auth.spi.UsersRolesLoginModule)
    2006-04-12 20:34:36,797 DEBUG [org.apache.catalina.loader.WebappClassLoader] Delegating to parent classloader at end: java.net.FactoryURLClassLoader@182eca8
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] Loading class from parent
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultUsers.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(users.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(defaultUsers.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultUsers.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(users.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(users.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Returning 'file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/conf/users.properties'
    2006-04-12 20:34:36,812 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, myuser1, anonymous, myuser2]
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultRoles.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(roles.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(defaultRoles.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(defaultRoles.properties)
    2006-04-12 20:34:36,812 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] getResource(roles.properties)
    2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] findResource(roles.properties)
    2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Resource not found, returning null
    2006-04-12 20:34:36,828 DEBUG [org.apache.catalina.loader.WebappClassLoader] --> Returning 'file:/E:/java-common/jboss-4.0.4.CR2-from-zipfile/server/all/conf/roles.properties'
    2006-04-12 20:34:36,828 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, myuser1, anonymous, myuser2]
    2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated 'myuser1' with type 'BASIC'
    2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
    2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.realm.RealmBase] Username myuser1 has role McbShareRoles
    2006-04-12 20:34:36,844 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
So the authentication stuff in WEB.XML only works if the unpacked WAR
(or external directory in our case) is located in the
.../server/all/deploy directory.
Well it all looks a bit like class-loading issues to me, so maybe some
egg-head could tell us perhaps we have to add a "" element to
the entry in .../server/all/deploy/jbossweb-tomcat55.sar/server.xml?
The only clue here appears to be that in the FAILURE case, the loading
is delegated to "org.jboss.mx.loading.UnifiedClassLoader3@b0ede5",
whereas in the SUCCESS case, the loading is being delegated to
"java.net.FactoryURLClassLoader@182eca8".
P.S.
I have found that JBoss-Tomcat doesn't seem to take any notice of any
<external-dir>/WEB-INF/context.xml, so probably don't bother
experimenting with this technique (instead of editing
.../server/all/deploy/jbossweb-tomcat55.sar/server.xml), but PLEASE let
me know if you have any luck with this because it's better to drop in
"context.xml" files somewhere than go fiddling with Tomcat server.xml
'cos that probably is not reloadable and you have to keep restarting
JBoss:
    <Context path="/music" docBase="l:/music" override="true" debug="99" />
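
An added example, not part of the original post and not JBoss or Tomcat code: a small Python check of the web.xml quoted in the post against a roles.properties file. It reports that listing <http-method> elements limits the constraint to those methods, that BASIC login is configured without a CONFIDENTIAL transport guarantee, and any required role that is undeclared or held by no user. The roles.properties content, its user=role1,role2 syntax and the finding names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor from the post, trimmed and re-indented.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>McbShareRoles</role-name></auth-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method></login-config>
 <security-role><role-name>McbShareRoles</role-name></security-role>
</web-app>"""
# Constructed roles.properties content, assumed syntax: user=role1,role2
ROLES_PROPERTIES = "myuser1=McbShareRoles\nmyuser2=SomeOtherRole\n"

def parse_roles(text):
    """Return {user: set(roles)} from roles.properties text."""
    roles = {}
    for line in text.splitlines():
        user, sep, value = line.strip().partition("=")
        if sep and not user.startswith("#"):
            roles[user.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return roles

def audit(web_xml, roles_text):
    """Return a list of findings for one web.xml and its role mapping."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # ignore any XML namespace
    declared = {e.text.strip() for e in root.findall("security-role/role-name")}
    granted = set().union(*parse_roles(roles_text).values())
    basic = root.findtext("login-config/auth-method", "").strip() == "BASIC"
    findings = []
    for sc in root.findall("security-constraint"):
        # Listing <http-method> limits the constraint to those methods only.
        methods = [m.text.strip() for m in sc.findall("web-resource-collection/http-method")]
        if methods:
            findings.append("only-these-methods-protected:" + ",".join(methods))
        required = {e.text.strip() for e in sc.findall("auth-constraint/role-name")}
        findings += ["role-not-declared:" + r for r in sorted(required - declared)]
        findings += ["role-has-no-users:" + r for r in sorted(required - granted)]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "").strip()
        if basic and guarantee != "CONFIDENTIAL":
            findings.append("basic-auth-without-confidential-transport")
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_XML, ROLES_PROPERTIES):
        print(finding)
```

Removing the two <http-method> lines and adding a user-data-constraint with transport-guarantee CONFIDENTIAL to the constraint clears both findings for the sample.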