[JBoss-user] [Security JAAS/JBoss] - Re: SSL in JBoss
The best idea is to use Apache in front of Tomcat.
The advantages :
- ability to use just one SSL certificate to handle multiple sites ( apps )
using mod_proxy module
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
- ability to rewrite URLs in any way to archieve desired behaviour
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
for example, it is easy to rewrite your login page to use http://
always :
Example :
1) this forces to rewrite any URL with /login.jsp page to http://
RewriteEngine on
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/login.jsp http://your.site.com/login.jsp [L,R]
2) this forces to rewrite any URL with /secure/* page to https://
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/secure/(.*)$ https://your.site.com/secure/$1 [L,R]
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=3902917#3902917
Reply to the post :
http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3902917
---
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: SSL in JBoss
it is great information if I use Apache.. thanks But please tell me, do I need to use Apache or Jboss's tomcat server would be sufficient? .. In case of Jboss, how can I achieve snme behaviour ? Thanks for understanding my problem .. looking forward.. Awais Bajwa View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=3902935#3902935 Reply to the post : http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3902935 --- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information ___ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: SSL in JBoss
About tomcat, I think, you should check current schema ( http or https ) and forward to some start page with desired schema . Maybe you can use filters for it. Use separate filter for login page that checks about http only. About other pages, use filter that accepts only https. In the case if schema does not match, forward/redirect to another location or show error/reminder/advise or somewhatsoever. The advantage of filters is that you can turn 'em on/off just to archieve desired behaviour. View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=3902944#3902944 Reply to the post : http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3902944 --- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information ___ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: SSL in JBoss
Hi Scott, Thanks for your reply, but you didnt understand my probelm. And there is no fruit in the link you sent me, as I've already completed steps iin the link suggested by you. Once again: I have installed SSl certificate successfully as provided in the wiki's link above. Now my site is working fine using HTTPS: My requirement: I have given my client the URL http://abc.com after implementing SSL I have https://abc.com. Now I cannot give Https://abc.com to my client. At the same time I dont want http: access to my web site other then the login Page. To achieve that I have to disable 80 port to and allow 443 port to restrict Http and to allow only https. So what should I do, so that whenever client types http://abc.com the page automatically redirects to https://abc.com, keep in mind I dont want Http:// access to my site other then the login page. Regards Awais Bajwa View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=3902907#3902907 Reply to the post : http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3902907 --- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information ___ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: SSL in JBoss
Any JBoss guru can answer this question ? it has become a bottle neck and i believe it is a tiny issue. regards View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=3902730#3902730 Reply to the post : http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3902730 --- This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl ___ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: SSL in JBoss
http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=3902801#3902801 Reply to the post : http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3902801 --- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information ___ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
sorry to get back to you so late. In jboss 325, request.getUserPrincipal() returns Identity(members:user1) instead of user1. That's the reason my CustomRealm code failing to look for the user details. Now my questions are 1) request.getUserPrincipal should return user1 instead of Identity (members:user1) , isn't it? 2) What's the best way to get user1 out of request.getUserPrincipal() ? tia krishna View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3842821#3842821 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3842821 --- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
Have tried your jsp code, but that also does not work for me. Do i need to modify something in login-config.xml ? I have added following bits to the default login-config.xml !-- GDS Login Module -- login-module code = com.xxx.gds.jaas.GdsJBossLoginModule flag = required module-option name = filenameserver/default/conf/gdsrealm.properties/module-option module-option name = debugtrue/module-option /login-module Above modification in login-config.xml works fine in jboss3.2.4. tia k View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841342#3841342 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841342 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
You'll have to debug your custom GdsJBossLoginModule. There were some refactorings in the login module layer to support x509 cert based login modules so look into whether this broke your login module. View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841360#3841360 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841360 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
Infact its not refactoring. One of the class has changed! In jbosssx.jar, AbstractServerLoginModule.java class, CreateGroup method returns SimpleGroup if it didn't find one instead of NestableGroup. The change between AbstractServerLoginModule.java is 284c284 roles = new NestableGroup(name); // in Jboss 324 --- roles = new SimpleGroup(name); // in jboss 325 What's the reasoning behind this? tia k View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841385#3841385 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841385 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
As stated in the release notes: Change the behavior of the base createGroup to use a SimpleGroup rather than a NestedGroup as the latter precludes the ability to combine roles across login modules. If that is the desired behavior the subclass would create its own NestedGroup instance. How does this affect you? View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841390#3841390 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841390 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
Hi, If the problem is in my code, it would not work in jboss 3.2.3 or jboss 3.2.4. But my same code is working with Jboss 3.2.3 and jboss 3.2.4 but NOT with jboss 3.2.5. Which leads to the conclusion, something has changed in Jboss 3.2.5 in ssl/authentication layer. The exception shows invoking JBossSecurityMgrRealm Calling Filter [uid=Identity]. May be in jboss 3.2.5, i should be getting the uid/user principal in different way than in Jboss 3.2.4?? tia View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841198#3841198 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841198 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
Maybe JBoss does something more correctly than before. Tell what you are doing and how this differs from what happened before. Maybe even show your code. There is no way anybody can help with an Exception you defined being thrown in your code without saying what is happening! Joachim View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841209#3841209 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841209 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
Here is the code snippet/my test jsp page %@ page import = com.xxx.gds.security.* % %@ page import = java.util.* % %@ page import = java.lang.* % %@ page import = javax.naming.* % %@ page import=org.jboss.security.* % % GdsDAO dao = GdsDAO.getInstance(); GdsUser user = (GdsUser)session.getAttribute(user); user = dao.getUserEntry(request.getUserPrincipal()); String fullName = user.getGivenName() + + user.getSN(); out.println(Welcome : + user.getName() + ); % / The above jsp returns user id from the user certificate correctly in Jboss 3.2.4 but in Jboss 3.2.5 i get following exception java.lang.NullPointerException at org.apache.jsp.test1_jsp._jspService(test1_jsp.java:58) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94) at javax.servlet.http.HttpServlet.service(HttpServlet.java:810) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236) at javax.servlet.http.HttpServlet.service(HttpServlet.java:810) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:72) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102) at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:275) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102) at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:417) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683) at java.lang.Thread.run(Thread.java:536) --- tia k View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841225#3841225 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841225 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
Here is a trivial jsp page that shows a principal with secured with basic auth using
both ssl and non-ssl connections:
| [EMAIL PROTECTED] import=java.io.*,javax.naming.*,
| java.util.Date,
| java.util.Enumeration,
| javax.security.cert.X509Certificate %
| html
| body bgcolor=white
| h1 Session Info/h1
| SessionID: %= session.getId() %br
| CreationTime: %= new Date(session.getCreationTime()) %br
| LastAccessedTime: %= new Date(session.getLastAccessedTime()) %br
| ul
| %
|Enumeration names = session.getAttributeNames();
|while( names.hasMoreElements() )
|{
| String name = (String) names.nextElement();
| out.print(li);
| out.print(name);
| out.print( = );
| out.print(session.getAttribute(name));
| out.println(/li);
|}
|if( request.getScheme().equals(https) )
|{
| String cipherSuite;
| X509Certificate certChain [];
| cipherSuite = (String) request.getAttribute
(javax.servlet.request.cipher_suite);
| certChain = (X509Certificate []) request.getAttribute
(javax.servlet.request.X509Certificate);
| out.print(lijavax.servlet.request.cipher_suite = );
| out.print(cipherSuite);
| out.println(/li);
| out.print(lijavax.servlet.request.X509Certificate = );
| out.print(certChain);
| out.println(/li);
|
|}%
| /ul
|
| h1 JNDI java:comp/env Context Info/h1
| pre
| %
| if( initException != null )
| out.println(initException);
| else
| out.println(jndiEnvCtxInfo);
| %
| /pre
| h1 Request Information /h1
| font size=4
| JSP Request Method: %= request.getMethod() %
| br
| Request URL: %= request.getRequestURL() %
| br
| Request URI: %= request.getRequestURI() %
| br
| Request Protocol: %= request.getProtocol() %
| br
| Servlet path: %= request.getServletPath() %
| br
| Path info: %= request.getPathInfo() %
| br
| Path translated: %= request.getPathTranslated() %
| br
| Query string: %= request.getQueryString() %
| br
| Content length: %= request.getContentLength() %
| br
| Content type: %= request.getContentType() %
| br
| Server name: %= request.getServerName() %
| br
| Server port: %= request.getServerPort() %
| br
| UserPrincipal: %= request.getUserPrincipal() %
| br
| Remote user: %= request.getRemoteUser() %
| br
| Remote address: %= request.getRemoteAddr() %
| br
| Remote host: %= request.getRemoteHost() %
| br
| Authorization scheme: %= request.getAuthType() %
| br
| Is secure: %= request.isSecure() %
| br
| Locale: %= request.getLocale() %
| hr
| The browser you are using is %= request.getHeader(User-Agent) %
| hr
| /font
| /body
| /html
|
|
Output without ssl:
| Session Info
| SessionID: 7D6B2FA8783C0B451C23319E990C393E
| CreationTime: Wed Jul 07 13:15:27 PDT 2004
| LastAccessedTime: Wed Jul 07 13:15:27 PDT 2004
|
| Request Information
| JSP Request Method: GET
| Request URL: http://localhost:8080/jmx-console/snoop.jsp
| Request URI: /jmx-console/snoop.jsp
| Request Protocol: HTTP/1.1
| Servlet path: /snoop.jsp
| Path info: null
| Path translated: null
| Query string: null
| Content length: -1
| Content type: null
| Server name: localhost
| Server port: 8080
| UserPrincipal: admin
| Remote user: admin
| Remote address: 127.0.0.1
| Remote host: 127.0.0.1
| Authorization scheme: BASIC
| Is secure: false
| Locale: en_US
|
Output with ssl:
| Session Info
| SessionID: 1AA806630E9DC97500C2D240066407EC
| CreationTime: Wed Jul 07 13:01:34 PDT 2004
| LastAccessedTime: Wed Jul 07 13:08:48 PDT 2004
|
| * javax.servlet.request.cipher_suite = TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| * javax.servlet.request.X509Certificate = null
|
| Request Information
| JSP Request Method: GET
| Request URL: https://localhost:8443/jmx-console/snoop.jsp
| Request URI: /jmx-console/snoop.jsp
| Request Protocol: HTTP/1.1
| Servlet path: /snoop.jsp
| Path info: null
| Path translated: null
| Query string: null
| Content length: -1
| Content type: null
| Server name: localhost
| Server port: 8443
| UserPrincipal: admin
| Remote user: admin
| Remote address: 127.0.0.1
| Remote host: 127.0.0.1
| Authorization scheme: BASIC
| Is secure: true
| Locale: en_US
|
View the original post :
http://www.jboss.org/index.html?module=bbop=viewtopicp=3841273#3841273
Reply to the post :
http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841273
---
This SF.Net email sponsored by Black Hat Briefings Training.
Attend Black Hat Briefings Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
Looks like a problem in your code somewhere. Maybe a problem with DNS caching ? Note that the JVM caches DNS entries when not told otherwise. Joachim View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841129#3841129 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841129 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken
Explain how this exception relates to ssl. View the original post : http://www.jboss.org/index.html?module=bbop=viewtopicp=3841137#3841137 Reply to the post : http://www.jboss.org/index.html?module=bbop=postingmode=replyp=3841137 --- This SF.Net email sponsored by Black Hat Briefings Training. Attend Black Hat Briefings Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
