RE: IIS authentication applies to static but not dynamic requests (servlets, JSPs). Any way to control that?

2018-06-11 Thread charlie arehart
> -----Original Message-----
> From: Igal @ Lucee.org  
> Sent: Monday, June 11, 2018 04:55 PM
> To: users@tomcat.apache.org
> Subject: Re: IIS authentication applies to static but not dynamic requests 
> (servlets, JSPs). Any way to control that?
>
> Charlie,
>
> Are you sure that the static requests are passed to Tomcat?  Can you verify 
> that in the response headers?
>
> The logical explanation that I can think of is that IIS still serves the 
> static content, but passes the JSP stuff to Tomcat without checking the 
> security permissions.
>
> HTH,
>
> Igal Sapir

Thanks, Igal. No, I agree the static files are NOT passed to Tomcat. I wasn't 
saying that they were. :-) I was implying rather that they do NOT go to Tomcat, 
and are NOT processed by the Tomcat connector/ISAPI Filter (because they are 
not in the uriworkermap.properties list of processed URLs). 

This was to confirm that they WERE therefore being handled CORRECTLY by IIS, in 
that a user trying to run the request who did NOT have access to the files (per 
Windows on the server) would find the request rejected (per the Windows 
Authentication feature in IIS).

The problem is that jsps and servlets, which ARE passed to Tomcat by the 
connector (are in the uriworkermap.properties mappings) are NOT being properly 
rejected by IIS (or the connector, whichever should have control).

Now, I should add that I had in mind at one time a test to change the order of 
the modules in IIS, to put the ISAPIFilterModule below the 
WindowsAuthentication and FileAuthorization module, to see if that would 
"help". But really, that should not be needed (even if it would help). Users of 
Tomcat (who want to implement web server file security like this) shouldn't 
(I'd think) have to know of such a low-level tweak. I would think that the 
connector (the Tomcat isapifilter.dll) could/should implement such a security 
for the user. I suppose someone may quibble with that.

I had also meant to test things out in pure asp.net, to see if an aspx page got 
honored this way (was protected by Windows Auth and file security, like a 
static file). I forgot to do these before writing. (Someone wanting me to get 
this to the Tomcat folks for attention pressed me about it, and I forgot these 
were 2 things I wanted to check before writing in.)

But perhaps someone familiar with all this may have a thought based simply on 
what has been shared so far.

/charlie


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: IIS authentication applies to static but not dynamic requests (servlets, JSPs). Any way to control that?

2018-06-11 Thread Igal @ Lucee.org

Charlie,

On 6/11/2018 2:38 PM, charlie arehart wrote:

> Folks, I have found that if Windows authentication (NTLM) is enabled for a site 
> (or folder) in IIS, such authentication does apply (and is honored) for static 
> files (html, images) but NOT dynamic ones (servlets, JSPs). Is that intended?
> 
> To be clear, this is the latest Tomcat 8 (8.5.31) and the latest IIS connector 
> (1.2.43). The uriworkermap.properties is configured to pass all requests to 
> Tomcat (not just JSPs, for instance).
> 
> What I’m referring to in particular is this: consider that I set the security 
> properties for one of the JSP example folders:
> 
> C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat8_5_31\webapps\examples\jsp\jsp2\el
> 
> such that my user had been denied access to that folder.
> 
> And let’s say I have configured a site in IIS that listens on port 91 to pass 
> to Tomcat. If I open a new browser window (so as to not have any caching of 
> previous authentication), and I visit this URL:
> 
> http://localhost:91/examples/jsp/jsp2/el/basic-arithmetic.html
> 
> I get a prompt in the browser to login, and if I login with the user whose 
> permissions had been denied, I get a rejection from IIS. (In my case, I am 
> running my Tomcat test site on port 91 in IIS. It’s not at all pertinent if 
> there is a non-std port or port 80 used.)
> 
> The key issue is that if I then visit a JSP or servlet, that IS ALLOWED to run, 
> even though a static file is rejected:
> 
> http://localhost:91/examples/jsp/jsp2/el/basic-arithmetic.jsp
> 
> I have found nothing in the docs to indicate that this is expected behavior. 
> Can anyone offer any thoughts? I am happy to do any tests or share any needed 
> diagnostics to help resolve this. Thanks.

Are you sure that the static requests are passed to Tomcat?  Can you 
verify that in the response headers?


The logical explanation that I can think of is that IIS still serves the 
static content, but passes the JSP stuff to Tomcat without checking the 
security permissions.


HTH,

Igal Sapir
Lucee Core Developer
Lucee.org 



IIS authentication applies to static but not dynamic requests (servlets, JSPs). Any way to control that?

2018-06-11 Thread charlie arehart
Folks, I have found that if Windows authentication (NTLM) is enabled for a site 
(or folder) in IIS, such authentication does apply (and is honored) for static 
files (html, images) but NOT dynamic ones (servlets, JSPs). Is that intended?

To be clear, this is the latest Tomcat 8 (8.5.31) and the latest IIS connector 
(1.2.43). The uriworkermap.properties is configured to pass all requests to 
Tomcat (not just JSPs, for instance). 

What I’m referring to in particular is this: consider that I set the security 
properties for one of the JSP example folders:

C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat8_5_31\webapps\examples\jsp\jsp2\el

such that my user had been denied access to that folder.

And let’s say I have configured a site in IIS that listens on port 91 to pass 
to Tomcat. If I open a new browser window (so as to not have any caching of 
previous authentication), and I visit this URL:

http://localhost:91/examples/jsp/jsp2/el/basic-arithmetic.html

I get a prompt in the browser to login, and if I login with the user whose 
permissions had been denied, I get a rejection from IIS. (In my case, I am 
running my Tomcat test site on port 91 in IIS. It’s not at all pertinent if 
there is a non-std port or port 80 used.)

The key issue is that if I then visit a JSP or servlet, that IS ALLOWED to run, 
even though a static file is rejected:

http://localhost:91/examples/jsp/jsp2/el/basic-arithmetic.jsp

I have found nothing in the docs to indicate that this is expected behavior. 
Can anyone offer any thoughts? I am happy to do any tests or share any needed 
diagnostics to help resolve this. Thanks.



/charlie



Re: creation of virtual directories

2018-06-11 Thread Jeffrey Beckstrom
We would go with the latest which appears to be 9. Google found articles for V7 
and one that said it changed in 8 but did not describe the change.
>>> Mark Thomas  6/11/18 3:06 PM >>>
On 11/06/18 19:58, Jeffrey Beckstrom wrote:
> We are looking at migrating from Glassfish to Tomcat. In Glassfish, we
> created alternatedocroot_N entries to map a path in Glassfish to a
> windows drive.
> 
> How do we perform a similar function in Tomcat?

Tomcat version? (it changed between 7.0.x and 8.0.x)

Mark


Re: creation of virtual directories

2018-06-11 Thread Mark Thomas
On 11/06/18 19:58, Jeffrey Beckstrom wrote:
> We are looking at migrating from Glassfish to Tomcat. In Glassfish, we
> created alternatedocroot_N entries to map a path in Glassfish to a
> windows drive.
> 
> How do we perform a similar function in Tomcat?

Tomcat version? (it changed between 7.0.x and 8.0.x)

Mark




creation of virtual directories

2018-06-11 Thread Jeffrey Beckstrom
We are looking at migrating from Glassfish to Tomcat. In Glassfish, we created 
alternatedocroot_N entries to map a path in Glassfish to a windows drive.

How do we perform a similar function in Tomcat?


Jeffrey Beckstrom
Lead Database Administrator
Information Technology Department
Greater Cleveland Regional Transit Authority
1240 W. 6th Street
Cleveland, Ohio 44113




Re: Tomcat Secure WebSockets clients - hostname verification

2018-06-11 Thread Mark Thomas
On 11/06/18 11:47, Weiner Harald wrote:

> What are your thoughts?

I'm leaning towards adding:

SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslSocket.setSSLParameters(sslParams);

unconditionally to WsWebSocketContainer.createSSLEngine()

I've been trying to think of a use case where you'd want to use TLS
without wanting to verify the host name and I can't think of one.

Mark




Tomcat Secure WebSockets clients - hostname verification

2018-06-11 Thread Weiner Harald
Hello Tomcat user group,

I want a Tomcat-Servlet to connect to a secure web socket endpoint to exchange 
data with another component / server
(so my Tomcat-Servlet is acting as a WebSocket client).

Now I would also like to do some hostname verification (verify that the host to 
which I am connecting matches
the subject alternative name from the certificate) to prevent Man-in-the-middle 
attacks, see also [1].

I know that it is possible to provide an SSLContext to Tomcat through user 
properties [2].
But a javax.net.ssl.SSLContext does not provide any configuration options for 
hostname verifiers, see JavaDoc at [3],
e.g., something like sslParams.setEndpointIdentificationAlgorithm("HTTPS"), as 
suggested by [4].

So one way to achieve this would be to patch 
org.apache.tomcat.websocket.WsWebSocketContainer.java in the method 
private SSLEngine createSSLEngine(Map userProperties) and introduce another 
user property.

But maybe there are already other solutions available to achieve Hostname 
verification in Tomcat WebSocket clients.

My code looks like this:



import java.io.IOException;
import java.net.URI;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.ContainerProvider;
import javax.websocket.DeploymentException;
import javax.websocket.Session;
import javax.websocket.WebSocketContainer;

public class MyServlet extends HttpServlet
{
  final String hostname = "otherpc";

  @Override
  protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
      throws ServletException, IOException
  {
    // Trust store holding the root CA that issued the server certificate
    System.setProperty("javax.net.ssl.trustStorePassword", "My123456");
    System.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
    System.setProperty("javax.net.ssl.trustStore", "C:\\RootCACertificate.pfx");
    final URI uri = URI.create("wss://" + hostname + ":8443/websocket");
    final WebSocketContainer container = ContainerProvider.getWebSocketContainer();
    final ClientEndpointConfig config = ClientEndpointConfig.Builder.create().build();
    try {
      // MyEndpoint (not shown here) extends javax.websocket.Endpoint
      final Session session = container.connectToServer(MyEndpoint.class, config, uri);
      // more stuff
    } catch (final DeploymentException e) {
      // connectToServer declares DeploymentException; surface it as a servlet failure
      throw new ServletException(e);
    }
  }
}


What are your thoughts?

Thank you very much for your time!


Harald.

[1] https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/

[2] https://www.mail-archive.com/users@tomcat.apache.org/msg125312.html

[3] https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLContext.html

[4] https://stackoverflow.com/a/18174689
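One way to get hostname verification through the SSLContext hook Harald mentions, without patching WsWebSocketContainer: wrap the platform trust manager in one that, after the normal chain validation, matches the leaf certificate's dNSName SANs against the host the servlet meant to reach, and hand the resulting SSLContext to Tomcat's WebSocket client through its org.apache.tomcat.websocket.SSL_CONTEXT user property. This is an added example, not code from the thread or from Tomcat. Assumptions: the trust store path and password are the placeholders from Harald's post; the expected host is passed in explicitly rather than read from the SSLEngine, because the engine Tomcat's client creates is not guaranteed to carry a peer host (getPeerHost() may be null); only dNSName entries are checked (no CN fallback, no IP-address SANs), a wildcard stands for exactly one leftmost label, and the default PKIX TrustManagerFactory is assumed to return an X509ExtendedTrustManager. Once Tomcat sets the HTTPS endpoint identification algorithm itself, as Mark proposes, the wrapper is redundant but harmless, since both checks run.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.websocket.ClientEndpointConfig;

/** Delegates chain validation to the platform trust manager, then checks the leaf's dNSName SANs
 *  against a host fixed at construction (Tomcat's client-side SSLEngine may not know its peer host). */
public final class HostnameCheckingTrustManager extends X509ExtendedTrustManager {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName
    private final X509ExtendedTrustManager delegate;
    private final String expectedHost;

    public HostnameCheckingTrustManager(X509ExtendedTrustManager delegate, String expectedHost) {
        this.delegate = delegate;
        this.expectedHost = expectedHost.toLowerCase(Locale.ROOT);
    }

    /** "*." may replace exactly one leftmost label and must sit below at least two fixed labels. */
    static boolean dnsNameMatches(String sanName, String host) {
        String pattern = sanName.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(h);
        String suffix = pattern.substring(1);                  // "*.example.com" -> ".example.com"
        if (suffix.indexOf('.', 1) < 0) return false;          // refuse "*.com"
        int firstDot = h.indexOf('.');
        return firstDot > 0 && h.substring(firstDot).equals(suffix);
    }

    /** Passes only if some dNSName SAN matches; no CN fallback, a present SAN is authoritative (RFC 6125). */
    static void verifyHostname(X509Certificate leaf, String host) throws CertificateException {
        Collection<List<?>> sans;
        try {
            sans = leaf.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            throw new CertificateException("cannot parse SubjectAltName", e);
        }
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == SAN_DNS_NAME
                        && dnsNameMatches((String) san.get(1), host)) {
                    return;
                }
            }
        }
        throw new CertificateException("server certificate does not name host " + host);
    }

    // Server side: path validation by the platform manager first, then the identity check.
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException {
        delegate.checkServerTrusted(c, a, e); verifyHostname(c[0], expectedHost);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException {
        delegate.checkServerTrusted(c, a, s); verifyHostname(c[0], expectedHost);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        delegate.checkServerTrusted(c, a); verifyHostname(c[0], expectedHost);
    }
    // Client-certificate checks are not this class's concern; pass them straight through.
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkClientTrusted(c, a, e); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** SSLContext whose only trust manager is the platform one wrapped with the host check. */
    public static SSLContext sslContextFor(String trustStorePath, char[] password, String expectedHost)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        // Assumption: the default (PKIX) factory yields one X509ExtendedTrustManager; other providers may differ.
        X509ExtendedTrustManager platform = (X509ExtendedTrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new HostnameCheckingTrustManager(platform, expectedHost) }, null);
        return ctx;
    }

    /** Client config carrying the SSLContext under the user property Tomcat's WebSocket client reads. */
    public static ClientEndpointConfig clientConfig(SSLContext ctx) {
        ClientEndpointConfig config = ClientEndpointConfig.Builder.create().build();
        config.getUserProperties().put("org.apache.tomcat.websocket.SSL_CONTEXT", ctx);
        return config;
    }
}
```

In the servlet from the post this replaces the three System.setProperty calls and the empty config: container.connectToServer(MyEndpoint.class, HostnameCheckingTrustManager.clientConfig(HostnameCheckingTrustManager.sslContextFor("C:\\RootCACertificate.pfx", "My123456".toCharArray(), hostname)), uri). Loading the trust store explicitly also avoids mutating JVM-wide javax.net.ssl properties from inside a request handler. A certificate that chains to the trusted root but names a different host now fails the handshake with a CertificateException instead of being accepted.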





Re: Configuration of Tomcat Container to use SAML authentication

2018-06-11 Thread Luis Rodríguez Fernández
Hello Sandeep,

Both the Keycloak SAML adapter [1] and the servlet filter [2] work for me
out-of-the-box.

I am using tomcat 9.0.5

Cheers,

Luis


[1]
https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-tomcat-adapter
[2]
https://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter

2018-06-09 14:09 GMT+02:00 Arnaud Yahoo :

> Hello,
>
> I recently tried (with success) the tomcat Valve from Fediz (Apache CXF)
>
> http://cxf.apache.org/fediz-tomcat.html
>
> Note that you need to take a recent 1.4.4 snapshot, because 1.4.3 has some
> bugs preventing it from working with SAML
>
> Hope this helps
>
> Arnaud
>
>
>
> On 08/06/2018 21:49, Christopher Schultz wrote:
>
>>
>> Sandeep,
>>
>> On 6/8/18 10:39 AM, Sandeep Muddamsetty wrote:
>>
>>> We are trying to implement SAML SSO configuration on Tomcat 8.5.X
>>> servers. As we came to know that there is no direct
>>> implementation of this authentication process through some of the
>>> blogs and need to depend on third party tools to make it possible.
>>> As we are seeing so many tools while searching for this but not
>>> getting exact information to use which tool. Do we have any Apache
>>> recommended tools for this?
>>>
>> I don't have a particular recommendation for you, but if you find
>> something that works well, would you mind sharing your experience with
>> the community?
>>
>> I have implemented SAML SSO myself, but we don't use Tomcat's built-in
>> authentication and authorization framework, so it wouldn't be applicable.
>>
>> You will almost certainly have to implement a Valve (which is a
>> Tomcat-specific component) to accomplish this. You might want to look
>> at the org.apache.catalina.authenticator.FormAuthenticator source code
>> to see how it's done. Much of the heavy-lifting is done by the
>> AuthenticatorBase class, but the
>> doAuthenticate(Request,HttpServletResponse) method is where the "real
>> work" gets done to handle the incoming data, etc.
>>
>> I suspect if you began with that code and started chopping-out pieces
>> and replacing them with parsing of the SAML response, validating and
>> verifying its authenticity, and then obtaining the user's identity
>> through the various SAML attributes sent by the identity provider, you
>> could get quite far on your own.
>>
>> If you want to use an outside authentication system, it wouldn't
>> surprise me to discover that Spring Security already had a plug-in for
>> this kind of thing.
>>
>> Hope that helps,
>> - -chris
>>


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett