Container Managed Security in tomcat 7

-

Resources within web application can be secured with declarative syntax in the web.xml.  
This is the easiest way to implement security layer for your web application.
Three steps to add security to your web application
Ø  prepare deployment descriptor  with security elements
Ø  define roles and user credentials in the  conf/tomcat-users.xml  (in memory)
Ø  add realm value in the conf/services.xml

Prepare deployment descriptor with security elements
There are three direct child elements for <web-app> root element which does this functionality inside the web.xml
1.  <security-constraint>
2.  <login-config>
3.  <security-role>







1.  security-constraint: security constraint is used to define the access privileges to a collection of resources using their URL mapping. The following elements can be part of a security constraint:
i.            Web-resource-collection:  here we need to specify URL pattern for which we need to secure and http method we have to allow for those operations.
        <web-resource-collection>
            <web-resource-name>REST_WS</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

ii.            Auth-constraint:  need to define role for which we allowing the access.  This role should have an entry in the tomcat-users.xml file under conf folder.
         <auth-constraint>
            <role-name>WS_SECURITY</role-name>
        </auth-constraint>
iii.            User-data-constraint:  (optional for this tutorial) this is only requires when have enabled https protocol.  Allowed values are
·         CONFIDENTIAL:   trying to access secure resources through Https .  redirects to https after authentication
·         INTEGRAL:  trying to access all the resources through Https. redirects to https before authentication
·         NONE:   access the resources with both the protocols (HTTP, https)

  1. Specify CONFIDENTIAL when the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission.
  2. Specify INTEGRAL when the application requires that the data be sent between client and server in such a way that it cannot be changed in transit.
  3. Specify NONE to indicate that the container must accept the constrained requests on any connection, including an unprotected one.
       <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
2.  login-cofig:  this is used to specify authentication mechanism. Following values are allowed for this element. For BASIC and DIGEST below prompt will displayed to enter credentials. Realm name what you supplied in the web.xml will be display in this popup. Here it is BASIC AUTHENTICATION



Ø  BASIC:  this is simple way of authentication, but it is not much secured. Username, password is send through base-64 encoding and one can easily intercept and decode the data.
<login-config>
           <auth-method>BASIC</auth-method>
           <realm-name>file</realm-name>
</login-config>

Ø  FORM:  this is useful when we want design our own customized login form. But the credentials are passed to server as plain text.
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
        <form-login-page>/logon.jsp</form-login-page>
        <form-error-page>/logonError.jsp</form-error-page>
    </form-login-config>
</login-config>
Addition steps for this form based authentication is need to design login form with below details in the form-login-page.
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>

Ø  DIGEST: Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user based on a username and a password. However, unlike HTTP Basic Authentication, HTTP Digest Authentication does not send user passwords over the network. In HTTP Digest authentication, the client sends a one-way cryptographic hash of the password (and additional data). Although passwords are not sent on the wire, HTTP Digest authentication requires that clear text password equivalents be available to the authenticating container so that it can validate received authenticators by calculating the expected digest.
<login-config>
    <auth-method>DIGEST</auth-method>
</login-config>

Ø  CLIENT-CERT:  this requires additional public key generation can be read at

3. security-role: define the security role same as mentioned in the auth-constraint.
    <security-role>
        <role-name>WS_SECURITY</role-name>
    </security-role>



Resultant file looks like as shown below

  <security-constraint>
        <web-resource-collection>
            <web-resource-name>REST_WS</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>WS_SECURITY</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>BASIC AUTHENTICATION</realm-name>
    </login-config>
    <security-role>
        <role-name>WS_SECURITY</role-name>
    </security-role>




Define roles and user credentials in the tomcat-users.xml
1.       Open the the tomcat-users.xml file under conf folder of your tomcat
2.       Define your own username, password and roles in this file
                <user username="jaxrs" password="jaxrs" roles="WS_SECURITY"/>
3.       Make sure the same role you have mentioned in the web.xml

Define realm in the services.xml under conf folder
Add below realm element under <Engine> element of services.xml
<Realm className="org.apache.catalina.realm.MemoryRealm" />
NOTE:  Read more about realms, if you want to take these credentials from database instead of tomcat-users.xml

Comments

Post a Comment

Popular posts from this blog

IBM Datapower GatewayScript

-
Introduction IBM API Assembly Language Introduction GatewayScript is a new transformation technology for API, Web, and Mobile and is available in DataPower. GatewayScript is based on the JavaScript programming language. More precisely, it supports the ECMAScript 5.1 version of the specification. On the DataPower appliance, JavaScript runs in ‘strict’ mode only. The strict mode provides a more consistent and more disciplined behavior. For example, if a script attempts to write a property of a DataPower API object and that object is frozen, an immediate exception is thrown. The ‘strict’ mode behavior supports stronger error checking and handling and increases security. DataPower Playground (GatewayScript Fiddle) IBM DataPower Playground is an interactive website that lets you write GatewayScript code and execute it on a cloud-hosted DataPower Gateway for learning purposes. Available at : https://datapower-playground.mybluemix.net/ GatewayScript provides
Read more

Spring boot Kafka Integration

-
Image
Introduction Introduction K afka is an open source streaming platform which scales very well in a horizontal way without compromising speed and efficiency. The Kafka core is written in Scala , and Kafka Streams and KSQL are written in Java . Features Kafka is a service bus To connect heterogeneous applications, we need to implement a message publication mechanism to send and receive messages among them. A message router is known as message broker . Kafka is a message broker , a solution to deal with routing messages among clients in a quick way. Kafka architecture has two directives The first is to not block the producers (to deal with back pressure). The second is to isolate producers and consumers . The producers should not know who their consumers are, hence the kafka follows the dumb broker and smart clients model. Tip Back pressure is to make applications robust against data surges. when producer generates data higher rate tha
Read more

Spring boot SOAP Web Service Performance

-
Image
Consumng This tutorial walks you through the process of consuming a SOAP-based web service with Spring. It elucidates following items Making parallel calls with RxJava (or WebFlux ) Sending large SOAP message payloads using AXIOM( AXis Object Model) AxiomSoapMessageFactory .(which improves performance) Marshalling( is the process of transforming the memory representation of an object to a data format suitable for storage or transmission) Marshalling (XML Serialization) done with O/X Mappers, different types of mappers out there and choose appropriate one for your need. Castor XML mapping is an open source XML binding framework. It allows you to transform the data contained in a java object model into/from an XML document. By default, it does not require any further configuration, though a mapping file can be used to have more control over the behavior of Castor. The Spring integration classes reside in the org.springframework.oxm.castor pa
Read more