I am trying to connect a MySQL user table as a realm to my Tomcat 9. The user and roles are managed in 2 tables, as you can see in the realm configuration below. The passwords are MD5-hashed and Base64-encoded.
Unfortunately, I do not get it running properly.
REALM CONFIGURATION:
<!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack -->
<!--<Realm className="org.apache.catalina.realm.LockOutRealm"> -->
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<!--<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>-->
<!-- Custom realm for user database -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
debug="99"
driverName="com.mysql.cj.jdbc.Driver"
connectionURL="jdbc:mysql://mysqlserver.example.com:3306/database?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC&verifyServerCertificate=false&useSSL=true&requireSSL=true&autoReconnect=true"
connectionName="MYSQLDB"
connectionPassword="MYSQL_PASSWORD"
userTable="myuser" userNameCol="username" userCredCol="password"
userRoleTable="myuser_roles" roleNameCol="role"/>
<CredentialHandler
className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="{MD5}encodedCredential"
iterations="1"
saltLength="0"/>
<!-- </Realm> -->
WORKS:
When I save a password as plain text in the database and remove the CrendetialHandler from the configuration, it works. So, the database connection/configuration seems to be correct.
DOES NOT WORK:
As soon as the the password is saved hashed and encoded, it does not work anymore. I tried several CredentialHandler settings, but always getting an error, for example the latest:
WARNING [main] org.apache.tomcat.util.digester.Digester.endElement No rules found matching [Server/Service/Engine/CredentialHandler]
or
WARNING [main] org.apache.catalina.realm.CombinedRealm.setCredentialHandler A CredentialHandler was set on an instance of the CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm doesn't use a configured CredentialHandler. Is this a configuration error?
As you can see, I also tried to comment out the existing logout realm or put the CrendentialHandler into it. Nevertheless, it does not work yet.
What can I do?
Thanks in advance!
Your "CredentialHandler" is sitting outside of your "Realm" That may be one of your issues (you close the Realm at the end of the "roleNameCol"). I also list the algorithm in my code as simply "MD5" vs what you show. That may also be a problem.
I would fix it such as below (I explicitly close the "CredentialHandler" and the "Realm" to be more clear):
<Realm className="org.apache.catalina.realm.JDBCRealm"
debug="99"
driverName="com.mysql.cj.jdbc.Driver"
connectionURL="jdbc:mysql://mysqlserver.example.com:3306/database?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC&verifyServerCertificate=false&useSSL=true&requireSSL=true&autoReconnect=true"
connectionName="MYSQLDB"
connectionPassword="MYSQL_PASSWORD"
userTable="myuser" userNameCol="username" userCredCol="password"
userRoleTable="myuser_roles" roleNameCol="role">
<CredentialHandler
className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="{MD5}encodedCredential"
iterations="1"
saltLength="0">
</CredentialHandler>
</Realm>
Related
I want to configure Apereo CAS 6.0.x to perform X.509 authentication and then retrieve principal attributes from a database table.
Rudimentary X.509 authentication is working with these lines in application.properties (and appropriate reverse proxy setup):
cas.authn.x509.extractCert=true
cas.authn.x509.sslHeaderName=SSL_CLIENT_CERT
cas.authn.x509.principalDescriptor=SUBJECT_DN
The default "Log In Successful" page shows that it knows how to get my certificate's subject DN.
But I can't figure out how to tell CAS to then use that subject DN value to query my database for additional attributes.
This page explicitly mentions my need (though with LDAP instead of JDBC), but does not say specifically how to achieve it:
In many cases it is necessary to perform authentication by one means and resolve principals by another. The PrincipalResolver component provides this functionality. A common use case for this this mix-and-match strategy arises with X.509 authentication. It is common to store certificates in an LDAP directory and query the directory to resolve the principal ID and attributes from directory attributes. The X509CertificateAuthenticationHandler may be be combined with an LDAP-based principal resolver to accommodate this case.
What properties need to be set so that the X509 authentication handler resolves the principal against the database?
The missing ingredient was this line in application.properties:
cas.authn.x509.principalType=SUBJECT_DN
Without it, CAS does not attempt to query any attributeRepository settings that you may have.
We have just gone live with https://ecotaksen.be. The queries and updates on Exact were running fine, but after installing the production license an error itgenobr001: Client not found. occurs.
My data container specification is:
<database order="1"
creationDate="2016-04-13T09:11:03.3584276+02:00"
provider="ExactOnlineAll"
connectionString="apiUrl=https://start.exactonline.be"
/>
The connection to Exact Online using Query Tool with the same credentials and connection string is working fine.
How can I solve the itgenobr001 error?
In fact it was quite simple to solve: the "Client" referred to is the application. I needed to add the client ID of Exact Online app to my connection string, since Data Access Point requires a client ID when using a production license.
Resulting data container specification:
<database order="1" creationDate="2016-04-13T09:11:03.3584276+02:00" provider="ExactOnlineAll"
connectionString="apiUrl=https://start.exactonline.be;api-client-id=MYID" />
After that, I got a itgenobr001: Invalid authorization request., and that one required addition of the redirect url as specified in the My Apps page in Exact Online:
<database order="1" creationDate="2016-04-13T09:11:03.3584276+02:00" provider="ExactOnlineAll"
connectionString="apiUrl=https://start.exactonline.be;api-client-id=MYID;apiredirecturl=https://ecotaksen.be" />
I'm checking if this is a sitecore bug, or if I'm missing something obvious.
EDIT FOR CLARIFICATION: The problem I'm having is that I'm trying to set up the configuration settings in the Domains.config file so that Sitecore shouldn't be creating (and/or returning) an anonymous user for a domain set up this way. However, if I use the Domain.GetUsers() function on the domain, I still get the anonymous user returned.
The membership provider is a custom built and connects to LDAP in read only mode.
Details
Using Sitecore 6.4.1 and given the following domain configuration in App_Config/Security/domains.config
<domain name="DOMAINNAME" ensureAnonymousUser="false" anonymousUserName="" everyoneRoleName="" />
and these comments in that domain.config file
anonymousUserName: <snip> Set to blank to disable the anonymous user for the domain. Optional
ensureAnonymousUser: Indicates if the domain should ensure that an anonymous user for the domain exists in the Membership database. Optional - default value: false
everyoneRoleName: <snip> Set to blank to disable the everyone role for the domain. Optional - default value: Everyone
If I use the following code,
List<Sitecore.Security.Accounts.User> users = new List<Sitecore.Security.Accounts.User>();
var domain = Sitecore.Security.Domains.Domain.GetDomain(DOMAINNAME);
users.AddRange(domain.GetUsers().ToArray<Sitecore.Security.Accounts.User>());
I get the anonymous user included in users list. I assumed from the comments in the domain.config file that I shouldn't get the anonymous user if I set up my domain as above.
Is there something obvious that I'm missing?
Just a guess as I have not used 6.4 yet or tweaked any of those types of setting before... but I believe Sitecore always comes pre-packaged with the Anonymous user in the membership. By setting ensureAnonymousUser to false you're just telling it not to ensure its there, but its already there by default. Why don't you try this test:
Set ensureAnonymousUser to true then delete [*] the Anonymous user from the user manager.
Log out and back in and see if it's there again. If so then the "ensure" aspect of that worked. So...
Set ensureAnonymousUser to false then do the same thing. Does the user come back?
This is really just a hunch on how it works -- I don't have an environment like that setup right now to play with, but its worth a shot.
[*] - to delete a user form the User Manager, go to Sitecore > Security > User Manager
I think it's more question to membership provider you use. Take a look at Active Directory Module
Maybe this is something that could help you.
First Project: Spring3, Security3, Hibernate, MYSQL - How to install user tracking into database
I am working on my first project with Spring3, Security3, Hibernate, MYSQL.
I have the system working great I use Spring3 and Security3 goign to MySQL for the login and
using Spring3 MVC, Hibernate and MYSQL for system data.
I have a number of questions. Once I login does Spring Security save the user object somewhere that I can have
Hibrernate access it. I want Hibernate to put the user name or role into each insert to the database so as
I do my searches the system knows to only show data for that user and only that user?
this somes like it should be easy. Spring should be saving the user somewhere the hibernate can access.
please help me out
Once the user is authenticated, you can access the user's authentication session details:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
SecurityContext will allow you to grab the Authentication object, and from that you can retrieve the principal (an object representing the authenticated user), roles, etc. You could inspect this information and determine what data should be stored/displayed for each user.
If you can add a request filter or interceptor (the vocabulary may vary between frameworks), you could probably make these security checks abstract/generic enough to be applied across your entire web app (instead of adding a few lines of code to every resource method you're attempting to secure). Either way, SecurityContext should get you closer to what you want.
I'm setting up a Jabber server for my website. I've already got some user accounts in place in the openfire database, and working IMs between them.
I'm now looking to add (some) of the users from my main database (members table, with login, password[plain text]) and allowed_to_IM[0 or 1] fields) to allow them to communicate between themselves. The Hybrid authentication is a new feature in v3.6.0a however, and there's little documentation in what configuration is required in the openfire.xml file for the database connectivity (to a second database), and what else may go in the properties (which have also taken much of the config's info away of the XML file).
My question is: Does anyone have a complete example that checks multiple databases? All the examples I'm seen seem to be just fragments.
I have it using ldap and mysql and if it helps you my setting from openfire.xml are:
<connectionProvider>
<className>org.jivesoftware.database.DefaultConnectionProvider</className>
</connectionProvider>
<database>
<defaultProvider>
<driver>com.mysql.jdbc.Driver</driver>
<serverURL>jdbc:mysql://127.0.0.1:3306/openfire</serverURL>
<username>username</username>
<password>pass</password>
<minConnections>5</minConnections>
<maxConnections>15</maxConnections>
<connectionTimeout>1.0</connectionTimeout>
</defaultProvider>
</database>
<ldap>
ldapsetting removed
</ldap>
<hybridAuthProvider>
<primaryProvider>
<className>org.jivesoftware.openfire.auth.DefaultAuthProvider</className>
</primaryProvider>
<secondaryProvider>
<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
</secondaryProvider>
</hybridAuthProvider>
<provider>
<auth>
<className>org.jivesoftware.openfire.auth.HybridAuthProvider</className>
</auth>
<vcard>
<className>org.jivesoftware.openfire.auth.DefaultAuthProvider</className>
</vcard>
<user>
<className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
</user>
<auth>
<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
</auth>
<group>
<className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
</group>
</provider>