Re: Manager setup in Tomcat 8

2020-12-22 Thread James H. H. Lampert

On 12/22/20 10:51 AM, Christopher Schultz wrote:

I would try to lock-down that IP range as much as you can, rather than 
either removing the Valve (which would allow connections from anywhere) 
or specifying something like ".*" in the "allow" attribute (which is a 
regular expression which will be applied to the remote-user's IP 
address, either IPv4 or IPv6 as the case may be).


Dear Mr. Schultz:

Thanks. Very much applicable to the EC2 instance (and I recall doing 
just that, although I'd have to look at what I did to recall exactly 
how), and to most customer boxes, but not necessarily so much for this 
particular customer: they've got everything locked down in the tightest 
VPN I've ever seen.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Manager setup in Tomcat 8

2020-12-22 Thread Christopher Schultz

James,

On 12/22/20 13:39, James H. H. Lampert wrote:
A few months back, as I recall, I ran into some "gotchas" in connection 
with the manager context, while setting up Tomcat 8.5 on one of our AWS 
EC2 instances. As I recall, I had to do something special, something I 
don't have to do with Tomcat 7, in order to make the manager context 
reachable from the outside.


Very shortly, I'll be setting up Tomcat 8.5 for the first time on an 
AS/400, and like the EC2, it can't exactly browse itself, so it, too, 
will need to have the manager context reachable from the outside world.


Can somebody remind me of what it is I had to do, that I don't have to 
do for Tomcat 7?


It was probably changing the default RemoteAddrValve to allow non-local 
IP addresses. You can find that in the manager's META-INF/context.xml file.


I would try to lock-down that IP range as much as you can, rather than 
either removing the Valve (which would allow connections from anywhere) 
or specifying something like ".*" in the "allow" attribute (which is a 
regular expression which will be applied to the remote-user's IP 
address, either IPv4 or IPv6 as the case may be).


-chris

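As an added illustration for the RemoteAddrValve point above (this is not code from the thread and not Tomcat's own shipped file, although the loopback pattern quoted in the comment is the stock 8.5 default), here is the shape of the manager's META-INF/context.xml with one administrative range added instead of the Valve being removed or widened to ".*". The range 10.8.0.0/24 is an assumed VPN client range and the $CATALINA_BASE path is the usual layout; substitute your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $CATALINA_BASE/webapps/manager/META-INF/context.xml

     The stock Tomcat 8.5 value admits only loopback clients:
       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

     Below, the loopback alternatives are kept and a single extra range is
     appended. 10.8.0.0/24 is an ASSUMED VPN client range used for
     illustration; replace it with the real one.

     The attribute is a java.util.regex pattern that must match the WHOLE
     remote address, so every literal dot is escaped. An unescaped "." or a
     bare ".*" would silently match far more than intended. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.8\.0\.\d{1,3}" />
</Context>
```

A client whose address does not match gets an HTTP 403 from the valve before the manager servlet runs. Two things worth checking after editing: that the pattern still matches the loopback forms you rely on when testing from the box itself, and, if Tomcat sits behind a reverse proxy or load balancer, that the address the valve sees is the real client rather than the proxy (without a RemoteIpValve ahead of it, the valve compares the proxy's address, and a rule written for the proxy would admit everyone the proxy forwards).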



Manager setup in Tomcat 8

2020-12-22 Thread James H. H. Lampert
A few months back, as I recall, I ran into some "gotchas" in connection 
with the manager context, while setting up Tomcat 8.5 on one of our AWS 
EC2 instances. As I recall, I had to do something special, something I 
don't have to do with Tomcat 7, in order to make the manager context 
reachable from the outside.


Very shortly, I'll be setting up Tomcat 8.5 for the first time on an 
AS/400, and like the EC2, it can't exactly browse itself, so it, too, 
will need to have the manager context reachable from the outside world.


Can somebody remind me of what it is I had to do, that I don't have to 
do for Tomcat 7?


--
JHHL




Re: Tomcat SSO valve implementation

2020-12-22 Thread Brian Wolfe
Most apps I have seen implement it themselves using a SAML framework like
Spring. Usually they build the functionality into their App. I suppose you
could build a Tomcat implementation; Tomcat supports J2EE, so you could
leverage those mechanisms to get the Tomcat session. I don't think there is
anything OOTB for Tomcat SAML. Essentially you need to create a couple of
endpoints: one for SAML metadata retrieval/generation and one for parsing
an incoming SAML assertion, assuming you're providing a service with your
App. You would also want a logout endpoint. You will also need to figure
out login, as your App needs to redirect to the IDP in the event a user
does not have a session. Some SPs have a local login and IDP login. So you
would have to implement that.

In my quick Google searching there seems to be a tool called PicketLink
that might do some of this for you. This seems to be a decent write-up,
although I haven't used it.
https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink


On Tue, Dec 22, 2020 at 12:04 PM Steve Sanders wrote:

> Just to add on to the options already listed (which I'm sure work just
> great!), we used openSAML and wrote our own valve fairly painlessly and
> have been having really good success with it.
>
> Steve Sanders
>
> On Mon, Dec 21, 2020 at 1:17 PM George Stanchev <
> george.stanc...@microfocus.com> wrote:
>
> > We use spring-security-saml for application-level SP implementation and
> it
> > works pretty good too. The project is in the process of being rewritten
> > from scratch though with 2.0 in milestone builds. No direct integration
> > with Tomcat though but on application level.
> >
> > George
> >
> > -Original Message-
> > From: André Warnier (tomcat/perl) 
> > Sent: Thursday, December 17, 2020 8:42 AM
> > To: users@tomcat.apache.org
> > Subject: Re: Tomcat SSO valve implementation
> >
> > On 16.12.2020 19:39, Kevin Oxley wrote:
> > > We are trying to support SSO SAML 2.0 for user authentication in Tomcat
> > > (9.0.22).   Can anybody provide a reference to a pre-integrated SAML
> SSO
> > > valve implementation that you've had a good experience with?
> > >
> >
> > searching Google for "SAML SP for servlet engine" gives a few links,
> among
> > them this one :
> >
> https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink
> >
> > I haven't tried it myself. In my cases, I always use an Apache httpd
> > front-end, which does the authentication prior to proxying to a back-end
> > tomcat (with the Connector attribute '
> > tomcatAuthentication="false" '). In the front-end Apache2 httpd then, we
> > use Shibboleth as the SAML SP side.
> > That works perfectly.
> >
> >
> >
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: Tomcat SSO valve implementation

2020-12-22 Thread Steve Sanders
Just to add on to the options already listed (which I'm sure work just
great!), we used openSAML and wrote our own valve fairly painlessly and
have been having really good success with it.

Steve Sanders

On Mon, Dec 21, 2020 at 1:17 PM George Stanchev <
george.stanc...@microfocus.com> wrote:

> We use spring-security-saml for application-level SP implementation and it
> works pretty good too. The project is in the process of being rewritten
> from scratch though with 2.0 in milestone builds. No direct integration
> with Tomcat though but on application level.
>
> George
>
> -Original Message-
> From: André Warnier (tomcat/perl) 
> Sent: Thursday, December 17, 2020 8:42 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat SSO valve implementation
>
> On 16.12.2020 19:39, Kevin Oxley wrote:
> > We are trying to support SSO SAML 2.0 for user authentication in Tomcat
> > (9.0.22).   Can anybody provide a reference to a pre-integrated SAML SSO
> > valve implementation that you've had a good experience with?
> >
>
> searching Google for "SAML SP for servlet engine" gives a few links, among
> them this one :
> https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink
>
> I haven't tried it myself. In my cases, I always use an Apache httpd
> front-end, which does the authentication prior to proxying to a back-end
> tomcat (with the Connector attribute '
> tomcatAuthentication="false" '). In the front-end Apache2 httpd then, we
> use Shibboleth as the SAML SP side.
> That works perfectly.
>
>
>


Re: Subdomain with SSL in same connector

2020-12-22 Thread Christopher Schultz

Maurice,

On 12/22/20 08:59, Maurice Poos wrote:

Hi there,

This question (or the gist of it) was asked around 2009 but a lot can
happen in 10 years.
The question is as follows:

I've got tomcat 9.0.35 running on a server (no apache or anything else)
The connector and ssl are all running smoothly.

When I put an alias in the connector of course the SSL breaks because the
subdomain is not included in the certificate in the keystore nor are
wildcards used.

Is it possible to add the subdomain ssl to the first keystore and then use
the alias to secure the subdomain.
Or...do I need to set up a separate connector, different keystore etc.

Thank you all for reading and stay safe!

Maurice

As a keynote.. I'm not up to all the RFCs

*Config (highlights):*

[Connector and Host elements did not survive extraction; only the host names remain]

www.site1.nl
subdomain1.site1.nl  <-- This is what I want to add


This isn't really a Tomcat thing, it's an X.509 thing. There is no way 
your client is going to accept a certificate for www.site1.nl when 
requesting a resource from subdomain1.site1.nl unless it's been 
instructed (by the user) to ignore TLS hostname mismatches, which is a 
pretty insecure practice.


So no matter which way you configure Tomcat, the client isn't going to 
make the connection.


If you have two separate certificates (one for www, one for subdomain1), 
then I would expect Tomcat to allow you to put them all into one 
keystore and list each one in a separate <SSLHostConfig> under the 
<Connector>. The <Host> just "accepts" requests once the TLS handshake 
is complete, so using an <Alias> there should work.


If it's not working, please post your full <Connector> and <Host> 
configurations (with any secrets removed) and also the output of this 
command:


$ keytool -list -v -keystore /etc/ssl/crt/site1.nl.jks
$ keytool -list -v -keystore /etc/ssl/crt/subdomain.site1.nl.jks

Note: you might want to start using PKCS12 (.p12) files since (a) 
OpenSSL can use them and (b) Java is dropping support for JKS files.


-chris

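To make the layout Chris describes concrete, here is an added server.xml excerpt (not Maurice's configuration and not from the thread): one <Connector> carrying two <SSLHostConfig> entries, selected by the server name the client sends in the TLS handshake (SNI), plus the <Host> with its <Alias>. The keystore paths are the two files named in the keytool commands above; the port, the password property names and the Engine/Host attributes are assumptions.

```xml
<!-- $CATALINA_BASE/conf/server.xml, relevant parts only (added illustration).
     Passwords are read from system properties (set them in
     $CATALINA_BASE/conf/catalina.properties or on the JVM command line)
     so that no secret sits in server.xml. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           defaultSSLHostConfigName="www.site1.nl">

  <!-- Presented when the client's SNI name is www.site1.nl, and also to any
       client that sends no SNI name at all (it is the default, see
       defaultSSLHostConfigName above). -->
  <SSLHostConfig hostName="www.site1.nl">
    <Certificate certificateKeystoreFile="/etc/ssl/crt/site1.nl.jks"
                 certificateKeystorePassword="${keystore.password.www}"
                 type="RSA" />
  </SSLHostConfig>

  <!-- Presented when the client's SNI name is subdomain1.site1.nl. -->
  <SSLHostConfig hostName="subdomain1.site1.nl">
    <Certificate certificateKeystoreFile="/etc/ssl/crt/subdomain.site1.nl.jks"
                 certificateKeystorePassword="${keystore.password.sub}"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<Engine name="Catalina" defaultHost="www.site1.nl">
  <!-- The Alias only routes the request to this Host after the handshake;
       which certificate was shown is decided entirely by SSLHostConfig. -->
  <Host name="www.site1.nl" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Alias>subdomain1.site1.nl</Alias>
  </Host>
</Engine>
```

If both certificates live in a single keystore instead, keep one certificateKeystoreFile on each <Certificate> and add certificateKeyAlias to pick the entry for that name. The useful check after a restart is a handshake with an explicit server name, for example `openssl s_client -connect <server>:8443 -servername subdomain1.site1.nl </dev/null | openssl x509 -noout -subject -ext subjectAltName`, run once per host name; each run should print a certificate whose subject or SAN contains exactly the name you asked for. A client that has been told to ignore hostname mismatches would "succeed" even with the wrong certificate, so do the check with a strict client, not with one configured to skip verification.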



Subdomain with SSL in same connector

2020-12-22 Thread Maurice Poos
Hi there,

This question (or the gist of it) was asked around 2009 but a lot can
happen in 10 years.
The question is as follows:

I've got tomcat 9.0.35 running on a server (no apache or anything else)
The connector and ssl are all running smoothly.

When I put an alias in the connector of course the SSL breaks because the
subdomain is not included in the certificate in the keystore nor are
wildcards used.

Is it possible to add the subdomain ssl to the first keystore and then use
the alias to secure the subdomain.
Or...do I need to set up a separate connector, different keystore etc.

Thank you all for reading and stay safe!

Maurice

As a keynote.. I'm not up to all the RFCs

*Config (highlights):*

[Connector and Host elements did not survive extraction; only the host names remain]

www.site1.nl
subdomain1.site1.nl  <-- This is what I want to add