RE: Is there a class or way in Tomcat to write org.apache.catalina.authenticator messages to a different logfile

2016-12-07 Thread Taylor, Larry

Hello,

Is there a class or way in Tomcat to write org.apache.catalina.authenticator
messages to a different logfile?

I'm using Tomcat 8.0.9 - I have logging turned on for the realm authentication,
but I cannot get authentication messages to write to a different log prefix
file other than catalina.out.

Is there a way to do this and keep the normal server messages writing to
catalina.out?

In conf/logging.properties - this writes fine to catalina.out:

# Handler specific properties.
# Describes specific configuration info for Handlers.

org.apache.catalina.realm.level = FINE
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = FINE
org.apache.catalina.authenticator.useParentHandlers = true


I did not see any org.apache.catalina.authenticator.juli.AsyncFileHandler
classes to do this - I need something like:

org.apache.catalina.authenticator.juli.AsyncFileHandler.prefix = authuser.


Thanks for any information on how to configure this.


-Larry 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
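One way to route these loggers to their own file with JULI, given here as an added example and not as anything from the thread: JULI identifies a handler by an arbitrary prefix in the handlers list (the prefix must start with a digit and end with a dot), and a logger is bound to a particular handler with a `<logger>.handlers` entry. The `5authn.` handler prefix, the `authuser.` file prefix and the FINE levels are constructed for this example; the first four handlers are the stock ones from Tomcat 8.0's default logging.properties. Setting useParentHandlers to false keeps the authenticator and realm messages out of catalina.out; leaving it true writes them to both places.

```properties
# Added example, not the poster's logging.properties. Assumes Tomcat 8.0.x
# JULI. The "5authn." handler prefix, the "authuser." file prefix and the
# levels are constructed; any prefix that starts with a digit and ends with
# a dot works. The first four handlers are Tomcat 8.0's stock ones.
handlers = 1catalina.org.apache.juli.AsyncFileHandler, \
           2localhost.org.apache.juli.AsyncFileHandler, \
           3manager.org.apache.juli.AsyncFileHandler, \
           4host-manager.org.apache.juli.AsyncFileHandler, \
           5authn.org.apache.juli.AsyncFileHandler, \
           java.util.logging.ConsoleHandler

# A fifth AsyncFileHandler instance that writes logs/authuser.<date>.log
5authn.org.apache.juli.AsyncFileHandler.level = FINE
5authn.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
5authn.org.apache.juli.AsyncFileHandler.prefix = authuser.

# Bind the authentication loggers to that handler. useParentHandlers = false
# keeps these messages out of catalina.out; set it to true to have them in both.
org.apache.catalina.authenticator.level = FINE
org.apache.catalina.authenticator.handlers = 5authn.org.apache.juli.AsyncFileHandler
org.apache.catalina.authenticator.useParentHandlers = false

org.apache.catalina.realm.level = FINE
org.apache.catalina.realm.handlers = 5authn.org.apache.juli.AsyncFileHandler
org.apache.catalina.realm.useParentHandlers = false
```

There is no org.apache.catalina.authenticator.juli.AsyncFileHandler class because JULI keys handler properties as `<handler prefix>.<class name>.<property>`; the class is always org.apache.juli.AsyncFileHandler and the logger package name is attached through the `.handlers` binding instead. Note that FINE-level authenticator output records the username being authenticated (the catalina.log excerpt later on this page shows a line of that form), so the new file should carry the same file permissions as catalina.out rather than being world-readable.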



RE: Tomcat Realm/LDAP - userRoles and Organization Unit name for authenticated users

2016-12-05 Thread Taylor, Larry
Hi Felix

If isUserInRole has enough information to make a determination about different
component accesses in the application, that would be sufficient; although what I
really need to know is what department or organizational unit they belong to
after authentication, in order to give them specific page component accesses.

Any help on this is appreciated. 




-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: Sunday, December 04, 2016 2:17 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat Realm/LDAP - userRoles and Organization Unit name for 
authenticated users

On 04.12.2016 at 08:04, Taylor, Larry wrote:
> Hello,
>
> For users that have authenticated from the Web Login page through Tomcat
> Realm LDAP configuration, is it possible to get the authenticated user's
> ou=Organizational Unit or Department name? And also what their role names
> are? I need this information to pass to a servlet or JSP page.
>
> I saw documentation about the java.security.Principal class but could not 
> find any documentation or examples on how to get this type of information 
> after users are authenticated.
>
> I am able to get the username with  ${pageContext.request.userPrincipal.name} 
> &  request.getRemoteUser(); but nothing about how to get the user's member 
> affiliations and roles.
The standard way to get the roles is to iterate over your expected roles and
ask for request.isUserInRole(role). The servlet spec has no API to directly get
a list of roles.

If you are willing to bind yourself to the implementation of JNDIRealm you 
could get the list of roles. But I don't recommend it, as that implementation 
is not guaranteed to stay stable.

Do you really need to get the list, or is isUserInRole enough?

Regards,
  Felix
>
> Any information or pointers on this is appreciated.
>
>
> 
> Larry Taylor
>
>
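As an added example, and not code from the thread, the servlet below implements the pattern Felix describes: it asks isUserInRole for each role the application knows about and hands the result to a JSP. The role names, the servlet path and the request attribute names are constructed for this example, and the Servlet spec expects each such role to be declared with a security-role element in web.xml. With JNDIRealm the role names come from the groups matched by roleSearch, so an OU or department decision can usually be expressed as an isUserInRole check by mapping the corresponding group to a role in the realm configuration, rather than by reading the OU from the Principal.

```java
// Added example, not code from the thread. Implements the approach from the
// reply: the Servlet API exposes no role list, so the application tests
// each role it knows about with request.isUserInRole(). Role names, the
// servlet path and the attribute names are constructed for this example.
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/whoami")
public class RoleLookupServlet extends HttpServlet {

    // Every role the application can grant. Each should also appear as a
    // <security-role> in web.xml; with JNDIRealm the names come from the
    // roleName attribute of the matching group entries (hypothetical names).
    private static final List<String> KNOWN_ROLES = Collections.unmodifiableList(
            Arrays.asList("scheduling-admin", "scheduling-operator", "scheduling-viewer"));

    /** Returns the subset of candidate roles the caller holds, in list order. */
    static Set<String> rolesFor(HttpServletRequest request, List<String> candidates) {
        if (request.getUserPrincipal() == null) {
            return Collections.emptySet(); // no authenticated user on this request
        }
        Set<String> held = new LinkedHashSet<>();
        for (String role : candidates) {
            if (request.isUserInRole(role)) {
                held.add(role);
            }
        }
        return held;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Set<String> roles = rolesFor(request, KNOWN_ROLES);
        // Hand the result to a view under /WEB-INF, so the JSP cannot be
        // requested directly and only renders what this servlet decided.
        request.setAttribute("userName", request.getRemoteUser());
        request.setAttribute("userRoles", roles);
        request.getRequestDispatcher("/WEB-INF/views/whoami.jsp").forward(request, response);
    }
}
```

In the JSP, `${userRoles}` then drives which page components render. A page can also call `${pageContext.request.isUserInRole('scheduling-admin')}` directly, but keeping the checks in the servlet puts the authorization decision in one place where it can be reviewed and logged.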








re: Tomcat Realm/LDAP - userRoles and Organization Unit name for authenticated users

2016-12-03 Thread Taylor, Larry
Hello,

For users that have authenticated from the Web Login page through Tomcat
Realm LDAP configuration, is it possible to get the authenticated user's
ou=Organizational Unit or Department name? And also what their role names
are? I need this information to pass to a servlet or JSP page.

I saw documentation about the java.security.Principal class but could not find 
any documentation or examples on how to get this type of information after 
users are authenticated.

I am able to get the username with  ${pageContext.request.userPrincipal.name} & 
 request.getRemoteUser(); but nothing about how to get the user's member 
affiliations and roles.

Any information or pointers on this is appreciated.



Larry Taylor



Recall: re: Tomcat with LDAP help

2016-11-29 Thread Taylor, Larry
Taylor, Larry would like to recall the message, "re: Tomcat with LDAP help".



re: Tomcat with LDAP help

2016-11-29 Thread Taylor, Larry
Hello,

I need some assistance with Tomcat and LDAP authentication. After trying many
different server.xml realm configuration settings I was finally able to get
connectivity to our LDAP server from Tomcat 8.0.9, but this is still not
authenticating any users.

From the following configurations, can anyone tell if something is possibly
missing or incorrect in syntax? I am new to Tomcat/LDAP setup and not sure what
could be the issue here.

My server.xml settings:

ldap://ldaphostname.com:389;
 alternateURL="ldap://ldaphostname2.visa.com:389;
   userPattern="cn={0},dc=companyname,dc=com"
  roleBase="Ou=Groups,dc=companyname,dc=com"
  roleName="cn"
roleSearch="(Users={0})"
roleSubtree="true" />


webapp/WEB-INF/web.xml settings:

http://java.sun.com/j2ee/dtds/web-app_2_2.dtd;>
http://java.sun.com/xml/ns/javaee; 
xsi="http://www.w3.org/2001/XMLSchema-instance; 
schemalocation="http://java.sun.com/xml/ns/javaee 
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">


index.jsp



  SecurityConstraint

 scheduling
   /*

   
   Groups


  CONFIDENTIAL



  
  FORM
  
  /login.jsp
  /error.jsp
  
  
 
 *





The catalina.log result after attempts to log in to the Tomcat web application:



29-Nov-2016 21:48:44.957 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandler ["ajp-nio-8009"]
29-Nov-2016 21:48:44.966 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandler ["http-bio-443"]
29-Nov-2016 21:48:45.010 INFO [main] 
com.visa.tcserver.properties.SystemPropertiesExporter.lifecycleEvent Effective 
Properties written to 
/opt/webdev/apache-tomcat-8.0.9/conf/effectiveProperties.xml
29-Nov-2016 21:48:45.011 INFO [main] org.apache.catalina.startup.Catalina.start 
Server startup in 29076 ms
29-Nov-2016 21:48:49.225 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking 
request GET /scheduling/
29-Nov-2016 21:48:49.230 FINE [http-bio-443-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking 
constraint 'SecurityConstraint[scheduling]' against GET /index.jsp --> true
29-Nov-2016 21:48:49.231 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling 
hasUserDataPermission()
29-Nov-2016 21:48:49.233 FINE [http-bio-443-exec-1] 
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data 
constraint already satisfied
29-Nov-2016 21:48:49.233 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling 
authenticate()
29-Nov-2016 21:48:49.242 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.FormAuthenticator.authenticate Save request 
in session '21072264578E08ED6F1B38591CDDA9F3'
29-Nov-2016 21:48:49.249 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage 
Forwarding request for [/scheduling/] made with method [GET] to login page 
[/login.jsp] of context [/scheduling] using request method GET
29-Nov-2016 21:48:49.295 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed 
authenticate() test
29-Nov-2016 21:49:01.631 FINE [http-bio-443-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking 
request POST /scheduling/j_security_check
29-Nov-2016 21:49:01.636 FINE [http-bio-443-exec-2] 
org.apache.catalina.authenticator.FormAuthenticator.authenticate Authenticating 
username 'hitaylor'
29-Nov-2016 21:49:01.704 FINE [http-bio-443-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed 
authenticate() test ??/scheduling/j_security_check




Login.jsp




VISA


CSO Operations

Job Scheduling Panel Login

">
UserName

Password




  


The effectiveProperties.xml file shows the following:



false
strict
ldap://visaldapocc.visa.com:389
null
org.apache.catalina.realm.JNDIRealm
null
cn=Users,dc=visa,dc=com

5000
ldap://visadcocc.visa.com:389
com.sun.jndi.ldap.LdapCtxFactory
null
null
org.apache.catalina.realm.JNDIRealm
null
/realm0
null
Ou=Groups,dc=visa,dc=com
cn
false
(Users={0})
true
STARTED


cn={0},dc=visa,dc=com
null
null
false
true



Thanks for any information or pointers on this.


Larry Taylor
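For contrast with the settings above, here is an added JNDIRealm example that is not the poster's configuration. It shows the search-based user lookup that JNDIRealm supports alongside the userPattern approach. Hostnames, DNs, the bind account and its password are placeholders, and the sAMAccountName and member attributes are an assumption of an Active Directory style tree where user entries sit under cn=Users and group entries list their members by DN.

```xml
<!-- Added example, not the poster's server.xml. Hostnames, DNs, the bind
     account and its password are placeholders; the sAMAccountName and member
     attributes assume an Active Directory style tree. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap1.example.com:389"
       alternateURL="ldap://ldap2.example.com:389"
       connectionName="cn=tomcat-bind,cn=Users,dc=example,dc=com"
       connectionPassword="REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
       userBase="cn=Users,dc=example,dc=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="ou=Groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
```

The two lookup styles differ in what Tomcat binds with. With userPattern, JNDIRealm substitutes the submitted username into the template and tries to bind as that exact DN with the submitted password, so the template has to produce the entry's real DN. With userBase and userSearch, it first binds with connectionName and connectionPassword, searches for the entry, and then binds as the DN it found to check the password. In roleSearch, {0} is replaced with the user's DN and {1} with the username, which is why a group object that lists members by DN is matched with (member={0}). Two defensive points apply to either style: a plain ldap:// URL on port 389 carries the bind passwords in clear text across the network, so an ldaps:// URL is preferable wherever the directory offers it, and connectionPassword sits in server.xml in clear text, so that file needs the same access restrictions as any other credential store.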



re: Tomcat 9 Java version required

2016-05-02 Thread Taylor, Larry

Hi,

I downloaded and configured Tomcat 9  - what version of Java does this version 
require?

I have installed:
java version "1.7.0_95"
OpenJDK Runtime Environment (rhel-2.6.4.0.el6_7-x86_64 u95-b00)
OpenJDK 64-Bit Server VM (build 24.95-b01, mixed mode)



With:



JRE_HOME=/usr/mware/jdk1.7.0_17/jre



My OS is:  Red Hat Enterprise Linux Server release 6.5 (Santiago) 64bit

On startup.sh I am now getting:

Exception in thread "main" java.lang.UnsupportedClassVersionError: 
org/apache/catalina/startup/Bootstrap : Unsupported major.minor version 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at 
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)

thanks for any information.

Larry Taylor




RE: Apache Tomcat Vulnerabilities

2016-04-28 Thread Taylor, Larry
Thanks André.

If we upgrade, we will bump up to Tomcat 9 if this is a stable release.

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, April 28, 2016 1:24 PM
To: users@tomcat.apache.org
Subject: Re: Apache Tomcat Vulnerabilities

On 28.04.2016 21:48, Taylor, Larry wrote:
> Hello,
>
> I am using Tomcat Version: apache-tomcat-7.0.50

That version dates back to 2014.
The latest version in that branch is 7.0.69. See:
http://tomcat.apache.org/download-70.cgi

> OS: Red Hat Enterprise Linux Server release 6.5 (Santiago) 64bit
>
> Issue:  There were 2 vulnerabilities found and need to know if there 
> are configurations or patches available

Maybe, see above.
The Tomcat project does not provide any patches. It is recommended instead to
download and install the latest version.
See: http://tomcat.apache.org/security.html

Please upgrade to the latest version, and report again if the vulnerabilities 
which you mention are still there.

If you wish, you can also check the ChangeLog
(http://tomcat.apache.org/tomcat-7.0-doc/changelog.html) between version 7.0.50 
and 7.0.69, to see if you find something related to your enquiry.











re: Apache Tomcat Vulnerabilities

2016-04-28 Thread Taylor, Larry
Hello,

I am using Tomcat Version: apache-tomcat-7.0.50
OS: Red Hat Enterprise Linux Server release 6.5 (Santiago) 64bit

Issue: There were 2 vulnerabilities found, and I need to know if there are
configurations or patches available to resolve these.


1. Tomcat was configured to use SSL (https). It was found that an input
validation vulnerability exists.

The error is due to improper filtering of HTTP requests, which could allow
users to conduct request attacks.



In server.xml these are enabled:
...
  




...




To prevent and restrict user redirection of https pages, the following solution
was also added, and I thought this may resolve this vulnerability.
In /webapps/WEB-INF/web.xml - does this web.xml update verify remediation of
this vulnerability issue? Or is there another solution that I should use?

WEB-INF/web.xml:

 
 HTTPSOnly
 /*
 
 
 CONFIDENTIAL
 
 
 
 
 HTTPSOrHTTP
 *.ico
 /img/*
 /css/*
 
 
 NONE
 
 





2. We are using Samba and NetBIOS access through Tomcat to auto-detect
Windows usernames internally. I am using the jcifs.jar in the Tomcat lib to do
this, which identifies the user's Windows username for a web application.

a. Is there a configuration we could use instead to remediate this
vulnerability reported in Tomcat 7?

b. Or would upgrading to Tomcat version 9 eliminate these 2
vulnerabilities?



Example of what was found:

Vulnerability Title: 1. Apache Tomcat Input Validation Security Bypass Vulnerability
Result: Apache Tomcat Input Validation Security Bypass Vulnerability detected on
8443 port. Apache Tomcat/7.0.50 - Error report. Apache Tomcat Input Validation
Security Bypass Vulnerability detected on 8080 port.

Vulnerability Title: 2. Null Session/Password NetBIOS Access



Thanks for any information


Larry Taylor