RE: Tomcat 7 JNDI Realm credential password update availability

2015-05-14 Thread John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
So you're saying the change via JMX would update the in-memory representation of
the server.xml conf, and be using the updated credentials, but
if and when restarted it would use the credentials present in the actual
server.xml?

-John 

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, May 13, 2015 1:28 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 JNDI Realm credential password update availability


Mark,

On 5/13/15 2:45 PM, Mark Thomas wrote:
> On 13/05/2015 19:13, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
> INFORMATION INC at Cisco) wrote:
>> Hello,
>>
>> We have a Tomcat 7 server running on Linux that must use LDAP over
>> SSL to connect to an AD server for user authentication.
>> This configuration we have working. The issue is the credentials used
>> to connect to the AD server must have the password updated every 180
>> days, and therefore updated in the JNDI Realm configuration. Is there
>> a way to update the password in server.xml that would allow it to be
>> recognized as changed without restarting the Tomcat server? Or some
>> other configuration, whatever it may be, that would achieve this. The
>> goal is to update the password and have it recognized as updated with
>> no down time for the application running on the server.
>>
>> Any thoughts would be appreciated.
>
> server.xml changes require a restart. Can you update it via JMX as
> well? (That should work but I am going from memory rather than testing
> it / looking at the source).

From *my* memory, modifying things that come from server.xml via JMX often
does nothing, because the component itself doesn't get re-initialized. You
basically just change the in-memory representation of the configuration, but
the component (Realm, in this case), just keeps doing what it was doing.

A good example is the Connectors, though in that case, the Connector is 
just configuration that gets used to generate a
Protocol+Endpoint so maybe I'm just thinking of this special case.

Ultimately, JMX is the *right* way to do this, provided that the Realm notices 
that the configuration has changed and actually uses that configuration.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





RE: Tomcat 7 JNDI Realm credential password update availability

2015-05-14 Thread Caldarale, Charles R
> From: John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
> [mailto:jbeau...@cisco.com]
> Subject: RE: Tomcat 7 JNDI Realm credential password update availability
>
> So you're saying the change via JMX would update the in-memory representation of
> the server.xml conf, and be using the updated credentials, but if and when
> restarted it would use the credentials present in the actual server.xml?

Partially correct.  The update via JMX would modify the in-memory fields, but 
the Realm might not notice the update and would continue to use older 
credentials and connections based on those (need to review the code).  If 
Tomcat is restarted, it would use whatever is in server.xml at that time; 
updating via JMX does not rewrite the server.xml file.

 - Chuck




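Mark's JMX suggestion and Chuck's caveat, made concrete as an added example for this thread (not Tomcat code and not code from any of the posters): a stand-alone JMX client that finds every Realm MBean under the Catalina domain and sets its connectionPassword attribute. It assumes Tomcat 7 was started with remote JMX enabled (the com.sun.management.jmxremote.* system properties or the JmxRemoteLifecycleListener); the service URL, the JMX credentials and the query pattern Catalina:type=Realm,* are assumptions made here, while connectionName and connectionPassword are the attribute names Tomcat's MBean descriptors expose for JNDIRealm.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.management.Attribute;
import javax.management.AttributeNotFoundException;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Rotates the LDAP bind password held by Tomcat's JNDIRealm MBean(s) over
 * remote JMX. Added example for this thread; not Tomcat code.
 *
 * Usage (every value below is a placeholder):
 *   java SetRealmPassword service:jmx:rmi:///jndi/rmi://tomcat-host:9010/jmxrmi \
 *        jmxadmin 'jmx-password' 'new-ldap-bind-password'
 */
public class SetRealmPassword {

    // Tomcat registers each Realm under the Catalina domain with type=Realm;
    // the remaining key properties (host, context, realmPath) depend on where
    // the Realm is declared, so they are matched with a wildcard. Assumed pattern.
    private static final String REALM_QUERY = "Catalina:type=Realm,*";

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SetRealmPassword <jmx-service-url> <jmx-user> <jmx-password> <new-ldap-password>");
            System.exit(2);
        }
        String newLdapPassword = args[3];

        // JMX authentication: the connector expects a String[]{user, password}.
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { args[1], args[2] });

        try (JMXConnector jmxc = JMXConnectorFactory.connect(new JMXServiceURL(args[0]), env)) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
            Set<ObjectName> realms = mbsc.queryNames(new ObjectName(REALM_QUERY), null);

            int updated = 0;
            for (ObjectName realm : realms) {
                String bindDn;
                try {
                    // Only JNDIRealm exposes connectionName; a LockOutRealm or
                    // UserDatabaseRealm does not, so skip those.
                    bindDn = (String) mbsc.getAttribute(realm, "connectionName");
                } catch (AttributeNotFoundException e) {
                    continue;
                }
                // This writes the in-memory field only; server.xml on disk is untouched.
                mbsc.setAttribute(realm, new Attribute("connectionPassword", newLdapPassword));
                System.out.println("Set connectionPassword on " + realm + " (bind DN " + bindDn + ")");
                updated++;
            }
            if (updated == 0) {
                System.err.println("No JNDIRealm MBean found under " + REALM_QUERY + "; nothing changed");
                System.exit(1);
            }
        }
    }
}
```

Two things the thread already implies and a practitioner should act on. First, as Chuck says, this changes the field, not the file: edit server.xml as well, or the next restart binds with the old password. Whether the running Realm's existing LDAP connection keeps using the old bind is the open question in the thread, so check with a test login afterwards and, if possible, with the bind events for the service account on the AD side. Second, the new password crosses the JMX connection and the old one is readable through getAttribute by anyone with JMX access, so keep com.sun.management.jmxremote.authenticate on and enable jmxremote.ssl (or restrict the port to a management network).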



Re: Tomcat 7 JNDI Realm credential password update availability

2015-05-14 Thread PÉNET LUDOVIC

John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
wrote:
> Hello,
>
> We have a Tomcat 7 server running on Linux that must use LDAP over SSL to
> connect to an AD server for user authentication. This configuration we have
> working. The issue is the credentials used to connect to the AD server must
> have the password updated every 180 days, and therefore updated in the JNDI
> Realm configuration. Is there a way to update the password in server.xml
> that would allow it to be recognized as changed without restarting the
> Tomcat server? Or some other configuration, whatever it may be, that would
> achieve this. The goal is to update the password and have it recognized as
> updated with no down time for the application running on the server.

I use the following solution in a production system:
* derive your own, custom MyRealm class from JNDIRealm. You will typically
have to put it in the same package (org.apache.catalina.realm) to get
access to some base methods and attributes.
* overload key methods, such as authenticate and getRoles to perform your
configuration tweaking before forwarding to the base methods.
* tweaking typically includes checking the last modification date of a
configuration file holding required info, reloading it and applying new
config only on change.
* use MyRealm instead of realm in server configuration.

May sound a bit dirty but... works and takes less than 100 lines of code.
And avoids rewriting everything from scratch.

Hope this helps,

Ludovic



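Ludovic's approach above, written out as an added example for this thread (not Ludovic's code and not Tomcat's): a JNDIRealm subclass that re-reads the bind credentials from a properties file whenever that file's modification time changes, then drops the directory context bound with the old password so the next open() binds with the new one. It is written against the Tomcat 7 JNDIRealm API (setConnectionName/setConnectionPassword, the protected context field and close(DirContext)); Tomcat 8.5 and later replaced the single context with a connection pool and a different close() signature, so it does not apply there unchanged. The package name com.example.realm, the credentialsFile attribute and its default path, and the two property keys are assumptions made here; the class uses java.nio.file, so it needs Java 7 or later.

```java
package com.example.realm; // hypothetical package, see lead-in

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.Principal;
import java.util.Properties;

import org.apache.catalina.realm.JNDIRealm;

/**
 * JNDIRealm (Tomcat 7) that reloads the LDAP bind credentials from a
 * properties file when the file changes, so the AD service account password
 * can be rotated without restarting Tomcat. Added example; not Tomcat code.
 *
 * server.xml (attribute name is an assumption of this example):
 *   <Realm className="com.example.realm.ReloadingJNDIRealm"
 *          credentialsFile="/etc/tomcat7/ldap-bind.properties"
 *          connectionURL="ldaps://ad.example.internal:636" ... />
 *
 * The properties file holds two keys, connectionName and connectionPassword.
 */
public class ReloadingJNDIRealm extends JNDIRealm {

    /** Credentials file; Tomcat's digester calls setCredentialsFile() from server.xml. */
    private String credentialsFile = "/etc/tomcat7/ldap-bind.properties"; // assumed default

    /** Modification time of the file when it was last loaded successfully; null until then. */
    private FileTime loadedAt = null;

    public String getCredentialsFile() {
        return credentialsFile;
    }

    public void setCredentialsFile(String credentialsFile) {
        this.credentialsFile = credentialsFile;
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        reloadCredentialsIfChanged();
        // The base authenticate() looks the user up, checks the password and
        // resolves roles on the same directory context, so refreshing the
        // credentials here also covers the role lookup.
        return super.authenticate(username, credentials);
    }

    /** Re-reads the file only when its mtime differs from the last load. */
    private synchronized void reloadCredentialsIfChanged() {
        Path path = Paths.get(credentialsFile);
        FileTime mtime;
        try {
            mtime = Files.getLastModifiedTime(path);
        } catch (IOException e) {
            containerLog.warn("Cannot stat " + path + "; keeping current LDAP credentials", e);
            return;
        }
        if (mtime.equals(loadedAt)) {
            return; // unchanged since the last load
        }

        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        } catch (IOException e) {
            containerLog.warn("Cannot read " + path + "; keeping current LDAP credentials", e);
            return;
        }
        String name = props.getProperty("connectionName");
        String password = props.getProperty("connectionPassword");
        if (name == null || password == null) {
            containerLog.warn(path + " must define connectionName and connectionPassword; keeping current credentials");
            return;
        }

        // Update the fields the base class reads when it builds the JNDI
        // environment for a new directory context ...
        setConnectionName(name);
        setConnectionPassword(password);
        // ... and close the context that is bound with the old password, so the
        // next open() inside authenticate() binds with the new one.
        close(context);

        loadedAt = mtime;
        containerLog.info("Reloaded LDAP bind credentials from " + path);
    }
}
```

The credentials file carries the same secret server.xml did; it just moves it into a file that can change without a restart, so it belongs to the tomcat user with mode 0600. Replace it atomically (write a temporary file in the same directory, then mv it over the old one) so the mtime check never sees a half-written file and falls back to keeping the current credentials. Because the secret is still a password on disk, André's point in the thread stands: a service account whose password does not expire removes the rotation problem rather than automating it.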



Re: Tomcat 7 JNDI Realm credential password update availability

2015-05-13 Thread Mark Thomas
On 13/05/2015 19:13, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> Hello,
>
> We have a Tomcat 7 server running on Linux that must use LDAP over SSL to
> connect to an AD server for user authentication. This configuration we have
> working. The issue is the credentials used to connect to the AD server must
> have the password updated every 180 days, and therefore updated in the JNDI
> Realm configuration. Is there a way to update the password in server.xml
> that would allow it to be recognized as changed without restarting the
> Tomcat server? Or some other configuration, whatever it may be, that would
> achieve this. The goal is to update the password and have it recognized as
> updated with no down time for the application running on the server.
>
> Any thoughts would be appreciated.

server.xml changes require a restart. Can you update it via JMX as well?
(That should work but I am going from memory rather than testing it /
looking at the source).

Mark





Re: Tomcat 7 JNDI Realm credential password update availability

2015-05-13 Thread Christopher Schultz

Mark,

On 5/13/15 2:45 PM, Mark Thomas wrote:
> On 13/05/2015 19:13, John Beaulaurier -X (jbeaulau - ADVANCED
> NETWORK INFORMATION INC at Cisco) wrote:
>> Hello,
>>
>> We have a Tomcat 7 server running on Linux that must use LDAP
>> over SSL to connect to an AD server for user authentication.
>> This configuration we have working. The issue is the credentials
>> used to connect to the AD server must have the password updated
>> every 180 days, and therefore updated in the JNDI Realm
>> configuration. Is there a way to update the password in
>> server.xml that would allow it to be recognized as changed
>> without restarting the Tomcat server? Or some other configuration,
>> whatever it may be, that would achieve this. The goal is to
>> update the password and have it recognized as updated with no
>> down time for the application running on the server.
>>
>> Any thoughts would be appreciated.
>
> server.xml changes require a restart. Can you update it via JMX as
> well? (That should work but I am going from memory rather than
> testing it / looking at the source).

From *my* memory, modifying things that come from server.xml via JMX
often does nothing, because the component itself doesn't get
re-initialized. You basically just change the in-memory representation
of the configuration, but the component (Realm, in this case), just
keeps doing what it was doing.

A good example is the Connectors, though in that case, the
Connector is just configuration that gets used to generate a
Protocol+Endpoint so maybe I'm just thinking of this special case.

Ultimately, JMX is the *right* way to do this, provided that the Realm
notices that the configuration has changed and actually uses that
configuration.

-chris




Re: Tomcat 7 JNDI Realm credential password update availability

2015-05-13 Thread André Warnier

John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) 
wrote:

> Hello,
>
> We have a Tomcat 7 server running on Linux that must use LDAP over SSL to
> connect to an AD server for user authentication. This configuration we have
> working. The issue is the credentials used to connect to the AD server must
> have the password updated every 180 days, and therefore updated in the JNDI
> Realm configuration. Is there a way to update the password in server.xml
> that would allow it to be recognized as changed without restarting the
> Tomcat server? Or some other configuration, whatever it may be, that would
> achieve this. The goal is to update the password and have it recognized as
> updated with no down time for the application running on the server.
>
> Any thoughts would be appreciated.


The real issue there is that the password must be updated every 180 days.
That means that to connect to the AD server, you are probably using a normal user
account, to which this kind of policy applies.
You should probably request a special service account, of which the password does not
expire.
Yes, such a service account is probably harder to get, and you will probably have to go
through some administrative burdens to get it, but that is the right way to run your
Tomcat, which is a service, and which should not be subjected to the same kind of
policies as a normal user.



Tomcat 7 JNDI Realm credential password update availability

2015-05-13 Thread John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
Hello,

We have a Tomcat 7 server running on Linux that must use LDAP over SSL to
connect to an AD server for user authentication. This configuration we have
working. The issue is the credentials used to connect to the AD server must
have the password updated every 180 days, and therefore updated in the JNDI
Realm configuration. Is there a way to update the password in server.xml that
would allow it to be recognized as changed without restarting the Tomcat
server? Or some other configuration, whatever it may be, that would achieve
this. The goal is to update the password and have it recognized as updated
with no down time for the application running on the server.

Any thoughts would be appreciated.
Thanks
-John