I've setup up a Security Realm in Glassfish to authenticate against an Active Directory server. The configuration of the realm is as follows:
Class Name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
JAAS context: ldapRealm
Directory: ldap://172.16.76.10:389/
Base DN: dc=smallbusiness,dc=local
search-filter: (&(objectClass=user)(sAMAccountName=%s))
group-search-filter: (&(objectClass=group)(member=%d))
search-bind-dn: cN=Administrator,CN=Users,dc=smallbusiness,dc=local
search-bind-password: abcd1234!
The realm is functional and I can log-in, but when ever I log in I get the following error in the log:
SEC1106: Error during LDAP search with filter [(&(objectClass=group)(member=CN=Administrator,CN=Users,dc=smallbusiness,dc=local))].
SEC1000: Caught exception.
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=smallbusiness,dc=local'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
....
....
ldaplm.searcherror
While searching for a solution I found that it was recommended to add java.naming.referral=follow to the properties of the realm. However, after I add this it takes 20 minutes for GlassFish to authenticate against Active Directory. I suspect it is a DNS problem on the Active Directory server. The Active Directory server is a vanilla Windows Server 2003 setup in a Virtual Machine.
Any help/recommendation is highly appreciated!
This is the configuration I use in my domain.xml file, it might be of some interrest to you :
<auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="ldapRealm">
<property name="search-bind-password" value="Demodemo01"/>
<property name="search-bind-dn" value="Administrator"/>
<property name="search-filter" value="(&(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"/>
<property name="group-search-filter" value="(&(objectClass=group)(member=%d))"/>
<property name="jaas-context" value="ldapRealm"/>
<property name="base-dn" value="CN=Users,DC=saierp,DC=net"/>
<property name="directory" value="ldap://192.168.1.38:389"/>
</auth-realm>
Specially, make sure to add the userAccountControl to your filter, otherwise, disabled accounts in AD will be allowed to connect.
This was maddening trying to solve this... Glassfish 3.0.1 trying to connect with Windows, and getting the above error.
I'm not a Windows or LDAP whiz at all... but finally found this:
http://forum.springsource.org/showthread.php?t=87673
And the very last line is the key: use the "Global Catalog Port" - instead of 389, it is 3268 by default. And the exception disappears.
Why?
Who cares?
(well, ok, I'm going to read about it now.)
Hopefully, you've resolved this, but just in case:
I used 'objectCategory' in place of 'objectClass' as I read the former are indexed, hence faster.
I had to add this property:
property name="assign-groups" value="Domain Users"
where "Domain Users" is the group in AD that all of our users are placed into. This must match the value in sun-web.xml for security-role-mapping.
Later, I was able to create a specific group for this application and make the appropriate changes.
Related
We've recently migrated a Spring REST application from Wildfly 15.0.1.Final to Wildfly 21.0.0.Final which apparently introduced an issue with GET requests: whenever we have a | (pipe) character in the query parameter string of the GET request, the request returns no response and we get ERR_HTTP2_PROTOCOL_ERROR.
I know that '|' (pipe) character is unsafe according to the RFC1738 specification of HTTP, while RFC3986 allows for the encoding of Unicode characters.
I would like this to keep working though, as we have external clients sending requests with | character in the query parameter, and currently if we would move to the current Wildfly 21 config, those requests would fail.
The same configuration was working fine on Wildfly 15.0.1.Final.
I have these in standalone.xml with no avail:
<system-properties>
<property name="org.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
<property name="org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>
</system-properties>
<http-listener name="default" socket-binding="http" allow-unescaped-characters-in-url="true" redirect-socket="https" enable-http2="true" url-charset="UTF-8" />
<https-listener name="https" socket-binding="https" max-post-size="1048576000" allow-unescaped-characters-in-url="true" ssl-context="LocalhostSslContext" enable-http2="true" url-charset="UTF-8" />
...and this in standalone.conf.bat:
set "JAVA_OPTS=%JAVA_OPTS% -Dorg.apache.catalina.connector.URI_ENCODING=UTF-8"
The very same code on the very same VM, with (migrated) config works fine on Wildfly 15.0.1.Final but throws the ERR_HTTP2_PROTOCOL_ERROR in Wildfly 21.0.0.Final whenever I have a | in the request. In these cases it looks like the request is not even hitting my breakpoints.
I can programmatically do a dirty fix by URL encoding all | in our $.ajaxSetup, but this only fixes requests originating from the server itself, and not requests that are coming externally with | in their GET request query params.
The dirty (and insufficient) fix:
$.ajaxSetup({
beforeSend: function (jqXHR, settings) {
settings.url = settings.url.replace(/\|\|/g, "%7C%7C");
}
});
Has anyone encountered this issue?
Full standalone.xml (with sensitivre info masked) here.
EDIT: In the meantime I noticed that this issue only happens when I hit endpoints defined in Windows hosts file. When I go through our company's load balancer, it works fine.
So e.g. http://localhost.myproduct.com is not working from SERVER1 if 127.0.0.1 localhost.myproduct.com is in hosts file, but https://server1.myproduct.com that hits the very same server works fine, if the endpoint is routed through the load balancer.
I saw a few related postings around this time, all of which seem to have gone unanswered.
I've also encountered a similar issue with Wildfly 23.0.0.Final, which was a problem with http/2 handling - there is a fix for that: UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL has no effect for HTTP/2, but as of this reply AFAIK is not yet released in a Wildfly build.
Setting enable-http2="false" on the listeners - while not ideal - worked around the problem for me.
It could be that your load balancer is doing http/1.1 on the backend which would be why you don't encounter the problem when routing through it.
I have a problem communicating with Kafka secured with sasl using console scripts. Kafka is secured with sasl, listener is SASL_PLAINTEXT and mechanism is PLAIN.
What I did:
I tried listing some data using one of kafka scripts:
bin/kafka-consumer-groups.sh --bootstrap-server (address) --list
However I get
WARN Bootstrap broker (address) disconnected (org.apache.kafka.clients.NetworkClient)
and command fails, which is understandable because it's secured with sasl.
So I tried how to add client username/password to that command.
First, I tried to run kafka-console-consumer script, I used --command-config to add necessary file. I quickly discovered that I can't add jaas file directly and I needed to use .properties file, so I did.
My properties file(keep in mind that brackets indicate "censored" data, I can't put all real data here):
bootstrap.servers=(address)
zookeeper.connect=127.0.0.1:2181
zookeeper.connection.timeout.ms=6000
sasl.jaas.config=(path)/consumer_jaas.conf
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
group.id=(group)
My jaas file:
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username=(username)
password=(password);
};
This jaas file works in my standard java applications.
However, when I'm trying to run either kafka-consumer-groups script or kafka-console-consumer, I get this error:
Exception in thread "main" org.apache.kafka.common.KafkaException: java.lang.IllegalArgumentException: Login module not specified in JAAS config
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:94)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:93)
at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:51)
at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:84)
at kafka.admin.AdminClient$.create(AdminClient.scala:229)
at kafka.admin.AdminClient$.create(AdminClient.scala:223)
at kafka.admin.AdminClient$.create(AdminClient.scala:221)
at kafka.admin.ConsumerGroupCommand$KafkaConsumerGroupService.createAdminClient(ConsumerGroupCommand.scala:454)
at kafka.admin.ConsumerGroupCommand$KafkaConsumerGroupService.<init>(ConsumerGroupCommand.scala:389)
at kafka.admin.ConsumerGroupCommand$.main(ConsumerGroupCommand.scala:65)
at kafka.admin.ConsumerGroupCommand.main(ConsumerGroupCommand.scala)
Caused by: java.lang.IllegalArgumentException: Login module not specified in JAAS config
at org.apache.kafka.common.security.JaasConfig.<init>(JaasConfig.java:68)
at org.apache.kafka.common.security.JaasUtils.jaasConfig(JaasUtils.java:59)
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:85)
This jaas file is a direct copy of a file that I'm using in java app that communicates with kafka and it works, however here, using console tools, it just doesn't work. I tried searching for a solution but I can't find anything useful.
Can anyone help me with this?
There are 2 ways to provide the JAAS configuration to the Kafka clients.
Via the client property: sasl.jaas.config. In that case you set it to the actual JAAS configuration entry. For example, your configuration file becomes:
bootstrap.servers=(address)
zookeeper.connect=127.0.0.1:2181
zookeeper.connection.timeout.ms=6000
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="(username)" password="(password)";
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
group.id=(group)
As you've already figured out, you can use --command-config to pass a properties file to kafka-consumer-groups.sh.
Via the Java property: java.security.auth.login.config. In this case, you set it to the path of your JAAS file. Also if you set it in KAFKA_OPTS, kafka-consumer-groups.sh will pick it up automatically.
export KAFKA_OPTS="-Djava.security.auth.login.config=(path)/consumer_jaas.conf"
I am developing a web based application using GlassFish 4 server. Today i got the following exception:
WARNING: GRIZZLY0173: More than the maximum number of request parameters (GET plus POST) for a single request ([10 000]) were detected. Any parameters beyond this limit have been ignored. To change this limit, set the maxParameterCount attribute on the Connector.
This means that when i did a post request to the server i sent more than the currently maximum allowed request parameters so i have to increace the value.
Anyone knows how this can be configured in case of GlassFish 4.
P.S. I dont want to decomplice the source files and change some value. I want to do it thought some xml configuration or throught the server administration console.
In GlassFish 4 you can change the setting max-request-parameters with the asadmin command-line utility:
asadmin set server.network-config.protocols.protocol.http-listener-1.http.max-request-parameters=10001
or manually in the domain.xml:
<protocols>
<protocol name="http-listener-1">
<http max-request-parameters="10001" max-connections="250"
default-virtual-server="server">
<file-cache></file-cache>
</http>
</protocol>
// more protocols...
<protocols>
Add the param max-request-parameters if it doesn't exist. Make sure to use the correct http-listener.
I just installed MySql Community Server, and I have a MySql Connection called mysqlserver. I created a schema called library, with some tables. Everything seems fine with the database, but when I try to generate bean classes with hibernate reverse engineering from Eclipse, I am getting this error:
org.hibernate.exception.SQLGrammarException: Getting database metadata
Getting database metadata
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown database 'mysqlserver'
Unknown database 'mysqlserver'
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown database 'mysqlserver'
Unknown database 'mysqlserver'
The interesting thing is that my tables are fetching, so I can see them from Eclipse, but the error is still here while trying to generate classes.
My guess was that the problem is with my url, but how are tables fetched then:
<property name="hibernate.connection.driver_class">com.mysql.jdbc.Driver</property>
<property name="hibernate.connection.password">mypassword</property>
<property name="hibernate.connection.url">jdbc:mysql://localhost:3306/library</property>
<property name="hibernate.connection.username">root</property>
<property name="hibernate.dialect">org.hibernate.dialect.MySQLDialect</property>
I do not get it how can mysqlserver be unknown database, when I specified that my database is library. I lost hours while trying to google it, and still nothing. Can anyone help me with this please?
Now, I am experiencing a new problem - I cannot start the server any more. I stopped it yesterday, and tried to start it now, it just won't start any more. The server log says:
Could not open error log file: [Errno 2] No such file or directory: 'SAMS-PC.err'
2014-02-06 13:10:32 - Status check of service 'MySQL56' returned stopped
2014-02-06 13:10:32 - Starting server...
2014-02-06 13:10:34 - Status check of service 'MySQL56' returned stopped
2014-02-06 13:10:34 - Server start done.
2014-02-06 13:10:34 - Status check of service 'MySQL56' returned stopped
Your jdbc string should be
hibernate.connection.url = jdbc:mysql://localhost:3306/mysqlserver
hibernate.default_schema = library
you schema is library, you database name mysqlserver.
I resolved the last issue, with starting the server from console. I don't know why MySql workbench didn't start it, but I will be satisfied with this solution for now. Later the server stopped working again, and so on... So, I concluded that I do not like MySql very much.
I solved the original problem, too. The problem was something unrelated to hibernate configuration - I forgot to create a .reveng.xml file. Embarrassing...
Anyway, thank you for willingness to help.
I've installed the MS SQL Server 2008 and I want to use it in a Java project with Struts.
Unfortunately I cannot configure it in Java. I am using the Windows authentication for MsSql. Is that possible?
My beans.xml file looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
"http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDriver" />
<!-- S2-Install-Start: INSERT DB SERVER HERE -->
<property name="url" value="jdbc:sqlserver://localhost:1433;DatabaseName=MyDatabase" />
S2-Install-End:
<property name="username" value="Stefana\Steffi" />
S2-Install-Start: INSERT DB PASSWORD HERE
<property name="password" value="" />
S2-Install-End:
</bean>
I don't know what should I write in the user and password fields? When I connect to the Ms Sql Server, I get the following:
Servertype: DatabaseEngine
Servername: Stefana\SQLEXPRESS
Authentication: Windows Authentication
Username:Stefana\Steffi
Password:
You can use Windows authentication if you use the jTDS JDBC Driver for SQL Server. The jTDS driver is free, open source and generally more powerful than the official Microsoft one.
If you include the jTDS jar in your project, I believe this datasource URL should work:
jdbc:jtds://localhost:1433/MyDatabase;domain=Stefana
Because you're running on Windows the jTDS driver is capable of using a native library to automatically log you in with your current credentials. However it's usually a better idea to explicitly specify the username and password, because that way your web app won't behave differently depending on who starts it up.
Note also that SQL Server 2008 probably won't have TCP connections enabled by default. Unless you turn that on you won't be able to connect with either the Microsoft driver or the jTDS one.
To enable TCP connections:
Open Sql Server Configuration Manager (it should be on your Start menu)
In the tree on the left, navigate to SQL Server Network Configuration then Protocols for MSSQLSERVER
You should see TCP/IP in the list of protocols.
If its status is Disabled then double-click it, and change the Enabled option to Yes and click OK
You now need to restart SQL Server. Navigate to the SQL Server Services item
Right-click on SQL Server (MSSQLSERVER) in the list of services
Choose Restart
You should now be able to connect to SQL Server from your Java web app
This is not the right thing to do.
Do you own that database? Your config says "localhost", so I'll assume yes. You should be using another username and password for your application from SQL Server, not Windows Authentication. I'd create a separate user just for this application. Give it access only to the application schema, and GRANT the minimum permissions necessary to accomplish its mission (e.g. no DELETE permission if not needed; no access to SYSTEM tables if not needed; no running stored procedures if not needed).
A better solution is to use a JNDI data source and not have passwords in plain text on your machine.
replace the property:
<property name="url" value="jdbc:sqlserver://localhost:1433;DatabaseName=MyDatabase" />
for:
<property name="url" value="jdbc:sqlserver://localhost:1433;DatabaseName=MyDatabase;" />
Done!!!