right now I have the following architecture built with classic asp and visual basic 6
I have a COM+ component developed in VB6 which connects to the dabatase. I set the DB conf thru an .udl file configured with integrated security.
At the web server (IIS) I register the componente with the com+ manager, and configure it to be run under an account name, something like mydomain\appAccount...
in sql 2005 I give the appropiate permissions the mydomain\appAccount
from asp, I just use the component with server.createobject...
I'd like to develop a similar solution with java, the question(s) is(are) the following:
is it possible?
how can I configure a domain account to connect to a sql server 2005 db?
where should I store the db conf? and where should I configure the domain account? in tomcat / jetty configuration?
I'd like the solution to be as simple and straight forward as possible (I'm trying to avoid things like glassfish or jboss)
well, thanks a lot...
What you'll need to do is make sure that the Tomcat JVM process is being executed by the user with the trusted connection to the database.
Then you'll need to configure the data source in Tomcat, per Bhushan's answer.
The following MSDN article details how you set up the data source to use integrated security:
http://msdn.microsoft.com/en-us/library/ms378428.aspx
So this is a real tough issue, and I'm going through the same problems right now. I haven't solved impersonation within an app server yet, but my team is getting close.
So far, we've been successful in Authenticating a user against a Domain Controller with Kerberos. Both the SourceForge SPNEGO and Spring Security Kerberos Extension have been very helpful in that regard. We have also been able to successful impersonate the process running a Java application when connecting to SQL Server. The real problem is impersonation via delegation, since it requires you to obtain a Kerberos ticket that can be delegated to another service. This is the issue we are currently working on.
If you are going to impersonate a user in SQL Server, you've got to do it using NTLM or Kerberos. Kerberos offers the best security, and to be quite honest, we haven't even bothered to try using NTLM. There are two JDBC drivers (that I know of) that will allow you to connect to SQL Server using a Domain account: jTDS and DataDirect JDBC. jTDS is a Type-2 JDBC driver, which means it relies on a native library to grab credentials for the user. jTDS will only impersonate the user running the process, and will not allow you to impersonate other accounts (also, it can only do this on Windows). The DataDirect driver (Commercial) is a Type-4 driver, which means it's a pure Java implementation (and will work on *nix). This is the driver we are using and its working great.
If I get a solution working, I'm going to post it because I think a lot of people in the community are hurting on this issue.
Good Luck!
Check this tomcat documentation about how to configure a datasource.
http://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource-examples-howto.html
Related
I am new to AWS world and still learning. It's been only a month that I am trying things.
I have been looking for it for quite a few days now and haven't been able to find a correct and more appropriate solution. Therefore it would be great if somebody can help me by giving a sample code, provide some pointer or guide in the right direction.
I have a AWS RDS MySQL instance and a database created. I have configured "IAM DB AUthentication Enabled" to "Yes".
Created an IAM Role and Policy as per AWS documentation.
And finally, I have an EC2 instance with Tomcat with my Java/Spring application deployed and running in it. I am able to access the MySQL database using database credentials (like db user name, password, db url, etc.) successfully. So I know things are setup properly now.
Can somebody please help me know how to connect to this database from my Java/Spring application using spring-jdbc and AWS IAM Authentication (the IAM role I created above)?
I read somewhere that I need the certificate file or certificate bundle file in my application environment and that I need to generate a token to be connected to the database. But I am not able to think on how to put it together.
Any help will be highly appreciated.
Thanks.
I had a similar problem recently.
This is what I did:
Included Spring Cloud AWS JDBC and Spring Data JPA
Implemented a custom DataSourceFactory, which generates an IAM access token and uses that for the connection
You can find a full step-by-step guide here.
Btw., Spring Cloud AWS JDBC provides some additional benefits, like read replica or failover support, and you only have to provide the instance ID of your RDS instance, and not the full canonical endpoint.
I know this is an older question, but after a some searching I found a pretty easy way you can now do this using the MariaDB driver. In version 2.5 they added an AWS IAM credential plugin to the driver. It will handle generating, caching and refreshing the token automatically.
I've tested using Spring Boot 2.3 with the default HikariCP connection pool and it is working fine for me with these settings:
spring.datasource.url=jdbc:mariadb://host/db?credentialType=AWS-IAM&useSsl&serverSslCert=classpath:rds-combined-ca-bundle.pem
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
spring.datasource.username=iam_username
#spring.datasource.password=dont-need-this
spring.datasource.hikari.maxLifetime=600000
Download rds-combined-ca-bundle.pem and put it in src/main/resources so you can connect via SSL.
You will need these dependencies on the classpath as well:
runtime 'org.mariadb.jdbc:mariadb-java-client'
runtime 'com.amazonaws:aws-java-sdk-rds:1.11.880'
The driver uses the standard DefaultAWSCredentialsProviderChain so make sure you have credentials with policy allowing IAM DB access available wherever you are running your app.
Addionally, if you want failover support like #markusgulden mentioned in his answer, you can use the aurora mode described here. Your endpoint would then look like
jdbc:mariadb:aurora://host/db?credentialType=AWS-IAM&useSsl&serverSslCert=classpath:rds-combined-ca-bundle.pem
Hope this helps someone else - most examples I found online involved custom code, background threads, etc - but using the new driver feature is much easier!
I would suggest using this library that you use to replace the HikariDatasource. Everything else just works like normal.
<dependency>
<groupId>io.volcanolabs</groupId>
<artifactId>rds-iam-hikari-datasource</artifactId>
<version>1.0.4</version>
</dependency>
Hi I'm sorry for the naivety of this problem but I need some guidance as I have confused myself greatly.
I have been tasked with creating a database(mysql) and creating a web interface for i to be interacted with. I have experience with web design and database development. Previously I have used java to interact with a DB and was hoping I could use JSP for the web interface. This is where my problem is, how I would I deploy/host this website?
I have 2 theories which are misguided:
(A). Use a cms which has a web server for me to place the jsps in?
or
(B). Use a domian/web hosting site that has a server for me to place the jsps in?
I'm totally lost and any guidance would be greatly appreciated.
Simple answer is you will require a Java Application Server to host your JSPs.
You can use Apache Tomcat, GlassFish, or some other application server to do this.
You will also need a database e.g MySQL running on your host or some other host accessible by the machine running the Java application server.
You can choose to host all of this locally or farm it out to a web host provider depending on your resources.
A CMS seems like overkill. See this link for a description of CMS and its functionality. I don't believe this is what you are looking.
I don't know exactly what you're looking for, but I think you need (B)
You need a MySQL instance running your database and a servlet container (e.g. Tomcat) to host your JSPs.
Running a CMS which is just used to use the DB that it works with is a little bit heavy for that usecase.
As suggested by Mr #cmd , yes there is no need to go for an outsourced server just to host your website, unless you need it to be visible to the world.
Else for your testing purpose, you can use Any of the Apache Tomcat, Glassfish servers for hosting the applications designed in JSP or in other web interface language.
And Inside of the JSP coding itself you may write the interaction coding with your database.
your database also can be installed in the same server.
And actually instead of a server, you may even use your PC to install the Apache Tomcat and the database and start using it.
is anyone aware of any embeddable Kerberos servers (KDC / KAdmin), which are written in Java and may run just within the JVM process (something like Hadoop minicluster or embedded LDAP servers)?
My goal it to let people run integ tests requiring Kerberos authentication without having to install local kerberos server/configure remote server and connection to it.
You can give Apache Directory Server (http://directory.apache.org/) a try. It supports LDAP and Kerberos. See this example:
http://svn.apache.org/repos/asf/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java
I was/am looking for such a thing too but this is simply not really possible because you will need a fully functional DNS server for this. A fully decoupled system is necessary. You can achieve this via the virtualization-maven-plugin and a group of virtual machines in VirtualBox with an internal network.
LDAP servers won't help you at all because they do absolutely nothing with GSS-API and Kerberos. SASL does everything by delegating auth to the next available KDC.
You need KDC and DNS server. You may try Samba 4 on one machine, setup a second one which joins
the domain. Install Hadoop on it, add a third one (client), join and run tests from there.
It seems like you can have Apache DS mimic a KDC: http://directory.apache.org/apacheds/configuration/ads-2.0-configuration.html
I have a written an Embedded LDAP for similar purpose and also to you can use it for testing with Kerberos, spcially useful for cases like testing Hadoop Kerberos testing.
https://github.com/krishdey/EmbeddedLdapKDC
You may also look at the class for writing embedded JUnit testing https://github.com/krishdey/EmbeddedLdapKDC/blob/master/EmbeddedLdapKDC/src/test/java/com/krish/ead/server/KerberosLdapIntegrationTest.java
Might be useful for you.
Hadoop publishes a MiniKdc class which can be used. From the MiniKdc class doc comment:
Mini KDC based on Apache Directory Server that can be embedded in testcases or used from command line as a standalone KDC.
https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-minikdc
I've read some articles on the Internet that this is not possible. To communicate own SQL database that is located on other server from GWT application. Jetty doesn't allow it.
I found a way how to perform it but it's not very cosy. I have client and server part inside GWT. The server has to communicate with MySQL database on localhost. So I've written an ant script to build a war that I can launch on Apache Tomcat server. It works perfectly there but I'm not able to debug the code effectively.
Do you have some advices how to perform this task? I was thinking of writing the clienty only in GWT and find some waz how to communicate my own server written outside the GWT. I've found Apache Thrift for GWT but this edited library of thrift seem not to work properly.
Thank you very much for your answers:)
It is possible to communicate with a database from a GWT application. The client side has to call the methods of the server via GWT-RPC, which can communicate with any database.
Maybe Jetty does not support it (have not tested it personally) but you can develop your web application using Apache too. There you can access the database the same way as from any web application:
You will need the mysql-connector-java-5.1.20-bin.jar file (downloadable from: http://dev.mysql.com/downloads/connector/j/ ), and restart the server added to the $CATALINA_HOME/common/lib directory.
OR added to the WEB-INF/lib folder of your web application.
You can find tutorials online of how to develop an application using Tomcat instead of Jetty. For example: https://wiki.auckland.ac.nz/display/BeSTGRID/Deploying+GWT+to+Tomcat+in+Eclipse
Reshi, stop and think about how applications really work. Nobody provides web pages with javascript to read/write databases, that would be crazy and unsecure. Servers are always in themiddle of all communication in this case. You need to create services that run inside your server, one of these services will be a database layer.
Javascript cant create network connections and read/write binary data, thus it would be insane to attempt to get the gwt compiler to compile any jdbc drvier and more.
Jetty does NOT stop us from connecting to a database. All you have to do is to follow the MVP model way. Although MVP is better bet against all hurdles, at a minimal point, you would have to try not having SQL code on the client package.
I have a self built JSP webapp and at the moment I'm using tomcats built in admin pannel to manage user accounts (that are stored in tomcats config xml files) but this is limited because i can not create new accounts from within the web-app (eg. I can not have a sign up website) and need to manually create the accounts.
What is the most straight forward way of implementing accounts in a tomcat environment?
dennis
Set up a database realm in Tomcat, either a simple JDBC realm or a DataSource realm that will allow for connection pooling. Then adding users is a very simple CRUD web application, possibly combined with some confirmation emails.
If you are on Windows (not specified in the question) and want to use a windows logon to authenticate you might want to check out JCIFS. JCIFS allows you to obtain the user name of an authenticated windows logon in Java. It is easy to install and relatively foolproof.
Not for every situation but in windows only environments it can get you up and running quickly.