Tomcat container managed security - Yash-777/SteamingServlet GitHub Wiki
Configuring Manager Application Access
To enable access to the Manager web application, you must either create a new username/password combination and associate one of the manager-xxx roles with it, or add a manager-xxx role to some existing username/password combination. As the majority of this document describes using the text interface, this example will use the role name manager-script. Exactly how the usernames/passwords are configured depends on which Realm implementation you are using:
- UserDatabaseRealm plus MemoryUserDatabase, or MemoryRealm — The UserDatabaseRealm and MemoryUserDatabase are configured in the default $CATALINA_BASE/conf/server.xml. Both MemoryUserDatabase and MemoryRealm read an XML-format file by default stored at $CATALINA_BASE/conf/tomcat-users.xml, which can be edited with any text editor. This file contains an XML <user> element for each individual user, which might look something like this:

<user username="craigmcc" password="secret" roles="standard,manager-script" />

which defines the username and password used by this individual to log on, and the role names he or she is associated with. You can add the manager-script role to the comma-delimited roles attribute for one or more existing users, and/or create new users with that assigned role.
- DataSourceRealm or JDBCRealm — Your user and role information is stored in a database accessed via JDBC. Add the manager-script role to one or more existing users, and/or create one or more new users with this role assigned, following the standard procedures for your environment.
- JNDIRealm — Your user and role information is stored in a directory server accessed via LDAP. Add the manager-script role to one or more existing users, and/or create one or more new users with this role assigned, following the standard procedures for your environment.
Tomcat's container-managed security is based on realms. A realm contains the names of users, their passwords, and roles. Authentication can be controlled by a web application or by the container (such as Tomcat) that the web application runs in.
Static: the UserDatabase realm is mostly used for development applications, as we need to change the file manually and restart the server. Dynamic: the JDBC Realm is used for an actual production system, as we can update the JDBC realm data dynamically at runtime rather than only at startup.
Note: the jar where RealmBase class can be found is %TOMCAT_HOME%/lib/container/tomcat_modules.jar
A Realm is a "database" of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of roles associated with each valid user.
UserDatabaseRealm is an implementation of the Tomcat Realm interface that uses a JNDI resource to store user information. By default, the JNDI resource is backed by an XML file. It is not designed for large-scale production use. At startup time, the UserDatabaseRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_BASE/conf/tomcat-users.xml). The users, their passwords and their roles may all be edited dynamically, typically via JMX. Changes may be saved and will be reflected in the XML file.
Example
The default installation of Tomcat is configured with a UserDatabaseRealm nested inside the <Engine> element, so that it applies to all virtual hosts and web applications. The default contents of the conf/tomcat-users.xml file are:
<tomcat-users>
<role rolename="manager"/>
<user username="user_yash" password="user_Yash777" roles="manager"/>
</tomcat-users>

In the application's web.xml file we need to specify the authentication details as a security-constraint:
<security-constraint>
<web-resource-collection>
<web-resource-name>My Resource</web-resource-name>
<url-pattern>/auth/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<!-- <auth-method>DIGEST</auth-method> -->
<realm-name>My Resource</realm-name>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<error-page>
<error-code>401</error-code>
<location>/WEB-INF/jsp/401error.jsp</location>
</error-page>

Custom error message JSP:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
This request requires HTTP authentication.
401 : Custom Error Message from StramingServlet Application.

JDBCRealm
Accesses authentication information stored in a relational database, accessed via a JDBC driver.
NOTE: You need to download mysql-connector-java-5.1.24-bin.jar and place it in the Tomcat lib folder so that on startup the Tomcat container can access the database for authentication details.
CREATE TABLE IF NOT EXISTS `users` (
`user_name` varchar(15) COLLATE utf8_unicode_ci NOT NULL,
`user_pass` varchar(15) COLLATE utf8_unicode_ci NOT NULL,
PRIMARY KEY (`user_name`)
);
INSERT INTO `users` (`user_name`, `user_pass`) VALUES
('tomcat_jdbc', 'realmjdbc'),
('yash', 'Yash777');
CREATE TABLE IF NOT EXISTS `user_roles` (
`user_name` varchar(15) COLLATE utf8_unicode_ci NOT NULL,
`role_name` varchar(15) COLLATE utf8_unicode_ci NOT NULL,
PRIMARY KEY (`user_name`,`role_name`)
);
INSERT INTO `user_roles` (`user_name`, `role_name`) VALUES
('tomcat_jdbc', 'tomcat'),
('yash', 'manager');

Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack.
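As an added illustration (not code from the SteamingServlet project), the following Python models how the container applies the pieces above: a UserDatabaseRealm loaded from this page's tomcat-users.xml, wrapped in a LockOutRealm with Tomcat's default failureCount=5 and lockOutTime=300 seconds, and the web.xml security-constraint on /auth/* that requires the manager role. The realm classes, the constructed guest user and the injectable clock are assumptions made for this example; the lock-out rule follows Tomcat's documented behaviour that a locked account is rejected even with the correct password until lockOutTime has passed since the last failure.

```python
import time
import xml.etree.ElementTree as ET
# Constructed sample: this page's tomcat-users.xml plus one constructed user without the manager role.
TOMCAT_USERS_XML = """<tomcat-users>
<role rolename="manager"/>
<user username="user_yash" password="user_Yash777" roles="manager"/>
<user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>"""
CONSTRAINTS = [("/auth/*", {"manager"})]  # web.xml security-constraint: (url-pattern, role-names)

class UserDatabaseRealm:
    # Model of UserDatabaseRealm: users, passwords and roles are loaded once from the XML file.
    def __init__(self, xml_text):
        self.users = {u.get("username"): (u.get("password"), set(u.get("roles", "").split(",")))
                      for u in ET.fromstring(xml_text).findall("user")}
    def authenticate(self, username, password):
        return username in self.users and self.users[username][0] == password
    def has_role(self, username, role):
        return role in self.users.get(username, ("", set()))[1]

class LockOutRealm:
    # Model of LockOutRealm wrapping another realm (Tomcat defaults: failureCount=5, lockOutTime=300 s).
    def __init__(self, inner, failure_count=5, lock_out_time=300, clock=time.time):
        self.inner, self.failure_count, self.lock_out_time, self.clock = inner, failure_count, lock_out_time, clock
        self.failed = {}  # username -> [failure count, time of last failure]
        self.has_role = inner.has_role
    def is_locked(self, username):
        rec = self.failed.get(username)
        return bool(rec) and rec[0] >= self.failure_count and self.clock() - rec[1] < self.lock_out_time
    def authenticate(self, username, password):
        ok = self.inner.authenticate(username, password)  # the wrapped realm is always consulted first
        if not ok:                                        # every failure is recorded, even while locked
            rec = self.failed.setdefault(username, [0, 0.0])
            if rec[0] >= self.failure_count and self.clock() - rec[1] > self.lock_out_time:
                rec[0] = 0                                # the previous lock has expired: count afresh
            rec[0], rec[1] = rec[0] + 1, self.clock()
        if self.is_locked(username):
            return False                                  # even the correct password is rejected while locked
        if ok:
            self.failed.pop(username, None)               # success clears the failure record
        return ok

def authorize(realm, path, credentials=None):
    # One request's container-side decision; credentials = (username, password) from the BASIC header, or None.
    roles = next((r for pat, r in CONSTRAINTS if path.startswith(pat.rstrip("*"))), None)
    if roles is None:
        return 200  # the path is not covered by any security-constraint
    if credentials is None or not realm.authenticate(*credentials):
        return 401  # no credentials (the container challenges), wrong password, or locked out
    return 200 if any(realm.has_role(credentials[0], r) for r in roles) else 403
```

The returned status is what the container answers before the servlet ever runs; the 401 case is where the custom error page configured above is served.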
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost/applicationdatabase?user=root&amp;password="
userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log" suffix=".txt"/>
<Context docBase="SteamingServlet" path="/SteamingServlet" reloadable="true"
source="org.eclipse.jst.jee.server:SteamingServlet"/>
</Host>

Test the authentication by changing the table names:
RENAME TABLE users TO container_users, user_roles TO container_user_roles;

A Listener element defines a component that performs actions when specific events occur, usually Tomcat starting or Tomcat stopping.
Listeners may be nested inside a Server, Engine, Host or Context. Some Listeners are only intended to be nested inside specific elements.
The Global Resources Lifecycle Listener initializes the Global JNDI resources defined in server.xml as part of the Global Resources element. Without this listener, none of the Global Resources will be available.
This listener must only be nested within Server elements.
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<GlobalNamingResources>
<!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -->
<Resource auth="Container" description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase"
pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share a single "Container" -->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools. -->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150" minSpareThreads="4"/>
<Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
-->
<!-- A "Connector" represents an endpoint by which requests are received and responses are returned. -->
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
<!-- An Engine represents the entry point (within Catalina) that processes every request.
The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request,
and passes them on to the appropriate Host (virtual host). -->
<Engine defaultHost="localhost" name="Catalina">
<!-- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> -->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase".
Any edits that are performed against this UserDatabase are immediately available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost/applicationdatabase?user=root&amp;password="
userTable="container_users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="container_user_roles" roleNameCol="role_name"/>
</Realm>
<!-- connectionURL="jdbc:mysql://localhost/applicationdatabase?user=root&password=" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log" suffix=".txt"/>
<Context docBase="SteamingServlet" path="/SteamingServlet" reloadable="true" source="org.eclipse.jst.jee.server:SteamingServlet"/>
</Host>
</Engine>
</Service>
</Server>

Bug
java-1.8.0.131 doesn't support Tomcat JDBCRealm container authentication:
<Realm className="org.apache.catalina.realm.JDBCRealm"
connectionName="root" connectionPassword=""
connectionURL="jdbc:mysql://127.0.0.1:3306/applicationdatabase"
driverName="com.mysql.jdbc.Driver"
userTable="container_users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="container_user_roles" roleNameCol="role_name"/>

Tomcat Authentication reference video

