
Application Level Security

23 January 2016 08:07

Several layers of security for an application:

Working with the default application security:

Find out which role is required to authenticate to, and use, the Manager console.

Go to /opt/<tomcat>/webapps/manager/WEB-INF/web.xml
In that file search for security
Under the security constraints you will find several URL patterns. Make sure you see
/html
Check which role that constraint requires (manager-gui by default in Tomcat 7 and later; Tomcat 6 used a single manager role)

Add that role to tomcat-users.xml under the conf folder.

Declare the role there with exactly the name the manager web.xml uses and assign a user to it; a role name that does not match the auth-constraint grants nothing.

Browse http://localhost:8080/manager/html

Take the two sample applications, Samples and Calendar.

Browsed individually, each currently opens without asking for credentials:

http://localhost:8080/Calendar/

http://localhost:8080/Samples/

Enable security:

Calendar (place this security configuration right above </web-app>):

vi /opt/apache-tomcat-6.0.37/webapps/Calendar/WEB-INF/web.xml

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>You need to enter username and password to enter</realm-name>
</login-config>
<security-role>
  <role-name>tomcat</role-name>
</security-role>

Tomcat 9 Page 1

Samples:

vi /opt/apache-tomcat-6.0.37/webapps/Samples/WEB-INF/web.xml

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Only accessed by Admin</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>

Now in tomcat-users.xml declare these new roles alongside the existing ones and assign each to a user with a password:

vi /opt/apache-tomcat-6.0.37/conf/tomcat-users.xml

<tomcat-users>
  <!--
    NOTE: By default, no user is included in the "manager-gui" role required
    to operate the "/manager/html" web application. If you wish to use this app,
    you must define such a user - the username and password are arbitrary.
  -->
  <!--
    NOTE: The sample user and role entries below are wrapped in a comment
    and thus are ignored when reading this file. Do not forget to remove
    <!.. ..> that surrounds them.
  -->
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat1" roles="tomcat"/>
  <user username="admin" password="admin1" roles="admin"/>
</tomcat-users>

Now try to access either application: the browser prompts for a username and password, and only a user holding the role named in that application's auth-constraint gets in.

Two caveats at this point. BASIC sends the credentials base64-encoded in the Authorization header on every request, so over plain HTTP they are readable on the wire; add a user-data-constraint with transport-guarantee CONFIDENTIAL to each security-constraint so Tomcat only serves the protected area over HTTPS. And the tomcat-users.xml above stores the passwords in clear text (it also no longer assigns anyone the manager role, so /manager/html is locked out until that user is put back); hashing the stored passwords is the next step.
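The checks just described, as an added example (my code, not from these notes or from Tomcat): it parses a web.xml and a tomcat-users.xml and reports which URL patterns are protected, which roles they require, whether each required role actually has a user, and whether BASIC auth is declared without a CONFIDENTIAL transport guarantee. The two XML samples inside are constructed for the example from the Calendar fragment and tomcat-users.xml above, with the servlet 2.5 namespace a real web.xml carries.

```python
"""Audit a Tomcat web.xml against tomcat-users.xml.

Added example: reports protected URL patterns, the roles they require,
whether each role has at least one user, and whether BASIC auth is used
without transport-guarantee CONFIDENTIAL (over plain HTTP the Authorization
header is only base64-encoded, so the password is readable on the wire).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the Calendar web.xml fragment from the notes, wrapped in
# the web-app root it sits inside (namespace added as a real web.xml has it).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>You need to enter username and password to enter</realm-name>
  </login-config>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>
"""

# Constructed sample: the tomcat-users.xml from the notes, comments dropped.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat1" roles="tomcat"/>
  <user username="admin" password="admin1" roles="admin"/>
</tomcat-users>
"""


def _local(tag):
    """'{http://java.sun.com/xml/ns/javaee}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """Descendants (elem itself included) with this local tag name, namespace ignored."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def _first_text(elem, name):
    found = _find_all(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def parse_constraints(web_xml_text):
    """One dict per <security-constraint>: url patterns, required roles, transport guarantee."""
    constraints = []
    for sc in _find_all(ET.fromstring(web_xml_text), "security-constraint"):
        patterns = [p.text.strip() for p in _find_all(sc, "url-pattern")]
        auth = _find_all(sc, "auth-constraint")
        # No <auth-constraint> means the patterns are open to everyone; an empty
        # one would mean nobody, so keep None distinct from [].
        roles = [r.text.strip() for r in _find_all(auth[0], "role-name")] if auth else None
        transport = _first_text(sc, "transport-guarantee") or "NONE"
        constraints.append({"patterns": patterns, "roles": roles, "transport": transport})
    return constraints


def parse_users(tomcat_users_text):
    """Map role name -> set of usernames holding it (declared-but-unused roles map to an empty set)."""
    root = ET.fromstring(tomcat_users_text)
    holders = {r.get("rolename"): set() for r in _find_all(root, "role")}
    for u in _find_all(root, "user"):
        for role in (u.get("roles") or "").split(","):
            if role.strip():
                holders.setdefault(role.strip(), set()).add(u.get("username"))
    return holders


def audit(web_xml_text, tomcat_users_text):
    """Return findings as strings; an empty list means nothing to flag."""
    findings = []
    auth_method = _first_text(ET.fromstring(web_xml_text), "auth-method")
    holders = parse_users(tomcat_users_text)
    for c in parse_constraints(web_xml_text):
        where = ", ".join(c["patterns"])
        if c["roles"] is None:
            findings.append(f"{where}: no auth-constraint, open to everyone")
            continue
        for role in c["roles"]:
            if role != "*" and not holders.get(role):   # "*" means any authenticated user
                findings.append(f"{where}: role '{role}' required but no user holds it")
        if auth_method == "BASIC" and c["transport"] != "CONFIDENTIAL":
            findings.append(f"{where}: BASIC auth without transport-guarantee CONFIDENTIAL")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_WEB_XML, SAMPLE_TOMCAT_USERS) or ["no findings"]:
        print(line)
```

Run against the Calendar sample it flags exactly one thing, the missing CONFIDENTIAL guarantee; drop the tomcat user from the users file and it also reports that the required role has no holder, which is the same failure the manager console hits when tomcat-users.xml is rewritten without a manager user.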

To hash the stored passwords (the credential handler digests them; it does not encrypt, and until this is done anyone who can read tomcat-users.xml has every password in clear):

server.xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key "UserDatabase". Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-256" />
  </Realm>
</Realm>

Generate the stored form with digest.sh from the bin folder (-h names the credential handler so the output matches what the Realm expects):

./digest.sh -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler tomcat1

It prints tomcat1:<salt>$<iterations>$<digest>; paste the part after the colon as the user's password:

<user username="tomcat" password="425e614c9056a587c0ab063a46d901fe0827ab523a17e6507b4aa4fdee7abf05$1$9b083d07d5ce1358269ac8ae72e3f800b8173171d6f36c1ac39f473c579c4e63" roles="admin-gui,manager-gui"/>

Digest:

Server.xml entry:

<CredentialHandler
    className="org.apache.catalina.realm.MessageDigestCredentialHandler"
    algorithm="sha-256" />

Running digest:

/opt/tomcat1/bin/digest.sh -a sha-256 org.apache.catalina.realm.MessageDigestCredentialHandler tomcat1
org.apache.catalina.realm.MessageDigestCredentialHandler:11079e34512798046b757f44b93cddaa5e9ec06f72c3891e37d51ce67727eb65$1$9a67ad41b1f8515a4d2303d6c05d573cc73e8cc145c4f47fd5d50ca6b5464c1c
tomcat1:97e704dbef29c91cae4b78bac2ebb6fcd274019fe55a7ca9b8318eb47eebd436$1$e70009f4614ebdabad0fa6cb5384ade58d552b8c1bc40d2b8f65e82517cb01c0

Note the first output line: without -h in front of it, digest.sh treats the handler class name as just another password and digests it. Pass it as -h org.apache.catalina.realm.MessageDigestCredentialHandler (as in the earlier command) and only the tomcat1 line is produced. In each line the part before the first $ is a random salt and the part after the last $ is the digest, so the same password gives a different string on every run; that is why tomcat1 hashes differently here and above, and both are valid. With the default of 1 iteration this is a single SHA-256 over salt and password, which is cheap to brute-force if the file leaks; raise the cost with -i (and the matching iterations attribute on the CredentialHandler) or use SecretKeyCredentialHandler for PBKDF2.
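To show what the salt$iterations$digest strings above actually contain, here is an added example (my code, not from these notes or from Tomcat) that generates and verifies entries of that form offline. The stored format is what digest.sh prints above; the digest computation itself (SHA-256 over the salt bytes followed by the UTF-8 password, re-digested iterations-1 times) is my reading of Tomcat's MessageDigestCredentialHandler, not something the notes state, so confirm against a digest.sh output before relying on verify() for anything real.

```python
"""Generate and verify Tomcat MessageDigestCredentialHandler entries offline.

Added example. Stored form: hex(salt)$iterations$hex(digest), as digest.sh
prints. Digest scheme assumed (my reading of MessageDigestCredentialHandler):
    d = H(salt || utf8(password)); repeat iterations-1 times: d = H(d)
A bare hex string with no '$' is treated as the old unsalted single-pass form.
"""
import hashlib
import hmac
import os

# Tomcat's defaults as used in the notes: 32-byte salt, 1 iteration.
DEFAULT_SALT_LEN = 32
DEFAULT_ITERATIONS = 1


def _hashlib_name(algorithm):
    """Tomcat spells the algorithm 'sha-256'; hashlib wants 'sha256'."""
    return algorithm.replace("-", "").lower()


def _digest(algorithm, salt, password, iterations):
    h = hashlib.new(_hashlib_name(algorithm))
    if salt:
        h.update(salt)
    h.update(password.encode("utf-8"))
    out = h.digest()
    for _ in range(1, iterations):          # re-digest the previous output
        out = hashlib.new(_hashlib_name(algorithm), out).digest()
    return out.hex()


def make_credential(password, algorithm="sha-256", salt=None, iterations=DEFAULT_ITERATIONS):
    """Return salt$iterations$digest, the value to paste into tomcat-users.xml."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)   # fresh random salt, as digest.sh does
    return f"{salt.hex()}${iterations}${_digest(algorithm, salt, password, iterations)}"


def verify(password, stored, algorithm="sha-256"):
    """Check a password against a stored credential in either the salted or the bare-hex form."""
    parts = stored.split("$")
    if len(parts) == 3:
        salt, iterations, expected = bytes.fromhex(parts[0]), int(parts[1]), parts[2]
    elif len(parts) == 1:
        salt, iterations, expected = b"", 1, parts[0]
    else:
        return False
    # constant-time compare so a wrong guess does not leak how many hex chars matched
    return hmac.compare_digest(_digest(algorithm, salt, password, iterations), expected.lower())


if __name__ == "__main__":
    stored = make_credential("tomcat1")
    print(f'<user username="tomcat" password="{stored}" roles="tomcat"/>')
    print("tomcat1 ->", verify("tomcat1", stored), "| tomcat2 ->", verify("tomcat2", stored))
```

Running it twice prints two different strings for the same password, which is the behaviour seen in the two digest.sh runs above; verify() accepts both because the salt travels inside the stored value.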

