Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This document describes how to enable global security inside Tomcat to use the Fortress Realm. To target setup for a single web application, w/out global security enabled, follow the instructions in the REALM-CONTEXT-SETUP instead.
Minimum hardware requirements:
Minimum software requirements:
Everything else covered in steps that follow. Tested on Debian, Centos & Windows machines.
Copy fortress-realm-proxy-[version].jar to TOMCAT_HOME/lib/ folder:
cp $FORTRESS_REALM_HOME/proxy/fortress-realm-proxy-[version].jar $TOMCAT_HOME/lib
Copy the fortress.properties, created during FORTRESS_CORE_HOME setup, to this package's conf folder.
cp $FORTRESS_CORE_HOME/config/fortress.properties $FORTRESS_REALM_HOME/conf
# This param tells fortress what type of ldap server in use: ldap.server.type=apacheds # ldap host name host=localhost # if ApacheDS is listening on port=10389 # If ApacheDS, these credentials are used for read/write to fortress DIT admin.user=uid=admin,ou=system admin.pw=secret # This is min/max settings for admin pool connections: min.admin.conn=1 max.admin.conn=10 # This node contains more fortress properties stored on behalf of connecting LDAP clients: config.realm=DEFAULT config.root=ou=Config,dc=example,dc=com # Used by application security components: perms.cached=true # Fortress uses a cache: ehcache.config.file=ehcache.xml # Default for pool reconnect flag is false: enable.pool.reconnect=true
x@machine:~/FORTRESS_REALM_HOME/conf$ ls -l ... -rwxrwxr-x 1 x y 5905 Jan 23 12:41 ehcache.xml -rw-rw-r-- 1 x y 1161 Jan 23 12:41 fortress.properties -rw-rw-r-- 1 x y 1235 Jan 23 12:41 log4j.properties ...
Fortress needs all three files.
vi $TOMCAT_HOME/conf/server.xml
<!--Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /-->
<Realm className="org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy" debug="0" resourceName="UserDatabase" containerType="Tomcat7" realmClasspath="$FORTRESS_REALM_HOME/conf:$FORTRESS_REALM_HOME/impl/target/fortress-realm-impl-uber-[version].jar" defaultRoles="" />
Here the FORTRESS_REALM_HOME conf folder and implementation jar are being declared to Tomcat server. Ensure that you stage these files outside of TOMCAT_HOME to ensure remaining clear of Tomcat's system classpath.
Save and exit the editor.
Restart Tomcat server to enable changes to take effect.
Verify it worked:
tail -f -n10000 $TOMCAT_HOME/logs/catalina.out ... org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy J2EE Tomcat7 policy agent initialization successful ...
vi $MY_APP_HOME/src/main/webapp/WEB-INF/web.xml
... <security-constraint> <display-name>Commander Security Constraint</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <!-- Anyone with one of the listed roles may access this area --> <role-name>MY_ROLE_NAME</role-name> ... </auth-constraint> </security-constraint> <!-- Example of HTTP Basic Authentication Setup. --> <login-config> <auth-method>BASIC</auth-method> <realm-name>FortressSecurityRealm</realm-name> </login-config> <!-- Security roles referenced by this web application --> <security-role> <role-name>MY_ROLE_NAME</role-name> </security-role> ...
Fortress Realm follows standard Java EE security semantics.
Redeploy web app to Tomcat.
Login to the web app. Users that successfully authenticate and have role(s) listed in auth-constraint may access resources matching the url-pattern.
Verify that the fortress realm is operating properly by viewing the Tomcat server log:
tail -f -n10000 $TOMCAT_HOME/logs/catalina.out ... org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy J2EE Tomcat7 policy agent initialization successful ...
Realm Usage Notes:
This section provides instructions for using the Tomcat Manager application to test Apache Fortress Realm.
Enable Tomcat Manager application. note: check the Tomcat documentation on how to do this.
Verify/enable role name. Edit TOMCAT_HOME/webapps/manager/WEB-INF/web.xml
<!-- Security roles referenced by this web application --/> <security-role/> <description/> The role that is required to log in to the Manager Application </description/> <role-name/>manager</role-name/> </security-role/>
Add and assign that role to a user.
Test logon onto the Tomcat Manager app.
Enter URL to manager web app: http://localhost:8080/manager/html
Enter creds (tcmanager, password) into basic logon form Verify authentication/authorization success to web app.
Jul 15, 2011 8:21:16 PM us.jts.sentry.tomcat.Tc7AccessMgrProxy initialize INFO: us.jts.sentry.tomcat.Tc7AccessMgrProxy.initialize - instantiate policy agent name: us.jts.sentry.tomcat.TcAccessMgrImpl 2011-07-15 20:21:17,053 (FATAL) us.jts.configuration.Config static init: Error, null configuration file: fortress.properties Jul 15, 2011 8:21:17 PM us.jts.sentry.tomcat.Tc7AccessMgrProxy startInternal SEVERE: us.jts.sentry.tomcat.Tc7AccessMgrProxy.startInternal caught Throwable=java.lang.ExceptionInInitializerError java.lang.ExceptionInInitializerError at us.jts.sentry.J2eePolicyMgrFactory.<clinit>(J2eePolicyMgrFactory.java:32) at us.jts.sentry.tomcat.TcAccessMgrImpl.<init>(TcAccessMgrImpl.java:35) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:513) at java.lang.Class.newInstance0(Class.java:355) at java.lang.Class.newInstance(Class.java:308) at us.jts.sentry.tomcat.Tc7AccessMgrProxy.initialize(Tc7AccessMgrProxy.java:112) at us.jts.sentry.tomcat.Tc7AccessMgrProxy.startInternal(Tc7AccessMgrProxy.java:236) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1026) at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:291) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:727) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) at org.apache.catalina.startup.Catalina.start(Catalina.java:620) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:303) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431) Caused by: java.lang.RuntimeException: us.jts.configuration.Config static init: Error, null configuration file: fortress.properties at us.jts.configuration.Config.<clinit>(Config.java:51) ... 25 more
ACTION: Ensure realm classpath points to Fortress configuration folder that contains fortress.properties config file.
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path... Apr 22, 2011 10:24:04 PM org.apache.tomcat.util.digester.Digester startElement SEVERE: Begin event threw exception java.lang.ClassNotFoundException: org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy
ACTION: Ensure fortress-realm-proxy jar copied to TOMCAT_HOME/lib folder.
Apr 22, 2011 10:22:25 PM org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy initialize SEVERE: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl Apr 22, 2011 10:22:25 PM org.apache.directory.fortress.realm.tomcat.TcAccessMgrProxy start SEVERE: Fortress Tomcat Realm.start caught Exception=java.lang.RuntimeException: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl java.lang.RuntimeException: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl at org.apache.directory.fortress.realm.tomcat.TcAccessMgrProxy.initialize(TcAccessMgrProxy.java:118)
ACTION: Ensure realm classpath points fortress-realm-impl-uber jar, i.e. FORTRESS_REALM_HOME/impl/target/fortress-realm-impl-uber-[version].jar.
The Fortress Realm requires Tomcat version's 7 and beyond. If you are running Tomcat 4, 5 or 6 and see error that looks like this:
SEVERE: An exception or error occurred in the container during the request processing java.lang.RuntimeException: org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxyauthenticate detected Fortress Tomcat7 Realm not initialized correctly. Check your Fortress Realm configuration at org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy.authenticate(Tc7AccessMgrProxy.java:161) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:662)
ACTION: Install and use Tomcat version 7 and later in your target machine.
The fortress realm proxy jar contains a shim that uses a URLClassLoader to reach its implementation libs. It prevents the realm impl libs, contained within this package, from interfering with Tomcat's system classpath thus providing an error free deployment process w/out classloader issues. The realm proxy offers the flexibility for each web app to determine its own version/type of security realm to use, satisfying a variety of requirements related to web hosting and multitenancy.