Thursday, January 16, 2014

Set up a kerberos protected apache server on CentOS 6.5 x86_64

1. Install packages
# yum install mod_auth_kerb ipa-client ipa-admintools

2. Join the Kerberos domain
Make sure the IPA server can resolve the HTTP server's hostname (via DNS and/or /etc/hosts):
# ntpdate 0.centos.pool.ntp.org
# ipa-client-install --domain dev.id.aaf.edu.au --server iam1.dev.id.aaf.edu.au

3. Add service principal
# kinit admin
# ipa service-add HTTP/krbhttpservice.dev.id.aaf.edu.au

4. Retrieve Kerberos keytab
# ipa-getkeytab -s iam1.dev.id.aaf.edu.au -p HTTP/krbhttpservice.dev.id.aaf.edu.au -k /etc/httpd/conf/krb5.keytab
# chown apache:apache /etc/httpd/conf/krb5.keytab
# chmod 0600 /etc/httpd/conf/krb5.keytab

5. Configure Apache
Edit /etc/httpd/conf.d/auth_kerb.conf:
#
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
#

LoadModule auth_kerb_module modules/mod_auth_kerb.so
#
# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks.  The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/www.example.com", where
# "www.example.com" is the FQDN of this server.
#

<Location /kerberos_protected>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP/krbhttpservice.dev.id.aaf.edu.au

  KrbAuthRealms DEV.ID.AAF.EDU.AU
  Krb5KeyTab /etc/httpd/conf/krb5.keytab
  require valid-user
</Location>


6. Restart apache
# chkconfig httpd on
# service httpd start

7. Testing on a client machine. As with the server, the client needs to be a member of the Kerberos domain:
# yum install ipa-client
# ntpdate 0.centos.pool.ntp.org
# ipa-client-install --domain dev.id.aaf.edu.au --server iam1.dev.id.aaf.edu.au
# kinit <username>
# curl -I -k --negotiate -u : https://krbhttpservice.dev.id.aaf.edu.au/kerberos_protected/phptest.php
The output should be like this:
HTTP/1.1 401 Authorization Required
Date: Fri, 17 Jan 2014 03:35:37 GMT
Server: Apache/2.2.15 (CentOS)
WWW-Authenticate: Negotiate
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 17 Jan 2014 03:35:37 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html; charset=UTF-8
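An added check, not part of the original post: this script audits a mod_auth_kerb <Location> block for the protections the sample configuration relies on (SSL only, no password fallback, an explicit keytab, a require rule) and verifies that the keytab is mode 0600 as in step 4. The config text is a constructed sample copied from this post plus a weakened variant; the assumed module defaults are KrbMethodK5Passwd On.

```python
import os
import re

# Constructed sample: the <Location> block from this post, plus a weakened variant.
HARDENED = """
<Location /kerberos_protected>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP/krbhttpservice.dev.id.aaf.edu.au
  KrbAuthRealms DEV.ID.AAF.EDU.AU
  Krb5KeyTab /etc/httpd/conf/krb5.keytab
  require valid-user
</Location>
"""
WEAK = HARDENED.replace("  SSLRequireSSL\n", "").replace("KrbMethodK5Passwd Off", "KrbMethodK5Passwd On")

def parse_location(config):
    """Map lower-cased directive name -> value for the first <Location> block."""
    m = re.search(r"<Location\b[^>]*>(.*?)</Location>", config, re.S | re.I)
    if not m:
        raise ValueError("no <Location> block found")
    directives = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip()
    return directives

def audit_auth_kerb(config):
    """Return findings; an empty list means the block keeps the protections this post relies on."""
    d = parse_location(config)
    findings = []
    if "sslrequiressl" not in d:
        findings.append("SSLRequireSSL missing: Negotiate tokens could be replayed over plain HTTP")
    if d.get("krbmethodk5passwd", "on").lower() != "off":  # assumed module default: On
        findings.append("KrbMethodK5Passwd not Off: clients without a ticket fall back to Basic auth and send their Kerberos password to Apache")
    if "krb5keytab" not in d:
        findings.append("Krb5KeyTab missing: module would use the system default keytab")
    if not d.get("require"):
        findings.append("require missing: no authorisation rule, so the location is not protected")
    return findings

def keytab_mode_ok(path):
    """True when the keytab is accessible by its owner only (chmod 0600 as in step 4)."""
    return (os.stat(path).st_mode & 0o077) == 0
```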

ipa-client-install fails with a self-signed certificate

# ipa-client-install --domain dev.id.aaf.edu.au --server iam1.dev.id.aaf.edu.au
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Failed to verify that iam1.dev.id.aaf.edu.au is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
#

We need to obtain ca.crt from the LDAP server and use it to trust the self-signed certificate.
Run these commands to fix this issue:
# wget http://iam1.dev.id.aaf.edu.au/ipa/config/ca.crt
# mv ca.crt /etc/ipa/ca.crt

See https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html

Wednesday, April 25, 2012

Java Regex Pattern and "^M"

A simple pattern:
 Pattern title = Pattern.compile("^Alert\\s*Digest.*", Pattern.CASE_INSENSITIVE);
When I tried to match this string, it failed:
Alert Digest No 6 of 2012^M 
Yes, you can see the "^M" (a carriage return, \r) in the string. This is a line terminator, which "." will not match by default.

So the solution is:
 Pattern title = Pattern.compile("^Alert\\s*Digest.*", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
This is the description from the API documentation:

DOTALL

public static final int DOTALL
Enables dotall mode. In dotall mode, the expression . matches any character, including a line terminator. By default this expression does not match line terminators.

 

Invalid property 'packagesToScan' of bean class [org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean]

This is a Maven webapp project with m2eclipse integrated into Eclipse. The project has some Hibernate dependencies used through the Spring-Hibernate API. These are the related snippets:

    <bean id="sessionFactory"
        class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
        <property name="dataSource" ref="dataSource" />
        <property name="packagesToScan" value="com.seanlinxs.inventory.domain" />
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.dialect">org.hibernate.dialect.HSQLDialect</prop>
                <prop key="hibernate.show_sql">true</prop>
                <prop key="hibernate.cache.provider_class">org.hibernate.cache.NoCacheProvider</prop>
                <prop key="hibernate.hbm2ddl.auto">update</prop>
            </props>
        </property>
    </bean>




After changing the Hibernate dependencies with the m2e pom.xml GUI editor in Eclipse many times (changing versions or something else, such as vendors), I found that JUnit ran fine but Tomcat deployment failed with this:

org.springframework.beans.NotWritablePropertyException: Invalid property 'packagesToScan' of bean class [org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean]: Bean property 'packagesToScan' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?



This is not a real issue with AnnotationSessionFactoryBean; it is actually a jar conflict!
For example, in the m2e pom.xml GUI editor you see ONE hibernate-core, but there might be MANY versions in the target WAR. You "remove" one dependency, save the pom.xml, add a different one, then save again. What you get in the target WAR is two versions! You didn't really remove it, though you might think you did. Running mvn clean will REALLY clean (empty) the target library directory, and when you run mvn tomcat:deploy again everything should be WYSIWYG as expected.
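An added example, not from the original post: the jar conflict described above can be detected by listing WEB-INF/lib and flagging any artifact that is present in more than one version. The directory listing below is constructed; scan_webinf_lib() runs the same check against a real exploded WAR.

```python
import os
import re
from collections import defaultdict

# Constructed listing of target/<war>/WEB-INF/lib after several pom.xml edits without
# "mvn clean"; not taken from a real build.
WEBINF_LIB = """
hibernate-core-3.6.10.Final.jar
hibernate-core-4.1.2.Final.jar
hibernate-commons-annotations-3.2.0.Final.jar
spring-orm-3.1.1.RELEASE.jar
spring-core-3.1.1.RELEASE.jar
hsqldb-2.2.8.jar
""".split()

# artifact id, a dash, then a version that starts with a digit (Maven's default file naming)
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")

def split_jar(name):
    """Split 'artifact-1.2.3.jar' into (artifact, version); None if the name is not versioned."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None

def duplicate_artifacts(jar_names):
    """Return {artifact: sorted versions} for every artifact present in more than one version."""
    versions = defaultdict(set)
    for name in jar_names:
        parsed = split_jar(name)
        if parsed:
            versions[parsed[0]].add(parsed[1])
    return {a: sorted(v) for a, v in versions.items() if len(v) > 1}

def scan_webinf_lib(path):
    """Run the same check against a real exploded WAR's WEB-INF/lib directory."""
    return duplicate_artifacts(os.listdir(path))
```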

 



Monday, January 30, 2012

maven-tomcat-plugin tomcat-users.xml

Here you can define tomcat-users.xml as in a real Tomcat container (archetypeArtifactId: maven-archetype-webapp):


src/main/tomcatconf/tomcat-users.xml


The Tomcat Maven Plugin searches for a directory "src/main/tomcatconf" and, if it exists, copies it into the configuration of the embedded instance.

Thursday, January 19, 2012

Non-administrator user on Windows 7 using Emacs

Today I am trying to enable the manager app of Tomcat 7 on Windows 7. According to the Tomcat documentation I need to add a <user> to tomcat-users.xml to grant access. I use Emacs to edit tomcat-users.xml and save it, but whatever I set as the username/password/roles, I cannot log in because of a 401 error.

After several hours of attempts I suddenly realized that I was editing the wrong file! After searching for and comparing several versions of this file, I found that this is what I was actually editing and saving:

C:\Users\Sean\AppData\Local\VirtualStore\Program Files\Apache Software Foundation\Tomcat 7.0\conf\tomcat-users.xml

Instead of the right place:

C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\tomcat-users.xml

What happened, even though I opened the file in Emacs using the right path? This is from Microsoft Answers:

To protect against some types of malware, Windows 7 doesn't allow users to store data in C:\Windows , C:\Program Files , or their subfolders.

To allow existing programs that access those locations to run, it automatically (and transparently) translates such access to the VirtualStore folder:

C:\Windows\... --> C:\Users\"Name"\AppData\Local\VirtualStore\Windows\...
C:\Program Files\... --> C:\Users\"Name"\AppData\Local\VirtualStore\Program Files\...

That's it: restarting Emacs as administrator fixes it.

Monday, January 9, 2012

<error-page> catch-all feature in servlet 3.0

 

Starting with Servlets 3.0, <error-code> and <exception-type> elements are optional. An <error-page> without any <exception-type> and <error-code> will be considered as the webapp's default error page, and will act as a "catch-all" for any error codes or exception types. It will be an error if a web.xml contains more than one such default error page.
Here is an example. We want to catch ArithmeticException and display /arithmeticError.jsp instead of the default /errorPage.jsp. In Servlet 3.0, this is the DD:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">
    <servlet>
        <servlet-name>JSTLSample</servlet-name>
        <servlet-class>web.JSTLServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>JSTLSample</servlet-name>
        <url-pattern>/JSTLSample.do</url-pattern>
    </servlet-mapping>
    <error-page>
        <location>/errorPage.jsp</location>
    </error-page>

    <error-page>
        <exception-type>java.lang.ArithmeticException</exception-type>
        <location>/arithmeticError.jsp</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/notFoundError.jsp</location>
    </error-page>
</web-app>

In previous versions, the DD looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">
    <servlet>
        <servlet-name>JSTLSample</servlet-name>
        <servlet-class>web.JSTLServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>JSTLSample</servlet-name>
        <url-pattern>/JSTLSample.do</url-pattern>
    </servlet-mapping>
    <error-page>
       <exception-type>java.lang.Throwable</exception-type>
       <location>/errorPage.jsp</location>
    </error-page>

    <error-page>
        <exception-type>java.lang.ArithmeticException</exception-type>
        <location>/arithmeticError.jsp</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/notFoundError.jsp</location>
    </error-page>
</web-app>
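An added example, not part of the original post: this resolver applies the lookup order described above (exception class hierarchy first, then error code, then the Servlet 3.0 catch-all) to trimmed copies of both descriptors, and rejects a descriptor that declares two default pages. The superclass table is a constructed stand-in for the JVM class hierarchy a container walks, and mapping an unhandled exception to status 500 before the catch-all follows Tomcat's behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}
# Constructed superclass chain standing in for the JVM class hierarchy the container walks.
SUPERCLASS = {
    "java.lang.ArithmeticException": "java.lang.RuntimeException",
    "java.lang.NullPointerException": "java.lang.RuntimeException",
    "java.lang.RuntimeException": "java.lang.Exception",
    "java.lang.Exception": "java.lang.Throwable",
}
# Constructed, trimmed versions of the two deployment descriptors above.
SERVLET30_DD = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <error-page><location>/errorPage.jsp</location></error-page>
  <error-page><exception-type>java.lang.ArithmeticException</exception-type>
    <location>/arithmeticError.jsp</location></error-page>
  <error-page><error-code>404</error-code><location>/notFoundError.jsp</location></error-page>
</web-app>"""
SERVLET24_DD = SERVLET30_DD.replace("<error-page><location>/errorPage.jsp",
    "<error-page><exception-type>java.lang.Throwable</exception-type><location>/errorPage.jsp")

def load_error_pages(web_xml):
    """Return (by_code, by_type, default); raise if two catch-all pages are declared."""
    root = ET.fromstring(web_xml)
    by_code, by_type, default = {}, {}, None
    for ep in root.findall("j2ee:error-page", NS):
        loc = ep.findtext("j2ee:location", namespaces=NS)
        code = ep.findtext("j2ee:error-code", namespaces=NS)
        etype = ep.findtext("j2ee:exception-type", namespaces=NS)
        if code:
            by_code[int(code)] = loc
        elif etype:
            by_type[etype] = loc
        elif default is None:
            default = loc
        else:
            raise ValueError("more than one default <error-page> (illegal in Servlet 3.0)")
    return by_code, by_type, default

def resolve(web_xml, exception_type=None, error_code=None):
    """Location the container forwards to for this exception or status, or None."""
    by_code, by_type, default = load_error_pages(web_xml)
    if exception_type:
        cls = exception_type
        while cls:                      # exact class first, then its superclasses
            if cls in by_type:
                return by_type[cls]
            cls = SUPERCLASS.get(cls)
        error_code = error_code or 500  # an unhandled exception becomes a 500 response
    return by_code.get(error_code, default)
```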