Error with SAF Realm on Tomcat 6.0.18
Hi:
I've tried to set up SAF security using the instructions found on http://dovetail.com/docs/tomcat/saf.html
Step 1 - skipped, nothing non-standard in LIBPATH
Step 2 - Checked, appropriate libs program-controlled
Step 3 - Modified SERVXML member to read:
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<!- For SAF(RACF) Authentication, replace the Realm above with: -->
<Realm className="com.dovetail.zos.tomcat.SafRealm"
resourceName="SafRoleDatabase"/>
Step 4 - Updated SAFROLES member to read:
<role rolename="manager"
safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
<role rolename="admin"
safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
and added appropriate RACF profiles.
When TOMCAT starts, I get this warning message:
WARNING: [SetPropertiesRule]{Server/Service/Engine/Realm} Setting property 'resourceName' to 'SafRoleDatabase' did not find a matching property.
And trying to access /manager/html gives these error messages:
SEVERE: An exception or error occurred in the container during the request processing
Throwable occurred: java.lang.ClassCastException: org.apache.catalina.users.MemoryRole incompatible with com.dovetail.zos.tomcat.Role
at com.dovetail.zos.tomcat.SafRealm.hasRole(SafRealm.java:129)
at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:790)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:507)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:735)
I imagine I have a typo in SERVXML somewhere but I'm buggered if I can see it.
Thanks, Ant. Thompson
Northern Territory Government, Australia
I'm not absolutely certain that this is the entire problem, but in step 3 you are missing a closing XML end-comment (-->) after the third line. Also, two lines later, your begin-comment is missing a dash:
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
-->
<!-- For SAF(RACF) Authentication, replace the Realm above with: -->
<Realm className="com.dovetail.zos.tomcat.SafRealm"
resourceName="SafRoleDatabase"/>
Um... I left --> out so that the end-of-comment was seen at the end of the SAF(RACF) comment line, so I thought it was working like this:
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<!- For SAF(RACF) Authentication, replace the Realm above with: -->
<Realm className="com.dovetail.zos.tomcat.SafRealm"
resourceName="SafRoleDatabase"/>
where everything up to the --> is all a comment and the remaining Realm element is code. The second '-' at the start of the SAF(RACF) comment line was removed because the parser moaned about the presence of '--' within a comment.
Nevertheless, I changed the syntax to what was recommended above and it has made a (slight) difference. I'm still getting the warning message:
WARNING: [SetPropertiesRule]{Server/Service/Engine/Realm} Setting property 'resourceName' to 'SafRoleDatabase' did not find a matching property.
And now when I try /manager.html, instead of all the other error messages and my browser hanging in limbo, I just get an HTTP 404 error message in the browser and no further error messages in the Tomcat STDERR log:
HTTP Status 404 - /manager.html
--------------------------------------------------------------------------------
type Status report
message /manager.html
description The requested resource (/manager.html) is not available.
--------------------------------------------------------------------------------
Apache Tomcat/6.0.18
Cheers, Ant.
Northern Territory Government, Australia
It looks like it is complaining that it can't find a resource named "SafRoleDatabase".
In the sample that we distribute, there should be this:
<Resource name="SafRoleDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="z/OS SAF Role Database"
factory="com.dovetail.zos.tomcat.SafRoleDatabaseFactory"
pathname="conf/saf-roles.xml"
readonly="true" />
Did you remove this?
No, these statements are still in SERVXML:
<GlobalNamingResources>
<!-- The default Tomcat user database -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml"
readonly="true" />
<!-- The following used only if you setup the SAF(RACF) <Realm> -->
<Resource name="SafRoleDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="z/OS SAF Role Database"
factory="com.dovetail.zos.tomcat.SafRoleDatabaseFactory"
pathname="conf/saf-roles.xml"
readonly="true" />
At one point I removed the definition for the default Tomcat user database, but it didn't like that very much so I put it back in.
Cheers, Ant.
Northern Territory Government, Australia
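The following is an added example, not Dovetail's or Tomcat's code, that shows what a parser makes of the SERVXML fragments posted in this thread. Tomcat's Digester drops XML comments before it instantiates anything, and ElementTree does the same, so the script reports which Realm element is live in both the as-posted and the corrected comment layouts, and checks that the live Realm's resourceName matches a Resource declared under GlobalNamingResources. The Server/Service/Engine skeleton around the fragments is constructed for the example. Note that this only checks the XML side: the Digester warning "did not find a matching property" is raised when the Realm's Java class has no setter for the attribute, which no amount of XML editing will change.

```python
"""Check which <Realm> in a Tomcat server.xml is live and whether its resourceName resolves.

Added example, not Dovetail's or Tomcat's code. Comments are stripped by the parser,
exactly as Tomcat's Digester strips them, so the result is the configuration Tomcat acts on.
"""
import xml.etree.ElementTree as ET

# Constructed from the GlobalNamingResources fragment posted in this thread.
GLOBAL_RESOURCES = """
<GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" readonly="true"/>
  <Resource name="SafRoleDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            factory="com.dovetail.zos.tomcat.SafRoleDatabaseFactory"
            pathname="conf/saf-roles.xml" readonly="true"/>
</GlobalNamingResources>
"""


def server_xml(realm_block: str) -> str:
    """Wrap a Realm fragment in a minimal (constructed) Server/Service/Engine skeleton."""
    return f"<Server>{GLOBAL_RESOURCES}<Service><Engine>{realm_block}</Engine></Service></Server>"


# The Realm block exactly as first posted: one comment runs from "<!--" to the "-->"
# at the end of the SAF(RACF) line, so only the UserDatabaseRealm is commented out.
AS_POSTED = server_xml("""
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>
<!- For SAF(RACF) Authentication, replace the Realm above with: -->
<Realm className="com.dovetail.zos.tomcat.SafRealm"
       resourceName="SafRoleDatabase"/>
""")

# The block as corrected in the reply: two separate, well-formed comments.
CORRECTED = server_xml("""
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>
-->
<!-- For SAF(RACF) Authentication, replace the Realm above with: -->
<Realm className="com.dovetail.zos.tomcat.SafRealm"
       resourceName="SafRoleDatabase"/>
""")


def live_realms(xml_text: str) -> list:
    """Realm elements the parser actually sees; anything inside a comment is gone."""
    return [dict(r.attrib) for r in ET.fromstring(xml_text).iter("Realm")]


def global_resources(xml_text: str) -> dict:
    """name -> attributes for every Resource under GlobalNamingResources."""
    root = ET.fromstring(xml_text)
    return {r.get("name"): dict(r.attrib)
            for gnr in root.iter("GlobalNamingResources")
            for r in gnr.iter("Resource")}


def check_config(xml_text: str) -> list:
    """Return human-readable problems on the XML side; an empty list means it is consistent."""
    try:
        realms = live_realms(xml_text)
    except ET.ParseError as exc:          # e.g. "--" inside a comment is not well-formed XML
        return [f"not well-formed: {exc}"]
    resources = global_resources(xml_text)
    problems = []
    if not realms:
        problems.append("no live <Realm>: every Realm element is inside a comment")
    for realm in realms:
        name = realm.get("resourceName")
        if name and name not in resources:
            problems.append(f"{realm.get('className')} references resourceName={name!r} "
                            f"but GlobalNamingResources declares {sorted(resources)}")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, "->", live_realms(text), check_config(text) or "OK")
```

Both layouts leave exactly one live Realm, the SafRealm, and both resolve SafRoleDatabase to the declared Resource; a `--` inside a comment, which the poster mentions the parser rejecting, is reported as a well-formedness error.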
Better email a copy of your SERVXML member to info@dovetail.com for me to look at.
Thanks for reporting this problem.
We have found that a change in Tomcat 6 caused our SAF realm configuration not to work.
We have corrected this in the T:Z Tomcat 1.0.1 distribution (12/4/2009). The only change is to the file: <TOMCAT_HOME>/lib/zos-tomcat.jar. Those who are running T:Z 1.0.0 can download the new distribution and copy this jar to a running configuration to correct the problem.
TCAT.DEV.MYROLE never checks authorization?
1. SAF/RACF started to work after downloading and copying the V1.0.1 version. However, the file is now in ASCII, not EBCDIC:
BROWSE /usr/local/tomcat/conf/saf-roles.xml
Command ===>
********************************* Top of Data ******
..Ì_%.ÎÁÊËÑ?>.......Á>#?ÀÑ>$..ÍÈÃ.......Ë/Ã.Ê?%ÁË...
******************************** Bottom of Data ****
and manually changing it to EBCDIC ends up with an ASCII file again when Tomcat 6.0.18 is stopped.
2. Used RACF commands
RDEF EJBROLE TCAT.DEV.MYROLE UACC(NONE)
PE TCAT.DEV.MYROLE CLASS(EJBROLE) ACCE(RE) ID(TEUSERS)
RDEF EJBROLE TCAT.DEV.MANAGER UACC(NONE)
PE TCAT.DEV.MANAGER CLASS(EJBROLE) ID(TT0XGF1) ACCESS(READ)
but still no RACF userid/password is needed for
http://zos-tomcat:8080/
$CATALINA_HOME/webapps/ROOT/index.html
but the "manager" page
http://zos-tomcat:8080/manager/status
works well using RACF userid/password authorization.
Any hints why "TCAT.DEV.MYROLE" works as it does?
1. For historical reasons, the Saf Realm saves the saf-roles.xml file when it quits, which is why you see it being updated. We will fix it to save in EBCDIC. Thanks for pointing this out.
2. This is working as designed. The manager application is requiring logon since its web.xml requires the "manager" role, which is connected via saf-roles.xml to the TCAT.DEV.MANAGER SAF class.
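An added example, not Dovetail's code, for the encoding problem in point 1: it classifies a saf-roles.xml as ASCII or EBCDIC from its first byte, reproduces what ASCII bytes look like when a 3270 session displays them as EBCDIC (the "..Ì_%.ÎÁÊËÑ?>" seen in the BROWSE screen above is `<?xml version`), and converts the file back to EBCDIC with z/OS NL line ends. Python ships code page 037 rather than IBM-1047; the two agree on every letter, digit, XML punctuation character and control byte used here and differ only on `[ ] ^ ¬ Ý ¨`, which the converter refuses rather than mangles. Using cp037 as a stand-in for 1047 is the example's assumption.

```python
"""Tell an ASCII saf-roles.xml from an EBCDIC one, show how ASCII looks under ISPF, and convert.

Added example, not Dovetail's code. Python has no cp1047 codec, so cp037 stands in for it;
the bytes this example touches are identical in the two code pages.
"""

ASCII_BLANKS = {0x20, 0x09, 0x0A, 0x0D}          # space, tab, LF, CR
EBCDIC_BLANKS = {0x40, 0x05, 0x15, 0x25}         # space, tab, NL, LF
CP037_VS_1047 = set("[]^¬Ý¨")                    # placed differently in cp037 and IBM-1047


def detect_encoding(data: bytes) -> str:
    """Classify by the first non-blank byte: an XML file starts with '<',
    which is 0x3C in ASCII and 0x4C in EBCDIC."""
    for b in data:
        if b in ASCII_BLANKS or b in EBCDIC_BLANKS:
            continue
        return {0x3C: "ascii", 0x4C: "ebcdic"}.get(b, "unknown")
    return "unknown"


def as_seen_in_ispf(data: bytes) -> str:
    """Render bytes the way a 3270 session on an EBCDIC code page shows them,
    with non-displayable characters as '.'. Feeding ASCII bytes through this
    reproduces the garbled BROWSE screen in the post above."""
    return "".join(c if c.isprintable() else "." for c in data.decode("cp037"))


def to_ebcdic(data: bytes) -> bytes:
    """Convert an ASCII XML file to EBCDIC with z/OS NL (0x15) line ends.
    EBCDIC input is returned unchanged."""
    if detect_encoding(data) == "ebcdic":
        return data
    text = data.decode("ascii")
    bad = CP037_VS_1047.intersection(text)
    if bad:
        raise ValueError(f"characters {sorted(bad)} map differently in cp037 and IBM-1047")
    # cp037 encodes '\n' as LF (0x25); z/OS UNIX text files terminate lines with NL (0x15)
    return text.encode("cp037").replace(b"\x25", b"\x15")


def to_ascii(data: bytes) -> bytes:
    """Inverse of to_ebcdic, for reading a file Tomcat rewrote on a workstation."""
    if detect_encoding(data) == "ascii":
        return data
    return data.replace(b"\x15", b"\x25").decode("cp037").encode("ascii")


if __name__ == "__main__":
    sample = b'<?xml version="1.0"?>\n<roles/>\n'       # constructed ASCII file
    print(detect_encoding(sample), as_seen_in_ispf(sample))
    fixed = to_ebcdic(sample)
    print(detect_encoding(fixed), fixed.hex())
```

Because the realm rewrites the file at shutdown, any conversion done by hand is undone on the next stop; the check is worth re-running after each restart until the fix that saves in EBCDIC is in place.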
2. This is working as designed. The manager application is requiring logon since it's web.xml requires the "manager" role, which is connected via saf-roles.xml to the TCAT.DEV.MANAGER SAF class.
==> OK
3. Could you please help me with how to make RACF userid/password mandatory for
$CATALINA_HOME/webapps/ROOT/index.html
and all others?
AFAIK, Tomcat security is set up per web application. I'm not aware of a mechanism to set it up for all webapps. You might want to ask this question on the tomcat-users list.
For securing a given webapp, you would define a role to saf and then configure all or selected URLs in the webapp to require that role by adding definitions to the web.xml file:
<!-- Define a security constraint on this application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>My Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myrole</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the login configuration for this application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>My Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to this application
</description>
<role-name>myrole</role-name>
</security-role>
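To make the "working as designed" answer and the web.xml fragment above concrete, here is an added example (not Dovetail's or Tomcat's code) that walks one request through the same three layers: the webapp's security-constraints decide whether a URL needs a role at all, saf-roles.xml maps that role to a SAF class, profile and access level, and a SAF check decides whether the user holds it. The two web.xml files and the saf-roles.xml are constructed from the snippets in this thread; the RACF database is a constructed in-memory table standing in for the real SAF authorization call, and the rule "user holds the role if SAF grants at least saflevel access to safentity" is the example's assumption about SafRealm.

```python
"""Simulate Tomcat container-managed authorization with roles resolved through SAF.

Added example, not Dovetail's or Tomcat's code. The RACF side is a constructed
in-memory table standing in for the SAF authorization check the real SafRealm issues.
"""
import xml.etree.ElementTree as ET

# Constructed: the ROOT webapp ships with no security-constraint, so nothing
# under / ever triggers a login, whatever profiles exist in RACF.
ROOT_WEB_XML = "<web-app><display-name>ROOT</display-name></web-app>"

# Constructed, modelled on the security-constraint posted above; the manager
# webapp protects its pages with the "manager" role.
MANAGER_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager</web-resource-name>
      <url-pattern>/status/*</url-pattern>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Manager</realm-name></login-config>
</web-app>
"""

# Constructed saf-roles.xml using the role and profile names from this thread.
SAF_ROLES_XML = """
<roles>
  <role rolename="manager" safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>
  <role rolename="myrole"  safclass="EJBROLE" safentity="TCAT.DEV.MYROLE"  saflevel="READ"/>
</roles>
"""

# Constructed stand-in for the RACF database after the RDEF/PE commands above:
# (class, profile) -> {userid or group: access}. Group membership is not modelled.
SAF_DB = {
    ("EJBROLE", "TCAT.DEV.MANAGER"): {"TT0XGF1": "READ"},
    ("EJBROLE", "TCAT.DEV.MYROLE"): {"TEUSERS": "READ"},
}
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern rules: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(web_xml: str, path: str) -> set:
    """Roles demanded by every security-constraint whose url-pattern covers path.
    An empty set means the resource is served without authentication.
    Not modelled: http-method filters, an empty <auth-constraint/> (deny all), the '*' role."""
    roles = set()
    for constraint in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text.strip() for p in constraint.iter("url-pattern")]
        if any(pattern_matches(p, path) for p in patterns):
            roles.update(r.text.strip() for r in constraint.iter("role-name"))
    return roles


def load_saf_roles(xml_text: str) -> dict:
    """rolename -> (safclass, safentity, saflevel), as the SafRoleDatabase resource loads it."""
    return {r.get("rolename"): (r.get("safclass"), r.get("safentity"), r.get("saflevel"))
            for r in ET.fromstring(xml_text).iter("role")}


def saf_has_role(user: str, role: str, saf_roles: dict, saf_db: dict = SAF_DB) -> bool:
    """Assumed SafRealm semantics: the user holds the role if SAF grants at least
    saflevel access to safentity in safclass."""
    if role not in saf_roles:
        return False
    saf_class, entity, needed = saf_roles[role]
    granted = saf_db.get((saf_class, entity), {}).get(user, "NONE")
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(needed)


def authorize(web_xml: str, path: str, user, saf_roles: dict) -> str:
    """ALLOW / LOGIN (401 challenge) / DENY (403) for one request."""
    roles = required_roles(web_xml, path)
    if not roles:
        return "ALLOW"
    if user is None:
        return "LOGIN"
    return "ALLOW" if any(saf_has_role(user, r, saf_roles) for r in roles) else "DENY"


if __name__ == "__main__":
    roles = load_saf_roles(SAF_ROLES_XML)
    for app, path, user in ((ROOT_WEB_XML, "/index.html", None),
                            (MANAGER_WEB_XML, "/status", None),
                            (MANAGER_WEB_XML, "/status", "TT0XGF1"),
                            (MANAGER_WEB_XML, "/status", "TEUSERS")):
        print(path, user, "->", authorize(app, path, user, roles))
```

The run shows why defining TCAT.DEV.MYROLE in RACF changes nothing for the ROOT webapp: no security-constraint in its web.xml names a role, so the realm is never consulted for "/". Adding the posted `/*` constraint with `myrole` to that web.xml is what makes the SAF check happen, and the webapp's own `security-role` list is what ties `myrole` to the saf-roles.xml entry.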