...

This section describes how the FEWS Web Services can be protected using the security mechanisms of the Tomcat application server. 

Warning

In general it is recommended to handle authentication outside of Tomcat. When running in a cloud environment, this can typically be done with an API gateway. In on-premise environments a reverse proxy (such as NGINX or Apache HTTPD) or a firewall/appliance is recommended. Using FEWS Web Services Security with OpenID Connect is natively supported by the Delft-FEWS Web Services since 2022.01.


In this section an example is given of using Basic Authentication as a security measure with the default UserDatabaseRealm and a file-based user store. Alternatively, Tomcat can connect to an LDAP server or use a JDBC connection to a database to access user accounts.

Info

Tomcat 8 or 9 is recommended over Tomcat 7 for its advanced security options using the so-called CredentialHandler.

...

Code Block: web.xml
    <security-role>
        <role-name>fewswebservices</role-name>
    </security-role>
   
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                FEWS Web Services
            </web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>fewswebservices</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>FEWS Web Services</realm-name>
    </login-config>

This configuration will apply basic authentication to all FEWS Web Services.

...


Now that Tomcat has been configured, users that are allowed to access the FEWS Web Services can be added. The following is an example of a tomcat-users.xml file where a user (dummy_username) and a fewswebservices role have been added. All users with the role fewswebservices get access to the FEWS Web Services. The file can be found in the conf directory of the Tomcat installation:

Code Block: tomcat-users.xml
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

<role rolename="fewswebservices"/>
<user username="dummy_username" password="dummy_password" roles="fewswebservices"/>
</tomcat-users>

...

Warning

Choose a strong password instead of the dummy_password used in this example!

In this example the password has still been set in plain text. To get the hashed version of the password, Tomcat provides the digest tool in the bin folder of the Tomcat installation. To generate a hashed version of the dummy_password password, the following command can be issued (shown for Windows; on Linux the equivalent digest.sh script is available). Note that the algorithm, number of iterations, salt length and key length are all passed to the tool:

Code Block
digest.bat -a "PBKDF2WithHmacSHA512" -i 100000 -s 16 -k 256 -h "org.apache.catalina.realm.SecretKeyCredentialHandler" dummy_password


This will result in the following output: the original password, followed by a colon (:) and finally the hashed value of the password (salt, iteration count and derived key, separated by $):

Code Block
dummy_password:91429c93e8b1d9462852770ea94d3cee$100000$48c94a74968e5a1b5df394a50c27effeb330553b66dc75d7840a9beb25a2ce90

...

Code Block: tomcat-users.xml
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

<role rolename="fewswebservices"/>
<user username="dummy_username" password="91429c93e8b1d9462852770ea94d3cee$100000$48c94a74968e5a1b5df394a50c27effeb330553b66dc75d7840a9beb25a2ce90" roles="fewswebservices"/>
</tomcat-users>
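For Tomcat to verify a credential stored in this salt$iterations$hash form, the Realm in conf/server.xml must use the same CredentialHandler class and parameters that were passed to the digest tool; otherwise every login fails even with the right password. The following server.xml fragment is an added example and is not taken from the original page or from the Delft-FEWS documentation. It assumes the default UserDatabaseRealm, which reads conf/tomcat-users.xml through the UserDatabase JNDI resource declared in GlobalNamingResources, and it keeps the LockOutRealm wrapper that Tomcat's stock server.xml already uses.

```xml
<!-- conf/server.xml, inside the <Engine> element (added example, not from the
     original page). The CredentialHandler parameters deliberately mirror the
     digest.bat options used above: -h SecretKeyCredentialHandler,
     -a PBKDF2WithHmacSHA512, -i 100000, -s 16, -k 256. -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- Default file-based user store: conf/tomcat-users.xml, exposed as the
       UserDatabase resource in GlobalNamingResources -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <!-- Keep all four values identical to what the digest tool was run with,
         so that stored credentials and the handler agree -->
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000"
                       saltLength="16"
                       keyLength="256"/>
  </Realm>
</Realm>
```

The outer LockOutRealm is worth keeping with Basic Authentication: it is what limits repeated failed logins against the user store (Tomcat's default is a lock-out after 5 failures for 300 seconds). For the unsalted SHA-512 variant described further down, the handler is org.apache.catalina.realm.MessageDigestCredentialHandler with algorithm="SHA-512" instead, and the stored value is then the plain hex digest rather than the salt$iterations$hash form.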

...


Now that Tomcat has been configured, users that are allowed to access the FEWS Web Services can be added. The following is an example of a tomcat-users.xml file where a user (dummy_username) and a fewswebservices role have been added. All users with the role fewswebservices get access to the FEWS Web Services. The file can be found in the conf directory of the Tomcat installation:

Code Block: tomcat-users.xml
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

<role rolename="fewswebservices"/>
<user username="dummy_username" password="dummy_password" roles="fewswebservices"/>
</tomcat-users>

...

Warning

Choose a strong password instead of the dummy_password used in this example!

In this example the password has still been set in plain text. To get the hashed version of the password, Tomcat provides the digest tool in the bin folder of the Tomcat installation. To generate a hashed version of the dummy_password password, the following command can be issued (shown for Windows; on Linux the equivalent digest.sh script is available):

Code Block
digest.bat -s 0 -a SHA-512 dummy_password

This will result in the following output: the original password, followed by a colon (:) and finally the hashed value of the password:

Code Block
dummy_password:b43f1d28a3dbf30070bf1ae7c88ee2784047fc86d7be8620c8510debbd8555b3ef0b96376a4dd494ae0561580274bcf7a3069f5c0beceff63d1237a13d4d72b7

...

Code Block: tomcat-users.xml
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

<role rolename="fewswebservices"/>
<user username="dummy_username" password="b43f1d28a3dbf30070bf1ae7c88ee2784047fc86d7be8620c8510debbd8555b3ef0b96376a4dd494ae0561580274bcf7a3069f5c0beceff63d1237a13d4d72b7" roles="fewswebservices"/>
</tomcat-users>


Now, when accessing the FEWS Web Services, the user dummy_username can access all web server pages with the dummy_password password.

Advanced access configuration

...

  • FEWS PI Rest Web Services: /rest/fewspiservice/*
  • FEWS PI SOAP Web Services: /fewspiservice
  • FEWS Digitale Delta Web Services: /rest/digitaledelta/*
  • FEWS WaterML Web Services: /waterml
  • FEWS PI Rest Umaquo Web Services: /umaquo
  • FEWS WMS Web Services: /wms
  • FEWS Schematic Status Display Web Services: /ssd

These patterns can be used in the web.xml configuration to specify more specific security-constraint elements.

...


In the following example the user "dummy_username_rest" has been assigned the role "fewspirest". The "dummy_username_rest" user will only have access to the FEWS PI REST service.

Code Block: tomcat-users.xml
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

<role rolename="fewswebservices"/>
<role rolename="fewspirest"/>

<user username="dummy_username" roles="fewswebservices" password="91429c93e8b1d9462852770ea94d3cee$100000$48c94a74968e5a1b5df394a50c27effeb330553b66dc75d7840a9beb25a2ce90" />
<user username="dummy_username_rest" roles="fewspirest" password="[PASSWORD_OF_USER_REST]" />

</tomcat-users>
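The tomcat-users.xml above only defines the fewspirest role; the restriction itself has to be expressed in web.xml with a security-constraint on the /rest/fewspiservice/* pattern from the list above. The following web.xml fragment is an added example and not part of the original page: it combines such a constraint with the catch-all constraint from the earlier web.xml example. One point a practitioner should know when writing it: per the Servlet specification, when a request URL matches several constrained url-patterns only the best-matching pattern applies, so the more specific /rest/fewspiservice/* constraint alone decides access to the PI REST service. The fewswebservices role is therefore listed on it as well; otherwise dummy_username would lose access to the REST service.

```xml
<!-- web.xml of the FEWS Web Services application (added example, not from
     the original page). Role names are those used in tomcat-users.xml. -->
<security-role>
    <role-name>fewswebservices</role-name>
</security-role>
<security-role>
    <role-name>fewspirest</role-name>
</security-role>

<!-- Most specific pattern wins: this constraint alone governs the PI REST
     service. Both roles are allowed here, so the general fewswebservices
     user keeps REST access while dummy_username_rest gets nothing else. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>FEWS PI REST Web Services</web-resource-name>
        <url-pattern>/rest/fewspiservice/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>fewspirest</role-name>
        <role-name>fewswebservices</role-name>
    </auth-constraint>
</security-constraint>

<!-- Everything else (SOAP, Digitale Delta, WaterML, Umaquo, WMS, SSD)
     stays restricted to the fewswebservices role. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>FEWS Web Services</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>fewswebservices</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>FEWS Web Services</realm-name>
</login-config>
```

A quick check after deploying: a request to /fewspiservice (the SOAP endpoint) with the dummy_username_rest credentials must be refused with HTTP 403, since that user only holds fewspirest, while the same credentials on /rest/fewspiservice/* must succeed. If the SOAP request succeeds, the constraint ordering or role list is not what was intended.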

General recommendations

  • Always inspect the Tomcat documentation on the latest security improvements.
  • Take note that generating hashes of passwords on the machine where the passwords are stored can still leave references to the password in, for example, a shell history file. Take measures to prevent the passwords from being logged. For example, in Linux bash, starting a command with a space prevents it from being added to the history file (provided HISTCONTROL is set to ignorespace or ignoreboth).
  • Always use strong passwords.

...