
The FEWS Web Service can be secured in several ways. It does not implement authentication itself but relies on the security mechanisms of the Tomcat application server it is deployed in. This section gives an example of using HTTP Basic Authentication as the security measure. Note that Basic Authentication only identifies the caller; it does not protect the credentials on the wire, so the service should only be exposed over HTTPS (see the note below the web.xml example).

Basic Authentication with Tomcat 7 and Tomcat 8

To configure Basic Authentication for the FEWS Web Services, the Tomcat application server has to be configured in the following steps. Since these steps are applied in the Tomcat server configuration, they apply to all web applications running in that Tomcat instance. The installation directory of Tomcat is referred to as "catalina.home" in the following section.

In the conf directory of a Tomcat installation (catalina.home/conf) a web.xml file is available. At the end of this file the following XML should be added, just before the closing web-app tag:

web.xml
    <security-role>
        <role-name>fewswebservices</role-name>
    </security-role>
   
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                Fews Web Services
            </web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>fewswebservices</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Fews Web Services</realm-name>
    </login-config>


This configuration applies basic authentication to every URL (url-pattern /*) and therefore to all FEWS Web Services; a request without valid credentials is answered with HTTP 401 and a WWW-Authenticate challenge carrying the realm-name above. Basic Authentication sends the username and password base64-encoded, not encrypted, with every request, so the service must only be reachable over HTTPS. Adding a user-data-constraint with transport-guarantee CONFIDENTIAL inside the security-constraint makes Tomcat enforce this (it requires an HTTPS connector to be configured in server.xml).

User management

Tomcat has the concept of a Realm to store users, roles and passwords. For more information see Tomcat Realm implementations.

In a standard Tomcat installation, Tomcat is configured with a file-based user store called UserDatabaseRealm that can be used with basic authentication. For more advanced implementations (for example JNDI/LDAP or JDBC realms), please consult the Tomcat documentation.

In the conf directory of the Tomcat installation the server.xml file can be found where this realm is configured.

The UserDatabaseRealm uses the tomcat-users.xml file from the conf folder to store users, roles and passwords. By default the passwords are stored in plain text. It is strongly advised to use a hashing algorithm so that no plain text passwords are stored on the file system: anyone who can read tomcat-users.xml (a backup, a misconfigured file permission, a copied installation) then obtains only the hashes. To enable hashing, a digest attribute has to be added to the UserDatabaseRealm naming the hashing algorithm to be used. In Tomcat 8 this attribute is deprecated in favour of a nested CredentialHandler element (org.apache.catalina.realm.MessageDigestCredentialHandler with an algorithm attribute), but the digest attribute still works and is used in the example below.

In the following server.xml fragment the digest attribute was added to the UserDatabaseRealm and SHA-512 has been configured as digest algorithm. Keep the enclosing LockOutRealm that the default server.xml provides: it temporarily locks an account after repeated failed logins and is the only brute-force protection in this setup.


server.xml
  <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="SHA-512" />
      </Realm>


Now that Tomcat has been configured, users can be added that are allowed access to the FEWS Web Services. The following is an example of a tomcat-users.xml file as found in the conf directory of the Tomcat installation:

tomcat-users.xml
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

<role rolename="fewswebservices"/>
<user username="fews" password="Test1234" roles="fewswebservices"/>
</tomcat-users>

Choose a strong password instead of the Test1234 used in this example!

In this example the password is still set in plain text, which the realm configured above will no longer accept. To get the hashed version of the password, Tomcat provides the digest tool in the bin folder of the Tomcat installation (digest.bat on Windows, digest.sh on Linux, taking the same arguments). The -a option selects the algorithm, which must match the digest attribute of the realm; -s 0 disables salting so that the output is the bare hex digest. In Tomcat 8 the tool also accepts a salt length (-s) and an iteration count (-i), producing a credential of the form salt$iterations$hash that the same realm configuration accepts and that is far harder to reverse if tomcat-users.xml leaks; the Tomcat 7 tool only takes -a and -e. To generate the hashed version of the Test1234 password, the following command can be issued:

digest.bat -s 0 -a SHA-512 Test1234

Note that generating the hash on the machine where the passwords are stored can leave the plain text password behind, for example in the shell history file or in the process list while the command runs. Clear the history afterwards or generate the hash elsewhere.


This results in the following output: the original password, followed by a colon, and finally the hashed value of the password:

Test1234:b43f1d28a3dbf30070bf1ae7c88ee2784047fc86d7be8620c8510debbd8555b3ef0b96376a4dd494ae0561580274bcf7a3069f5c0beceff63d1237a13d4d72b7

The tomcat-users.xml file can now be updated with the hashed value, which will look as follows:

tomcat-users.xml
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

<role rolename="fewswebservices"/>
<user username="fews" password="b43f1d28a3dbf30070bf1ae7c88ee2784047fc86d7be8620c8510debbd8555b3ef0b96376a4dd494ae0561580274bcf7a3069f5c0beceff63d1237a13d4d72b7" roles="fewswebservices"/>
</tomcat-users>


Now, when accessing the FEWS Web Services, the user fews can reach all pages on the web server with the Test1234 password, while requests without valid credentials receive HTTP 401.
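The following script is an added example and is not part of the Delft-FEWS documentation or of Tomcat. It reproduces, in Python, the credential format that Tomcat 8's MessageDigestCredentialHandler reads from tomcat-users.xml when the realm is configured with digest="SHA-512" (the bare hex digest the digest tool above prints with -s 0, and the salted, iterated salt$iterations$hash form), verifies logins against either, shows why the unsalted form is cheap to guess from a leaked file, builds the Authorization header that Basic Authentication sends (covering the transport caveat from the web.xml section), and offers a small probe against a live server. The format description follows the Tomcat source as the author understands it; the helper names, the word list and the sample password are this example's own.

```python
"""Tomcat BASIC-auth credential helpers (added example, not Delft-FEWS or Tomcat code).

Assumed credential formats (from Tomcat 8's MessageDigestCredentialHandler):
  plain:   hex(SHA-512(password))                         -> what `digest -s 0` prints
  salted:  hex(salt) "$" iterations "$" hex(H)
           where H = SHA-512(salt || password), re-hashed (iterations - 1) more times
Hex comparison is case-insensitive, as in Tomcat.
"""
import base64
import hashlib
import hmac
import os
import urllib.error
import urllib.request
from xml.sax.saxutils import quoteattr


def _mutate(password, salt, iterations, algorithm="sha512"):
    """Compute hex(H) as described above; the password is UTF-8 encoded."""
    md = hashlib.new(algorithm)
    md.update(salt)
    md.update(password.encode("utf-8"))
    digest = md.digest()
    for _ in range(1, iterations):          # iterations == 1 means a single hash
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()


def make_credential(password, salt_length=0, iterations=1, algorithm="sha512"):
    """Produce the string to paste into the password="" attribute of tomcat-users.xml."""
    salt = os.urandom(salt_length)
    hashed = _mutate(password, salt, iterations, algorithm)
    if salt_length == 0 and iterations == 1:
        return hashed                       # bare digest, as in the page's example
    return f"{salt.hex()}${iterations}${hashed}"


def verify_credential(password, stored, algorithm="sha512"):
    """Check a login attempt against a stored credential in either format."""
    if "$" in stored:
        salt_hex, iterations, expected = stored.split("$", 2)
        computed = _mutate(password, bytes.fromhex(salt_hex), int(iterations), algorithm)
    else:
        expected = stored
        computed = _mutate(password, b"", 1, algorithm)
    # constant-time, case-insensitive comparison of the hex strings
    return hmac.compare_digest(computed.lower(), expected.lower())


def user_element(username, credential, roles="fewswebservices"):
    """Render the <user/> line for tomcat-users.xml with attribute values escaped."""
    return (f"<user username={quoteattr(username)} password={quoteattr(credential)} "
            f"roles={quoteattr(roles)}/>")


def crack(stored, wordlist, algorithm="sha512"):
    """Offline guessing against a leaked entry; returns the matching word or None.

    Against the unsalted single-iteration form this costs one SHA-512 per guess and
    precomputed tables apply; a salted, iterated credential costs `iterations`
    hashes per guess and rules out precomputation. A weak password still falls.
    """
    for word in wordlist:
        if verify_credential(word, stored, algorithm):
            return word
    return None


def basic_authorization_header(username, password):
    """The Authorization value a client sends; base64 is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def probe(url, username=None, password=None):
    """HTTP status of a GET with or without credentials (needs a live server)."""
    req = urllib.request.Request(url)
    if username is not None:
        req.add_header("Authorization", basic_authorization_header(username, password))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    import sys
    # Constructed sample word list: a few common guesses plus the page's demo password.
    wordlist = ["password", "welcome1", "admin", "Test1234"]
    plain = make_credential("Test1234")                       # like `digest -s 0 -a SHA-512`
    strong = make_credential("Test1234", salt_length=16, iterations=100_000)
    print(user_element("fews", plain))
    print(user_element("fews", strong))
    print("unsalted entry guessed as:", crack(plain, wordlist))
    print("salted entry guessed as:  ", crack(strong, wordlist))  # slower, still found
    if len(sys.argv) > 1:                                     # optional live check
        print("no credentials ->", probe(sys.argv[1]))         # expect 401
        print("fews/Test1234  ->", probe(sys.argv[1], "fews", "Test1234"))
```

Run it without arguments to see both credential forms and the dictionary check; pass the base URL of a FEWS Web Service as the first argument to confirm that an unauthenticated request is refused with 401 and an authenticated one succeeds. The script deliberately uses only the standard library so it can be run from an operator workstation rather than on the Tomcat host, which also keeps the plain text password out of that host's shell history.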
