How can i set a path prefix for scdf UI. I already set the tomcat property (like server.contextPath=/api/) which works for the rest API but the UI is still giving errors.
Info: i have it running in Kubernetes using ingress.
We do not support GUI redirects with a overridden contextPath. The Dashboard is a SPA and this type of interaction requires special handling from the client-side.
Feel free to open an issue and consider also contributing to the project.
My Websphere App needs to configure the "Web container transport chains" in the traditional Admin Console. But when I switch to the Liberty, I can't find it in the AdminCenter. Where can I do it?
I would rethink the settings you're using for WebSphere when using WebSphere Liberty. The configuration in Liberty is entirely in the server.xml. Rarely the bootstrap.properties, usually for things that need to be set before we read the server.xml. I would try instead to simply define the HTTP endpoints you want, along with the deployed application, as seen here. The full httpEndpoint configuration documentation is here.
We have a product developed in grails 1.3.7 that supports Kerberos and ADS/LDAP authentication. The application is deployed in different environments. Some deployments are running as SaaS. The SaaS deployments don't require kerberos authentication. There is a dummy keytab file placed within the application and the same credentials are configured in the config.groovy as default to start the application without failing (if they are missing, application will not start). This blog helped me a lot while integrating kerberos
The authentication is working fine in all cases. Some customers accessing the SaaS application from their intranet domain are complaining extreme slowness(3-5 minutes) in the response after kerberos integration. When they access from out of the domain, it seems to be pretty faster. Mostly they are using IE browser. But when I tested the same from our domain, I don't see any issue. It loads in 5-7 seconds. So I am not sure if this is something related to their IE configuration or security policy?
Now I want to disable the Kerberos authentication in the application for specific deployments only. I don't want to keep two versions of the code. But I don't see any configuration with spring-security-kerberos plugin to do so.
Spring Security plugins used in the app are
spring-security-core=1.1.2
spring-security-kerberos=0.1
spring-security-ldap=1.0.5
Is it possible to enable/disable kerberos authentication for specific deployment alone or do I need to have 2 versions with and without kerberos?
Will any IE configuration help to solve this?
In the environments you want to disable spring -security just specifiy
grails.plugins.springsecurity.active = false
in your Config.groovy file, that is it.
I cannot access remote EJB beans of our application server within a web application running on Glassfish 3 web-profile using jndi lookup.
Using full profile for our web-application or even testing with a console application we have no problem accessing jndi remote beans.
Exception:
Unable to acquire SerialContextProvider for SerialContext
We just hoped to make our web servers more lightweight.
The Web Profile version of Glassfish only contains EJB Lite, which doesn't support #Remote interfaces. You need the Full Profile which supports the full EJB 3 spec.
From the oracle docs:
The Web Profile of the GlassFishTM Server supports the EJB 3.1 Lite
specification, which allows enterprise beans within web applications,
among other features. The full GlassFish Server supports the entire
EJB 3.1 specification. For details, see JSR 318.
You can find a comparision of features included in Web Profile and Full Profile here (It was made for Glassfish 3.1.1 but it should be nearly the same for Glassfish 4 except some newer versions of some features). You can find a nice feature comparision between EJB 3.1 Lite and Full in this article.
Update:
As you wrote in the comment (and the initial question) you are not using any enterprise beans directly in your web application, but you are retrieving bean instances via JNDI. This doesn't work with the Web Profile of Glassfish because the functionality for remote lookups is not there, e.g. the CORBA and ORB modules are missing (there are some basic CORBA OMG APIs but only because they are needed by other modules).
As your goal was to make the server more lightweight, maybe this is another option for you: You can remove unused components and modules with the pkg command-line-tool or with the graphical utility updatetool. You could install the Full Profile of Glassfish and then remove obsolete components step by step to make the server more lightweight. More details about the tools can be found in the oracle docs.
See also:
Can EJB 3.1 Lite be exposed via Remote interface?
How to know what glassfish is - full plaform or web profile?
EE6 web profile … no EJB container?
GLASSFISH-14459 corba classes are part of web profile
I've just built a basic ASP MVC web site for deployment on our intranet. It expects users to be on the same domain as the IIS box and if you're not an authenticated Windows User, you should not get access.
I've just deployed this to IIS6 running on Server 2003 R2 SP2. The web app is configured with it's own pool with it's own pool user account. The IIS Directory Security options for the web app are set to "Windows Integrated Security" only and the web.config file has:
<authentication mode="Windows" />
From a Remote Desktop session on the IIS6 server itself, an IE7 browser window can successfully authenticate and navigate the web app if accessed via http://localhost/myapp.
However, also from the server, if accessed via the server's name (ie http://myserver/myapp) then IE7 presents a credentials dialog which after three attempts entering the correct credentials eventually returns "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials".
The same problem occurs when a workstation browses to the web app url (naturally using the server's name and not "localhost").
The IIS6 server is a member of the only domain we have and has no firewall enabled.
Is there something I have failed to configure correctly for this to work?
Thanks,
I have tried the suggestions from Matt Ryan, Graphain, and Mike Dimmick to date without success. I have just built a virtual machine test lab with a Server 2003 DC and a separate server 2003 IIS6 server and I am able to replicate the problem.
I am seeing an entry in the IIS6 server's System Event Log the first time I try to access the site via the non-localhost url (ie http://iis/myapp). FQDN urls fail too.
Source: Kerberos, Event ID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/iis.test.local. The target name used was HTTP/iis.test.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TEST.LOCAL), and the client realm.
After extensive Googling I managed to find a solution on the following MSDN article:
How To: Create a Service Account for an ASP.NET 2.0 Application
Specifically the Additional Considerations section which describes "Creating Service Principal Names (SPNs) for Domain Accounts" using the setspn tool from the Windows Support Tools:
setspn -A HTTP/myserver MYDOMAIN\MyPoolUser
setspn -A HTTP/myserver.fqdn.com MYDOMAIN\MyPoolUser
This solved my problem on both my virtual test lab and my original problem server.
There is also an important note in the article that using Windows Authentication with custom pool users constrains the associated DNS name to be used by that pool only. That is, another pool with another identity would need to be associated with a different DNS name.
Sounds like the new Loopback check security feature of Windows Server 2003 SP1. As I understand it, is designed to prevent a particular type of interception attack.
From http://support.microsoft.com/kb/896861
SYMPTOMS
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or IIS 6, you may receive an error message that resembles the following:
HTTP 401.1 - Unauthorized: Logon Failed
This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.
Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
CAUSE
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
Workaround
Method 1: Disable the loopback check
Method 2: Specify host names
See http://support.microsoft.com/kb/896861 for details.
Edit - just noticed that you said you were seeing this from Client PCs as well... that's more unusual. But I'd still look to test one of these workarounds, to see if it corrected the problem (and if so, might indicate a problem with your DNS config).
It sounds to me as though you've done everything right.
I'm sure you are but have you made sure you are using 'DOMAIN\user' as the user account and not just 'user'?
IE7 only sends Windows credentials (NTLM, Kerberos) if it identifies the server as being on the Intranet. IE7 also added an Intranet zone lockdown feature - if you're not on a domain, by default no servers are in the Intranet zone. This was done to prevent zone-migration attacks.
To change this, go to Tools/Internet Options, Security tab, then click Local Intranet. You can then manually add servers that should be treated as Intranet, by clicking the Sites button, then Advanced, or tell IE not to automatically detect your Intranet and selecting the other checkboxes as appropriate.
I just encountered the opposite problem - my site authenticates externally but not locally.
I compared it to the sites we have working and the difference was that the site that failed to authenticate was using Windows Authentication.
However, other sites I work with (this is a dev server) tend to have Basic Authentication.
Not sure why exactly but this fixed it.
However, at the same time I noticed "Default Domain" and "Realm" settings.
I know it's very unlikely but could these perhaps help at all?