Securing FusionReactor and jsp applications in tomcat using LDAP

Debugging plugin performance in CFWheels 2.x with FusionReactor
5 things you should check every day to ensure your application health

Overview

FusionReactor provides different types of user accounts (Administrators/Manager/Observer), however, if you would like to restrict access to FusionReactor for individual users, you can do this via LDAP authentication.

This technote will guide you through configuring tomcat to use LDAP authentication to restrict access to both FusionReactor and your JSP applications.

We will split this guide into 5 distinct sections

  1. Configuring LDAP
  2. Configuring the server.xml file
  3. Configuring the JSP application
  4. Configuring the FusionReactor web root
  5. Disabling the external web root of FusionReactor

1.  Configuring LDAP

When configuring LDAP for use with tomcat you are required to create a collection of individuals and a collection of groups (one group per required tomcat security role), each user can be assigned to one specific group

In this example, FusionReactor and the JSP application are assigned to separate tomcat roles. The domain structure is as follows

dn: dc=mydomain,dc=com objectClass: dcObject dc:mydomain dn: ou=people,dc=mydomain,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=mydomain,dc=com objectClass: organizationalUnit ou: groups dn: uid=jsmith,ou=People,dc=mydomain,dc=com objectClass: inetOrgPerson uid: jsmith cn: John Smith sn: Smith userPassword: myPassword dn: uid=ajones,ou=People,dc=mydomain,dc=com objectClass: inetOrgPerson uid: ajones cn: Adam Jones sn: Jones userPassword: myPassword dn: cn=fusionreactor,ou=groups,dc=mydomain,dc=com objectClass: groupOfUniqueNames cn: fusionreactor uniqueMember: uid=jsmith,ou=People,dc=mydomain,dc=com dn: cn=myApplication,ou=groups,dc=mydomain,dc=com objectClass: groupOfUniqueNames cn: myApplication uniqueMember: uid=ajones,ou=People,dc=mydomain,dc=com

 

You could instead create one group for example “admin” and use this for FusionReactor and the JSP application.

2. Configuring the server.xml file

Tomcat in its default installation will use a local database to authenticate user access, we need to modify the server.xml file typically located at {Tomcat Root Directory}/conf/server.xml so that tomcat will instead use the LDAP server as it’s authentication service.

To do this first open the server.xml file in a text editor, you should replace the default Realm element tag:

<Realm className="org.apache.catalina.realm.LockOutRealm"> <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. --> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm>

With the following:

<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://myDomain.com:389" userPattern="uid={0},ou=people,dc=myDomain,dc=com" roleBase="ou=groups,dc=myDomain,dc=com" roleName="cn" roleSearch="(uniqueMember={0})" />

More information on realms can be found here: https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

3.  Configuring the JSP application

By default any application you place in the webapps directory of tomcat will be accessible without authentication, however, you may have an application that should only be accessible to a specific user, you can achieve this by modifying the web.xml file of the application this can usually be found at {Tomcat Root Directory}/webapps/{App Name}/WEB-INF/web.xml

Within the “web-app” element tag add the following:

<security-constraint> <web-resource-collection> <web-resource-name>FusionReactor</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>myApplication</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>SecuredApp</realm-name> </login-config>

This will block any user with an unauthorized role from accessing your application, it is possible to define multiple authorized roles my duplicating the “role-name” element tag for example:

<auth-constraint> <role-name>myApplication</role-name> <role-name>fusionreactor</role-name> </auth-constraint>

4. Configuring the FusionReactor web root

With the default configuration of FusionReactor, you will be able to access the Application Performance Monitor through either the application server port (external port), 8080 for tomcat, or the instance port defined in the java arguments (internal port). Accessing FusionReactor through the external port uses the web root, the path to FusionReactor on the port.

By default, this is “/fusionreactor/” so if the internal port is enabled you will be able to access your FusionReactor instance at http://localhost:8080/fusionreactor/.

You can change this value by navigation to FusionReactor > Settings > Web Root:

Securing FusionReactor and jsp applications in tomcat using LDAP, FusionReactor

To configure LDAP security you will first need to create the following web app directory structure:

Securing FusionReactor and jsp applications in tomcat using LDAP, FusionReactor

ensuring you replace “fusionreactor” with your web root.

Your web.xml file should contain the following:

<?xml version=”1.0″ encoding=”UTF-8″?> <web-app version=”2.5″ xmlns=”http://java.sun.com/xml/ns/javaee” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:schemaLocation=”http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd”> <security-constraint> <web-resource-collection> <web-resource-name>FusionReactor</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>fusionreactor</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>SecuredApp</realm-name> </login-config> </web-app>

 

This will ensure that any user that does not have the tomcat role fusionreactor cannot access the instance.

At this stage, you will be able to test that both your application and FusionReactor authentication access is working as expected

5. Disabling the external web root of FusionReactor

Although your external port is now secured FusionReactor is still accessible over the internal port without LDAP authentication, to stop this we simply need to disable the external port.

You can do this in 2 ways:

  1. In the settings page
    1. Simply disable the port
Securing FusionReactor and jsp applications in tomcat using LDAP, FusionReactor

2. In the java arguments

    • Windows – Run the tomcatw.exe application within {Tomcat Directory}\bin
    • Linux – Open the setenv.sh file in a text editor this file should be located at {Tomcat Directory}/bin/setenv.sh

In the -javaagent argument remove the address={port number} configuration option, for example:

-javaagent:/opt/fusionreactor/instance/tomcat7/fusionreactor.jar=name=tomcat7,address=8098 will become –javaagent:/opt/fusionreactor/instance/tomcat7/fusionreactor.jar=name=tomcat7

Conclusion

After following the above steps we should now be in the following state:

  • An unauthorized user cannot access either the JSP application or FusionReactor
  • To Authenticate a user your LDAP server will be contacted
  • Only users with appropriate tomcat roles will be able to access the JSP application of FusionReactor
  • FusionReactor will not be accessible on the internal port

Issue Details

Type Technote
Issue Number FRS-448
Attachments image-2018-07-19-12-41-25-990.png
Resolution Fixed
Last Updated 2020-03-16T11:04:50.857+0000
Fix Version(s) None
Server(s) Tomcat