Error with SAF Realm on Tomcat 6.0.18

Issues and Questions related to running Apache Tomcat on z/OS
Post Reply
Ant
Posts: 6
Joined: Tue Dec 01, 2009 1:09 am
Location: Darwin, NT, Australia

Error with SAF Realm on Tomcat 6.0.18

Post by Ant » Tue Dec 01, 2009 1:44 am

Hi:

I've tried to set up SAf security using the instructions found on http://dovetail.com/docs/tomcat/saf.html

Step 1 - skipped, nothing non-standard in LIBPATH

Step 2 - Checked, appropriate libs program-controlled

Step 3 - Modified SERVXML member to read:

<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>

<!- For SAF(RACF) Authentication, replace the Realm above with: -->
<Realm className="com.dovetail.zos.tomcat.SafRealm"
resourceName="SafRoleDatabase"/>

Step 4 - Updated SAFROLES member to read:

<role rolename="manager"
safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>

<role rolename="admin"
safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>

and added appropriate RACF profiles.



When TOMCAT starts, get this warning message:

WARNING: ÝSetPropertiesRule¨{Server/Service/Engine/Realm} Setting property 'resourceName' to 'SafRoleDatabase' did not find a matching property.

And trying to access /manager/html gives these error messages:

SEVERE: An exception or error occurred in the container during the request processing
Throwable occurred: java.lang.ClassCastException: org.apache.catalina.users.MemoryRole incompatible with com.dovetail.zos.tomcat.Role
at com.dovetail.zos.tomcat.SafRealm.hasRole(SafRealm.java:129)
at org.apache.catalina.realm.RealmBase.hasResourcePermission(RealmBase.java:790)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:507)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:735)


I imagine I have a typo in SERVXML somewhere but I'm buggered if I can see it.


Thanks, Ant. Thompson
Northern Territory Government, Australia

dovetail
Site Admin
Posts: 1781
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Tue Dec 01, 2009 9:12 am

I'm not absolutely certain that this is the entire problem, but in step 3, you are missing a closing XML end-commend (-->) after the third line. Also, two lines later, your begin commend is missing a dash:

Code: Select all

<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
-->

<!-- For SAF(RACF) Authentication, replace the Realm above with: -->
<Realm className="com.dovetail.zos.tomcat.SafRealm"
resourceName="SafRoleDatabase"/> 

Ant
Posts: 6
Joined: Tue Dec 01, 2009 1:09 am
Location: Darwin, NT, Australia

Post by Ant » Tue Dec 01, 2009 7:52 pm

Um... I left --> out so that the end-of-comment was seen at the end of the SAF(RACF) comment line, so I thought it was working like this:

<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>

<!- For SAF(RACF) Authentication, replace the Realm above with: -->


<Realm className="com.dovetail.zos.tomcat.SafRealm"
resourceName="SafRoleDatabase"/>


where the red bit is all a comment and the green bit is code. The second '-' at the start of the SAF(RACF) comment line was removed because the parser moaned about the presence of '--' within a comment.

Nevertheless, I changed the syntax to what was recommended above and it has made a (slight) difference. I'm still getting the warning message:

WARNING: ÝSetPropertiesRule¨{Server/Service/Engine/Realm} Setting property 'resourceName' to 'SafRoleDatabase' did not find a matching property.

And now when I try /manager.html, instead of all the other error messages and my browser hanging in limbo, I just get a http404 error message in the browser and no further error messages in the Tomcat STDERR log:

HTTP Status 404 - /manager.html

--------------------------------------------------------------------------------

type Status report

message /manager.html

description The requested resource (/manager.html) is not available.


--------------------------------------------------------------------------------

Apache Tomcat/6.0.18


Cheers, Ant.
Northern Territory Government, Australia

dovetail
Site Admin
Posts: 1781
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Tue Dec 01, 2009 8:19 pm

It looks like it is complaining that it can't find a resource named "SafRoleDatabase".

In the sample that we distribute, there should be this:

<Resource name="SafRoleDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="z/OS SAF Role Database"
factory="com.dovetail.zos.tomcat.SafRoleDatabaseFactory"
pathname="conf/saf-roles.xml"
readonly="true" />

Did you remove this?

Ant
Posts: 6
Joined: Tue Dec 01, 2009 1:09 am
Location: Darwin, NT, Australia

Post by Ant » Tue Dec 01, 2009 8:45 pm

No, these statements are still in SERVXML:

<GlobalNamingResources>
<!-- The default Tomcat user database -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml"
readonly="true" />

<!-- The following used only if you setup the SAF(RACF) <Realm> -->
<Resource name="SafRoleDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="z/OS SAF Role Database"
factory="com.dovetail.zos.tomcat.SafRoleDatabaseFactory"
pathname="conf/saf-roles.xml"
readonly="true" />


At one point I removed the definition for the default Tomcat user database, but it didn't like that very much so I put it back in.


Cheers, Ant.
Northern Territory Government, Australia

dovetail
Site Admin
Posts: 1781
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Tue Dec 01, 2009 8:49 pm

Better email me a copy of your SERVXML member to look at to info@dovetail.com

Ant
Posts: 6
Joined: Tue Dec 01, 2009 1:09 am
Location: Darwin, NT, Australia

Post by Ant » Tue Dec 01, 2009 9:01 pm

Done.

Thankyou, Ant.
Northern Territory Government, Australia

Ant
Posts: 6
Joined: Tue Dec 01, 2009 1:09 am
Location: Darwin, NT, Australia

Post by Ant » Thu Dec 03, 2009 1:56 am

Oh, I was calling the manager in the wrong way... but when I did it properly I get the same errors as originally reported. :(

dovetail
Site Admin
Posts: 1781
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Fri Dec 04, 2009 4:32 pm

Thanks for reporting this problem.
We have found that a change in Tomcat 6 caused our SAF realm configuration not to work.

We have corrected this in the T:Z Tomcat 1.0.1 distribution (12/4/2009). The only change is to the file: <TOMCAT_HOME>/lib/zos-tomcat.jar. Those who are running T:Z 1.0.0 can download the new distribution and copy this jar to a running configuration to correct the problem.

Ant
Posts: 6
Joined: Tue Dec 01, 2009 1:09 am
Location: Darwin, NT, Australia

Post by Ant » Sun Dec 06, 2009 8:59 pm

Replacement zos-tomcat.jar fixed the problem.

Thanks very much, Ant.
Northern Territory Government, Australia

fagu
Posts: 14
Joined: Wed Dec 02, 2009 8:51 am

TCAT.DEV.MYROLE never checks authorization?

Post by fagu » Mon Dec 21, 2009 5:56 am

1. SAF/RACF started to work after downloading and copying V1.0.1-version. However, the file is now in ascii, not ebcdic:
BROWSE /usr/local/tomcat/conf/saf-roles.xml
Command ===>
********************************* Top of Data ******
..Ì_%.ÎÁÊËÑ?>.......Á>#?ÀÑ>$..ÍÈÃ.......Ë/Ã.Ê?%ÁË...
******************************** Bottom of Data ****
and manually changing it to ebcdic will end up with a ascii file when tomcat6.0.18 is stopped.

2. Used racf-commands
RDEF EJBROLE TCAT.DEV.MYROLE UACC(NONE)
PE TCAT.DEV.MYROLE CLASS(EJBROLE) ACCE(RE) ID(TEUSERS)
RDEF EJBROLE TCAT.DEV.MANAGER UACC(NONE)
PE TCAT.DEV.MANAGER CLASS(EJBROLE) ID(TT0XGF1) ACCESS(READ)

but still no racuid/password needed for the
http://zos-tomcat:8080/
$CATALINA_HOME/webapps/ROOT/index.html

but the "manager" page
http://zos-tomcat:8080/manager/status
work well using racuid/password authorization.

Any hints why "TCAT.DEV.MYROLE" works as it does?

dovetail
Site Admin
Posts: 1781
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Mon Dec 21, 2009 9:47 am

1. for historical reasons, the Saf Realm saves the saf-roles.xml file when it quits, which is why you see it being update. We will fix it to save in EBCDIC. Thanks for pointing this out.


2. This is working as designed. The manager application is requiring logon since it's web.xml requires the "manager" role, which is connected via saf-roles.xml to the TCAT.DEV.MANAGER SAF class.

fagu
Posts: 14
Joined: Wed Dec 02, 2009 8:51 am

Post by fagu » Tue Dec 22, 2009 4:17 am

2. This is working as designed. The manager application is requiring logon since it's web.xml requires the "manager" role, which is connected via saf-roles.xml to the TCAT.DEV.MANAGER SAF class.

==> OK

3. Could You please help me how I make racuid/password mandatory for
$CATALINA_HOME/webapps/ROOT/index.html
and all others?

dovetail
Site Admin
Posts: 1781
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Tue Dec 22, 2009 10:49 am

AFAIK, Tomcat security is setup by web application. I'm not aware of a mechanism to set it up for all webapps. You might want to ask this question on the tomcat-users list.

For securing a given webapp, you would define a role to saf and then configure all or selected URLs in the webapp to require that role by adding definitions to the web.xml file:

Code: Select all

<!-- Define a security constraint on this application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
</security-constraint> 			

<!-- Define the login configuration for this application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to this application
  </description>
  <role-name>myrole</role-name>
</security-role>

Post Reply