Sarah Phillips

Reputation: 953

Getting 403 Forbidden, trying to access secured web service

Has anyone successfully secured a web service using Active Directory credentials instead of an application specific username/password?

I have an application that talks to web services written with Axis2 1.5.1 and deployed on Tomcat 6.0.24, deployed on Linux, FWIW.

I have changed Tomcat from a JDBCRealm, authenticating against a database, to a JAASRealm, configured to access AD with Centrify (the client's preferred solution).

This works with web applications but for web services I get a 403 response.

I have tested using a simple Axis2 service (written with Axis2 1.5.1) and deployed against Tomcat 6.0.24 and 7.0.63. I've also tried with a web service written using Axis2 1.6.2. I get the same result in each case. I'm testing using a browser, BTW. When the service works I get xml; when it doesn't I get the error.

I'm wondering whether I need to change something in axis2.xml since even https://tomcat:8443/HelloWorld (my service is called HelloWorld) generates a 403.

Some configuration details...

I've changed the realm in server.xml to the following

<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="CENTRIFYDC"
       roleClassName="com.centrify.dc.tomcat.RolesPrincipal"
       userClassName="com.centrify.dc.tomcat.LoginPrincipal" />
<Valve className="com.centrify.dc.tomcat.ContextValve" />

In web.xml I have added

<security-constraint>
    <display-name>Security Web Service</display-name>
    <web-resource-collection>
        <web-resource-name>Secured Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>CENTRIFYDC</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
    <role-name>USER</role-name>
</security-role>

I've mapped the USER role to one of my AD groups

Any suggestions or guidance or setups that have worked for someone would be very useful, thanks.

Upvotes: 0

Views: 2947

Answers (2)

Sarah Phillips

Reputation: 953

There were a couple of problems. The first was an error in the server.xml file. JAASRealms can accept several classes for role and user, so the properties are roleClassNames and userClassNames, as follows:

<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="CENTRIFYDC"
       roleClassNames="com.centrify.dc.tomcat.RolesPrincipal"
       userClassNames="com.centrify.dc.tomcat.LoginPrincipal" />

The second issue is around using several applications which use different authorization. The centrifydc.xml file maps roles when the app is first authenticated. However, if org.apache.catalina.authenticator.SingleSignOn is enabled then the roles are set only for the application that performs the authentication. Thereafter, only the roles set in the authenticating application's centrifydc.xml file are set. Other applications will see that the user is already authenticated but does not have the necessary authorization and fail with a 403 error.

If different applications use the roles user, USER and manager, then the logging-in application must set up all three roles when it authenticates.

Upvotes: 0

Albert Chu

Reputation: 21

The 403 error indicates a permission problem after authentication. It is because after SSO, the server will check group membership to see if the user has the proper permission. The 403 error is coming from the role-mapping part of the configuration. SSO to the server is actually working fine.

We would suggest you try the following (the example uses Tomcat 5.5, but it is the same for later versions):

  • Configure tomcat for Centrify

a. Configure tomcat for Centrify by using configure.pl:

     cd /usr/share/centrifydc/java
     ./configure.pl

   Enter /opt/apache-tomcat-5.5.25 when prompted for the tomcat directory.
   Enter /usr/jdk1.5.0_15 when prompted for the java directory.
   Enter y when prompted if you want to configure Tomcat for SSL.
   Enter n when prompted if you want to configure Tomcat for SSL communication with ADFS server.
   Take the default for everything else.

  • Configure webdav for Centrify and use Kerberos (SPNEGO) for authentication

a. Set the logon realm to CENTRIFYDC:

  1. cd /opt/apache-tomcat-5.5.25/webapps/
  2. mkdir webdav/META-INF
  3. create webdav/META-INF/context.xml as:

        <Context path="/webdav">
          <Realm className="org.apache.catalina.realm.JAASRealm"
                 appName="CENTRIFYDC"
                 roleClassNames="com.centrify.dc.tomcat.RolesPrincipal"
                 userClassNames="com.centrify.dc.tomcat.LoginPrincipal"/>
          <Valve className="com.centrify.dc.tomcat.ContextValve"/>
        </Context>
    

b. Configure mapping of AD groups to roles for the jspwiki app.

  1. cp /usr/share/centrifydc/java/templates/centrifydc.xml webdav/WEB-INF/centrifydc.xml

  2. modify the RoleMapping section in webdav/WEB-INF/centrifydc.xml as follows:

        <RoleMapping separator=";">
          <Role name="user" group="*" user="*"/>
          <Role name="@ROLE2@" group="@GROUP2@"/>
          <Role name="@ROLE3@" user="@USER3@"/>
        </RoleMapping>
    

c. Configure web.xml to use Kerberos (SPNEGO) for authentication:

  1. Edit web.xml and add

     <login-config>
         <auth-method>SPNEGO</auth-method>
         <realm-name>Default</realm-name>
     </login-config>

     <!--
     OPTIONAL: Add CentrifyFilter to set the authenticated user's attributes
     such as group membership in HTTP headers. You must also configure the
     <SetHeaders> element in centrifydc.xml to set user attributes in HTTP
     headers.
     This filter is not needed if you do not want the authenticated
     user's attributes set in HTTP headers.
     -->
     <filter>
         <filter-name>CentrifyFilter</filter-name>
         <filter-class>com.centrify.dc.wbase.DCFilter</filter-class>
     </filter>

     <!--
     OPTIONAL: Apply (map) CentrifyFilter to the url patterns in the
     <security-constraint> section of this application to set the
     authenticated user's attributes in HTTP headers.
     This <filter-mapping> is not needed if you do not want the
     authenticated user's attributes set in HTTP headers.
     -->
     <filter-mapping>
         <filter-name>CentrifyFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>ProtectedResource</web-resource-name>
             <url-pattern>/index.html</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>user</role-name>
         </auth-constraint>
     </security-constraint>

     <security-role>
         <description>A test role</description>
         <role-name>user</role-name>
     </security-role>
    

You could also refer to the Centrify Java Guide p.135 for the example of role mapping, configured as follows:

Extensible Markup Language (XML) files, like the centrifydc.xml file, are structured documents that contain a set of supported elements enclosed in opening and closing angle (< >) brackets. The elements can be required or optional depending on the requirements of the application. The following is an example of how the key elements are defined in the centrifydc.xml file:

 <Centrifydc>
   <enableAuthSchemes>Negotiate,NTLM,Basic</enableAuthSchemes>
   <adclientSocket>/var/centrifydc/daemon</adclientSocket>
   <RoleMapping>
     <Role name="role1" group="arcade.com/Users/Sales"/>
   </RoleMapping>
 </Centrifydc>

Although the template centrifydc.xml file contains some default settings, these default settings should be modified in the copy of the centrifydc.xml file you place in an application’s WEB-INF directory. The following table describes the elements you can set in the centrifydc.xml file.

If you need any further assistance, please feel free to contact Centrify Technical Support directly.

Upvotes: 2
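Both answers come down to configuration rather than to Kerberos itself: the plural attribute names on the JAASRealm, which AD groups map to which role in each webapp's centrifydc.xml, and, once the SingleSignOn valve is in play, the fact that only the login app's role mapping applies to later requests. The script below is an added example, not code from the question, either answer, or Centrify; it checks those three points offline. Its server.xml, web.xml and centrifydc.xml fragments are constructed inline, and it assumes RoleMapping semantics the page does not spell out: a Role is granted when the user name or one of the user's groups equals a listed value, `*` matches anyone, and the RoleMapping `separator` (taken as `;` when absent) splits multiple values. The SSO behaviour it models is the one the asker's own answer describes.

```python
"""Offline predictor for the Tomcat/Centrify 403s discussed on this page.

Added example, not code from the page or from Centrify. Assumptions:
a <Role> is granted when the user name or a group equals a listed value,
"*" matches anyone, `separator` (";" if absent) splits values, and with
the SingleSignOn valve only the login app's RoleMapping applies.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (inline strings, not real files).
SERVER_XML_BAD = """<Server><Service><Engine>
<Realm className="org.apache.catalina.realm.JAASRealm" appName="CENTRIFYDC"
       roleClassName="com.centrify.dc.tomcat.RolesPrincipal"
       userClassName="com.centrify.dc.tomcat.LoginPrincipal"/>
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
</Engine></Service></Server>"""
# Same file with the plural attribute names JAASRealm actually reads
# ("className" is untouched: the replace is case-sensitive).
SERVER_XML_GOOD = SERVER_XML_BAD.replace("ClassName=", "ClassNames=")

WEBAPPS = {
    "HelloWorld": {  # the Axis2 service: every path requires USER
        "web.xml": """<web-app><security-constraint>
<web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>USER</role-name></auth-constraint>
</security-constraint></web-app>""",
        "centrifydc.xml": """<Centrifydc><RoleMapping separator=";">
<Role name="USER" group="example.com/Groups/WebServiceUsers;example.com/Groups/Admins"/>
</RoleMapping></Centrifydc>""",
    },
    "portal": {  # the web application users log in to first
        "web.xml": """<web-app><security-constraint>
<web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint></web-app>""",
        "centrifydc.xml": """<Centrifydc><RoleMapping separator=";">
<Role name="user" group="*" user="*"/>
</RoleMapping></Centrifydc>""",
    },
}

def lint_realm(server_xml):
    """Flag the singular attribute names from the question on a JAASRealm."""
    problems = []
    for realm in ET.fromstring(server_xml).iter("Realm"):
        if realm.get("className", "").endswith(".JAASRealm"):
            for bad in ("roleClassName", "userClassName"):
                if bad in realm.attrib:
                    problems.append(f"JAASRealm attribute '{bad}' should be '{bad}s'")
    return problems

def sso_enabled(server_xml):
    return any(v.get("className", "").endswith(".SingleSignOn")
               for v in ET.fromstring(server_xml).iter("Valve"))

def role_mapping(centrifydc_xml):
    """[(role, [group values], [user values])] parsed from a centrifydc.xml."""
    rm = ET.fromstring(centrifydc_xml).find("RoleMapping")
    if rm is None:
        return []
    sep = rm.get("separator", ";")  # assumption: ";" when unspecified
    split = lambda s: [v.strip() for v in s.split(sep) if v.strip()]
    return [(r.get("name"), split(r.get("group", "")), split(r.get("user", "")))
            for r in rm.findall("Role")]

def roles_for(mapping, user, groups):
    """Roles a parsed RoleMapping grants to `user`, a member of `groups`."""
    hit = lambda values, have: any(v == "*" or v in have for v in values)
    return {name for name, gvals, uvals in mapping
            if hit(uvals, {user}) or hit(gvals, groups)}

def _url_match(pattern, path):
    """Servlet-style matching: prefix ("/x/*"), extension ("*.ext") or exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def required_roles(web_xml, path):
    """Roles demanded by matching <security-constraint>s; None if unconstrained."""
    need = None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        pats = [p.text.strip() for p in sc.iter("url-pattern")]
        if auth is not None and any(_url_match(p, path) for p in pats):
            need = (need or set()) | {r.text.strip() for r in auth.iter("role-name")}
    return need

def simulate(server_xml, webapps, login_app, user, groups, app, path):
    """(status, reason) for `user` requesting app/path after logging in via login_app."""
    need = required_roles(webapps[app]["web.xml"], path)
    if need is None:
        return 200, "no security-constraint covers the path"
    # With SingleSignOn the Principal built at login is reused, so the roles
    # come from login_app's mapping rather than the requested app's.
    src = login_app if sso_enabled(server_xml) else app
    have = roles_for(role_mapping(webapps[src]["centrifydc.xml"]), user, groups)
    if need & have:
        return 200, f"role {sorted(need & have)} granted by {src}"
    return 403, f"needs {sorted(need)}, {src}'s centrifydc.xml granted {sorted(have)}"

def sso_gaps(webapps, login_app):
    """Roles other apps require that login_app's RoleMapping never defines."""
    defined = {name for name, _, _ in role_mapping(webapps[login_app]["centrifydc.xml"])}
    gaps = {}
    for app, cfg in webapps.items():
        needed = {r.text.strip() for r in ET.fromstring(cfg["web.xml"]).iter("role-name")}
        if needed - defined:
            gaps[app] = needed - defined
    return gaps

if __name__ == "__main__":
    print(lint_realm(SERVER_XML_BAD))
    print(sso_gaps(WEBAPPS, "portal"))
    groups = {"example.com/Groups/WebServiceUsers"}
    print(simulate(SERVER_XML_GOOD, WEBAPPS, "portal", "sarah", groups,
                   "HelloWorld", "/services/HelloWorld"))
```

Run as-is it reproduces the situation in the question: the sample server.xml is flagged for its singular attribute names, and a user who logged in through `portal` gets a 403 from `HelloWorld` even though she is in the right AD group, because `portal`'s centrifydc.xml only grants `user`. `sso_gaps()` reports exactly the roles the login app's RoleMapping must add (here `USER`) before the other webapps will stop returning 403 after SSO.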
