search

edrikL / javamelody

Automatically exported from code.google.com/p/javamelody
0 stars 0 forks source link

Enable Basic authentication with collect server #214

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Currently it is not possible, to secure the monitoring-URL with basic 
authentication when you want to use a collect server. Because the ip-adress of 
my collect server is not known upfront, IP-whitelists are not an option for me.

I added a patch for javamelody-core, which allows you to provide the username 
and password for Basic authentication in the style 
http://username:password@hostname:port/context. This is of course not the most 
secure way, but sufficient for my scenario.

For Base64-encoding i added the apache commons-codec library to the pom. It was 
not possible for me to easily understand the build.xml, so this has to be done 
by someone else.

I also added the old java.net repository in the pom to solve a dependency 
problem with javax.transaction.jta.

Regards,
Ralf

Original issue reported on code.google.com by purnhar@gmail.com on 6 May 2012 at 6:07

Attachments:

GoogleCodeExporter commented 9 years ago 
Adding the java.net repository in the pom is a No way, because it is 
discouraged to publish in Maven central with external repositories in the pom, 
and because it may slow down or block builds in Maven (for example, 
maven.glassfish.org was stopped for months and without much information).

But I have upgraded the pom to hibernate-core 3.6.9.Final which should fix the 
problem with jta 1.0.1B. Note: hibernate-core is an optional (not transitive) 
dependency which is there only to compile the HibernateBatcherFactory class.

For Base64, I do not want to add commons-codec as a compile dependency for all 
javamelody users.
So I would prefer to include in sources a copy of this codec for example:
http://www.source-code.biz/base64coder/java/

I will do that if you are ok.

Original comment by evernat@free.fr on 9 May 2012 at 9:59

GoogleCodeExporter commented 9 years ago 
Thank you for your quick response. I'm very fine with your decisions. I added 
the dependencies because it was just was the easiest way for me to test the 
authentication code.

I'm looking forward for a new version of javamelody with the authentication 
feature.

Original comment by purnhar@gmail.com on 9 May 2012 at 11:57

GoogleCodeExporter commented 9 years ago 
It is now committed in trunk (revision 2810 and revision 2813) and ready for 
the next release (1.38).

I have made a new build of the collect server from the trunk including that and 
it is available at:
http://javamelody.googlecode.com/files/javamelody-20120511.war
(There is no need to change the version of javamelody in the monitored webapp 
to enable this.)

Doc to be added in the wiki (UserGuideAdvanced):
    Instead of using {{{allowed-addr-pattern}}}, you may want to secure access with http basic authentication (username and password) in the monitored application. For that, add the following in the {{{web.xml}}} file of the monitored application:

{{{
        <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>Monitoring</realm-name>
        </login-config>
        <security-role>
                <role-name>monitoring</role-name>
        </security-role>
        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Monitoring</web-resource-name>
                        <url-pattern>/monitoring</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>monitoring</role-name>
                </auth-constraint>
        </security-constraint>
}}}

    The realm and the user used by the collect server must be defined in the monitored application server, and the user must have the "monitoring" role to have access. For example, if tomcat is used with the default realm in the monitored application server, modify the content of the conf/tomcat-users.xml file as follows: 

{{{
        <?xml version='1.0' encoding='utf-8'?>
        <tomcat-users>
             <role rolename="monitoring"/>
             <user username="monitoring" password="monitoring" roles="monitoring"/>
        </tomcat-users>
}}}

    Then, when you add the monitored application in the collector server, define the username and the password in the URL. For example, the URL of the monitored application, as given to the collect server, could be:
    http://myusername:mypassword@myhost:8080/mywebapp

Original comment by evernat@free.fr on 11 May 2012 at 4:41