Archive for April, 2010

JRE Exploit happened!

April 11, 2010 3 comments

Tavis Ormandy discovered a bug in Java Web Start. This critical bug in the Java Runtime Environment allows code to be run remotely on any machine with Java 6.0 update 10 or later. In practice anyone can be attacked simply by visiting a specially crafted page.

To explain how the exploit can work, you need to know that ever since 1.6.10 Sun has distributed an NPAPI plugin (for Firefox, Chrome etc.) and an ActiveX control (for Internet Explorer) called “Java Deployment Toolkit” that simplifies distributing applications to end users via Web Start. The launch() method of this toolkit accepts a URL as a parameter; however, this parameter is poorly validated, so arbitrary parameters can be passed through it. The parameter is later passed on to javaws, which allows any code to be run on the attacked machine.

Tavis Ormandy created a proof-of-concept application to show the exploit in use. The source of this PoC was published by Rubén Santamarta. Currently there is no fix for the bug and, according to Tavis Ormandy, Oracle/Sun is not planning to fix it quickly:

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

Categories: News

Installing Liferay with MySQL, CAS and openLDAP on Ubuntu (part 3)

April 8, 2010 2 comments

This is the third part of the article “Installing Liferay with MySQL, CAS and openLDAP on Ubuntu”.

5. Installing and configuring CAS

The easiest way to integrate CAS with openLDAP is to build CAS using Maven. The created war file will contain all needed dependencies, and all properties will be set inside the configuration files. Before we move on you first need to download the CAS sources and unpack them somewhere in your file system (for example /home/user/Downloads/cas). We will refer to this folder (or to its path) as CAS_SOURCE further in this tutorial.

5.1 Configuration of dependencies and properties

1. Go to folder $CAS_SOURCE/cas-server-webapp and in file pom.xml add

<dependency>
     <groupId>${project.groupId}</groupId>
     <artifactId>cas-server-support-ldap</artifactId>
     <version>${project.version}</version>
</dependency>

2. Go to folder $CAS_SOURCE/cas-server-webapp/src/main/webapp/WEB-INF and open file deployerConfigContext.xml

3. In file deployerConfigContext.xml inside bean authenticationManager comment out SimpleTestUsernamePasswordAuthenticationHandler

<!--
<bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
-->

4. Add FastBindLdapAuthenticationHandler inside authenticationManager bean (where SimpleTestUsernamePasswordAuthenticationHandler used to be)

<bean
class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
  <property name="filter" value="uid=%u,ou=people,dc=it,dc=mycompany,dc=com" />
  <property name="contextSource" ref="contextSource" />
</bean>

5. Add new bean called contextSource

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="pooled" value="true"/>
        <property name="urls">
            <list>
                <value>ldap://localhost/</value>
            </list>
        </property>
        <property name="userDn" value="cn=admin,dc=it,dc=mycompany,dc=com"/>
        <property name="password" value="asdfgh"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key>
                        <value>java.naming.security.authentication</value>
                    </key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
</bean>
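Before building the war it is worth checking that the edits in steps 3 to 5 actually took effect, because the mistake that matters most here is silent: if SimpleTestUsernamePasswordAuthenticationHandler is left uncommented, CAS keeps accepting any login whose password equals the username, regardless of what LDAP says. The following Python script is an added example written for this tutorial (it is not part of CAS) that parses a deployerConfigContext.xml and reports exactly that, plus a FastBind handler without the %u placeholder, a contextSource ref that does not resolve to an LdapContextSource, and a plaintext ldap:// URL pointing at a remote host (simple bind sends the admin password in the clear). Both embedded configurations are constructed samples; the hostname ldap.internal in the second one is made up.

```python
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
TEST_HANDLER = ("org.jasig.cas.authentication.handler.support."
                "SimpleTestUsernamePasswordAuthenticationHandler")
FASTBIND = "org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler"
CONTEXT_SOURCE = "org.springframework.ldap.core.support.LdapContextSource"


def _prop(bean, name):
    """Return the direct child <property name="..."> of a bean, or None."""
    for p in bean.findall("{%s}property" % BEANS_NS):
        if p.get("name") == name:
            return p
    return None


def _host(url):
    """Host part of an ldap:// or ldaps:// URL (simple string split, no DNS lookup)."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0]


def lint(xml_text):
    """Return a list of findings for a CAS deployerConfigContext.xml; empty means OK."""
    # ElementTree drops XML comments, so a bean that was commented out is simply absent.
    root = ET.fromstring(xml_text)
    beans = list(root.iter("{%s}bean" % BEANS_NS))
    by_id = {b.get("id"): b for b in beans if b.get("id")}
    findings = []

    if any(b.get("class") == TEST_HANDLER for b in beans):
        findings.append("test handler still active: any login whose password "
                        "equals the username succeeds")

    fastbinds = [b for b in beans if b.get("class") == FASTBIND]
    if not fastbinds:
        findings.append("no FastBindLdapAuthenticationHandler configured")
    for fb in fastbinds:
        flt = _prop(fb, "filter")
        if flt is None or "%u" not in (flt.get("value") or ""):
            findings.append("FastBind 'filter' lacks the %u username placeholder")
        cs = _prop(fb, "contextSource")
        ref = cs.get("ref") if cs is not None else None
        target = by_id.get(ref)
        if target is None or target.get("class") != CONTEXT_SOURCE:
            findings.append("contextSource ref %r does not resolve to an LdapContextSource" % ref)
            continue
        urls = _prop(target, "urls")
        values = ([(v.text or "").strip() for v in urls.iter("{%s}value" % BEANS_NS)]
                  if urls is not None else [])
        if not values:
            findings.append("contextSource has no LDAP urls")
        for url in values:
            if url.startswith("ldap://") and _host(url) not in ("localhost", "127.0.0.1"):
                findings.append("plaintext ldap:// to remote host %s: simple bind sends the "
                                "admin password in the clear, use ldaps:// or StartTLS" % _host(url))
    return findings


# Constructed sample: the configuration as it should look after steps 3 to 5.
GOOD_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers"><list>
      <!--
      <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
      -->
      <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
        <property name="filter" value="uid=%u,ou=people,dc=it,dc=mycompany,dc=com" />
        <property name="contextSource" ref="contextSource" />
      </bean>
    </list></property>
  </bean>
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls"><list><value>ldap://localhost/</value></list></property>
    <property name="userDn" value="cn=admin,dc=it,dc=mycompany,dc=com"/>
    <property name="password" value="asdfgh"/>
  </bean>
</beans>"""

# Constructed sample: test handler forgotten, and a remote directory reached over plaintext.
BAD_CONFIG = GOOD_CONFIG.replace("<!--", "").replace("-->", "") \
                        .replace("ldap://localhost/", "ldap://ldap.internal/")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint(cfg) or ["OK"])
```

Run it against $CAS_SOURCE/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml by reading the file into `lint()`; an empty list is what you want before you type the mvn command in 5.2.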

5.2 Building CAS war file

Building the CAS war file actually requires only the modules cas-server-core, cas-server-webapp and cas-server-support-ldap; however, you can always build all components (some modules simply won’t be used). For me personally, this is the much quicker way. So all you really need to do now is open your command line, go to the $CAS_SOURCE folder and type

mvn -Dmaven.test.skip=true clean install

The created war file (called cas.war) can be found inside the folder $CAS_SOURCE/cas-server-webapp/target. Now all you need to do is deploy this file in Tomcat: just copy it to the folder LIFERAY_ROOT/tomcat/webapps/.

6. Integrating Liferay with CAS and with openLDAP

6.1 Integrating Liferay with CAS

1. Start Liferay

2. Log into the admin account (at this point Liferay is not yet integrated with CAS)
login: test@liferay.com
password: test

3. Go to Control Panel -> Settings -> Authentication -> CAS

4. Select values ‘Enabled’ and  ‘Import from LDAP’
[x] Enabled
[x] Import from LDAP

5. In the default values change cas-web into cas and localhost into your server’s DNS name (for this tutorial it will be it.mycompany.com), or leave it as localhost if you don’t have a DNS name for your server.

6. In the field “Server Name” enter the DNS name: it.mycompany.com:443

7. In the field “Service URL” enter the path to the service: https://it.mycompany.com:443/c/portal/login

6.2 Integrating Liferay with openLDAP

1. Go to Control Panel -> Settings -> Authentication -> LDAP
2. Select ‘Enabled’ option
3. Select openLDAP
4. Values

Connection:
base provider: ldap://localhost:389
base dn: dc=it,dc=mycompany,dc=com
principal: cn=admin,dc=it,dc=mycompany,dc=com
password: asdfgh
(test connection)

Users:
Authentication Search Filter: (uid=@screen_name@)
Import Search Filter: (objectClass=uidObject)
Screen Name: uid
Password: userPassword
Email Address: email
Full Name:
First Name: name
Last Name: sn
Job Title: (leave it empty)
Group: member

Groups:
Import Search Filter: (objectClass=groupOfNames)
Group Name: cn
Description: description
User: member
(test connection)

5. In Import/Export:

Import Enabled: [x]
Import on Startup Enabled: [x]
Import Interval: any value e.g. 5 minutes
Export Enabled: [ ]

6. Go to Control Panel -> Settings -> Authentication → General and change “How do users authenticate?” to “By Screen Name”

7. Accept changes by clicking “Save” button
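Both the CAS bind template from 5.1 (uid=%u,ou=people,…) and Liferay’s authentication search filter from 6.2 ((uid=@screen_name@)) work by substituting the submitted login name into a template. The Python snippet below is an added illustration for this tutorial, not code from CAS or Liferay, of how that substitution has to be done safely: a name going into a DN gets RFC 4514 escaping and a name going into a search filter gets RFC 4515 escaping, so characters such as ',' '=' '*' or parentheses in a submitted name cannot change the structure of the DN or the filter. The function names and the sample names are my own.

```python
# RFC 4514, section 2.4: characters that must be backslash-escaped inside a DN value
_DN_SPECIAL = set(',+"\\<>;=')

# RFC 4515, section 3: characters that must be hex-escaped inside a filter assertion value
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_dn_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would be read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces are dropped unless escaped
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def cas_bind_dn(template, username):
    """Fill a CAS FastBind template such as 'uid=%u,ou=people,...' with an escaped username."""
    return template.replace("%u", escape_dn_value(username))


def liferay_auth_filter(template, screen_name):
    """Fill a Liferay filter template such as '(uid=@screen_name@)' with an escaped screen name."""
    return template.replace("@screen_name@", escape_filter_value(screen_name))


if __name__ == "__main__":
    dn_template = "uid=%u,ou=people,dc=it,dc=mycompany,dc=com"
    filter_template = "(uid=@screen_name@)"
    # Constructed sample names: a plain one and ones carrying DN / filter metacharacters.
    for name in ("jdoe", "jdoe,ou=admins", "j*"):
        print(cas_bind_dn(dn_template, name))
        print(liferay_auth_filter(filter_template, name))
```

The point of the two separate escapers is that the template in CAS is a DN, while the template in Liferay is a filter; the two grammars reserve different characters, so a value that is harmless in one can still break the other.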

After importing users and groups you need to give the group “admins” the role “Administrator”. Go to Control Panel → Roles → Administrator → Assign Members → User Groups. Select the group “admins” and click “Update Associations”.

Part 4 is coming soon….


Categories: Articles