Basic server administration
Once the installation has been completed, it's time to carry out some basic administration tasks. The most obvious one is creating one or more users to manage your platform. Out of the box, a script called add-user.sh is provided along with your installation. The purpose of this script is to manage two different types of user:
- Management users: users in charge of administrating your application server
- Application users: users in charge of accessing your applications
Note
Important notice!
The add-user script uses a very simple file-based mechanism to store the users' information. This can be acceptable for basic security requirements. Real-world scenarios, however, would need to use more appropriate security policies as detailed in Chapter 11, Securing the Application Server, of this book.
You can execute the add-user script both in an interactive way and in an automatic way.
In order to execute the add-user script in an interactive way, just execute it as follows and provide the requested information:
$ ./add-user.sh
What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): a
Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : administrator1
. . . . .
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
About to add user 'administrator1' for realm 'ManagementRealm'
Is this correct yes/no? yes
To represent the user add the following to the server-identities definition <secret value="UGFzc3dvcmQxIQ==" />
We have removed some negligible information from the output so that you can focus on the required arguments of the script. The same information can also be supplied in a non-interactive way by providing the username with the -u parameter, the password with -p, and the group (if needed) with -g. You can distinguish between management users and application users with the -m and -a parameters.
Here is how to create a management user:
$ ./add-user.sh -m -u administrator1 -p Securepassword1!
Note
Once you have created the management user, you can verify that the login correctly lets you through the management console, which is available at http://localhost:9990.
On the other hand, here is the shell command to create an application user belonging to the guest group:
$ ./add-user.sh -a -u demouser -p Securepassword1! -g guest
Note
Beware that creating users in a non-interactive way exposes your username and password in the shell history and in the system process table if you are a Linux user.
Once you have created your users, the following files (contained in the configuration folder of your server base directory) will be updated:
-rw-rw-r--. 1 francesco francesco  711 Oct 26 06:13 application-roles.properties
-rw-------. 1 francesco francesco  935 Oct 26 06:13 application-users.properties
-rw-rw-r--. 1 francesco francesco  646 Nov 24 16:11 mgmt-groups.properties
-rw-------. 1 francesco francesco 1111 Nov 24 16:11 mgmt-users.properties
The application-roles.properties file holds the list of roles granted to application users. The application-users.properties file contains the list of application users and their hashed passwords. Conversely, mgmt-groups.properties contains the list of roles granted to management users, and mgmt-users.properties holds the management users and their hashed passwords. As a final note, the passwords contained in the *-users.properties files are hashed using this format:
username=HEX( MD5( username ':' realm ':' password))
Note
How to recover the password
Because the hash is MD5-based, the password cannot be recovered from it. On the other hand, consider that most hashes are also non-unique; rather, they're unique enough, so a collision is highly improbable, but still possible.
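As an added example (not code from the book or from the application server), this Python example recomputes the hash in the format shown above, checks a supplied password against a *-users.properties entry, and flags a users file that group or others can access, unlike the -rw------- mode in the listing. The helper names, the UTF-8 encoding, and the sample file are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import stat
import tempfile

def hash_entry(username, realm, password):
    # HEX(MD5(username ':' realm ':' password)); UTF-8 encoding is an assumption
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()

def load_users(path):
    # Parse username=hash lines, skipping blank lines and '#' comments
    users = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, digest = line.partition("=")
                users[name.strip()] = digest.strip().lower()
    return users

def verify(users, username, realm, password):
    # Recompute the hash and compare in constant time; unknown users fail
    stored = users.get(username)
    return stored is not None and hmac.compare_digest(
        stored, hash_entry(username, realm, password))

def too_permissive(path):
    # True if group or others have any access (the listing shows -rw-------)
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def demo():
    # Constructed sample file, built in a temporary directory (POSIX modes)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mgmt-users.properties")
        digest = hash_entry("administrator1", "ManagementRealm", "Securepassword1!")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\nadministrator1=" + digest + "\n")
        os.chmod(path, 0o644)
        loose = too_permissive(path)   # readable by group/others
        os.chmod(path, 0o600)
        tight = too_permissive(path)   # owner only
        users = load_users(path)
        good = verify(users, "administrator1", "ManagementRealm", "Securepassword1!")
        bad = verify(users, "administrator1", "ManagementRealm", "wrong-password")
        return good, bad, loose, tight

if __name__ == "__main__":
    print(demo())
```

Because the username and realm are part of the hashed input, the same password yields a different entry for each user and realm.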