I changed authentication method from Form to Windows in Web.config file and added two keys into App.config:
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
After doing that and logging in to my application I get redirected back to login page instead of the one that I usually was redirected before.
Also I have noticed that the code is entering in the class extending HandleErrorAttribute and then executing Application_Error method which is catching an exception saying: "Server cannot set content type after HTTP headers have been sent" before redirecting to a login page.
What am I forgetting to do?
Related
I have a spring boot angular web app hosted in Azure app service which uses keycloak for user management. We have integration with VSCode editor, which is a menu item in the web application.
When user clicks on the menu item, the user is expected to navigate to VS code editor which is loaded in an iFrame within the web application UI.
We leveraged, https://github.com/zmartzone/lua-resty-openidc, with ngnix to implement keycloak authentication in VS Code editor. The VS code editor when accessed directly through the browser gets prompted for keycloak login page and hence can use the editor only after keycloak authentication.
The same VS code editor, when accessed through the web application is expected to get SSO and navigate to the editor within the iframe. This is not happening and the error encountered during rendering through iFrame is
"There was an error while logging in: request to the redirect_uri_path but there's no session state found"
We also see a warning in the set-cookie header attribute, that the set cookie attribute was not set and hence defaulted to "Lax".
The cookie attributes which has this warnings are
Please suggest how we can handle this error.
Tried this solution of adding in web.config file in azure appservice, but this did not work.
Tried adding this cookie header through Spring boot Filter layer and that also did not work
<rewrite>
<outboundRules>
<clear />
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set-Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; secure; SameSite=none" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set-Cookie}" pattern="." />
<add input="{RESPONSE_Set-Cookie}" pattern="; secure; SameSite=none" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
So I have a Spring controller, using Spring Security that was blocked off with a simple It worked fine.
Now I have a requirement that -some- people don't need to be logged in unless they are after my grandmothers cookie recipe. So in my controller code I check to see what recipe they are after, and if it's cookies, I throw a BadCredentialsException();
Now I don't want to split out controller methods. These recipes will be in a DB and some (biscuits) will be available to everyone, others you will want a specific role. (Meats for example)
However, that looks like the exception is being picked up buy the general Exception interceptor and is being re-directed to the "something went wrong" page.
I want them to go to the login page, login, and then be redirected back to the recipe page.
<bean id="failureRedirectHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="useForward" value="true"/>
</bean>
Again, this all worked with the intercept-url access="IS_AUTHENTICATED_FULLY" But why wont it work if I explicitly throw the BadCredentialsException?
I think the exception you want to throw is AccessDeniedException. With a standard configuration, that will redirect the user to the login page if currently not logged in. If logged in, an "access denied" page will be shown. You can customize this access denied page and for example include a link to login as a different user.
The BadCredentialsException is probably not intended to be thrown in controllers, but only internally in security filters, when user has actually has entered some wrong credentials.
I have an asp.net web site which uses asp.net membership to authenticate and authorize users. When a user is not authenticated and types url of some page from the web site, then the user is redirected to login.aspx with ReturnUrl initialized as the Page that was requested. Because of a requirement, I got rid of my login page. It still exists on the web site, but users would log on from a different site. As a result, I don't want unauthenticated access to a page to redirect to login.aspx page. I want to redirect users to some custom page I want. How can I achieve this?
The authentication node in the Web.config should be able to specify this. For example, in Forms authentication, one might have something like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/MyCustomPage.aspx" />
</authentication>
<authorization>
<deny users= "?"/>
</authorization>
<system.web>
My website has Windows Authentication enabled with Negotiate provider listed first as I want to use Kerberos for delegating. It works fine when I run the website from a browser on the web server itself. When I use IE from another machine in the domain, I get the login box. After 3 tries I get a HTTP 401.2 error: Unauthorized.
I've made sure the domain account used by the Application Pool has Read and Execute rights to the website folder, and so does the domain account I'm logging in under when hitting the website (and I've also thrown in 'Authenticated Users' for good measure).
Interestingly if I try to access the site using the web server's IP instead of the name, it loads fine.
Anyone have thoughts?
One year after my first encountering this problem I've solved it.
Got the tip from http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx
Need to set useAppPoolCredentials="true" on the windowsAuthentication element in applicationHost.config (can set via IIS Manager)
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
<providers>
<clear />
<add value="Negotiate" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
The reason you're getting a 401.2 when using a DNS name is most likely due to the fact register the name you're using as a service principle name (SPN) in AD.
Here's a couple of links that should help you out:
Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
Register a Service Principal Name for Kerberos Connections:
http://technet.microsoft.com/en-us/library/ms191153.aspx
In my web application, I have put encrypted password like:
<add name="ConnectionString1" connectionString="Data Source=abc;Initial Catalog=dms;Persist Security Info=True;User ID=sa;Password=****************" />
and at run time, I decrypt it and use it.
It works fine in all pages, but in 1 page it shows error like
Login failed for user 'sa'.
there is no error anywhere. I debug many times, but still it continues.
Instead I use actual connection string it works fine.
what should I do?