Ignore LtpaToken in WebSphere Liberty - websphere-liberty

My organization already has some web applications deployed on a liberty server, using its SSO, which sets an LtpaToken cookie for the entire intranet domain.
Now we are switching to openidconnect authenticated, sessionless (with JWT) secured web applications.
Authentication is working fine - only the browser is involved - and authorization is also working fine (with feature mpJwt-1.1).
But when the user comes from another web application (within the same session), the browser sends LtpaToken2 cookie and liberty rejects the request with 401 (unauthorized).
I'd like to:
completely ignore whichever LtpaToken cookie happens to come in the request (yes, completely ignore, as if it was never there, either valid or invalid, or expired or whatever, our new applications could never care less for the older SSO scheme);
never ever generate an LtpaToken once the first request with a valid JWT token comes in.
EDIT
The 2nd point above is not really happening (to be clear, this new liberty server is not generating an LtpaToken).
I've managed to create a MWE, comprising (in fact so minimal that you only need the server.xml and any index.html):
(server.xml)
<server>
<featureManager>
<feature>servlet-3.1</feature>
<feature>mpJwt-1.1</feature>
</featureManager>
<applicationManager autoExpand="true" />
<webApplication location="mysample.war" contextRoot="/" />
<httpEndpoint host="*" httpPort="9080" id="defaultHttpEndpoint"/>
<mpJwt id="server.xml-<mpJwt/>"
issuer="sso-issuer"
keyName="sso-jwk"
/>
</server>
(index.html)
any content will do
I could positively reproduce the 1st point (rejecting with 401) with a simple 'Cookie: LtpaToken2' header (yes, don't event need a value):
$ curl -v http://localhost:9080/index.html -H 'Cookie: LtpaToken2'
This returns the index.html file indeed, but with HTTP Status 401. For html this is fine. For the javascript files this is not (the browser refuses to run the scripts).
Response headers are:
HTTP/1.1 401 Unauthorized
X-Powered-By: Servlet/3.1
WWW-Authenticate: Bearer realm="MP-JWT", error="invalid_token"
Date: Wed, 01 Jul 2020 22:18:52 GMT
Content-Type: text/html
Last-Modified: Wed, 01 Jul 2020 21:51:32 GMT
Content-Length: 11
Content-Language: en-US
At startup the server reports:
...
[AUDIT ] CWWKS4104A: LTPA keys created in 1.716 seconds. LTPA key file: .../target/liberty/wlp/usr/servers/mysample/resources/security/ltpa.keys
...
[AUDIT ] CWWKF0012I: The server installed the following features: [appSecurity-2.0, cdi-1.2, distributedMap-1.0, jndi-1.0, jsonp-1.0, jwt-1.0, mpConfig-1.3, mpJwt-1.1, servlet-3.1, ssl-1.0].`
...
Change the request header "Cookie" to anything other than "LtpaToken2", and the result is the very same index.html, but with status 200 instead.

Found a workaround:
<server>
...
<webAppSecurity ssoCookieName="" useOnlyCustomCookieName="true"/>
...
</server>

Related

Authentication unsuccessful error even after right username and password passing in "HTTP Authorization Manager"

HTTP/1.1 401
X-message-code: PWD_WRONG
WWW-Authenticate: Basic realm="SAP HANA Cloud Platform"
Transfer-Encoding: chunked
Date: Fri, 18 Oct 2019 11:06:40 GMT
Server: SAP
Set-Cookie: BIGipServerl4097iflmapavrhcip.factory.customdomain=!Nu8jU3HA2IxyvHz2sXeD7QV2Vba36noiDcfL3aW4P6aJ3bFLqxzKN/NcLEGyHmjUFAx3qBE6h10zBwU=; path=/; Httponly; Secure; httponly; secure
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Some times, the site may encode the password at the frontend and then send it to the server which can decode it. Check with your dev team if the password is encoded by a javascript before being sent
Logically X-message-code: PWD_WRONG indicates that you provided wrong password. Double check your credentials in the HTTP Authorization Manager, it might be the case you made a typo, even characters which are not visible like whitespace or line break matter.
Looking into Create new user on Cloud Integration thread:
The message displayed (PWD_WRONG) means the member has never logged into the SCP Account and no credentials were provided to it.
Also looking here it might be the case you need to supply an appropriate client-side certificate

Cookie not set after HTTP request with Set-Cookie response header

Context: I'm trying to couple a separate frontend (Nuxt.js) with a Laravel backend. Session (logged in user etc.) is maintained by the backend and should be stored and updated in the frontend using cookies. I am making API calls using Axios.
I am currently running my frontend on localhost:3000 and my backend on 127.0.0.1:8000. When I make API calls from the frontend, I get the following headers in the response:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:3000
Cache-Control:no-cache, private
Connection:close
Content-Type:application/json
Date:Sun, 15 Oct 2017 13:05:24 GMT
Host:127.0.0.1:8000
Set-Cookie:laravel_session=fuqQf1fX3ZwQYl7xORGPopgZhD4qw5Mfi8lFrHTJ; expires=Sun, 15-Oct-2017 15:05:24 GMT; Max-Age=7200; path=/;
Vary:Origin
X-Powered-By:PHP/7.0.10
From what I understand, the browser should now set/update the laravel_session cookie. However, when I check the cookies in Chrome devtools, nothing changes.
Are the different URLs (or at least ports) an issue here? Am I missing some kind of header or directive that is required? I've done some research but haven't found a solution yet.

Using Active Directory roles while accessing a website from JMeter

In our company the web app that we are testing uses the active directory roles assigned to the user for accessing the website.
Edit:
Important information that I forgot to mention is that, while accessing the website I am not prompted for the username and password. The website is only displayed if I have the correct Active Directory role assigned to my user profile.
For Example,
Opening IE as myself - able to access the website.
Opening IE as a service account (with required Active Directory roles) - able to access the website.
Opening IE as a different user outside my project - not able to access the website.
I have tried (skeptically, desperate to get it working) Basic/ Kerberos Authorization in the HTTP Authorization Manager and even running JMeter as that service account still no luck. I keep getting the below
Thread Name: Users 1-1
Sample Start: 2017-04-26 17:08:18 CDT
Load time: 83
Connect Time: 13
Latency: 83
Size in bytes: 438
Sent bytes:136
Headers size in bytes: 243
Body size in bytes: 195
Sample Count: 1
Error Count: 1
Data type ("text"|"bin"|""): text
Response code: 401
Response message: Unauthorized
Response headers:
HTTP/1.1 401 Unauthorized
Server: nginx/1.10.1
Date: Wed, 26 Apr 2017 22:08:18 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
X-Frame-Options: deny
X-Content-Type-Options: nosniff
HTTPSampleResult fields:
ContentType: text/html
DataEncoding: null
I am just trying to find out if any one here has got the JMeter working in a similar scenario/ if any one can point me in the right direction to overcome this hurdle.
Thanks all for your help in advance.
You need to identify the exact implementation of the authentication in your application.
Given you receive WWW-Authenticate: Negotiate - this is definitely not Basic HTTP Auth.
Negotiate may stand either for NTLM or for Kerberos (or in some cases for both, i.e. if Kerberos is not successful it will fall back to NTLM) and JMeter needs to be configured differently for these schemes.
For example for NTLM you need to provide only credentials and domain in the HTTP Authorization Manager and for Kerberos you need to populate Realm and set your Kerberos settings (KDC and login config) under jaas.conf and krb5.conf files
See Windows Authentication with Apache JMeter article for more information and example configurations.

Token based authentication for user and separate module

I have 2 scenarios where I want to implement the token based authentication:
I want to implement token based authentication when a user logs in. i.e.. based on username and password , user should get a token and that token should be used with every request.
I have a separate independent module which has ID and secret Key. It has to communicate with server in specific interval. I want to implement token based authentication for this module also.
In both the cases token should have these properties:
It should be in payload.
It should have a timeout period
When token expires server should provide a new token,if the session is not expired else it should logout.
Is OAuth 2.0 right choice? If any other approach is better, Please tell me.
What should I do to solve this problem?
Which is the best place to put token in request -Payload or header? and Why?
OAuth 2.0 is a good choice for the requirements you mentioned: timeout period and refresh-ability.
Stormpath has an excellent OAuth2.0 implementation that gives you what you are looking for out of the box.
Stormpath has both remote and local OAuth2 Implementations and both are freely available. For the remote case you can rely on our backend using any REST client (http://docs.stormpath.com/guides/token-management/) and any of our SDKs. For the local case you can use our Servlet plugin to run a Web-app with out of the box OAuth2 support. Using the docs link above, you can find documentation for these resources.
Using the Stormpath Spring Boot integration, for instance, you could do something like this:
http -v --form POST http://localhost:8080/oauth/token \
> 'Origin:http://localhost:8080' \
> grant_type=password username=micah+demo.jsmith#stormpath.com password=<actual password>
(This example uses httpie to interact with a locally running Spring Boot instance). The line I've bolded above conforms to the OAuth2.0 spec for authenticating with usernames and passwords. What you get back is a response like:
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 325
Content-Type: application/json;charset=UTF-8
Date: Tue, 04 Aug 2015 16:02:08 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: account=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxNDQyNmQxMy1mNThiLTRhNDEtYmVkZS0wYjM0M2ZjZDFhYzAiLCJpYXQiOjE0Mzg3MDQxMjgsInN1YiI6Imh0dHBzOi8vYXBpLnN0b3JtcGF0aC5jb20vdjEvYWNjb3VudHMvNW9NNFdJM1A0eEl3cDRXaURiUmo4MCIsImV4cCI6MTQzODk2MzMyOH0.wcXrS5yGtUoewAKqoqL5JhIQ109s1FMNopL_50HR_t4; Expires=Wed, 05-Aug-2015 16:02:08 GMT; Path=/; HttpOnly
{
"access_token": "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxNDQyNmQxMy1mNThiLTRhNDEtYmVkZS0wYjM0M2ZjZDFhYzAiLCJpYXQiOjE0Mzg3MDQxMjgsInN1YiI6Imh0dHBzOi8vYXBpLnN0b3JtcGF0aC5jb20vdjEvYWNjb3VudHMvNW9NNFdJM1A0eEl3cDRXaURiUmo4MCIsImV4cCI6MTQzODk2MzMyOH0.wcXrS5yGtUoewAKqoqL5JhIQ109s1FMNopL_50HR_t4",
"expires_in": 259200,
"token_type": "Bearer"
}
This provides a bearer token that can be used on subsequent requests as well as an expiration. Plus, it has the advantage of being a JWT - JSON Web Token. The JWT is cryptographically signed to ensure that it hasn't been tampered with and it can be decoded to provide additional meta-information to your client, including user information, access controls and expiration.
You could do something very similar using the grant_type=authorization_code for interacting using an id and secret, such as for the independent module you mentioned.
This article goes into more detail on token authentication with Java.
Full disclosure: I am a Stormpath employee and I wrote the article referenced above.

Open SSO Authentication failure when invoking via Oracle PLSQL

I am an Oracle Developer, we have a requirement to read the contents of a filenet documents via oracle database , but OpenSSO is enabled in our environments which is currently blocking us to read the data from filenet server.
While checking with OpenSSO guys , they confirmed that while invoking the filenet URL via browser , a session cookie gets generated in OpenSSO which plays a significant role in authentication.
But , when we tried to invoke the same filenet URL via Oracle pl/sql ( i.e database) , we could see the cookie details as below. However, we don't understand , why opensso was still not showing 'successful authentication'.
We googled the error code X-AuthErrorCode: -1 which says "In the response you're going to receive "X-autherrorcode" header, if it's value 0, then the login was successful. Also, you need to check the
iPlanetDirectoryPro cookie for admin session id".
With all these information, can someone please help us in getting the root cause of the authentication failure in OpenSSO?
HTTP response status code: 200
HTTP response reason phrase: OK
X-Powered-By: JSP/2.1
Server: Sun GlassFish Enterprise Server v2.1
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: (2011-March-02 18:42)
AM_CLIENT_TYPE: genericHTML
Set-Cookie:
AMAuthCookie=AQIC5wM2LY4SfcyXSVnslvF7a5TLMa4KXz5Op9tRKzczinU.*AAJTSQACMDE.
*; Domain=.companyname.co.uk; Path=/
Set-Cookie: amlbcookie=01; Domain=.companyname.co.uk; Path=/
X-AuthErrorCode: -1
Set-Cookie: AMAuthCookie=LOGOUT; Domain=.companyname.co.uk;
Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID=286b0c94d89dffd4f602831969ae; Path=/opensso;
Secure
Content-Type: text/html;charset=UTF-8
Date: Fri, 24 Oct 2014 14:19:23 GMT
Connection: close
While downloading a Text file from filenet, we got the content as below
HTTP Status 401 -
type Status report
message
descriptionThis request requires HTTP authentication ().
Sun GlassFish Enterprise Server v2.1.1
Can someone please help me at the earliest to get a solution for this ? Is this really possible to make the authentication success via oracle database packages rather than invoking the URL via browser ? if it is possible what should be next step I need to do ?
Any help would be much appreciated.
Thanks and Regards,
Remya Sudhakaran

Resources