How to access sonarqube if the server requires basic authentication? - maven

Our sonarqubeinstance deployed on a server which requires basic authentication. How we should configure sonar maven plugin in this case? Any combination of sonar.login and sonar.host.url (with or without user:password for server) will result in 401 error

The sonar-runner, even if configured with credentials, does not use these to make it's first call to the server. The endpoint is /batch/index. You have to allow public access to that endpoint. For all other urls basic auth is fine.
I have more details in my answer here: https://stackoverflow.com/a/60132667/1838233

Related

How can I setup keycloak and Spring to use HTTPS when redirecting to login page

I'm trying to reach a Spring Boot API hosted on a server with my Angular application, but I have some CORS issues.
CORS Error in the console
Redirection Flow
I tried several things, I added my URLs in both keycloak and Spring, and I think I found the origin of the problem but can't seems to resolve it.
I believe the problem comes from the fact that keycloak redirects to http://user-service.cubetech-app.fr/sso/login instead of the HTTPS version of that url. I read that when the browser detect a redirection on a different hostname it change the Origin header to null, and I think this is what creates the CORS error.
I don't know how to force HTTPS on the internal redirection.
For further informations, my spring backend and my keycloak server are hosted on my VPS, in a docker, and behind a traefik reverse-proxy that enables HTTPS with Let's Encrypt.
Check the webOrigins value of the client you use in Keycloak.
Realm settings-> clients -> {your client}

Spring boot application with Azure AD throws Reply URL does not match

I have a spring boot application integrated with Azure AD SAML login. I have followed this sample to achieve this. It works fine in localhost but on deployment to a prod url, it keeps giving below error
the redirect uri that I see in the authorization request URL starts with http. This is contradictory because Azure App Registration does not allow to configure any non https URLs and only exception is localhost.
In order to match URLs, I tried editing App Registration's manifest in Azure portal to make it http. Now, it seems URLs match but then I get below error:
I have also tried setting https URL both on azure portal and application.properties using "azure.activedirectory.redirect-uri-template" as mentioned in stack overflow post here but that also does not work.
I have also gone through this post but that also didn't help.
Any help would be much appreciated.
In order to solve the error of redirecting to https but the redirect_uri in request still starts with http, there are two similar issues:
1. The HTTPS requests terminate at the proxy and the proxy then uses HTTP protocol to communicate to your Tomcat server. You will face this if you deploy your code on cloud providers like App Service. Answer is here.
In application.properties:
security.oauth2.client.pre-established-redirect-uri=https://yourappurl.net/login
security.oauth2.client.registered-redirect-uri=https://yourappurl.net/login
security.oauth2.client.use-current-uri=false
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
server.tomcat.use-relative-redirects=true
server.use-forward-headers=true
server.tomcat.internal-proxies=.*
2. Add server.forward-headers-strategy=native in applications.properties. Answer is here. For more about this setting, see here.

Setting up authentication/authorization using Traefik ForwardAuth

I'm using Docker to setup some services and Traefik 2 acts as a reverse proxy for these services.
So far I was using Basic Auth to protect the access to the services, but I'm trying to get rid of the user/pass prompt.
Looking at the Traefik's documentation, I found the "ForwardAuth" middleware which seems fine. I'm planning to use it to replace Basic Auth, but a full implementation example is not provided as an example, and I'm having a hard time trying to set it up.
So far, thanks to Traefik forward-auth, I'm successfully calling a specific URL on a remote server in charge of the authentication (this server is developped with Spring Boot by myself). I understand that if the authentication server answers 200, it means "authentication success" while another code means "authentication failure".
Yet, I'm currently unable to write the authentication code on the remote server as I don't know how to check if I must return 200 or something else. Especially I don't know how to communicate information between Traefik and the authentication server.
Basically, the problems I have are:
I can't ask the user for his/her username/password using Traefik
When the authentication server receives the request from Traefik, it has no way to define that the source request was a previously authenticated user
The following picture shows most of my concerns:
What I'd like to achieve is the following behavior:
The user tries to access to the Docker services without entering any username/password
Traefik determines that the user is not authenticated, thanks to forward-auth it asks the authentication server for authentication
The authentication server determines that the user is not authenticated, the user is redirected to the login page
The user enters his/her username/password on the authentication server
The user is redirected to the Docker services
Traefik determines that the user is authenticated
So far, I can successfully achieve step 1 to 5, but I don't know how to achieve step 6.
Is this the right way to use ForwardAuth?
If it is, are there some headers I must use to transfer the auth information? If not, is it possible to achieve what I want using ForwardAuth?
As far as i understand, traefik also forwards Any headers accompaning the original request. If you are not filtering Any. see docs traefik forward-auth.

Spring Security Kerberos SSO for a REST API (Tomcat)

Here is my problem:
Context :
-Windows Server 2012 with ActiveDirectory
-Tomcat
-Rest API (Spring)
I'm currently trying to restrict REST request. I want that only specific groups of the AD could access to specific resources. I'm restricted to Kerberos authentication.
System configuration
Create a user in domain "Tomcat"
setspn -a HTTP/apirest.domain#DOMAIN
Generate a tomcat.keytab using ktpass
API rest configuration
I'm using the spring security sample on github that you can find here :
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth
I know that there is an EntryPoint and this is not needed in my context (API Rest). I've chosen this sample because it seems to use the windows authentication context and use it to automatically authenticate me in the spring security context. Right after, an ldap request is send to extract all information about the user logged. In my case, I need to extract the group.
I'm also using :
https://github.com/GyllingSW/kerberos-demo
To extract the role of the user with the class "RoleStrippingLdapUserDetailsMapper.java" instead of the "ActiveDirectoryLdapAuthoritiesPopulator". This implementation also offers localhost authentication but the issue with the NTLM token seems to be fixed in last commit of spring security.
I'm not really sure if this is the right way to do what I want.
My authentication seems to fail and I only have one things going wrong in my logs..
"Property 'userDn' not set - anonymous context will be used for read-write operations"
Questions
Do I have to run my tomcat service using the tomcat account ? (Seems to be, yes)
Am I doing the right things with Kerberos security ?
How can I get rid of the anonymous context?
The anonymous context seems to be set just right after Tomcat start. I want to get a context just after that my user (For instance, user1) requests the rest API (EntryPoint or whatever)
If there is something unclear let me know, I will try to reformulate!
Thanks,
You do not need to query LDAP to get information about which groups does user belong to. Active Directory already adds this information to the Kerberos ticket which is sent from browser to Tomcat.
You just need to extract this information from the token for example using Kerb4J library. It comes with Spring integration inspired by spring-security-kerberos project so it should be pretty easy to switch to it.
If you still want to query LDAP you need to authenticate in LDAP before you can make any queries. Again there's no need to use end-user accounts for it - you can use the keytab file for Kerberos authentication in LDAP and query groups using "Tomcat" account
I found a way to fix my issue.
In a REST API context, you have no entry point. I tried to set my entry point to an unmapped URL, just to do the negociation. By doing this, you will receive an HTTP response with the error code 404 (Not found) but with the right header was added by spring security (WWW-Authenticate).
The web browser will not send the ticket service if the error code is not 401.
To solve this problem, you have to create a CustomEntryPoint class (implements AuthenticationEntryPoint) and you need to override the "commence" method to return a 401 HTTP code with the right header.
I hope that could help. If there is a better way, let me know !

JMeter authentication error : 401

Currently I am having problem to login my application using Jmeter scripts for SSO login.Shows unauthorized but all my credentials that I provided to login into application are okay.
It was working earlier.
I have already implemented each and everything that require to run Jmeter to my application earlier.
Currently I am stuck at this point.If anyone has idea? If so it would be so nice to have that idea/help.
check if it is NTLM authentication then you need to provide Mechanism as "Basic Digest" and if any domain then mention in Realm as "{domainname}\"
Most probably this is due to irrelevant configuration of the HTTP Authorization Manager
Looking into WWW-Authenticate Negotiate, it seems application you are testing is using NTLM or Kerberos authentication so you need to properly configure JMeter in order to be able to bypass it.
See Windows Authentication with Apache JMeter article for more detailed explanation and example configurations for NTLM and Kerberos.

Resources