JHipster: allow non-admin users to create users (spring-boot)

I have a user with the role manager in JHipster, and this role should have the authority to create users.
I have implemented all front-end functionality to allow this user to create users in user management. In admin.route.ts I provided the ROLE_MANAGER authority, and in the canActivate method in user-management.component I gave the authority ROLE_MANAGER. I have also given permission with .hasAnyAuthority() for both the admin and manager roles on the /management/** APIs in the SecurityConfiguration class.
However, when I try to open the user-management page, even though it opens, I see a message at the top which says you are not authorized to see this page. Then when I create the user, I get the error:
Enter: io.xiges.asbestos.adm.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2019-03-11T21:40:58.263Z, principal=user, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]]
2019-03-12 08:40:58.267 DEBUG 25632 --- [ XNIO-2 task-24] i.x.a.adm.aop.logging.LoggingAspect : Exit: io.xiges.asbestos.adm.repository.CustomAuditEventRepository.add() with result = null
2019-03-12 08:40:58.269 WARN 25632 --- [ XNIO-2 task-24] o.z.p.spring.web.advice.AdviceTrait : Forbidden: Access is denied
2019-03-12 08:40:58.272 WARN 25632 --- [ XNIO-2 task-24] .m.m.a.ExceptionHandlerExceptionResolver : Resolved exception caused by Handler execution: org.springframework.security.access.AccessDeniedException: Access is denied.
In my application, I want to give all users in the role manager the authority to create users. What am I missing here?
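The mechanism involved, as an added example written for this page (not the asker's code and not JHipster's generated code): Spring Security enforces the URL-pattern rules of the filter chain and the @PreAuthorize expressions on controller methods independently, so an authority added only to an antMatcher never reaches a method whose expression still names ROLE_ADMIN. Class and constant names are assumed; JHipster itself serves its user endpoints under /api/users and reserves /management/** for actuator endpoints.

```java
import java.net.URI;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Layer 1: URL-pattern rules, evaluated in the security filter chain before any controller runs.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // switches on layer 2 (@PreAuthorize)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed constants, mirroring JHipster's AuthoritiesConstants naming.
    static final String ADMIN = "ROLE_ADMIN";
    static final String MANAGER = "ROLE_MANAGER";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Actuator endpoints: widening this pattern has no effect on /api/users.
            .antMatchers("/management/**").hasAuthority(ADMIN)
            // The user-management REST resource: layer 1 now lets managers through.
            .antMatchers("/api/users/**").hasAnyAuthority(ADMIN, MANAGER)
            .antMatchers("/api/**").authenticated();
    }
}

// Layer 2: method-level rules, checked on the proxied controller method. They deny
// independently of layer 1: a manager who passes the URL rule for POST /api/users
// still receives AccessDeniedException here unless this expression is widened too.
@RestController
class UserResource {

    @PostMapping("/api/users")
    @PreAuthorize("hasAnyAuthority('ROLE_ADMIN', 'ROLE_MANAGER')") // kept in step with layer 1
    public ResponseEntity<Void> createUser(@RequestBody UserDTO userDTO) {
        if (userDTO.login == null || userDTO.login.isBlank()) {
            return ResponseEntity.badRequest().build();
        }
        // ... persist the user here; the authorization decision was already made above
        return ResponseEntity.created(URI.create("/api/users/" + userDTO.login)).build();
    }

    // Minimal stand-in for the page's user DTO.
    static class UserDTO {
        public String login;
    }
}
```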

Related

Authorization error with JHipster + Okta: ROLE_ADMIN not added

I am trying to set up a test JHipster web app with Okta as per this guide.
I am able to log in to my JHipster web app with Okta, and I should be ROLE_ADMIN, but after being redirected back to the web app menu, any attempt to navigate to an entity results in a not authorized/access denied page.
The IDE is IntelliJ and the build tool is Gradle. I am using Java SDK 11.
Okta has ROLE_ADMIN and ROLE_USER groups:
I have added the claim:
The console logs:
Enter: add() with argument[s] = [AuditEvent [timestamp=2020-04-25T19:50:39.747921400Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]]
Exit: add() with result = null
WARN 16660 --- [ XNIO-1 task-52] o.z.problem.spring.common.AdviceTraits : Unauthorized: Full authentication is required to access this resource
WARN 16660 --- [ XNIO-1 task-52] .m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource]
In trying to fix the error, I have added both users and groups to the assignments under the application:
But the problem persists.
What is the fix to be authorized as ADMIN?
Change your groups claim to use a filter of "Matches regex" and it should fix your problem.

Azure IDP metadata loading fails

I am working on a project that re-uses https://github.com/vdenotaris/spring-boot-security-saml-sample to integrate with Azure AD as IDP.
The integration went pretty smoothly. The only thing I couldn't fix was the metadata trust check.
According to https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/chapter-idp-guide.html, it's recommended to set metadataTrustCheck to false to skip signature validation.
However, I'd like to ask if it's possible to use the metadata trust check with Azure.
To recreate, set the IDP metadata URL to
https://login.microsoftonline.com/sample.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
set metadataTrustCheck to true for WebSecurityConfig#extendedMetadataProvider,
and import the login.microsoftonline.com SSL cert into samlKeystore.jks.
2018-01-23 09:58:05.450 DEBUG 9924 --- [localhost-startStop-1] o.o.xml.signature.SignatureValidator : Signature validated with key from supplied credential
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Signature validation using candidate credential was successful
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Successfully verified signature using KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to establish trust of KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.x.s.x.BasicX509CredentialNameEvaluator : Supplied trusted names are null or empty, skipping name evaluation
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Attempting PKIX path validation on untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
2018-01-23 09:58:05.458 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Building certificate path using default security provider
2018-01-23 09:58:05.466 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : PKIX path construction failed for untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:1.8.0_161]
at java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator.validate(CertPathPKIXTrustEvaluator.java:85) ~[spring-security-saml2-core-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]
The issue doesn't happen with the ssocircle metadata https://idp.ssocircle.com/idp-meta.xml.
The certificate used to sign your metadata seems different from the one at login.microsoftonline.com which you imported.
See Signature trust establishment failed for SAML metadata entry

Spring Security Active Directory Authentication

I am using Spring Security and Active Directory for authentication. Below is my configuration:
    registry
        .ldapAuthentication()
            .ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)
            .userDnPatterns("cn={0},cn=Users")
            .contextSource()
                .managerDn("cn=Administrator,cn=Users,cn=COMPANY,cn=COM,cn=TN")
                .managerPassword("xxxxxxx")
                .url("ldap://xxx.xxx.xxx.xxxx:389/cn=COMPANY,cn=COM,cn=TN");
When I try to connect with a valid user, I get this log:
23:30:49.321 [http-bio-8080-exec-8] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
23:30:49.322 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: ben
23:30:49.344 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=ben,cn=Users,cn=COMPANY,cn=COM,cn=TN
23:30:49.345 [http-bio-8080-exec-8] DEBUG o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=ben,cn=Users,cn=COMPANY,cn=COM,cn=TN
23:30:52.371 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.BindAuthenticator - Failed to bind as cn=ben,cn=Users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
Sorry, it was a stupid mistake: I used CN instead of DC.

Web Login Service - Access Denied (Shibboleth IdP 3)

I have configured Shibboleth IdP 3 to authenticate against LDAP (AD).
When I access the following URL
https://FQDN-of-the-IdP/idp/status
I see the following page.
Logs from the IdP show:
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2015-11-24 10:39:43,394 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:108] - Message Handler: No metadata returned for http://google.com/enterprise/gsa/xxxx in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:154] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:175] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer http://google.com/enterprise/gsa/xxxxx
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:284] - Resolving relying party configuration
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:290] - Profile request is unverified, returning configuration shibboleth.UnverifiedRelyingParty
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.UnverifiedRelyingParty for request
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'IDP'
2015-11-24 10:39:43,394 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'SP'
2015-11-24 10:39:43,394 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2015-11-24 10:43:17,231 - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:327] - Default key version has not changed, still secret1
Why can't I get access to the status page?
Make sure that you have set your config\access-control.xml configuration correctly. The default access control is IP-based:
    <entry key="AccessByIPAddress">
        <bean parent="shibboleth.IPRangeAccessControl"
              p:allowedRanges="#{ {'127.0.0.1/32', '192.0.0.0/32','::1/128', '192.168.120.148/32'} }" />
    </entry>
Make sure that you allow the IP to access the IdP; it has to be in CIDR format as well.
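What the IP-based rule above enforces, as an added example written for this page (not Shibboleth's own IPRangeAccessControl source): a client address is admitted only when it falls inside one of the configured CIDR ranges, so a /32 or /128 admits exactly one host and an IPv4 caller never matches an IPv6 range. The extra 10.20.30.0/24 entry is a constructed placeholder for an administrator network.

```java
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

public class IpRangeAccessCheck {

    // The ranges from the access-control.xml snippet above, plus a constructed
    // placeholder network from which administrators open /idp/status.
    static final List<String> ALLOWED = Arrays.asList(
        "127.0.0.1/32", "192.0.0.0/32", "::1/128", "192.168.120.148/32",
        "10.20.30.0/24");

    // True when `address` lies inside `cidr`. Both IPv4 and IPv6 literals are accepted;
    // a missing prefix length means the whole address (a single host).
    static boolean inRange(String cidr, String address) throws UnknownHostException {
        String[] parts = cidr.split("/", 2);
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] ip = InetAddress.getByName(address).getAddress();
        if (net.length != ip.length) {
            return false; // an IPv4 caller never matches an IPv6 range, and vice versa
        }
        int bits = net.length * 8;
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : bits;
        if (prefix < 0 || prefix > bits) {
            throw new IllegalArgumentException("bad prefix length in " + cidr);
        }
        // Mask with the top `prefix` bits set: (2^bits - 1) minus the low (bits - prefix) bits.
        BigInteger mask = BigInteger.ONE.shiftLeft(bits)
            .subtract(BigInteger.ONE.shiftLeft(bits - prefix));
        BigInteger n = new BigInteger(1, net);
        BigInteger a = new BigInteger(1, ip);
        return n.and(mask).equals(a.and(mask));
    }

    static boolean isAllowed(String remoteAddr) throws UnknownHostException {
        for (String cidr : ALLOWED) {
            if (inRange(cidr, remoteAddr)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Loopback over IPv4 or IPv6 from the IdP host itself: admitted.
        System.out.println(isAllowed("127.0.0.1") + " " + isAllowed("::1"));
        // Inside the placeholder /24: admitted. One address past a /32 entry: "Access Denied".
        System.out.println(isAllowed("10.20.30.77") + " " + isAllowed("192.168.120.149"));
    }
}
```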

ALTER command denied to user

I am running Spring Boot and trying to generate the database, but I have an access problem.
The database is created but not the foreign keys, so I did:
    GRANT ALL ON *.* TO 'dbuser@localhost';
    FLUSH PRIVILEGES;
Then I launch the Spring Boot application, but get this error about ALTER denied to dbuser:
ALTER command denied to user 'dbuser'@'localhost' for table 'room_payment'
2015-07-16 12:04:28.099 ERROR 4550 --- [ main] org.hibernate.tool.hbm2ddl.SchemaUpdate : HHH000388: Unsuccessful: alter table vehicle add constraint FK_2k13lq037sx9358mhlf9gfmsc foreign key (model_modelId) references model (model_id)
2015-07-16 12:04:28.100 ERROR 4550 --- [ main] org.hibernate.tool.hbm2ddl.SchemaUpdate : ALTER command denied to user 'dbuser'@'localhost' for table 'vehicle'
2015-07-16 12:04:28.102 INFO 4550 --- [ main] org.hibernate.tool.hbm2ddl.SchemaUpdate : HHH000232: Schema update complete
Wrong quoting:
    GRANT ALL ON *.* TO 'dbuser@localhost';
                        ^----------------^
Since the whole thing is quoted, that's just a username. You want
    GRANT ALL ON *.* TO 'dbuser'@'localhost';
                                ^-^
instead. Note the extra quotes.