I want to setup libzmq plaintext authentication for my pub server. How can I do that??
The official doc is too simple. http://api.zeromq.org/4-1:zmq-plain. I set ZMQ_PLAIN_SERVER = 1, But I don't know how to set username and password to the socket.
In Java, I can use
public ZAuth configurePlain(String domain, String filename)
To specify an auth file, then I put usernames and passwords in it like the following:
username1=password1
username2=password2
...
I found czmq has a similar operation http://czmq.zeromq.org/czmq4-0:zauth which I failed to see
the equivalent in libzmq.
In trying to get a Liberty container to work I'm encountering the following problem.
For a database connection I have an authData section like this in the server.xml:
<authData id="datasourceAuth" user="test" password="{xor}ABCD"/>
When I try to run the server with the password not encoded the database connection works as expected, but when the password is encoded I get this message: Connection refused (Connection refused). ERRORCODE=-4499, SQLSTATE=08001 DSRA0010E: SQL State = 08001, Error Code = -4,499
It looks like the password isn't being decoded when setting up the connection, but I don't understand why or if I am missing something in the configuration.
Encoding of data source passwords is supported in Liberty and ought to be working. I'll provide a more complete example aligning with the style of config you are using, as well as a reference to an official knowledge center doc with its own example
Use the securityUtility to encode the password,
securityUtility encode --encoding=xor test123
output:
{xor}KzosK25tbA==
Configure the value on authData and use the authData on a dataSource,
<authData id="datasourceAuth" user="test" password="{xor}KzosK25tbA=="/>
<dataSource id="testdb" jndiName="jdbc/testdb" containerAuthDataRef="datasourceAuth">
<jdbcDriver libraryRef="db2jcc"/>
<properties.db2.jcc databaseName="TESTDB" serverName="localhost" portNumber="50000"/>
</dataSource>
The authentication data applies when using a resource reference with container authentication.
I'd recommend going back and trying all of the steps again to rule out the possibility of a typo or copy/paste error. If it still doesn't work, then raise a case against OpenLiberty here,
https://github.com/OpenLiberty/open-liberty/issues/new/
How to specify a user id and password for Visual Studio Code with an authenticating proxy?
I've seen the Proxy Server Support on the main VS Code site, but this only mentions two settings ...
"http.proxy": "http://10.203.0.1:5187/"
"http.proxyStrictSSL": false
I've set these, but still no luck, e.g. I can't install extensions ... can't even get a list of them
I suspect it's our proxy, as it needs a user id and password :-(
So how can you set these values?
Set credentials inside the proxy url:
http://username:password#10.203.0.1:5187/
WARNING: Setting your password in plaintext in a file can easily lead to your account being compromised. Further it might violate your companies data security guidelines. https://cwe.mitre.org/data/definitions/256.html
If you don't want to store your credentials in the settings file, fiddler can be used to proxy the call to the proxy. Furthermore, I believe the above only works for proxy servers using basic authentication, the following should work for NTLM.
VSCode Open Settings File:
%APPDATA%\Code\User\settings.json
add the following:
{
"http.proxy": "http://127.0.0.1:8888",
"http.proxyStrictSSL": false
}
Fiddler Confirm fiddler settings:
Fiddler Ensure Fiddler set to automatically authenticate:
VSCode Extensions should now be online:
Update
This is now no longer required following implementation of PR #22369 which was implemented in version 1.15 Proxy server authentication.
In my case I still needed to add:
"http.proxyStrictSSL": false
My favorite response here is David Martin's suggestion of using Fiddler. But in case that is not something you want to undertake, below is how to set your credentials for the proxy.
To specify DOMAIN + username + password: (It will likely not work with a slash, so use %5C in the place of the slash as shown below)
// The proxy setting to use. If not set will be taken from the http_proxy and https_proxy environment variables
"http.proxy": "http://DOMAIN%5Cusername:password#proxy_name_or_ip:port",
"https.proxy": "http://DOMAIN%5Cusername:password#proxy_name_or_ip:port",
// Whether the proxy server certificate should be verified against the list of supplied CAs.
"http.proxyStrictSSL": false,
To specify just username + password:
// The proxy setting to use. If not set will be taken from the http_proxy and https_proxy environment variables
"http.proxy": "http://username:password#proxy_name_or_ip:port",
"https.proxy": "http://username:password#proxy_name_or_ip:port",
// Whether the proxy server certificate should be verified against the list of supplied CAs.
"http.proxyStrictSSL": false,
The venerable CNTLM could help you. You give it your credentials, tell it about the upstream proxy, run it on your local machine, then point VS to the proxy at http://localhost:3128.
http://cntlm.sourceforge.net/
It's a handy solution for any application that doesn't support authenticated proxies.
I really like the solution David Martin posted (further below) using Fiddler, however I wanted to figure out how to use http.proxyAuthorization and here is my solution considering you are OK to have credentials saved in base64 encoded format in the settings.json file.
WARNING: Saving credentials in base64 encoded format is certainly better than plain text, however consider base64 encoding as obfuscation not an encryption and the account can still be compromised - use at your own risk. Consider modifying the ACL of the settings file to reduce read access to it.
Step 1: Encode your credentials using the code below:
var s = #"DOMAIN\user:pass";
var bytes = System.Text.Encoding.UTF8.GetBytes(s);
Console.WriteLine(Convert.ToBase64String(bytes));
RE9NQUlOXHVzZXI6cGFzcw==
Step 2: Update VS Code settings by adding http.proxyAuthorization using the base64 encoded value from above:
{
"https.proxy": "https://internal-proxy.corp.net:8080",
"http.proxyAuthorization": "Authorization: Basic RE9NQUlOXHVzZXI6cGFzcw=="
}
Step 3: Secure the settings.json by updating it's ACL
Since you have stored credentials in the file to increase the security you can modify the ACL of the settings file by removing the local administrators group - make sure only you can read this file. I used the following PowerShell script to remove the local admin group for example:
#Requires -Version 5.1
# PowerShell 5.1 min version required for the code below
$settings = "$env:appdata\Code\$env:username\settings.json"
$acl = (Get-Item $settings).GetAccessControl('Access')
$acl.SetAccessRuleProtection($true,$true) # removes the ACL inheritance
$accesToRemove = $acl.Access | ?{ $_.IsInherited -eq $false -and $_.IdentityReference -eq 'BUILTIN\Administrators' }
$acl.RemoveAccessRule($accesToRemove)
Set-Acl -AclObject $acl $settings
Please take ref to this article.
https://taeguk.co.uk/blog/working-in-visual-studio-behind-the-firewall/
Let’s assume my NTLM login is DOMAIN\User Name and my password is P#ssword!
The format for the credentials needs to be DOMAIN\User Name:P#ssword!, but you need to URL Encode the user name and password.
A simple online URL encoded can translate your username and password to: DOMAIN%5CUser%20Name and P%40ssword!.
Piece all this info into a single string like so: http://DOMAIN%5CUser%20Name:P%40ssword!#proxy-cluster.fqdn.local:8881
Then add this into your User Settings in File, Preferences against the "http.proxy" value:
// Place your settings in this file to overwrite the default settings
{
"http.proxy": "http://DOMAIN%5CUser%20Name:P%40ssword!#proxy-cluster.fqdn.local:8881"
}
"http.proxy": "http://DOMAIN//USER:PASSWORD#wsg.test.com:8080".
Do not forget to add the port.
Use the below command and replace the username,password and ip address of you proxy:port
PS C:\Users\rathakrishnan> npm config set proxy http://username:password#172.18.10.27:3128
PS C:\Users\rathakrishnan> npm install -g #angular/cli
in Visual Studio Code (my version is 1.32.3) you write a request, i.e.
### my request
GET https://defdomain.prefix.com/app/resource
Authorization: bXl1c2VyOnVzZXIyMkBwYXNzd29yZA==
Wherefore the Authorization header is of type "Basic base64encoded" and consists of
myuser:user22#password (username:usercredentials) base64 encoded. Thats all.
I have an RP for which I've built a login page using the Json feed from ACS. The IP images are linked to the .LoginUrl attribute of the feed and when I click on one of the images it correctly jumps to that IP's page.
Entering my credentials, however, I'm redirected to a page on the appfabriclabs.com site with the following error:
HTTP Error Code: 400
Message: ACS50000: There was an error issuing a token.
ACS50011: The RP ReplyTo address is missing. Either the RP ReplyToAddresses
are not configured or an invalid wreply 'https://www.skillscore.it/' was received
in the sign-in request.
the RP is configured in the App Labs site with a returnUrl of:
https://www.skillscore.it/Home/FederationResult
and in looking at the wreply parameter in the feed, I see:
https%3a%2f%2fskillscore.accesscontrol.appfabriclabs.com%3a443%2fv2%2fwsfederation
According to some SO articles like [this one] the return url of the app should be a prefix of the wreply parameter - which is clearly not the case here.
so... what have I done wrong now?
e
p.s. one interesting bit of info: in the Application Integration page of ACS there is a link to the ACS-hosted login page. the link used there seems to differ from the one I'm given in the feed; in particular, the ACS-hosted page uses a wctx of:
pr%3dwsfederation%26rm%3dhttps%253a%252f%252fwww.skillscore.it%252f
whereas the feed gives me:
pr%3dwsfederation%26rm%3dhttps%253a%252f%252fwww.skillscore.it%252f%26ry%3dhttps%253a%252f%252fwww.skillscore.it%252f
so I don't know what that's worth but maybe it's a clue to what's wrong.
* update *
decoded, that last string is:
pr=wsfederation
&rm=https%3a%2f%2fwww.skillscore.it%2f
&ry=https%3a%2f%2fwww.skillscore.it%2f
which clearly shows the Json feed is providing an ry that is not present in the ACS-hosted page... meaning anything to anyone?
ok. my bad. apparently, when I was fetching the Json feed, the URL I used did not have the reply_to set correctly.
I am trying to read a public calendar (in public folders) in my Exchange server.
I am sending the following query to my Exchange server, and the server replies with 400 - Bad Request.
<?xml version=""1.0""?>
<g:searchrequest xmlns:g=""DAV:"">
<g:sql>
SELECT
""urn:schemas:httpmail:subject"",
""urn:schemas:calendar:location"",
""urn:schemas:calendar:dtstart"",
""urn:schemas:calendar:dtend""
FROM
Scope('SHALLOW TRAVERSAL OF ""https://server/public/SomeFolder/SomeCalendar/""')
</g:sql>
</g:searchrequest>
Now that same query works with this store URL:
https://server/exchange/username/calendar/
So I know that's the URL that is wrong in the query.
If I paste the problematic URL in my web browser, it will come up with the calendar, so the URL does seem fine though.
Any help appreciated.
Thanks
Xavier
Try
https://server/public/SomeFolder/SomeCalendar/?cmd=contents
Thanks SillyMonkey for your input.
Your URL returned the same error but I have found out the problem was with the endpoint I was connecting to to submit the query.
I was posting the query to this URI:
string uri = string.Format("{0}/exchange/{1}", server, credentials.UserName);
and now changed it to:
string uri = string.Format("{0}/public", server);
I am a bit surprised that I have to use different endpoints depending whether I am querying the user's mailbox or the public folders, but it seems to be the way it is.