<RequestMap applicationId="default">
<Host name="www.example.org">
<Path name=**"secure"** authType="shibboleth" requireSession="true"/>
</Host>
Hi I am new to shibboleth. In "RequestMap" there is a child tag called "path". What is that tag for and what is the value should be in path name = " "?
It is the path which needs to be secured.
Suppose path is * then your whole www.example.com is secured, i.e. you need to have valid session in shibboleth to access www.example.com.
But if the path is secure then just www.example.com/secure is secured via shibboleth, you can access any www.example.com/xyz path without shibboleth authorization.
You can have multiple path items as child elements.
Shibboleth is an authorization tool, it just authorize - prevent user to access some part of module with shibboleth authentication (idP's authentication).
Related
I am trying to change the request url value in admin route.xml. When i use vendor_module as frontName it`s working fine. but when i try to use module as a frontName in admin route then its not working.
Vendor/ModuleName/etc/adminhtml/route.xml
Before
<router id="admin">
<route id="vendor_module" frontName="vendor_module">
<module name="Vendor_ModuleName" />
</route>
</router>
After
When i use below code as admin route it`s not worked for me. Like when i try access url module/template/edit then its redirect to admin Dashboard page.
<router id="admin">
<route id="vendor_module" frontName="module">
<module name="Vendor_ModuleName" />
</route>
</router>
Note : I want to use this without turn off Admin > Store > Configuration > Advanced > Admin > Security > Add Secret Key to URLs
The id and front name in the route.xml file must be synchronized with each other. If you set it differently it won't know what URL you're using so it will redirect you to the admin's home page.
For field: Add Secret Key to URLs, the main function of this field is secret Key is useful for preventing CSRF (Cross-site request forgery) Attack (The most practical example is in your case). This is a security bug that has been fixed by Magento. If you disable this field, your admin page will be very vulnerable to attack
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
I recommend leaving this option enabled.
I have the following configuration in Apache in my service provider:
<Location /login >
AuthType Shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
After authentication, I tried to access the headers in another page, but they did not exist.
It looks like additional configuration is required in Apache.
How do I configure so that Shibboleth is triggers at /login and yet other pages have access to the headers?
Assuming you are using java to fetch shibboleth parameters;
Shibboleth attributes can only be fetched by AJP, So you have to have
AJP enabled in your server.
In shibboleth SP's shibboleth2.xml file's ApplicationDefaults tag add this parameter - attributePrefix="AJP_", this will send parameters as AJP.
In apache enable mod_proxy_ajp module and pass ajp via
ProxyPass /my-application/login ajp://localhost:8009/my-application/login
Even if this is done, shibboleth parameters won't display directly under parameters.keySet(). But if you do parameters.get(key) then it will return some value sent by shib.
Above behaviour may vary for different servers; i.e. you may need to get values by parameters.get("AJP_"+key). P.S. check in both header and request object.
i have two web site domain1.com and domain2.com user come in domain1.com and i authenticate
it and create authenticate cookie ,is it possible to share this cookie by domain2.com,for
example when user Soto domain2.com is authenticated because it authenticated in domain1.com?
is it possible?
I'm looking for a simple way and these domains are not
a sub domains they are two separate site
notice i don't want use sql server url parameter or other ways
thanks all
Absolutely. Hopefully both sites share the same username database or it is replicated so that you can secure and access content by using the HttpContext.User.Identity.Name.
Anyways, basically you need to update your web.config <authentication> section to be exactly the same between the two sites. This means your machine key, decryption key, algorithm....everything.
Here is the MSDN article with the full directions on how to proceed to share authentication across several applications
This is possible using <authentication> and <machineKey> in your web config.
Machine Key
Contains a decrytion key and validation key. This must be the same in both web configs.
<machineKey
decryptionKey="A225194E99BCCB0F6B92BC9D82F12C2907BD07CF069BC8B4"
validationKey="6FA5B7DB89076816248243B8FD7336CCA360DAF8" />
Auhentication
This must be in both web configs but the values are specific to the application.
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH"
path="/"
loginUrl="~Membership/login"
protection="ALL"
timeout="1000" />
</authentication>
I have an ASP.NET MVC 3 application with a self hosted ServiceStack API that provides the data. After I added the API location path in Web.Config the API is callable by my code and works well:
<location path="api">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
The problem I have is that when the application is running the API is accessible via the browser - I can simply type http:\localhost:xxxx\api into the browser. What would be a good approach to restricting access to my self hosted API so that I can continue to call it within the MVC 3 application but prevent users from accessing the API via the browser?
Note that at some point in the future I will want to expose some areas of the API to make them publicly accessible.
Note: the Authorization and Authentication support built-into ServiceStack is independent and decoupled from ASP.NET's Authentication.
You can generically restrict access to all your services by inheriting from a base class which contains one or more of:
[Authenticate] - Only allow access to Authenticated users
[RequiredRole] - Only allow access to users in the specified roles
[RequiredPermission] - Only allow access to users with the specified permissions
Note: These attributes also work in your MVC Controllers that inherit from ServiceStackController or Controllers marked with the [ExecuteServiceStackFilters] attribute.
You can inspect a MVC + ServiceStack demo that uses these attributes in the Social Bootstrap Api example project.
Another way you can generically restrict access is by registering a global Request filter which get executed on every request.
One possibility is to use a specific user for accessing the API:
<location path="api">
<system.web>
<authorization>
<allow users="api_user" />
</authorization>
</system.web>
</location>
Then configure your API to be accessible only by the api_user. This way any other authenticated user in the browser won't be able to access this API. In your ASP.NET MVC 3 application you could create an authentication ticket with the given user before sending an HTTP request to the API.
Also notice that using the <location> tag in web.config to control authorization in ASP.NET MVC application is a very bad idea. The reason for this is that you are relying on some url (api). But ASP.NET MVC works with routes. So you should be using the [Authorize] or a custom authorization attribute to decorate the corresponding controllers/actions that you want to protect. This way your authorization is no longer dependent on your routing configuration.
Another possibility is to use a custom authoriza attribute and implement an access token.
has anyone implemented signgle sign on in MVC? Can anyone give me any example for single sign on in MVC.
I've implemented a SSO solution between multiple ASP.NET MVC applications hosted on the same parent domain (app1.domain.com, app2.domain.com, ...) by using Forms Authentication and setting the domain property of the cookie in web.config of all applications:
<forms
name="ssoauth"
loginUrl="/login"
protection="All"
timeout="120"
requireSSL="true"
slidingExpiration="false">
domain="domain.com"
/>
When you set the domain property of the cookie, this cookie will automatically be sent by the client browser to all applications hosted on this domain and will be able to authenticated the user automatically.
If you want to implement a cross domain SSO using Forms Authentication here's what you could do:
The user navigates to foo.com and signs in. The application hosted on foo.com uses standard Forms Authentication, nothing fancy.
The user decides to go to bar.com and clicks on a link that you created. This link could contain a token parameter which will contain the encrypted username. This encryption could be done using the machine keys and look something like this: https://bar.com?token=ABC.
The application hosted on bar.com receives the request and because it uses the same machine keys as the other application it is capable of decrypting the token and fetching the username. Then it simply signs in the user by emitting an authentication cookie locally and the user is automatically signed in bar.com.
Below is an example for SSO for websites sharing same domain
http://www.codeproject.com/Articles/27576/Single-Sign-on-in-ASP-NET-and-Other-Platforms
Please see my answer here. Basically you need to set Authentication mode to windows on web.config and use HttpContext class to retrieve user identity which takes data from Active directory
https://stackoverflow.com/a/40938106/950944