Can I export a LTPA key file from a WebSphere Application Server 8.0.x, then import the file to an Liberty Profile Server and use the SSO functionality? (16.0.0.3)
I tried it out and it seems not to work. I get a login screen instead of being automatically logged-in.
Following configuration is done in server.xml:
...
<ltpa keysFileName="${server.output.dir}/ltpakeyexport.keys" keysPassword="ltpatest" expiration="400" />
<webAppSecurity ssoCookieName="ltpav2" ssoDomainNames="myintranet.net"/>
<basicRegistry id="basic" ignoreCaseForAuthentication="true" realm="realmNameFromWAS">
...
LTPA keys can be exported from WebSphere Application Server console. Global security > LTPA -> Cross-cell single sign-on
Provide the password and the file name to export LTPA keys.
These LTPA keys can be used on the Liberty Profile Server using the same password as specified above while exporting.
If you are trying to use Single Sign On (SSO) between WebSphere Application Server and Liberty profile, you will also need to make sure that the "realm name" is same for user registry (LDAP) on both. Realm name can be specified on Liberty profile by specifying realm="MyRealm" in ldapRegistry definition.
Hmm, i was able to trace down the problem by enabling tracing:
<logging traceSpecification="com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all"/>
I found the following exeption:
com.ibm.ws.security.registry.EntryNotFoundException: uid=KARSTEN,type=Person,scope=LTPA does not exist
at com.ibm.ws.security.registry.basic.internal.BasicRegistry.getUserSecurityName(BasicRegistry.java:506)
So, user cannot be automatically authenticated because the user id "uid=KARSTEN,type=Person,scope=LTPA" does not exist. Thats true, only user "KARSTEN" does exists. There seems to be a regex matching problem because the used pattern
java.util.regex.Matcher[pattern=([^:]+):(\QMyRealm\E)/(.*) region=0,49 lastmatch=user:MyRealm/uid=KARSTEN,type=Person,scope=LTPA]
does not only match the user id but the whole string including "type=Person" etc.
When i create this user in basic registry:
<basicRegistry id="basic" ... >
...
<user name="uid=KARSTEN,type=Person,scope=LTPA" password="test" />
...
</basicregistry>
everything works like expected!
Seems to be a bug in WLP (or our WebSphere 8.0.x SSO infrastructure provides a non standard identifier for users).
((Pattern specified in com.ibm.ws.security.AccessIdUtil.setSecurityService():38 ~))
Related
I am using exactly the same settings for javax Mail session, which works like charm in SpringBoot App but fails in Tomee Server.
On SpringBoot's application.properties, I have the following settings (which works):
spring.mail.host=smtp.gmail.com
spring.mail.port=587
spring.mail.username=<my gmail>
spring.mail.password=<App PW generated on Google>
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=true
And here are the setting in Tomee's conf/tomee.xml settings
<Resource id="mail/bjm" type="javax.mail.Session">
mail.smtp.host=smtp.gmail.com
mail.smtp.starttls.enable=true
mail.smtp.port=587
mail.transport.protocol=smtp
mail.smtp.auth=true
mail.smtp.user=<my gmail>
password=<App PW generated on Google>
</Resource>
On Tomee, when I run the application, I get the following error message:
failure (javax.mail.AuthenticationFailedException: null)
I am puzzled what wrong am I doing in tomee.xml because I have followed the guidelines from here: https://tomee.apache.org/master/docs/configuring-javamail.html
How can I fix the issue?
The sample you "state" you are following Declaring a JavaMail Resource which you aren't really since you have changed it.
Is for use with MAP SASL XOAUTH2 mechanism configuration Xoauth2 is a form of oauth2 that is supported by googles imap server.
rather then following the sample you have changed it to use user name and an apps password. This is not Xoauth2.
Offending lines of code:
spring.mail.username=<my gmail>
spring.mail.password=<App PW generated on Google>
You are getting a fail for javax.mail.AuthenticationFailedException because you have not added a valid access token as shown in the sample, which you have not shown in your code.
store.connect("imap.gmail.com", "<username>#gmail.com", "<YourAccesToken>");
To be 100% clear an apps password is not an access token an access token must be created by standard Oauth2 mechanizes of requesting authorization of the user, with a mail scope.
I need to have my .NET application access the internet, however they only allow me to access the internet through a proxy server with authentication.
On my first attempt I simply configured Internet Options with the proxy and user/pass, it worked, but that configuration only applied to the windows account I was logged with, when someone else logged in with their account they didn't have the proxy setup, plus I think over time it will re-prompt you for the credentials again. So this didn't work.
Second attempt was by following these steps form https://github.com/rollbar/Rollbar.NET/issues/186
using following block in your app.config or web.config file:
<system.net>
<defaultProxy useDefaultCredentials="true">
<proxy proxyaddress="proxyAddress" usesystemdefault="True"/>
</defaultProxy>
</system.net>
and in Credential Manager >> Add a Generic Credential
Internet or network address: your proxy address
User name: your user name
Password: you pass
Again, no luck, I still get asked for authentication:
Inner Exception:
Type Of Exception: System.Net.WebException
Source Of Exception: System
Target Site: GetRequestStream
Exception Message: The remote server returned an error: (407) Proxy Authentication Required.
What am I missing on my approaches? is there a way to propagate the proxy settings to any account/caller from my first attempt? Am I missing something on my second attempt?
Thanks.
A RollbarConfig object supports the following properties for proxy related settings: ProxyAddress, ProxyUsername, ProxyPassword for providing custom proxy settings. The same properties can be configured via either XML or JSON config file as well (as proxyAddress, proxyUsername, proxyPassword)
My requirement is authenticate the login request to the Active Directory LDAP and to the local db as the user may be created manually or by the LDAP.
I am loading all the users i my database in a users table but i want to make the dynamic login to LDAP for the ldap users if user did not get authenticated by LDAP with invalid login or invalid user then only i need to authenticate it to the db.
Am not certain on this, so obviously please confirm, but in your Spring security.xml, set up two authentication providers under your authentication manager, first your ldap one and then your database one. A failure with the LDAP authentication should cause the DB one to activate and give the user a second chance to authenticate with the same credentials. Also see this article for some testing I had done earlier with Active Directory and Spring Security.
When adding an STS reference, I input the my windows azure federation metadata URL and it gives me the error in the title. It works if I create a new namespace, but a lot of stuff is configured on the current namespace, so I can't delete it.
So for anyone that would get this error, it's a simple fix.
You need a X.509 certificate configured as primary in your ACS namespace.
To do this you go under your acs configurations, in certificates and keys then you add a X.509 by uploading a .pfx file to the server and entering the password.
You might also need a symmetric key also set as primary depending on your configuration.
has anyone implemented signgle sign on in MVC? Can anyone give me any example for single sign on in MVC.
I've implemented a SSO solution between multiple ASP.NET MVC applications hosted on the same parent domain (app1.domain.com, app2.domain.com, ...) by using Forms Authentication and setting the domain property of the cookie in web.config of all applications:
<forms
name="ssoauth"
loginUrl="/login"
protection="All"
timeout="120"
requireSSL="true"
slidingExpiration="false">
domain="domain.com"
/>
When you set the domain property of the cookie, this cookie will automatically be sent by the client browser to all applications hosted on this domain and will be able to authenticated the user automatically.
If you want to implement a cross domain SSO using Forms Authentication here's what you could do:
The user navigates to foo.com and signs in. The application hosted on foo.com uses standard Forms Authentication, nothing fancy.
The user decides to go to bar.com and clicks on a link that you created. This link could contain a token parameter which will contain the encrypted username. This encryption could be done using the machine keys and look something like this: https://bar.com?token=ABC.
The application hosted on bar.com receives the request and because it uses the same machine keys as the other application it is capable of decrypting the token and fetching the username. Then it simply signs in the user by emitting an authentication cookie locally and the user is automatically signed in bar.com.
Below is an example for SSO for websites sharing same domain
http://www.codeproject.com/Articles/27576/Single-Sign-on-in-ASP-NET-and-Other-Platforms
Please see my answer here. Basically you need to set Authentication mode to windows on web.config and use HttpContext class to retrieve user identity which takes data from Active directory
https://stackoverflow.com/a/40938106/950944