I add users through LDAP for a certain application, made with spring.
While this works for most of the cases, in some cases, it does not work...
The retrieve the users I use:
public class LdapUserServiceImpl implements ILdapUserService {
#Override
public List<LdapUserVO> getUserNamesByQuery(String query) {
return ldapTemplate.search(
query().countLimit(15)
.where("objectClass").is("user")
.and("sAMAccountName").isPresent()
.and(query()
.where("sAMAccountName").like("*" + query + "*")
.or("sAMAccountName").is(query)
.or("displayName").like("*" + query + "*")
.or("displayName").is(query))
,
new AttributesMapper<LdapUserVO>() {
public LdapUserVO mapFromAttributes(Attributes attrs) throws NamingException {
LdapUserVO ldapUser = new LdapUserVO();
Attribute attr = attrs.get(ldapUserSearch);
if (attr != null && attr.get() != null) {
ldapUser.setUserName(attr.get().toString());
}
attr = attrs.get("displayName");
if (attr != null && attr.get() != null) {
ldapUser.setDisplayName(attr.get().toString());
}
return ldapUser;
}
});
}
}
So this works in most of the cases, but sometimes I get the following error:
unprocessed continuation reference(s); remaining name "/"
I've searched a lot about this, and I explicitly set
DefaultSpringSecurityContextSource ctxSrc = new DefaultSpringSecurityContextSource(ldapUrl);
ctxSrc.setReferral("follow");
Some more info:
Search-query "admin_a" works, but "admin_ah" does not
Spring version is 4.2.5.RELEASE
Spring ldap-core version is 2.0.2.RELEASE
I think it strange that the remaining name is the root directory... Does someone has any ideas how to fix this, or even where to start looking?
Thanks in advance!
This may be related with the Active Directory being unable to handle referrals automatically. Please take a look at the LdapTemplate javadoc.
If this is the case, set the ignorePartialResultException property to true in your ldapTemplate configuration.
The reason for this error in my case was that the structure of the new AD had changed (userPrincipleName was now the emailaddress instead of login). Because of this the authentication to the AD worked fine, but no entry could be found that matched the filter, and as such didn't return any result.
So the PartialResultException was only an indication, not the reason. the reason is the lack of any result in the method searchForSingleEntryInternal of the SpringSecurityLdapTemplate class.
In my case, I had to make sure I used the correct userPrincipleName and configure the correct domain and baseDN in my ActiveDirectoryLdapAuthenticationProvider.
Related
I have used Keycloak for access and user management system and spring boot as my resource server.
For test purposes, I set the lifespan of the access token to one minute. The problem I face is that I can access the secured APIs for exactly 60 seconds after the expiration time of the access token, then I get 401 unauthorized responses.
Can someone please explain to me the reason for this action and a solution to fix it?
Edit
Thanks to Evil_skunk, I looked for JWT validator class in spring boot, which is JwtTimestampValidator. This class implements OAuth2TokenValidator interface.
JwtTimestampValidator class has the following function for validation of JWT:
public OAuth2TokenValidatorResult validate(Jwt jwt) {
Assert.notNull(jwt, "jwt cannot be null");
Instant expiry = jwt.getExpiresAt();
if (expiry != null && Instant.now(this.clock).minus(this.clockSkew).isAfter(expiry)) {
OAuth2Error oAuth2Error = this.createOAuth2Error(String.format("Jwt expired at %s", jwt.getExpiresAt()));
return OAuth2TokenValidatorResult.failure(new OAuth2Error[]{oAuth2Error});
} else {
Instant notBefore = jwt.getNotBefore();
if (notBefore != null && Instant.now(this.clock).plus(this.clockSkew).isBefore(notBefore)) {
OAuth2Error oAuth2Error = this.createOAuth2Error(String.format("Jwt used before %s", jwt.getNotBefore()));
return OAuth2TokenValidatorResult.failure(new OAuth2Error[]{oAuth2Error});
} else {
return OAuth2TokenValidatorResult.success();
}
}
}
According to this code, the function subtracts clockSkew from right now time instance then compares it with expiration instant of JWT token.
I performed a debugging test to find out the values of fields in clockSkew. I found out that the field, which is named "seconds" has a value of 60. This value exactly matches with my observation.
I searched for the usage of JwtTimestampValidator class and its methods in my project. The usage is not found. It seems like the source code is decompiled from a jar file.
Can someone please help me to find out which part of the project sets the value of clockSkew? Is it the spring boot or the Keycloak server? Also, I want to know if it is possible to set the value of clockSkew.
Using Spring Boot to create API to access FileNet documents. I have it working but ran into this issue with user context not saving. No problem getting Object Store and setting user context.
First time I call endpoint it is successful. Subsequent times it fails with can't find user context.
Here is the main code parts:
Login and get object store works fine and push subject.#
... typical login code
com.filenet.api.core.Connection ceConn = Factory.Connection.getConnection(uri);
subject = UserContext.createSubject(ceConn, username, password, "FileNetP8WSI");
UserContext.get().pushSubject(subject);
Method to get document: Error occurs on fetchInstance
public List<String> downloadDocumentFromFileNet(String docId, List<Integer> pages)
{
List<String> actualPageFiles = new ArrayList<>();
try {
String path = "/opt/UtilDownload/";
if (docId != null) {
if (objStore == null) {
objStore = getObjectStore();
} else if (UserContext.get().getSubject() == null) {
UserContext.get().pushSubject(subject);
logger.debug("Setting Subject: {}", subject.toString());
}
if (objStore != null) {
logger.debug("User Context During: {}", UserContext.get().getSubject());
PropertyFilter pf = new PropertyFilter();
pf.addIncludeProperty(new FilterElement(null, null, null, PropertyNames.CONTENT_SIZE, null));
pf.addIncludeProperty(new FilterElement(null, null, null, PropertyNames.CONTENT_ELEMENTS, null));
pf.addIncludeProperty(new FilterElement(null, null, null, PropertyNames.MIME_TYPE, null));
pf.addIncludeProperty(new FilterElement(null, null, null, PropertyNames.NAME, null));
Document oDoc = Factory.Document.fetchInstance(objStore, docId, pf); **ERROR HERE**
if (oDoc != null) {
Looks like spring boot loads 10 threads to service the API and this is what is causing my issue. First run initializes thead one with context but next time another thread does not have the context. The object store is ok but context is null. I was able to work around it by putting a check on user context and setting it if null but I do not know if this is best practice. Any advice would be appreciated. Seems each thread needs a push subject.
In spring framework we have #Cacheable to cache data right. Now my requirement is i want to retrieve all data form database by using Get method.
Controller
#RequestMapping(value = "/getUploadData", method = RequestMethod.GET)
public ResponseEntity<List<Ticket>> getUploadFileData() throws IOException {
return new ResponseEntity<>(ticketBookingService.getFileUploadData(), HttpStatus.OK);
}
Service
#Cacheable(value="ticketsCache")
public List<Ticket> getFileUploadData() {
List<Ticket> listOfData = (List<Ticket>) ticketBookingDao.findAll();
return listOfData;
}
}
output:
click image here to check output
http://localhost:8080/api/tickets/getUploadData
[{"ticketId":1,"passengerName":"Sean","bookingDate":1502649000000,"sourceStation":"Pune","destStation":"Mumbai","email":"sean.s2017#yahoo.com"},{"ticketId":2,"passengerName":"Raj","bookingDate":1502476200000,"sourceStation":"Chennai","destStation":"Mumbai","email":"raj.s2007#siffy.com"},{"ticketId":3,"passengerName":"Martin","bookingDate":1502735400000,"sourceStation":"Delhi","destStation":"Mumbai","email":"martin.s2001#xyz.com"},{"ticketId":4,"passengerName":"John","bookingDate":1503253800000,"sourceStation":"Chennai","destStation":"Mumbai","email":"john.s2011#yahoo.com"}]
Now i will do get and put operation by ticketid.
Get:
Controller:
#GetMapping(value="/ticket/{ticketId}")
public Ticket getTicketById(#PathVariable("ticketId")Integer ticketId){
return ticketBookingService.getTicketById(ticketId);
}
Service:
#Cacheable(value="ticketsCache",key="#ticketId",unless="#result==null")
public Ticket getTicketById(Integer ticketId) {
return ticketBookingDao.findOne(ticketId);
}
http://localhost:8080/api/tickets/ticket/1
{"ticketId":1,"passengerName":"Sean","bookingDate":1502649000000,"sourceStation":"Pune","destStation":"Mumbai","email":"sean.s2017#yahoo.com"}
Now when i do update email by using ticketid:
Put: controller
#PutMapping(value="/ticket/{ticketId}/{newEmail:.+}")
public Ticket updateTicket(#PathVariable("ticketId")Integer ticketId,#PathVariable("newEmail")String newEmail){
return ticketBookingService.updateTicket(ticketId,newEmail);
}
Service:
#CachePut(value="ticketsCache",key="#ticketId")
public Ticket updateTicket(Integer ticketId, String newEmail) {
Ticket upadedTicket = null;
Ticket ticketFromDb = ticketBookingDao.findOne(ticketId);
if(ticketFromDb != null){
ticketFromDb.setEmail(newEmail);
upadedTicket = ticketBookingDao.save(ticketFromDb);
}
return upadedTicket;
}
http://localhost:8080/api/tickets/ticket/1/abcd#yahoo.com
{
"ticketId": 1,
"passengerName": "Sean",
"bookingDate": 1502649000000,
"sourceStation": "Pune",
"destStation": "Mumbai",
"email": "abcd#yahoo.com"
}
Now when get data by using ID changes are updating.
http://localhost:8080/api/tickets/ticket/1
{"ticketId":1,"passengerName":"Sean","bookingDate":1502649000000,"sourceStation":"Pune","destStation":"Mumbai","email":"abcd#yahoo.com"}
Now my Question is if i try to get all data by using above first URL my changes are not reflecting.
http://localhost:8080/api/tickets/getUploadData
[{"ticketId":1,"passengerName":"Sean","bookingDate":1502649000000,"sourceStation":"Pune","destStation":"Mumbai","email":"sean.s2017#yahoo.com"},{"ticketId":2,"passengerName":"Raj","bookingDate":1502476200000,"sourceStation":"Chennai","destStation":"Mumbai","email":"raj.s2007#siffy.com"},{"ticketId":3,"passengerName":"Martin","bookingDate":1502735400000,"sourceStation":"Delhi","destStation":"Mumbai","email":"martin.s2001#xyz.com"},{"ticketId":4,"passengerName":"John","bookingDate":1503253800000,"sourceStation":"Chennai","destStation":"Mumbai","email":"john.s2011#yahoo.com"}]
Suggest me how to reslove this issue
You cannot bulk update the cache with Spring.
Please check the following issue - closed with status declined:
Thanks for creating the issue but I am not keen to add this extra complexity to the cache abstraction. It is not meant to manage state for you (the next logical step if we allow this is that we have to keep the returned list in sync with each item). And if we don't we are inconsistent and we merely provide a way to talk to the cache using annotations. That's not very helpful.
Back to your example, this is typically what a second level cache is meant to do for you. This is not in the scope of the cache abstraction.
Hi I have been unable to solve the following problem in Wicket 6.*:
In our webapp we are using wicket-auth-roles to manage authentication/authorization. When session expires, user should be redirected to a page set by getApplicationSettings().setPageExpiredErrorPage(SomePage.class) on his next action. However, if the user tries to access a page which doesn't allow guests, he is redirected to a login page skipping the PageExpiredPage altogether.
My question is - how can I display "Session has expired." message to the user?
Among other things, I have tried session.info("message") during onInvalidate phase of session's lifecycle, however the feedback message is then rendered on the first page after login (not on the login page).
Thank you for your anwsers.
You could use a RequestCycleListener to record when a PageExpiredException is thrown.
public class ExceptionMapperListener extends AbstractRequestCycleListener {
#Override
public IRequestHandler onException(RequestCycle cycle, Exception ex) {
if (ex instanceof PageExpiredException) {
// Record in session or request cycle
// OR
// Create a RenderPageRequestHandler yourself and add a page parameter
// See DefaultExceptionMapper#internalMap(Exception)
}
return null;
}
}
// In Application#init():
getRequestCycleListeners().add(new ExceptionMapperListener());
ORINAL ANSWER
(kept because it could still help...)
I haven't tried it myself since I don't use wicket-auth-roles, but try overriding the method AuthenticatedWebApplication#restartResponseAtSignInPage() with something like this:
if (isSessionExpired()) {
PageParameters params = new PageParameters();
params.add("showSessionExpired", true);
throw new RestartResponseAtInterceptPageException(getSignInPageClass(), params);
} else {
throw new RestartResponseAtInterceptPageException(getSignInPageClass());
}
And then in the SignInPageClass, display the desired message if the showSessionExpired page parameter is present.
I'm not sure how you implement isSessionExpired(), but you seem to have that part already covered.
OR
Depending on how you implemented isSessionExpired(), maybe you could do the following in your SignInPageClass:
if (sessionExpired()) {
session.info("message")
}
After bernie put me on the right path, I eventually figured out a solution to the problem:
First it is required to override RequestCycleListener:
public class SessionExpiredListener extends AbstractRequestCycleListener {
public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler) {
if (handler instanceof IPageRequestHandler) {
IPageRequestHandler pageHandler = (IPageRequestHandler) handler;
HttpServletRequest request = (HttpServletRequest) cycle.getRequest().getContainerRequest();
//check whether the requested session has expired
boolean expired = request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid();
//check whether the requested page can be instantiated with the current session
boolean authorized = Session.get().getAuthorizationStrategy().isInstantiationAuthorized(pageHandler.getPageClass());
if (expired && !authorized) {
throw new PageExpiredException("Session has expired!");
}
}
super.onRequestHandlerResolved(cycle, handler);
}
}
Check for authorized prevents the session-expired message from displaying on log-out or when accessing unprotected pages.
Finally, you must register your listener and PageRequestHandlerTracker in your WebApplication:
getRequestCycleListeners().add(new SessionExpiredListener());
getRequestCycleListeners().add(new PageRequestHandlerTracker());
In the SDK Javadoc, the Community class does not have a "setParentCommunity" method but the CommunityList class does have a getSubCommunities method so there must be a programmatic way to set a parent Community's Uuid on new Community creation. The REST API mentions a "rel="http://www.ibm.com/xmlns/prod/sn/parentcommunity" element". While looking for clues I check an existing Subcommunity's XmlDataHandler's nodes and found a link element. I tried getting the XmlDataHandler for a newly-created Community and adding a link node with href, rel and type nodes similar to those in the existing Community but when trying to update or re-save the Community I got a bad request error. Actually even when I tried calling dataHandler.setData(n) where n was set as Node n=dataHandler.getData(); without any changes, then calling updateCommunity or save I got the same error, so it appears that manipulating the dataHandler XML is not valid.
What is the recommended way to specify a parent Community when creating a new Community so that it is created as a SubCommunity ?
The correct way to create a sub-community programatically is to modify the POST request body for community creation - here is the link to the Connections 45 infocenter - http://www-10.lotus.com/ldd/appdevwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.5+API+Documentation#action=openDocument&res_title=Creating_subcommunities_programmatically_ic45&content=pdcontent
We do not have support in the SBT SDK to do this using CommunityService APIs. We need to use low level Java APIs using Endpoint and ClientService classes to directly call the REST APIs with the appropriate request body.
I'd go ahead and extend the class CommunityService
then go ahead and add CommunityService
https://github.com/OpenNTF/SocialSDK/blob/master/src/eclipse/plugins/com.ibm.sbt.core/src/com/ibm/sbt/services/client/connections/communities/CommunityService.java
Line 605
public String createCommunity(Community community) throws CommunityServiceException {
if (null == community){
throw new CommunityServiceException(null, Messages.NullCommunityObjectException);
}
try {
Object communityPayload;
try {
communityPayload = community.constructCreateRequestBody();
} catch (TransformerException e) {
throw new CommunityServiceException(e, Messages.CreateCommunityPayloadException);
}
String communityPostUrl = resolveCommunityUrl(CommunityEntity.COMMUNITIES.getCommunityEntityType(),CommunityType.MY.getCommunityType());
Response requestData = createData(communityPostUrl, null, communityPayload,ClientService.FORMAT_CONNECTIONS_OUTPUT);
community.clearFieldsMap();
return extractCommunityIdFromHeaders(requestData);
} catch (ClientServicesException e) {
throw new CommunityServiceException(e, Messages.CreateCommunityException);
} catch (IOException e) {
throw new CommunityServiceException(e, Messages.CreateCommunityException);
}
}
You'll want to change your communityPostUrl to match...
https://greenhouse.lotus.com/communities/service/atom/community/subcommunities?communityUuid=2fba29fd-adfa-4d28-98cc-05cab12a7c43
and where the Uuid here is the parent uuid.
I followed #PaulBastide 's recommendation and created a SubCommunityService class, currently only containing a method for creation. It wraps the CommunityService rather than subclassing it, since I found that preferrable. Here's the code in case you want to reuse it:
public class SubCommunityService {
private final CommunityService communityService;
public SubCommunityService(CommunityService communityService) {
this.communityService = communityService;
}
public Community createCommunity(Community community, String superCommunityId) throws ClientServicesException {
Object constructCreateRequestBody = community.constructCreateRequestBody();
ClientService clientService = communityService.getEndpoint().getClientService();
String entityType = CommunityEntity.COMMUNITY.getCommunityEntityType();
Map<String, String> params = new HashMap<>();
params.put("communityUuid", superCommunityId);
String postUrl = communityService.resolveCommunityUrl(entityType,
CommunityType.SUBCOMMUNITIES.getCommunityType(), params);
String newCommunityUrl = (String) clientService.post(postUrl, null, constructCreateRequestBody,
ClientService.FORMAT_CONNECTIONS_OUTPUT);
String communityId = newCommunityUrl.substring(newCommunityUrl.indexOf("communityUuid=")
+ "communityUuid=".length());
community.setCommunityUuid(communityId);
return community;
}
}