Spnego Kerberos Authentication gives "Request is a replay (34)" error for Windows 7 users - tomcat7

I have set up Spnego authentication on my Tomcat 7 webapp. It works fine for Ubuntu 14.04 and Windows 10 users. However, all users using Chrome/Firefox/IE get the following error:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
I am unable to identify the root cause for this. How can I debug this issue, since it is specific to Windows 7 users?

Check whether your server and clients have their clocks synchronized.

I got this issue when I passed a token that was generated once and reused the same token in the header.
val tokenLoadedOnce = KrbHttpClient.token
get.addHeader("Authorization", s"Negotiate $tokenLoadedOnce")
Instead, when I generated the token EVERY TIME and added it to the header, the issue was resolved.
get.addHeader("Authorization", s"Negotiate ${KrbHttpClient.token}")
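The two answers above point at the two checks an acceptor performs on every Kerberos authenticator: it must not have been seen before, and its timestamp must lie inside the allowed clock-skew window. The following is an added example, not code from the question or the answers: a small acceptor-side model of a replay cache that returns the RFC 4120 error codes 34 (replay) and 37 (clock skew). The principals, timestamps and the five-minute skew window are constructed assumptions.

```python
"""Acceptor-side model of why a reused GSS token fails with error 34 and
a badly skewed clock fails with error 37. Added example; constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KRB_AP_ERR_REPEAT = 34            # "Request is a replay"
KRB_AP_ERR_SKEW = 37              # "Clock skew too great"
MAX_SKEW = timedelta(minutes=5)   # assumed acceptable skew window


@dataclass(frozen=True)
class Authenticator:
    client: str        # client principal, constructed
    ctime: datetime    # timestamp the client placed in the authenticator
    cusec: int         # microsecond field; distinguishes authenticators issued in the same second


class ReplayCache:
    """Remembers authenticators seen inside the skew window, as a GSS acceptor does."""

    def __init__(self):
        self._seen = set()

    def accept(self, auth, now):
        """Return 0 when the authenticator is accepted, otherwise a KRB_AP_ERR code."""
        # entries older than the skew window can never be replayed successfully, so drop them
        self._seen = {a for a in self._seen if now - a.ctime <= MAX_SKEW}
        if abs(now - auth.ctime) > MAX_SKEW:
            return KRB_AP_ERR_SKEW
        if auth in self._seen:
            return KRB_AP_ERR_REPEAT
        self._seen.add(auth)
        return 0


def simulate():
    """Replay the scenarios from the answers; returns the acceptor's verdict for each."""
    server_now = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    cache = ReplayCache()
    results = []

    # token generated once and sent twice (the first answer's failing pattern)
    cached = Authenticator("alice@EXAMPLE.COM", server_now, 1)
    results.append(cache.accept(cached, server_now))
    results.append(cache.accept(cached, server_now + timedelta(seconds=1)))

    # a fresh token for every request (the fix)
    fresh = Authenticator("alice@EXAMPLE.COM", server_now + timedelta(seconds=1), 2)
    results.append(cache.accept(fresh, server_now + timedelta(seconds=1)))

    # a client whose clock is 12 minutes behind the server (the clock-sync answer)
    skewed = Authenticator("bob@EXAMPLE.COM", server_now - timedelta(minutes=12), 3)
    results.append(cache.accept(skewed, server_now + timedelta(seconds=2)))
    return results


if __name__ == "__main__":
    print(simulate())  # [0, 34, 0, 37]
```

The cache keys on the whole authenticator (client, ctime, cusec), so two requests carrying the same token are indistinguishable from a replay even when they come from the legitimate client; that is exactly why caching the Negotiate header value across requests produces error 34.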

In my case, this exception was triggered when working with Solr.
I then made changes to solrconfig.xml to support Kerberos.
<directoryFactory name="DirectoryFactory" class="solr.HdfsDirectoryFactory">
<str name="solr.hdfs.home">hdfs://nas.XYZ.lan:8020/user/solr</str>
<bool name="solr.hdfs.blockcache.enabled">true</bool>
<int name="solr.hdfs.blockcache.slab.count">1</int>
<bool name="solr.hdfs.blockcache.direct.memory.allocation">true</bool>
<int name="solr.hdfs.blockcache.blocksperbank">16384</int>
<bool name="solr.hdfs.blockcache.read.enabled">true</bool>
<bool name="solr.hdfs.nrtcachingdirectory.enable">true</bool>
<int name="solr.hdfs.nrtcachingdirectory.maxmergesizemb">16</int>
<int name="solr.hdfs.nrtcachingdirectory.maxcachedmb">192</int>
<bool name="solr.hdfs.security.kerberos.enabled">true</bool>
<str name="solr.hdfs.security.kerberos.keytabfile">/etc/krb5.keytab</str>
<str name="solr.hdfs.security.kerberos.principal">solr/admin@KERBEROS.COM</str>
</directoryFactory>

Related

Why does an encoded password not work in Liberty

In trying to get a Liberty container to work I'm encountering the following problem.
For a database connection I have an authData section like this in the server.xml:
<authData id="datasourceAuth" user="test" password="{xor}ABCD"/>
When I try to run the server with the password not encoded the database connection works as expected, but when the password is encoded I get this message: Connection refused (Connection refused). ERRORCODE=-4499, SQLSTATE=08001 DSRA0010E: SQL State = 08001, Error Code = -4,499
It looks like the password isn't being decoded when setting up the connection, but I don't understand why or if I am missing something in the configuration.
Encoding of data source passwords is supported in Liberty and ought to be working. I'll provide a more complete example aligning with the style of config you are using, as well as a reference to an official knowledge center doc with its own example.
Use the securityUtility to encode the password,
securityUtility encode --encoding=xor test123
output:
{xor}KzosK25tbA==
Configure the value on authData and use the authData on a dataSource,
<authData id="datasourceAuth" user="test" password="{xor}KzosK25tbA=="/>
<dataSource id="testdb" jndiName="jdbc/testdb" containerAuthDataRef="datasourceAuth">
<jdbcDriver libraryRef="db2jcc"/>
<properties.db2.jcc databaseName="TESTDB" serverName="localhost" portNumber="50000"/>
</dataSource>
The authentication data applies when using a resource reference with container authentication.
I'd recommend going back and trying all of the steps again to rule out the possibility of a typo or copy/paste error. If it still doesn't work, then raise a case against OpenLiberty here,
https://github.com/OpenLiberty/open-liberty/issues/new/
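The answer's advice to rule out a typo or copy/paste error can be checked mechanically, because Liberty's {xor} format is reversible: each byte of the password is XORed with the '_' byte and the result is base64-encoded. The following is an added example, not code from the answer or from Liberty itself; it round-trips the value the answer produced with securityUtility and shows that the placeholder from the question does not decode to a printable string.

```python
"""Encode and decode Liberty {xor} passwords. Added example, not Liberty code.
The scheme (XOR with 0x5F, then base64) is checked against the answer's own value."""
import base64

XOR_KEY = 0x5F  # the '_' byte that Liberty XORs every password byte with
PREFIX = "{xor}"


def xor_encode(plaintext: str) -> str:
    """Produce the same value as `securityUtility encode --encoding=xor`."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse the encoding; raises ValueError on malformed input."""
    if not encoded.startswith(PREFIX):
        raise ValueError("value does not carry the {xor} prefix")
    raw = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def is_well_formed(encoded: str) -> bool:
    """True when the value decodes to printable text, i.e. it was probably pasted intact."""
    try:
        return xor_decode(encoded).isprintable()
    except ValueError:  # bad prefix, bad base64 (binascii.Error) or non-UTF-8 bytes
        return False


if __name__ == "__main__":
    print(xor_encode("test123"))            # {xor}KzosK25tbA==
    print(xor_decode("{xor}KzosK25tbA=="))  # test123
    print(is_well_formed("{xor}ABCD"))      # False
```

Because the transform needs no key, an encoded server.xml value protects against shoulder-surfing and nothing more; file permissions on server.xml, or the aes encoding with a separately stored key, are what keep the credential from anyone who can read the file.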

IIS Bad Request for the site configured with url-rewrite with ARR

I have a website created under IIS 8.0 on Windows 2012. A URL rewrite with ARR has been created under this site which points to a Linux machine (basically to a web service deployed in Tomcat), and through IIS there will be "GET" requests where the URL exceeds 5000 characters including the query string. When the URL is hit through a program or in a browser, I see IIS throw "Bad Request" with status code 400 and no substatus code. The same works when the web service (Tomcat on Linux) is hit directly. I suspected the issue is because of the excess characters in the URL, because when I try decreasing the URL length to 3500 characters it works without any error. Below are the configuration and settings that I have tried in the IIS web.config as well as the http.sys registry, but nothing seems to work.
<configuration>
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true">
<requestLimits maxAllowedContentLength="4294967295" maxUrl="10999" maxQueryString="2097151">
<headerLimits>
<add header="Content-Type" sizeLimit="100000000" />
</headerLimits>
</requestLimits>
</requestFiltering>
</security>
<urlCompression doDynamicCompression="false" />
</system.webServer>
<system.web>
<httpRuntime maxRequestLength="8192" maxUrlLength="8192" maxQueryStringLength="8192" requestPathInvalidCharacters="" />
</system.web>
</configuration>
http.sys Registry Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxFieldLength - DWORD - 65534
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes - DWORD - 16777216
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\UrlSegmentMaxCount - DWORD - 16383
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\UrlSegmentMaxLength - DWORD - 32766
I have rebooted the Windows server after each of the above settings and configurations was applied.
These settings and configurations are honored by IIS without URL rewrite. If I try another URL with a length of 5000 characters on the same website it works without any error. This appears only for the URL that falls under the URL rewrite config. Is there any specific configuration that needs to be done with respect to URL length in ARR apart from the above? Please suggest and help.
Thanks in Advance.
Answering my own question.
The issue was on the Linux Tomcat side, not on IIS; the catalina.out log stated the following:
INFO: Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large
I added the configuration maxHttpHeaderSize="65536" in server.xml under tomcat/conf. After modifying this, the issue was resolved.

Refused to load the script 'https://www.googletagmanager.com/gtm.js?id=GTM-T44GGZR'

I pasted the Google Tag Manager code into my Joomla website, but it is showing the following error in the console, and it is also not reflected in the Google dashboard:
Refused to load the script 'https://www.googletagmanager.com/gtm.js?id=GTM-T44GGZR' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.googleapis.com *.gstatic.com *.google-analytics.com *.youtube.com *.g.doubleclick.net https://s.ytimg.com/yts/jsbin/ *.googleadservices.com *.google.com *.google.cz http://platform.linkedin.com cdnjs.cloudflare.com static.hotjar.com widget.prodpad.com api-widget.prodpad.com vars.hotjar.com script.hotjar.com insights.hotjar.com wss://ws4.hotjar.com www.google.com.pk wss://ws1.hotjar.com wss://ws5.hotjar.com https://www.transguardgroup.com". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Google Tag Manager is a script injector (and actually it injects itself via a few lines of bootstrap code), so it will not work with unsafe-inline in place.
Simo Ahava has an article about configuring your CSP for GTM, but that basically removes the protection your CSP is supposed to offer, so you have to choose between the convenience of GTM or the security via a CSP.
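The console message explains the fallback rule the browser applied: no script-src directive was set, so default-src governed the script load, and none of its sources covers www.googletagmanager.com. The following is an added example, not code from the question or the answer, that parses a policy, applies the script-src to default-src fallback and matches a script URL against the source list the way CSP does (scheme-sources, 'self', wildcard hosts, ports and path prefixes; nonces, hashes and port wildcards are not handled). The policy string is the one quoted in the question; the document origin and the test URLs are assumptions.

```python
"""Decide whether a CSP permits a script URL. Added example; a subset of CSP3 matching."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# policy copied from the console message in the question
CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.googleapis.com *.gstatic.com "
       "*.google-analytics.com *.youtube.com *.g.doubleclick.net https://s.ytimg.com/yts/jsbin/ "
       "*.googleadservices.com *.google.com *.google.cz http://platform.linkedin.com "
       "cdnjs.cloudflare.com static.hotjar.com widget.prodpad.com api-widget.prodpad.com "
       "vars.hotjar.com script.hotjar.com insights.hotjar.com wss://ws4.hotjar.com www.google.com.pk "
       "wss://ws1.hotjar.com wss://ws5.hotjar.com https://www.transguardgroup.com")
ORIGIN = "https://www.transguardgroup.com"   # assumed document origin


def parse_csp(header):
    """'default-src a b; img-src c' -> {'default-src': ['a', 'b'], 'img-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])   # a repeated directive is ignored
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src when absent."""
    if directive in policy:
        return directive, policy[directive]
    return "default-src", policy.get("default-src", [])


def _scheme_ok(source_scheme, url_scheme):
    # a source scheme also covers its secure upgrade (http -> https, ws -> wss)
    return url_scheme == source_scheme or (source_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def _host_ok(pattern, host):
    pattern, host = pattern.lower(), (host or "").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # '*.google.com' covers www.google.com but not google.com
    return pattern == host


def source_matches(source, url, page_origin):
    """Match one source expression against an absolute URL."""
    if source == "'self'":
        source = page_origin
    if source.startswith("'"):              # 'unsafe-inline', 'none', nonces, hashes: not URL sources
        return False
    u = urlsplit(url)
    if source.endswith(":") and "//" not in source:   # scheme-source such as data: or https:
        return _scheme_ok(source[:-1].lower(), u.scheme)
    if "://" not in source:                           # bare host-source inherits the page's scheme
        source = f"{urlsplit(page_origin).scheme}://{source}"
    s = urlsplit(source)
    if not _scheme_ok(s.scheme, u.scheme) or not _host_ok(s.hostname or "", u.hostname):
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if (s.port or DEFAULT_PORTS.get(u.scheme)) != url_port:   # no port in source: URL must use the default
        return False
    if s.path:                                                # trailing slash means prefix, else exact
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    return True


def check_script(header, page_origin, url):
    """Return (allowed, directive that governed the decision, matching source or None)."""
    directive, sources = effective_sources(parse_csp(header), "script-src")
    for source in sources:
        if source_matches(source, url, page_origin):
            return True, directive, source
    return False, directive, None


if __name__ == "__main__":
    print(check_script(CSP, ORIGIN, "https://www.googletagmanager.com/gtm.js?id=GTM-T44GGZR"))
    print(check_script(CSP, ORIGIN, "https://www.google-analytics.com/analytics.js"))
```

Running the check on the GTM loader returns (False, 'default-src', None), reproducing the browser's refusal, while the analytics URL is accepted through '*.google-analytics.com'. The same function is handy for reviewing a proposed policy before deploying it: feed it the URLs a page actually loads and see which source expression admits each one.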

Magento Paypal Error - persistent Sandbox URL in payment_paypal_direct.log

HELP! - I am trying to take a PayPal Payments Pro (Magento 1.8.1) API live and I am getting the following error:
exception 'Exception' with message 'PayPal NVP CURL connection error #35:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
in <my_root_folders>/app/code/core/Mage/Paypal/Model/Api/Nvp.php:986
In the payment_paypal_direct.log file I have the following for every error:
2014-11-08T02:12:36+00:00 DEBUG (7): Array
(
[url] => https://api-3t.sandbox.paypal.com/nvp
[DoDirectPayment] => Array
(
No matter how I set the various flags for sandbox mode, my errors all show the sandbox URL for the API. I have even double checked the paypal/wpp/sandbox_flag in the core_config table in the db and it is flipping from 0 to 1 when I change the configuration in Magento's admin.
Has anyone experienced this persistent sandbox URL?
Sandbox Mode = OFF
SSL Verification = Disabled (have tried it enabled too, no difference)
all caching is disabled (I clear cache often just in case)
I reindex entire site frequently
There were two issues affecting my website:
Our server was not configured in response to the POODLE vulnerability, and PayPal was rejecting the server connection.
Sandbox setting was enabled for a child "Configuration Scope" and edits made to the "Default Config" (the parent/master config) were being overridden.
Hopefully this may help someone.
In addition to the above answer, you may configure your server to disable SSLv3 by editing your Apache httpd.conf and adding the following lines:
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1
You may also do this via WHM if you have a VPS or Dedicated Server:
Go to Service Configuration -> Apache Configuration -> Include Editor -> Pre Main Include
and add the above two lines.

Glimpse.axd 403ing On IIS

When trying to access /Glimpse.axd after I've published to IIS (7.5), I'm now receiving a 403 Forbidden response. Is there a setting in IIS that disables access to .axd files? Or is this something else entirely?
This is usually due to the fact that your source IP address is not allowed in the web.config section for Glimpse. I just ran into this issue yesterday.
Look for this in your web.config file, it can go anywhere in the web.config file.
<glimpse enabled="true">
<ipAddresses>
<!-- List of IP addresses allowed to get Glimpse data. Optional. localhost (IPv4 & IPv6) by default -->
<add address="x.x.x.x"/> <!--The ip of your machine -->
<add address="::1"/>
</ipAddresses>
</glimpse>
I got an error like this when trying to access http://leniel-pc:8083/glimpse.axd:
403 Forbidden
Ensure 'aa90::edad:55a5:7777:cd2c%11' is configured for
Glimpse access.
After doing this:
<glimpse enabled="true">
<ipAddresses>
<!-- List of IP addresses allowed to get Glimpse data. -->
<!--The ip of your machine -->
<add address="aa90::edad:55a5:7777:cd2c%11"/>
</ipAddresses>
</glimpse>
Problem solved! :D
