I managed to integrate a saiku in SpagoBI 3.6. But the problem is that I couldn't avoid the authentication, the user has to double authenticate one for SpagoBI and the second for Saiku how can I disable the saiku authentication?
Remove authentication pop-in.
For demonstration, POC, tests, you should need to remove authentication popin, and be always and directly logged as admin.
Open apache-tomcat-8.0.5/webapps/ROOT/js/saiku/Settings.js
And you will see one lines 139 to 142
if (window.location.hostname && (window.location.hostname == "dev.analytical-labs.com" || window.location.hostname == "demo.analytical-labs.com" )) {
Settings.USERNAME = "admin";
Settings.PASSWORD = "admin";
}
Comment the "if" clause and its related closing bracket, reload the page, no authentication pop-in anymore.
Related
Environment
.NET Core 5 Web Application
IIS 10
Azure VM
Issue
Executing a GET action results in that action being called a second time. The first call shows cookie information. The second does not show cookie information.
What we've tried:
Occurs for GET requests but not POST requests
Occurs without a view (NOT a javascript issue)
Browser does not show two requests. This occurs server-side.
Does not occur in Firefox Privacy Mode
Does not occur on localhost. Only in production.
Occurs with HTTPS off
Fork of the solution does not exhibit this behavior (makes middleware unlikely cause)
Best guesses:
.NET 5 (deprecated) or dependencies (a bad developer blames his tools)
IIS Settings
Session
Code example:
Controller
// no other filters
[HttpGet]
public IActionResult DupeRequestTest()
{
// database insert with Dapper
var sql = #"INSERT INTO TrackingTable
(CookieJson, CreateDate)
VALUES(#CookieJson, GETDATE());";
using var con = new SqlConnection(_connectionString);
con.Open();
con.Execute(sql, new
{
CookieJson=JsonConvert.SerializeObject(Request.Cookies),
});
// returning a status code so no View, javascript, or other requests
return StatusCode(200);
}
Database results:
CookieJson
CreateDate
[{"Key":"SessionId","Value":"ac6f292c-1ca1-5179-9123-78a04d382dea"}]
2022-10-25 09:46:30.523
[]
2022-10-25 09:46:30.770
Thank you. Any help, such as next testing steps, would be appreciated - short of building a new app.
I'm sure the answer is either very stupid or very hidden.
It seems a like a pretty fundamental question, in a running Servlet hosted on Domino I want to access Domino resources that I have wisely protected using the the very fine security of IBM Notes and Domino.
I want the Servlet to be able to read and write data to Domino whilst keeping that data from the client that called the Servlet (or xAgent) and preventing the client from writing directly.
I'd be happy to be able to get a session that represented the signer of the application. I can get a session for a registered user by calling the Servlet using ?open&login and signing in. That's not practical.
I've looked here: How can you use SessionAsSigner in a Java Bean called from an XPage? where Mark Leusink (https://stackoverflow.com/users/1177870/mark-leusink) implies the use of ExtLib's getCurrentSessionAsSigner() could be used. I've tried it, having signed the whole application with a single user id and it doesn't return a session. The answer seems to lie in the Servlet's inability to get a FacesContext object.
This feels like the answer should be obvious but it isn't to me. Any ideas?
FacesContext is JSF stuff and can be used from XAgent (=XPage).
In a servlet you can do this:
Session session = NotesFactory.createSession(null, "user", "password");
Server ID usually has no password and doing this will use the server ID:
Session session = NotesFactory.createSession();
Check the source of the WebDav project on OpenNTF. It has all the code you need
There have been lots of good answers to the original question. Thanks very much.
The solution I propose to use is to port the code I have to OSGi plugins. It appears that java code/Servlets within the NSF context are subject to security controls that are relaxed when the same code runs within the OSGi context. The code:
try {
NotesThread.sinitThread();
Session s = NotesFactory.createSession("","<my username>","<my password>");
.....
session = null;
} catch (Exception e) {
} finally {
NotesThread.stermThread();
}
Runs fine in the OSGI context, but within in an NSF produc
com.ibm.domino.osgi.core.context.ContextInfo.getUserSession()
Jason - I assume you basically want the same functionality you would get running a Web Query Save agent if you didn't select run as Web User selected, in other words as the signer of the code.
You could try setting up a internet site rule to allow basic authentication for the specific application path you wanted to use - might be worth using a subdomain for this.
Then within the Servlet call this URL, whilst setting the Basic authorization parameters (username & password).
Something like this.
URL url = new URL(URL_TO_CALL);
String authStr = "USERNAME:PASSWORD";
String authEncoded = Base64.encodeBytes(authStr.getBytes());
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("GET");
connection.setDoOutput(true);
connection.setRequestProperty("Authorization", "Basic " + authEncoded);
InputStream is = connection.getInputStream();
How do users reset passwords while in "off-line" mode.
We are running the site as Intranet.
Joomla 2.5.4
Mhm.. this is quite long to do, but maybe you can work it out.
Grant your user level offline access (you can do that in Global configuration -> Permissions)
Create a menu entry that point to the user profile and set visible to your users
Set every menu/modules etc etc invisible to "normal" users (except the previous one)
I've never tried it before, but it should work.
I just wanted to share my solution for Joomla 3.9:
In the file "offline.php" of your template (or in /templates/system if the template has no offline.php) you can place this code before where the login form is displayed:
if( JRequest::getVar('option') == 'com_users') {
?><jdoc:include type="message"/><?php
$registrationController = new UsersController();
$registrationController->display();
} else {
// Login Form
}
so it displays the dialogs to reset the password if the page is loaded by using "index.php?option=com_users&task=request.reset" or similar, but shows the "offline" login form by default.
I'm using H2 database console as a servlet in my own web application that provides a front end of many databases.
How to skip or help a login step at H2 database console by passing some parameters in my own code?
(I have many databases, so I won't use "saved settings" first.)
imaginary: http://myapp/h2console/login.do?user=scott&password=tiger&url=jdbc:thin:......
Because of the somewhat special session handling of the console, this is not possible just using an fixed URL. (The session handling allows to open multiple connections within multiple tabs from one browser, which is not possible when using cookies.)
However, what you can do is create a URL in the same way as Server.startWebServer(Connection conn) does:
// the server is already running in your case,
// so most likely you don't need the following lines:
WebServer webServer = new WebServer();
Server web = new Server(webServer, new String[] { "-webPort", "0" });
web.start();
Server server = new Server();
server.web = web;
webServer.setShutdownHandler(server);
// this will create a new session and return the URL for it:
String url = webServer.addSession(conn);
I've created a custom Weblogic Security Authentication Provider on version 10.3 that includes a custom login module to validate users. As part of the provider, I've implemented the ServletAuthenticationFilter and added one filter. The filter acts as a common log on page for all the applications within the domain.
When we access any secured URLs by entering them in the address bar, this works fine in IE and Firefox. But when we bookmark the link in IE an odd thing happens. If I click the bookmark, you will see our log on page, then after you've successfully logged into the system the basic auth page will display, even though the user is already authenticated. This never happens in Firefox, only IE. It's also intermittent. 1 time out of 5 IE will correctly redirect and not show the basic auth window. Firefox and Opera will correctly redirect everytime. We've captured the response headers and compared the success and failures, they are identical.
final boolean isAuthenticated = authenticateUser(userName, password, req);
// Send user on to the original URL
if (isAuthenticated) {
res.sendRedirect(targetURL);
return;
}
As you can see, once the user is authenticated I do a redirect to the original URL. Is there a step I'm missing? The authenticateUser() method is taken verbatim from an example in Oracle's documents.
private boolean authenticateUser(final String userName, final String password, HttpServletRequest request) {
boolean results;
try {
ServletAuthentication.login(new CallbackHandler() {
#Override
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
for (Callback callback : callbacks) {
if (callback instanceof NameCallback) {
NameCallback nameCallback = (NameCallback) callback;
nameCallback.setName(userName);
}
if (callback instanceof PasswordCallback) {
PasswordCallback passwordCallback = (PasswordCallback) callback;
passwordCallback.setPassword(password.toCharArray());
}
}
}
}, request);
results = true;
} catch (LoginException e) {
results = false;
}
return results;
I am asking the question here because I don't know if the issue is with the Weblogic config or the code. If this question is more suited to ServerFault please let me know and I will post there.
It is odd that it works everytime in Firefox and Opera but not in Internet Explorer. I wish that not using Internet Explorer was an option but it is currently the company standard. Any help or direction would be appreciated. I have tested against IE 6 & 8 and deployed the custom provider on 3 different environments and I can still reproduce the bug.
We figured it out.
The fix was to disable auth cookies on the weblogic server. For some reason Internet Explorer would lose the cookie causing Weblogic to think the session was being hacked. That is what prompted the basic auth login.
We still don't know what was causing IE to lose the cookie but this provider is for an intranet so the fix won't harm our overall security.
I hope this helps someone else.