I have written below code to access a web page and run in Ubuntu.
How do I fix this? I have tried suggested fixes from all over the internet, but still can't figure out a solution.
A 407 response means "Proxy Authentication Required", as described here.
Now you appear to be setting a proxy user and password in the System properties, but it is apparently not working. I can think of a couple of explanations:
You could be setting the properties too late. Those properties are read by the default ProxySelector and Authenticator as they are initializing. If you set them too late, then they won't be respected. Try setting the properties using -D... options.
You could be using the wrong proxy username and password.
The proxy could be expecting the proxy authentication details in a different form than they are being supplied. Take a look at the headers in the response for the failed request. There should be a "Proxy-Authenticate" header that includes a "challenge".
If this approach doesn't work, another alternative would be to implement the proxy selection and authentication programatically by implementing and registering your own ProxySelector and Authenticator classes.
FOLLOWUP
I included the ProxyAuthenticator class and now, "java.net.ProtocolException: Server redirected too many times (20)" is thrown.
Somehow, your application has gotten into a redirection loop.
I'm still not convinced that you set the proxy properties early enough.
Related
I am trying to run the tests using Zalenium but the browser is asking for the credentials, so I am providing the username and password manually.
Does anyone know how to handle browser authentication?
My project uses Specflow, C# and Selenium
There are several options
You can login with http://username:password#website.com/page
Automate login process at #BeforeMethod or #BeforeClass
Set cookies. Although I don't advise this method since it doesn't speed up automation much and there is quite a bit of work to do to implement it.
You could put your web application behind a proxy that automatically injects the basic auth credentials. I did this once for a client a few years back.
I'm pretty sure I used: https://github.com/adamfisk/LittleProxy with https://github.com/ganskef/LittleProxy-mitm
But I had to write some code intercept requests and inject basic auth headers. Although from memory it was pretty straight forward.
If you don't need https then you could probably use cntlm and then set the basic auth header by hand using this:
-r "HeaderName: value"
Add a header substitution. All such headers will be added/replaced
in the client's requests.
Here is my problem:
Context :
-Windows Server 2012 with ActiveDirectory
-Tomcat
-Rest API (Spring)
I'm currently trying to restrict REST request. I want that only specific groups of the AD could access to specific resources. I'm restricted to Kerberos authentication.
System configuration
Create a user in domain "Tomcat"
setspn -a HTTP/apirest.domain#DOMAIN
Generate a tomcat.keytab using ktpass
API rest configuration
I'm using the spring security sample on github that you can find here :
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth
I know that there is an EntryPoint and this is not needed in my context (API Rest). I've chosen this sample because it seems to use the windows authentication context and use it to automatically authenticate me in the spring security context. Right after, an ldap request is send to extract all information about the user logged. In my case, I need to extract the group.
I'm also using :
https://github.com/GyllingSW/kerberos-demo
To extract the role of the user with the class "RoleStrippingLdapUserDetailsMapper.java" instead of the "ActiveDirectoryLdapAuthoritiesPopulator". This implementation also offers localhost authentication but the issue with the NTLM token seems to be fixed in last commit of spring security.
I'm not really sure if this is the right way to do what I want.
My authentication seems to fail and I only have one things going wrong in my logs..
"Property 'userDn' not set - anonymous context will be used for read-write operations"
Questions
Do I have to run my tomcat service using the tomcat account ? (Seems to be, yes)
Am I doing the right things with Kerberos security ?
How can I get rid of the anonymous context?
The anonymous context seems to be set just right after Tomcat start. I want to get a context just after that my user (For instance, user1) requests the rest API (EntryPoint or whatever)
If there is something unclear let me know, I will try to reformulate!
Thanks,
You do not need to query LDAP to get information about which groups does user belong to. Active Directory already adds this information to the Kerberos ticket which is sent from browser to Tomcat.
You just need to extract this information from the token for example using Kerb4J library. It comes with Spring integration inspired by spring-security-kerberos project so it should be pretty easy to switch to it.
If you still want to query LDAP you need to authenticate in LDAP before you can make any queries. Again there's no need to use end-user accounts for it - you can use the keytab file for Kerberos authentication in LDAP and query groups using "Tomcat" account
I found a way to fix my issue.
In a REST API context, you have no entry point. I tried to set my entry point to an unmapped URL, just to do the negociation. By doing this, you will receive an HTTP response with the error code 404 (Not found) but with the right header was added by spring security (WWW-Authenticate).
The web browser will not send the ticket service if the error code is not 401.
To solve this problem, you have to create a CustomEntryPoint class (implements AuthenticationEntryPoint) and you need to override the "commence" method to return a 401 HTTP code with the right header.
I hope that could help. If there is a better way, let me know !
I am using Aacotroneo/Laravel-Saml2 and have successfully setup a login system using ADFS. In another system I am using simpleSAMLphp elsewhere on the same domain successfully with WIA so I know ADFS is setup for that and that everything is setup correctly except the laravel application.
I have installed a browser addon to check the SAML logs for responses and requests. The only thing I can think of is that there is no client request ID sent through from laravel.
&client-request-id=d1ccbbdd-d55e-4828-eb24-0080000000b4
Any suggestions are appreciated. If I have missed a saml2 setting I am more than happy to try them, a lot of them don't seem to work or make any difference whether set to true or false.
Is it possible I need to setup encryption certificates and certain true/false combinations?
Thanks
Check this article
ADFS has non-standard SAML2 Authentication Context Class urn:federation:authentication:windows
By default this class has lower priority than urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
I would suggest making the following changes to AuthNRequest:
<samlp:RequestedAuthnContext Comparison=”minimum”
<samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">
urn:federation:authentication:windows
</samlp:AuthnContextClassRef>
<samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</samlp:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
I'm currently working on building a WCF web Service, I was asked to use Basic Authentication over HTTPS and also to validate whether the user is present in an LDAP group for Authorization.
I searched in Internet and it is said that Active Directory Authentication is not available in IIS and we should use our own Custom Basic Authentication Module or UserNamePasswordValidator.
Link I used for coding Custom Authentication Module
I have hosted the WCF in local IIS with SSL and now it is running under https.
The question is, If I implement this one, I need to add the Authorization header manually it seems. Is there any other way I can get the User Name or Password entered in the Basic Authentication dialog which is showed when we open the service in a browser ?.
OR
could you please provide an advice on what are the things I need to do to implement the above said Security ?
I'm helpless and requesting your help on this !!!!. Thanks in Advance.
Background:
I also tried UserNamePasswordValidator, but it was doing at the Application level, I was able to view the wsdl file (Meta data of the web service without even providing credentials) so I did went with the Custom Basic Authentication Module.
With Custom Basic Authentication Module , it is asking for credentials before the svc is opened in browser. So I think this would best suite. Please provide your valuable suggestions.
Basic authentication works by the web server returning a 401.0 status code AND a WWW-Authenticate response header with the value 'Basic real="xxx"' where the realm is simply information shown to the user so that they understand what is asking for the authentication. When the browser receives this type of response, it displays a dialogue box to the user asking for a username/password. The browser then re-submits the originally requested URL, but also includes an 'Authorization' header whose value is a base64 encoded string which includes the username and password.
A custom authentication module for IIS basically has to handle this interaction. For each request that comes in, it needs to see if there is an 'Authorization' header, and if so, it extracts the username/password, authenticates them in whatever fashion it likes, and if successful sets up the Context.User. If there is no 'Authorization' header, or the username/password are not valid, then the module must set the response code to 401.0, and ensure that there is a WWW-Authenticate header (as described above).
In order to use the module, all other authentication modules in IIS must be disabled (although there seem to be some circumstances in which the anonymous authentication module should be enabled). Due to caching in IIS, don't be surprised if not all requests are passed to your authentication module.
I am facing a peculiar problem. The problem is, my webapp is being installed behind a proxy. The request gets submitted to the proxy which forwards the request to the original host that is running the websphere web application.
The problem I am facing is, when I access the webapp, its URL looks like the below
http://www.myproxy.com
Lets say I get a form on this URL, when I submit the form, it is getting submitted to another URL - http://10.1.2.87
Since the URL is changing, application server thinks it is a different session and throws the login page again. The login page comes thru a filter which checks whether user is already authenticated in the session or not.
I do not have much knowledge on proxy settings .. where do you think is the problem?
Thus, you're using a reverse proxy. You need to configure it to manage the sessions as well. To the point, it should send the HTTP Cookie and Set-Cookie headers forth and back as well. Consult the documentation of the proxy in question for details or ask at serverfault.com for detailed assistance (don't forget to mention which proxy you're using).