How to map security role to ldap group in websphere liberty profile - websphere

I have liberty profile authentication working with MS Active directory. But I am not able to set up a role mapping to a group.
I have created a security role in my web.xml:
<security-role>
<description>Users who are authorized to do update and insert operations</description>
<role-name>AuthorizedUser</role-name>
</security-role>
And for full WAS with wmm I have mapped the role to a group in ibm-application-bnd.xml which works:
<security-role name="AuthorizedUser" >
<group name="mygroup" access-id="group:defaultWIMFileBasedRealm/CN=mygroup,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
</security-role>
But this is not working with liberty profile.
Do I need to alter the access-id?

The accessId must use exactly the same realm name as your user registry is configured to have. For example, if your registry is configured thusly:
<ldapRegistry realm="myLDAPRealm"/>
Then your accessId values must take on the same value:
<security-role name="AuthorizedUser" >
<group name="mygroup" access-id="group:myLDAPRealm/..."/>
</security-role>
The default realm name for the LDAP registry is "LdapRegistry", and for reference, the default realm name for the basic registry is "BasicRegistry".
As AJ_R pointed out, you can remove the access-id field entirely and let the access-id be generated automatically. More often than not, specifying the access-id value manually is not necessary.
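The realm match this answer describes can be checked mechanically. The following Python sketch is an added example, not part of the original answer or of Liberty itself: it compares the realm embedded in each group access-id with the realm of the registry in server.xml. The function names and the groups mygroup2 and mygroup3 are constructed for illustration, and it assumes the realm name contains no "/".

```python
import xml.etree.ElementTree as ET

# Default realm names as stated in the answer above.
DEFAULT_REALMS = {"ldapRegistry": "LdapRegistry", "basicRegistry": "BasicRegistry"}

def local(tag):
    """Strip an XML namespace prefix such as '{uri}' from a tag name."""
    return tag.rsplit("}", 1)[-1]

def registry_realm(server_xml):
    """Return the realm of the first user registry found in server.xml."""
    for el in ET.fromstring(server_xml).iter():
        if local(el.tag) in DEFAULT_REALMS:
            return el.get("realm") or DEFAULT_REALMS[local(el.tag)]
    raise ValueError("no ldapRegistry or basicRegistry element found")

def check_bindings(bnd_xml, realm):
    """Return (role, group, verdict) for every group bound to a security role."""
    findings = []
    roles = [e for e in ET.fromstring(bnd_xml).iter() if local(e.tag) == "security-role"]
    for role in roles:
        for grp in (g for g in role if local(g.tag) == "group"):
            access_id = grp.get("access-id")
            if access_id is None:
                verdict = "ok: access-id omitted, server generates it"
            else:
                # Expected shape: group:<realm>/<unique id, e.g. the group DN>
                kind, _, rest = access_id.partition(":")
                id_realm, sep, unique_id = rest.partition("/")
                if kind != "group" or not sep or not unique_id:
                    verdict = "malformed access-id"
                elif id_realm != realm:
                    verdict = f"realm mismatch: {id_realm!r} != {realm!r}"
                else:
                    verdict = "ok"
            findings.append((role.get("name"), grp.get("name"), verdict))
    return findings

# Constructed sample input built from the snippets in the question and answer.
SERVER_XML = '<server><ldapRegistry realm="myLDAPRealm"/></server>'
BND_XML = """<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee">
  <security-role name="AuthorizedUser">
    <group name="mygroup" access-id="group:defaultWIMFileBasedRealm/CN=mygroup,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
    <group name="mygroup2" access-id="group:myLDAPRealm/CN=mygroup2,OU=myorg,DC=mydomain,DC=AD,DC=myco,DC=com"/>
    <group name="mygroup3"/>
  </security-role>
</application-bnd>"""

if __name__ == "__main__":
    print(check_bindings(BND_XML, registry_realm(SERVER_XML)))
```

A mismatch leaves the role with no matching group, so members of the group are denied access even though authentication succeeds.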

The issue was b/c 'o' != 'O' in "memberOf", I don't think this was case sensitive in TWAS.
Customizing the MS Active directory groupMemberIdMap fixed the group searches:
<activedFilters groupMemberIdMap="memberOf:member"/>

Did you use the same realmName (defaultWIMFileBasedRealm) when configuring the MS Active directory?
You can also try removing the access-id (just use the group name) and let the liberty server generate it using the realmName defined for the registry to see if that would help.

Related

WLP and OpenLiberty prevent me to use LtpaToken2 cookie name

I am planning to implement SSO w/OIDC between several identical Websphere Liberty profile (wlp) instances with the standard LtpaToken2 cookie, but I don't see it being generated under that name. Instead, I see a random WAS_* cookie.
Even when I set it manually in 1 single wlp's server.xml like:
<webAppSecurity ssoCookieName="LtpaToken2" />
I see that wlp intentionally ignores it, as seen in the logs:
[AUDIT] CWWKS9112A: The web application security settings have changed.The following properties were modified: ssoCookieName=WAS_p1887216770
so it doesn't seem to be an app-related issue, or even oidc-related issue.
Why is wlp behaving like this? All the existing documentation doesn't mention any restriction/reservation of the LtpaToken2 name, in fact it should be the default.
Although I can set it to any other custom name, I am interested in understanding this impediment in using the default LtpaToken2 name, and the reason why it doesn't align with the documentation.
Any explanation is deeply appreciated
Enabling either the openidConnectClient-1.0 or openidConnectServer-1.0 will cause the cookie name to be automatically generated with a server specific identifier for either one of those features. In some situations, this allows configuring multiple Relying Parties and Providers in the same host without collisions when processing their respective cookies.
For the openidConnectProvider, you have the option to use LtpaToken2 when setting the allowDefaultSsoCookieName attribute to "true" as documented in https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-openidconnectprovider. The openidConnectClient does not provide this option. We have an issue open to allow using the default cookie name for the OIDC client at https://github.com/OpenLiberty/open-liberty/issues/18803.
On the other hand, you might benefit from using jwtSso-1.0 to do SSO between identical servers after the initial authentication with the OIDC Provider. For example, please see the documentation for the allowCustomCacheKey attribute in https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-openidconnectclient.
Another alternative is to specify a value other than LtpaToken2 for the ssoCookieName attribute. This will override the auto generation of the cookie name when those features are enabled.
Regards,
Teddy

Umbraco, Azure deployment slots and Connection Strings

We're trying to leverage Azures deployment slots for an Umbraco site we've built.
By default Umbraco uses a DSN defined in the connectionStrings sections of the web.config and we want it to use the connection string for the deployment slot it's sitting in.
What we've tried
Azure deployment slots put all defined app settings (and connection strings) into environment variables and to access them we can use Environment.GetEnvironmentVariable() which works but there doesn't seem to be a way to tell Umbraco to do this.
So in OnApplicationInitialized() (in /App_Code/Core/UmbracoAppStart.cs) we loaded the connectionstring section from the web.config, grabbed the connstr from env vars, added the DSN to the connectionstring section and saved.
The correct connection string is grabbed and stored but this seems to recycle the app (due to a web.config change) and thus we just get timeouts. (Or Umbraco XML cache errors, or it takes 20 mins to load the page).
I know you can store the appsettings and connectionstrings sections in separate files. But the file attribute (that doesn't cause a recycle if the referenced file is changed) doesn't work on the connectionStrings section - only the configSource attribute and that DOES recycle if changed.
(from: ASP.NET web.config: configSource vs. file attributes)
Help
Has anyone found a way around this?
We simply need to get Umbraco to use the deployment slot connection string - not the one in webconfig.
I'm even willing to copy and paste blindly at the moment without understanding how it works - and I hate doing that :). But that's what happens when people agree when the client wants to go live just before Christmas...
You don't need to do any code to use Azure connection string or the app settings. Just give them the same keys/names as you have on your web.config and they will be used instead.
So if you have this on your web config:
<add name="umbracoDbDSN" connectionString="Server={server};Initial Catalog={db};Persist Security Info=False;User ID={user};Password={password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=300;" providerName="System.Data.SqlClient" />
Your slot configuration should be this:
To replace an app setting just use the same key. So for this:
<add key="umbracoUseSSL" value="false" />
You'd use this:
If you want the setting to be slot specific you have to activate the Slot setting checkbox.

Custom Sitecore Membership Provider does not contain Anonymous user

In my development environment my custom domain wired up to a custom membership provider has an anonymous user myDomain\Anonymous however when I deployed to QC it does not contain the anonymous user (other users work fine).
For some background, I need the anonymous user to lock down pages with the deny read.
The domains configuration for both instances are the same, see below:
<domain name="sitecore" ensureAnonymousUser="false" />
<domain name="extranet" />
<domain name="default" isDefault="true" />
<domain name="myDomain" ensureAnonymousUser="false" />
Any ideas? I'm running Sitecore 7 Update 2
It might be that you haven't set the switchingprovider correctly. So if one environment has storeFullNames=true and the other environment has storeFullNames=false, this means that in one instance you have created "myDomain\Anonymous" and in the other instance you are trying to look for "Anonymous".
The property indicates whether domains should be included in the name.
Anyway, why don't you just set ensureAnonymousUser="true", then it will create the user for you?

available security roles in elasticsearch-jetty plugin

I am using elasticsearch-jetty plugin and trying to use it for the authentication of elasticsearch access.
I am wondering which security roles are available for users specified in realms.properties. I couldn't find a definite list.
I saw in examples usage of: admin, readwrite and read-only. Are there any other and where can I specify new ones?
I have just found that roles are defined inside of jetty-restrict-*.xml files, depending on which is used. For default jetty-restrict-all.xml file, only "readwrite" role is defined, but for jetty-restrict-write.xml role "admin" is also used.
That is also the place where other roles can be defined.

Oracle Session State Store Class in ASP.Net C#

I am implementing in a development project Oracle Session State Store Class, which is found in Oracle 11g Client, to hold my users' sessions as the application is being run over a web farm.
Whilst I can make Oracle Session State Store work through the web.config, I need to make the store work in the code behind because our database connections i.e. the passwords are encrypted and are only decrypted when a connection is made. Unfortunately, I cannot do this in the web.config.
I have tried to implement the Oracle Session State Store Class in the Global.asax in the Session_Start method using the Initialise method. The problem is that it is throwing an error. The exception it is calling is "The connectionStringName attribute is empty or does not exist in the configuration file, or an invalid attribute is found in the configuration file."
In the Session_Start method, I created a Name Value Collection and added two variables, one of which is the database connection string and the other the type for the custom session store.
Does anyone know what I am doing wrong?
Thanks
First, make sure your web.config or machine.config is configured correctly. You can take a look at Oracle Session State Store documentation, or below:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings>
    <add name="my_sessionstate_app_con_string"
         connectionString="User Id=scott;Password=tiger;Data Source=Oracle"/>
  </connectionStrings>
  <system.web>
    <!-- Enable and customize OracleSessionStateProvider -->
    <sessionState mode="Custom" customProvider="MyOracleSessionStateStore">
      <providers>
        <add name="MyOracleSessionStateStore"
             type="Oracle.Web.SessionState.OracleSessionStateStore, Oracle.Web, Version=2.111.6.20, Culture=neutral, PublicKeyToken=89b483f429c47342"
             connectionStringName="my_sessionstate_app_con_string"/>
      </providers>
    </sessionState>
  </system.web>
</configuration>
Second, you don't HAVE to encrypt your Oracle session state store connection string during development time. You can use aspnet_regiis to encrypt it at deployment like below.
aspnet_regiis -pef connectionStrings "c:\inetpub\wwwroot\myapp\"
If the command line above runs fine but your web app produces RSA error messages, try to add the following accounts (or the specific ones you use) to the RSA container:
aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp
aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NETWORK SERVICE"
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
By the way, I didn't have to implement OracleSessionStateStore in Global.ascx. I just reference with Session["key"] = value; and var value = Session["key"];
Also, make sure your DBA sets up a job to clean up the session state table.
