I'm trying to set up a JAX-RS-service in thorntail with JWT authentication. Everything works fine (I can inject Principal and user is correctly set), except that in case of a failed authentication, answer is still sent without any 401-HTTP-Header. What I've done is:
Added #LoginConfig(authMethod = "MP-JWT", realmName = "my-domain") to my Application-Class
Configured the security-domain
security:
security-domains:
my-domain:
jaspi-authentication:
login-module-stacks:
roles-token-stack:
login-modules:
jwt-jaspi-login-module:
code: org.wildfly.swarm.microprofile.jwtauth.deployment.auth.jaas.JWTLoginModule
flag: required
auth-modules:
http:
code: org.wildfly.extension.undertow.security.jaspi.modules.HTTPSchemeServerAuthModule
module: org.wildfly.extension.undertow
flag: required
login-module-stack-ref: roles-token-stack
Configured JWT-specific things (seem to work, so I'm skipping this here)
What else do I need to do in order for this to work properly? Do I need to add any annotations to my Endpoint? As I said, I want to return a 401 in case of a failed authentication.
What I've found out so far: JASPICAuthenticationMechanism.isMandatory needs to return true in order for this to work. If this is the case JWTAuthMechanism.sendChallenge is triggered after a failure of JWTAuthMechanism.authenticate and so a 401 is sent to the client. But i have no idea, in which cases isMandatory returns true.
Thanks for any help in this case!
One, the configuration of the security domain isn't 100% correct. Here's a fix for one part of the YAML:
roles-token-stack:
login-modules:
- login-module: jwt-jaspi-login-module
code: org.wildfly.swarm.microprofile.jwtauth.deployment.auth.jaas.JWTLoginModule
flag: required
Two, indeed you need to use the common Java EE annotations (#RolesAllowed, #DenyAll, #PermitAll) on the JAX-RS resources.
Solution (thanks to Ladicek, see comments below):
If you want to use MP JWT, don't start it with Swarm and don't forget to set flag useUberJar if starting it with thorntail:run.
Related
I have a problem about python3_anticaptcha (api provided by anti-captcha.com), search on web, find support and try over a month but no luck.
API doc:
https://anticaptcha.atlassian.net/wiki/spaces/API/pages/416972814/GeeTestTaskProxyless+-+captcha+from+geetest.com+without+proxy
I am doing a auto login on a website, and copy the api on anti-captcha's doc:
def runGee(self, challenge):
print("start gee")
try:
# Enter the key to the AntiCaptcha service from your account. Anticaptcha service key.
ANTICAPTCHA_KEY = "mycode"
# обязательные параметры
websiteURL = "https:\/\/www.nike.com.hk"
gt = "2328764cdf162e8e60cc0b04383fef81"
print("sloving1")
print("challenge:" ,challenge)
# пример работы с GeeTestTask без прокси
result = GeeTestTaskProxyless.GeeTestTaskProxyless(anticaptcha_key=ANTICAPTCHA_KEY,
websiteURL=websiteURL,
gt=gt).captcha_handler(challenge=challenge)
print("sloving2")
print(result)
print("--end gee--")
except Exception as err:
print(err)
print("--end with error--")
However, the geetask start over 3 minute(or more), and got error everytime. usually error code like:
{'errorId': 34, 'errorCode': 'ERROR_TOKEN_EXPIRED', 'errorDescription': 'Captcha provider
reported that additional variable token has expired.', 'taskId': 1204556667}
or
{'errorId': 12, 'errorCode': 'ERROR_CAPTCHA_UNSOLVABLE', 'errorDescription': ' Captcha
could not be solved by 5 different workers.', 'taskId': 1204060350}
..etc
depends on what parameter i passed.
May i know am i passing the right value to geetask? or some wrong on the code?
Moreover, if geetest return the correct value, i need to do any else to pass capcha(or pass code to geetest server) or GeeTestTaskProxyless already done(not to do anything)?
it is extremely hard to me, does anyone had used this api successfully? Thanks
The problem is not in the anticaptcha but in the geetest provider.
The token challenger can only be used once, when your browser loads the geetest captcha it expires the token.
To fix this problem, you only need to block the request that consumes the token in your browser.
go to devtools and add the block for the geestest captcha API in the browser, like this:
You can automatically integrate this into the selenium with the following command:
driver.execute_cdp_cmd('Network.setBlockedURLs', {"urls": ["api.geetest.com/get.php"]})
driver.execute_cdp_cmd('Network.enable', {})
It seems for me that those errors are because of proxy (if you use any) or just bad IP.
Personally, I use another captcha service and I didn't have such problems with it.
I advice you to try it, it's actually much easier: https://2captcha.com/2captcha-api#solving_geetest
You should send a request like this one:
https://2captcha.com/in.php?key=1abc234de56fab7c89012d34e56fa7b8&method=geetest>=f1ab2cdefa3456789012345b6c78d90e&challenge=12345678abc90123d45678ef90123a456b&api_server=api-na.geetest.com&pageurl=https://www.example.com/page/
What you need to archieve is to get correct answer from it, like this one:
{
"challenge":"1a2b3456cd67890e12345fab678901c2de",
"validate":"09fe8d7c6ba54f32e1dcb0a9fedc8765",
"seccode":"12fe3d4c56789ba01f2e345d6789c012|jordan" }
Then you just need to implement that answer on a site. Just read the first link I gave you.
Cheers.
G'day all,
I've been having trouble upgrading to a more recent version of the ember-simple-auth module.
In particular I seem to have two challenges:
1) the application no longer transitions to the desired route after authenticating. the configuration looks like this:
ENV['ember-simple-auth'] = {
crossOriginWhiteList: ['http://10.10.1.7:3000'],
routeAfterAuthentication: 'profile',
//store: 'simple-auth-session-store:local-storage',
//authorizer: 'simple-auth-authorizer:token',
};
but it never gets to "profile".
2) I can't get the authenticated session to stick after a reload. I had been trying to use the local-store which I believed would do the trick, but it's not. Has something changed in the implementation?
The documentation seems to indicate that the configuration strings are right, but the transition and session store don't seem to be working.
Has anyone had a similar problem?
Thanks,
Andrew
you could try adding "routeIfAlreadyAuthenticated" to ENV['ember-simple-auth'] - or you could transition manually in index route "afterModel" hook, if session is already authenticated
have you configured a session store? https://github.com/simplabs/ember-simple-auth#session-stores - the way it's configured changed in 1.0, now you can add the desired session store to app/session-stores/application.js - maybe this solves #1 too.
OK. As the comments call out, there were two problems here:
1) I had written a customer authorizer for the old version of simple-auth which didn't work with the new version, and
2) I had a typo in the adapter code, where DataAdapterMixin was DAtaAdapterMixin.
Removing (1) and fixing (2) fixed the problem.
I am using Facebook Owin Authentication and more or less follow Microsoft sample. I am more or less following the First time user logs in, everything is ok. But if they sign out and try again, it seems like the previous .AspNet.Correlation.Facebook is not removed, but set to empty string. So my next call to api/getexternallogin looks like this in Fiddler:
This is when we are generating a correlationId and having multiple cookies at this point is not a show stopper. In the response, I set it to the new CorrelationId:
Later when facebook calls back to "/signin-facebook", we try to validate the correlationId in ValidateCorrelationId method. The request seems like this:
So the new CorrelationId has been set but the extra cookie with no value means when I go Request.Cookies["ValidateCorrelationId"], it returns empty string.
I have checked the code and it seems like the only methods modifying this cookie are GenerateCorrelationId and ValidateCorrelationId. Implementation of these methods can be found in here:
http://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security/Infrastructure/AuthenticationHandler.cs
Curiously enough, my browser does not seem to see the issue:
Any ideas will be much appreciated.
OK this has taken me a fair bit of frustration but when Response.Cookies.Delete(".AspNet.Correlation.Facebook") is called in ValidateCorrelationId method, it sends the following in response:
So the value of "expires" has been concatenated and treated as two separate "set-cookie"s. Hence, the cookie is not expired but its value set to empty string. It seems like the comma after "Thu" is causing it.
The fix I have come up with was to comment out Response.Cookies.Delete(".AspNet.Correlation.Facebook") and do the following instead:
Response.Headers.Add("Set-Cookie", new[] { CorrelationKey + "=; path=/; expires=Fri 02-Jan-1970 00:00:00 GMT" })
No commas there and it is working now.
This does seem like a genuine bug in OWIN.
I'd want to use a login page to access different firewalls, so I need to get information about the firewall I'm logging in.
In my controller I'd use
$this->container->get('security.context')->getToken()->getProviderKey()
but as an anonymous user I don't have access to getProviderKey method.
I could also parse
_security.xxx.target_path
to get xxx firewall but I'm looking for a more general solution if it exists at all.
Any idea?
As of symfony 3.2, you can now get the current firewall configuration using the following:
public function indexAction(Request $request)
{
$firewall = $this->container
->get('security.firewall.map')
->getFirewallConfig($request)
->getName();
}
Ref: http://symfony.com/blog/new-in-symfony-3-2-firewall-config-class-and-profiler
For Symfony 3.4 I wrote this to avoid referencing the non-public "security.firewall.map" service:
$firewallName = null;
if (($firewallContext = trim($request->attributes->get("_firewall_context", null))) && (false !== ($firewallContextNameSplit = strrpos($firewallContext, ".")))) {
$firewallName = substr($firewallContext, $firewallContextNameSplit + 1);
}
(Referencing "security.firewall.map" on 3.4 will throw an exception.)
Edit: This will not work in a custom exception controller function.
I was doing a little research on this myself recently so that I could send this information in an XACML request as part of the environment.
As far as I can tell from GitHub issues like this one:
https://github.com/symfony/symfony/issues/14435
There is currently no way to reliably get the information out of Symfony except the dirty compiler pass hack suggested on the linked issue. It does appear from the conversation on these issues, they are working on making this available, however, the status is still open, so we will have to be patient and wait for it to be provided.
#Adambean's answer is pretty elegant, but I'd write it as a one-liner:
$firewallName = array_slice(explode('.', trim($request->attributes->get('_firewall_context'))), -1)[0];
The difference is that $firewallName will always be a string (which may be empty).
Also, please note that this answer (like #Adambean's) doesn't work for a firewall with a dot in its name.
Is there some way to disable user auto-registration in ckan?
I'd like to have a ckan site that would be strictly read-only for visitors
with a back-end exclusive for contributors.
I went through the docs, but I couldn't find any option like that.
any advice on how to configure and secure ckan for such a purpose would be welcome
The easiest solution is to write an extension that implements the IAuthFunctions interface and override the user_create auth function.
Here is the basic extension:
def no_registering(context, data_dict):
return {'success': False, 'msg': toolkit._('''You cannot register for this
site.''')}
class NoSelfRegistration(plugins.SingletonPlugin):
plugins.implements(plugins.IAuthFunctions, inherit=True)
def get_auth_functions(self):
return {
'user_create': no_registering
}
UPDATE: We are currently implementing a config option to do this (pull request at https://github.com/okfn/ckan/pull/399).
For hub.HealthData.gov, we created this patch
https://github.com/HHS/ckan/commit/0102d4d7cee9151fc5fcfe31c56c485436eddda4
which makes a new config option ckan.auth. create_user which we set to false.
It has been in pull request purgatory since then:
https://github.com/okfn/ckan/pull/399
This is now a standard feature of CKAN (at least since version 2.3.2, perhaps earlier). You can use the ckan.auth.create_user_via_api and ckan.auth.create_user_via_web configuration options.
By default, ckan.auth.create_user_via_api is false but ckan.auth.create_user_via_web is true.