I'm writing a java program to access hadoop jobhistory service to retrieve some information.
I'm using HTTPClient to make the HttpGet call. I need to login from a keytab file (I have the file on my ~/.ssh/ folder) instead of type in user name and password.
My question is: How to login from keytab in HTTPClient?
Here is how I set up my HTTPClient
System.setProperty("java.security.krb5.conf", "krb5.conf");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("java.security.krb5.realm", prop.getProperty("krb5.realm"));
System.setProperty("java.security.krb5.kdc", prop.getProperty("krb5.kdc"));
PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
cm.setMaxTotal(200);
cm.setDefaultMaxPerRoute(100);
//TODO login from keytab ?
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("DUMMY", null));
Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create()
.register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory())
.build();
httpClient = HttpClients.custom().setDefaultCredentialsProvider(credsProvider)
.setDefaultAuthSchemeRegistry(authRegistry)
.setConnectionManager(cm)
.build();
HttpResponse response = httpClient.execute(request);
One interesting is this code can run successfully in my IntelliJ. But After I build and run it from command line, it will show up the info to ask me for username and password.
I'm new to authentication, hope somebody can help. Thanks a lot.
HttpClientBuilder builder = HttpClientBuilder.create();
Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
.register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
builder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(new AuthScope(null, -1, null), new Credentials() {
#Override
public Principal getUserPrincipal() {
return null;
}
#Override
public String getPassword() {
return null;
}
});
builder.setDefaultCredentialsProvider(credentialsProvider);
final HttpClient httpClient = builder.build();
final Subject subj = new Subject();
Krb5LoginModule krb5 = new Krb5LoginModule();
Map<String, String> options = new HashMap<>();
options.put("doNotPrompt", "true");
options.put("storeKey", "true");
options.put("useKeyTab", "true");
options.put("useTicketCache", "true");
options.put("keyTab", keytabFilePath); //Path to keytab file
options.put("principal", principal); //Principal name
options.put("debug", "true");
krb5.initialize(subj, null, null, options);
krb5.login();
krb5.commit();
HttpResponse response = Subject.doAs(subj, new PrivilegedExceptionAction<HttpResponse>() {
#Override
public HttpResponse run() throws Exception {
return httpClient.execute(request);
}
});
Related
Last month the below steps were working well for me to debug and test a SharePoint online remote event receiver locally:-
Open Ngrok.exe >> run the following command inside ngrok:-
ngrok authtoken 3***e
ngrok http --host-header=rewrite 57269
register a new app:- # https://.sharepoint.com/sites//_layouts/15/AppRegNew.aspx >> enter the above Ngrok urls inside the App Redirect URL & App Domain.
Inside the _layouts/15/appinv.aspx >> I search for the above app using Client ID >> and enter the following:-
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
Update the service's web config with the above ClientID and ClientSecret
Register the new remove event receiver as follow:-
Add-PnPEventReceiver -List "Order Management" -Name "TasksRER" -Url http://cc6e945e82f6.ngrok.io/service1.svc -EventReceiverType ItemUpdated -Synchronization Asynchronous
But today when I tried the above steps it failed >> where inside my event receiver when I tried to get the SharePoint context >> I will get that the Context is null:-
public void ProcessOneWayEvent(SPRemoteEventProperties properties)
{
var prop = properties;
var listItemID = properties.ItemEventProperties.ListItemId;
var listTitle = properties.ItemEventProperties.ListTitle;
using (ClientContext context = Helpers.GetAppOnlyContext(properties.ItemEventProperties.WebUrl))
{
context.Load(context.Web);
context.ExecuteQuery();
Here is a screen shot from Visual Studio with the error i am getting when trying to get the context:-
Any advice if anything has been changed which is preventing me from running the above steps? which were working well last month?
Thanks
here is the code for the GetAppOnlyContext
public class Helpers
{
public static ClientContext GetAppOnlyContext(string siteUrl)
{
try
{
Uri siteUri = new Uri(siteUrl);
string realm = TokenHelper.GetRealmFromTargetUrl(siteUri);
string accessToken = TokenHelper.GetAppOnlyAccessToken(TokenHelper.SharePointPrincipal, siteUri.Authority, realm).AccessToken;
return TokenHelper.GetClientContextWithAccessToken(siteUri.ToString(), accessToken);
}
catch (Exception ex)
{
Trace.TraceInformation("GetAppOnlyContext failed. {0}", ex.Message);
}
return null;
}
public static ClientContext GetAuthenticatedContext(string siteUrl)
{
string userName = WebConfigurationManager.AppSettings.Get("AuthenticatedUserName");
string password = WebConfigurationManager.AppSettings.Get("AuthenticatedUserPassword");
return GetAuthenticatedContext(siteUrl, userName, password);
}
public static ClientContext GetAuthenticatedContext(string siteUrl, string userName, SecureString password)
{
ClientContext ctx = new ClientContext(siteUrl);
ctx.Credentials = new SharePointOnlineCredentials(userName, password);
return ctx;
}
public static ClientContext GetAuthenticatedContext(string siteUrl, string userName, string password)
{
SecureString securePassword = GetPassword(password);
return GetAuthenticatedContext(siteUrl, userName, securePassword);
}
private static SecureString GetPassword(string passwd)
{
var secure = new SecureString();
foreach (char c in passwd)
{
secure.AppendChar(c);
}
return secure;
}
public static string EmptyIfNull(object obj)
{
return obj == null ? "" : obj.ToString();
}
}
}
I am migrating our legacy application into Azure Cloud . In the existing application we are securing our Jetty Server while starting so for that we are using jks file to secure our Jetty server .
Now we are moving into Azure Cloud so we have to fetch the .jks file from Azure keyvault . So how to fetch the complete .jks file from Azure keyvault . I am able to fetch the secrets from Keyvault but unable to fetch the certificate (which i uploaded in Azure keyvault). I am not sure whether we have any API which gives the certificate file.
Below code i am using to fetch the secrets & certificates:
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
import com.microsoft.azure.keyvault.models.CertificateBundle;
import com.microsoft.azure.keyvault.models.SecretBundle;
public class DemoTest {
private static String vaultBase = "https://abc.vault.azure.net/";
private static String ClientId = "*******************";
private static String clientKey = "*****************";
public static void main(String[] args) {
KeyVaultClient keyVaultClient = GetKeyVaultClient();
SecretBundle getSecret=keyVaultClient.getSecret(vaultBase, "mysecretkey");
SecretBundle getSecret1=keyVaultClient.getSecret(vaultBase, "DB-PASSWORD-POC");
SecretBundle getSecret2=keyVaultClient.getSecret(vaultBase, "certificate-value");
// SecretBundle getSecret2=keyVaultClient.getSecret(vaultBase, "DB-PASSWORD-DEV");
CertificateBundle getCertificate=keyVaultClient.getCertificate(vaultBase, "abcprod");
CertificateBundle bundle = keyVaultClient.getCertificate("https://abc.vault.azure.net/certificates/abcprod/********386c9403bab8337ce21d27495");
System.out.println(getSecret.value());
System.out.println(getSecret1.value());
System.out.println(getSecret2.value());
// System.out.println(getCertificate.contentType());
// System.out.println(getCertificate.id());
// System.out.println(getCertificate.kid());
// System.out.println(getCertificate.toString());
// System.out.println(getCertificate.attributes().toString());
// System.out.println(getCertificate.keyIdentifier().name());
// System.out.println(getCertificate.sid());
// System.out.println(getCertificate.certificateIdentifier().baseIdentifier());
// System.out.println(bundle.cer());
// System.out.println(bundle);
}
private static KeyVaultClient GetKeyVaultClient() {
return new KeyVaultClient(new KeyVaultCredentials() {
#Override
public String doAuthenticate(String authorization, String resource, String scope) {
String token = null;
try {
AuthenticationResult authResult = getAccessToken(authorization, resource);
token = authResult.getAccessToken();
} catch (Exception e) {
e.printStackTrace();
}
return token;
}
});
}
public static AuthenticationResult getAccessToken(String authorization, String resource) throws InterruptedException, ExecutionException, MalformedURLException {
AuthenticationResult result = null;
//Starts a service to fetch access token.
ExecutorService service = null;
try {
service = Executors.newFixedThreadPool(1);
AuthenticationContext context = new AuthenticationContext(authorization, false, service);
Future<AuthenticationResult> future = null;
//Acquires token based on client ID and client secret.
if (ClientId != null && clientKey != null) {
ClientCredential credentials = new ClientCredential(ClientId, clientKey);
future = context.acquireToken(resource, credentials, null);
}
result = future.get();
} finally {
service.shutdown();
}
if (result == null) {
throw new RuntimeException("Authentication results were null.");
}
return result;
}
}
We are securing our jetty server with this code :
public class ABCSubscriber {
private static final int Port = 9090;
private static final String KeyStoreType = "jks";
private static final String KeyStoreFile = "/home/abc/xyz/subscriber.jks";
private static final String KeyStorePassword = "******";
private static final String KeyPassword = "*******";
private static final String ContextPath = "/";
private static final String URLPattern = "/*";
public static void main(String[] args) throws Exception {
Server server = new Server();
HttpConfiguration http_config = new HttpConfiguration();
http_config.setSecureScheme("https");
http_config.setSecurePort(Port);
http_config.setRequestHeaderSize(8192);
// HTTP connector
ServerConnector http = new ServerConnector(server,
new HttpConnectionFactory(http_config));
http.setPort(9091);
http.setIdleTimeout(30000);
// SSL Context Factory
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreType(KeyStoreType);
sslContextFactory.setKeyStorePath(KeyStoreFile);
sslContextFactory.setKeyStorePassword(KeyStorePassword);
sslContextFactory.setKeyManagerPassword(KeyPassword);
// sslContextFactory.setTrustStorePath(ncm.getKSFile());
// sslContextFactory.setTrustStorePassword("changeit");
sslContextFactory.setExcludeCipherSuites("SSL_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
// SSL HTTP Configuration
HttpConfiguration https_config = new HttpConfiguration(http_config);
https_config.addCustomizer(new SecureRequestCustomizer());
// SSL Connector
ServerConnector sslConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory,HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(https_config));
sslConnector.setPort(Port);
server.addConnector(sslConnector);
/**Disable and enable protocols*/
String[] includeProtocols = {"TLSv1.1","TLSv1.2"};
sslContextFactory.addExcludeProtocols("TLSv1.0");
sslContextFactory.setIncludeProtocols(includeProtocols);
/**End Disable and enable protocols*/
// HTTPS Configuration
ServerConnector https = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory,HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(https_config));
https.setPort(Port);
https.setIdleTimeout(30000);
//server.setConnectors(new Connector[] { http, https });
server.setConnectors(new Connector[] { https });
ServletContextHandler ctxt = new ServletContextHandler(0);
ctxt.setContextPath(ContextPath);
server.setHandler(ctxt);
ctxt.addServlet(new ServletHolder(new ABCServlet()), "/*");
try {
server.start();
} catch ( Exception e ) {
e.getLocalizedMessage();
};
server.join();
}
}
So , Is there any way to get the certificate file from Azure keyvault? If not then how can we use certificate to secure the server ?
Can anyone please help me on this ?
Thanks in Advance !!!
You need to download the private key of the certificate as a secret. Getting the secret using the more obvious GetCertificate will only return the public key part of the certificate.
I know this is C# in the code example below, but that is how I get the certificate out of Key Vault, I hope you can get an idea on how to do the same in Java:
/// <summary>
/// Helper method to get a certificate
///
/// Source https://github.com/heaths/azsdk-sample-getcert/blob/master/Program.cs
/// </summary>
/// <param name="certificateClient"></param>
/// <param name="secretClient"></param>
/// <param name="certificateName"></param>
/// <returns></returns>
private static X509Certificate2 GetCertificateAsync(CertificateClient certificateClient,
SecretClient secretClient,
string certificateName)
{
KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);
// Return a certificate with only the public key if the private key is not exportable.
if (certificate.Policy?.Exportable != true)
{
return new X509Certificate2(certificate.Cer);
}
// Parse the secret ID and version to retrieve the private key.
string[] segments = certificate.SecretId.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
if (segments.Length != 3)
{
throw new InvalidOperationException($"Number of segments is incorrect: {segments.Length}, URI: {certificate.SecretId}");
}
string secretName = segments[1];
string secretVersion = segments[2];
KeyVaultSecret secret = secretClient.GetSecret(secretName, secretVersion);
// For PEM, you'll need to extract the base64-encoded message body.
// .NET 5.0 preview introduces the System.Security.Cryptography.PemEncoding class to make this easier.
if ("application/x-pkcs12".Equals(secret.Properties.ContentType, StringComparison.InvariantCultureIgnoreCase))
{
byte[] pfx = Convert.FromBase64String(secret.Value);
return new X509Certificate2(pfx);
}
throw new NotSupportedException($"Only PKCS#12 is supported. Found Content-Type: {secret.Properties.ContentType}");
}
}
}
Here is the Java code equivalent to answer posted by #Tore Nestenius
public byte[] getPkcsFromAzureKeyVault(String certificateName) throws InvalidDataException {
String keyVaultName = System.getenv("KEY_VAULT_NAME");
String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";
CertificateClient certificateClient = new CertificateClientBuilder().vaultUrl(keyVaultUri)
.credential(new DefaultAzureCredentialBuilder().build()).buildClient();
KeyVaultCertificateWithPolicy certPol = certificateClient.getCertificate(certificateName);
SecretClient secretClient = new SecretClientBuilder().vaultUrl(keyVaultUri)
.credential(new DefaultAzureCredentialBuilder().build()).buildClient();
KeyVaultSecret secret = secretClient.getSecret(certPol.getProperties().getName(),
certPol.getProperties().getVersion());
if ("application/x-pkcs12".equalsIgnoreCase(secret.getProperties().getContentType())) {
return Base64.getDecoder().decode(secret.getValue());
}
throw new InvalidDataException();
}
Loving Azure AD B2C... Looking forward to when it is out of preview!!!
Have a special case I need help putting my head around.
I have a page where I capture new email addresses via a web form.
After adding that email to my mailing list, I want to then create an AD B2C account automatically without making the user click any additional buttons using my ASP.NET MVC Site.
In reading the Article at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
I see that it is possible to add a new user using the Graph API.
However, this example is written using a cmd program.
Does anyone know if there is some sample code to allow me to insert a user into AD B2C inside an MVC controller?
Heres some sample code on how I do it from ASP.Net MVC. Remeber that you need to include ClientId and Clientsecret (they are separate from the ASP.Net webapp) as explained in the article you mention. Code from controller--helperclass:
UserController:
// POST: User/Create
[HttpPost]
public async Task<ActionResult> Create(b2cuser usr)
{
try
{
usr.AlternativeSignInNamesInfo.First().Value = string.Format("{0}_{1}", usr.FirstName, usr.LastName);
usr.DisplayName = string.Format("{0} {1}", usr.FirstName, usr.LastName);
string json = Newtonsoft.Json.JsonConvert.SerializeObject(usr, Formatting.None);
Utils.GraphAPIHelper api = new Utils.GraphAPIHelper(graphAPIClientId, graphAPIClientSecret, tenant);
string res = await api.GraphPostRequest("/users/", json);
return RedirectToAction("Index");
}
catch (Exception e)
{
return View();
}
}
And in the GraphAPIHelper:
internal async Task<string> GraphPostRequest(string api, string json)
{
AuthenticationResult result = authContext.AcquireToken(graphResourceID, credential);
HttpClient http = new HttpClient();
string url = aadGraphEndpoint + tenant + api + "?" + aadGraphVersion;
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
request.Content = new StringContent(json, Encoding.UTF8, "application/json");
HttpResponseMessage response = await http.SendAsync(request);
if (!response.IsSuccessStatusCode)
{
string error = await response.Content.ReadAsStringAsync();
object formatted = JsonConvert.DeserializeObject(error);
throw new WebException("Error Calling the Graph API: \n" + JsonConvert.SerializeObject(formatted, Formatting.Indented));
}
return await response.Content.ReadAsStringAsync();
}
And finally, some samplecode from the model, pls note JsonProperty(Order:
public class b2cuser
{
[JsonProperty(Order = 0, PropertyName = "accountEnabled")]
public bool AccountEnabled = true;
[JsonProperty(Order = 1, PropertyName = "alternativeSignInNamesInfo")]
public List<AlternativeSignInNamesInfo> AlternativeSignInNamesInfo { get; set; }
[JsonProperty(Order = 2, PropertyName = "creationType")]
public string CreationType = "NameCoexistence";
the code tries to download text from a php script via a http request. Since the code should run on a Raspberry Pi with Windows IoT I have to use GetResponseAsync(). It works fine if I use it without the credentials (Http source is public then). When I add the NetworkCredential stuff I get the exception you see in the picture.
Screenshot
In the end I want to be able to load data from a http website that is protected via .htaccess. I hope anyone has some experience with this!
namespace HttpGetBeisp1Hta {
public sealed partial class MainPage : Page {
public MainPage() {
InitializeComponent();
}
private async void ClickMe_Click(object sender, RoutedEventArgs e)
{
try {
await HoleDaten();
}
catch(Exception ex) {
textBlock.Text = ex.ToString();
}
}
private async Task HoleDaten() {
NetworkCredential myCred = new NetworkCredential("user", "pw");
CredentialCache myCache = new CredentialCache();
myCache.Add(new Uri("https://..'my secret uri'../getSave.php"), "Basic", myCred);
WebRequest request = WebRequest.Create("https://..'my secret uri'../getSave.php");
request.Credentials = myCache;
WebResponse response = await request.GetResponseAsync();
Stream dataStream = response.GetResponseStream();
StreamReader reader = new StreamReader(dataStream);
string responseFromServer = reader.ReadToEnd();
textBlock.Text = responseFromServer;
}
}
}
Found it out!
I modified the header manually. The username and pw needs to be added in base64. Use a converter and feed it with "Hans:Mueller" gets you:
private async Task HoleDaten() {
WebRequest request = WebRequest.Create("https:// ... ll.php");
request.Headers["Authorization"] = "Basic SGFuczpNdWVsbGVy";
WebResponse response = await request.GetResponseAsync();
Stream dataStream = response.GetResponseStream();
StreamReader reader = new StreamReader(dataStream);
string responseFromServer = reader.ReadToEnd();
textBlock.Text = responseFromServer;
}
I am new to Azure development and want some help.
I have a HTTPS end point of a web service from my third party.
The webservice call uses a client certificate and user name and password for invoking the SOAP action.
I am using a default HTTP action API and passing the URL, headers, authentication and body as required.
How can i set the certificate setting there ??
Any help or way forward would be great help.Thanks in advance
This is an example for Java, you should find the right implementation for the language that you use.
public static void main(String[] args) throws Exception {
DefaultHttpClient httpClient = new DefaultHttpClient();
try {
SSLContext ctx = SSLContext.getInstance("TLS");
TrustManager[] trustManagers = getTrustManagers("jks", new FileInputStream(new File("cacerts")), "changeit");
KeyManager[] keyManagers = getKeyManagers("pkcs12", new FileInputStream(new File("clientCert.pfx")), "password");
ctx.init(keyManagers, trustManagers, new SecureRandom());
SSLSocketFactory factory = new SSLSocketFactory(ctx, new StrictHostnameVerifier());
ClientConnectionManager manager = httpClient.getConnectionManager();
manager.getSchemeRegistry().register(new Scheme("https", 443, factory));
//as before
}
}
protected static KeyManager[] getKeyManagers(String keyStoreType, InputStream keyStoreFile, String keyStorePassword) throws Exception {
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(keyStoreFile, keyStorePassword.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, keyStorePassword.toCharArray());
return kmf.getKeyManagers();
}
protected static TrustManager[] getTrustManagers(String trustStoreType, InputStream trustStoreFile, String trustStorePassword) throws Exception {
KeyStore trustStore = KeyStore.getInstance(trustStoreType);
trustStore.load(trustStoreFile, trustStorePassword.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
return tmf.getTrustManagers();
}
PS: This code was provided by Barry Pitman in this link