Audit log with HTTP Referer information in Wildfly with picketlink SAML Authentication - security

I am using WildFly 8.2.0 with PicketLink 2.7.
I have an application deployed and running fine with SAML HTTP POST authentication. I now have a requirement to write an audit log which contains login fail, login success, logout fail and logout success information. For every record I have to identify the originating address (HTTP Referer header).
I tried PicketLinkAuditProvider; it logs, but does not contain all the details. I also tried org.jboss.security.audit.providers.LogAuditProvider, but it only provides Source=org.wildfly.extension.undertow.security.AuditNotificationReceiver;message=UT000030
I went to see the AuditNotificationReceiver code and found that it is swallowing the information that I need.
I need help to understand if I am moving in the right direction or not.
If I am in the right direction, is it possible to provide a custom AuditNotificationReceiver to the WildFly security subsystem?
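As an added example (not code from the original post, PicketLink or WildFly), one way to get the Referer into the audit record without going through the security subsystem's AuditNotificationReceiver: Undertow lets a deployment register its own io.undertow.security.api.NotificationReceiver through a ServletExtension, and that receiver is handed the full HttpServerExchange, so the Referer header, request path and peer address are still available when the event fires. It assumes the Undertow 1.1 / Servlet 3.1 APIs bundled with WildFly 8.2; the class names and the AUTH_AUDIT logger name are my own. Note that Undertow's event types are AUTHENTICATED, FAILED_AUTHENTICATION and LOGGED_OUT, so a failed logout is not reported as a distinct event, and that the Referer is a client-supplied header: in a SAML POST flow it will normally point at the IdP page that posted the assertion, and a client can omit or forge it, which is why the peer address is logged next to it and CR/LF are stripped before writing.

```java
// Added example, not from the original question: a per-deployment Undertow
// NotificationReceiver that records the HTTP Referer for authentication events.
// Assumes the Undertow 1.1 / Servlet 3.1 APIs shipped with WildFly 8.2 and a
// java.util.logging logger named "AUTH_AUDIT" (assumed name).
import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityNotification;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.util.Headers;

import javax.servlet.ServletContext;
import java.net.InetSocketAddress;
import java.util.logging.Logger;

public class RefererAuditExtension implements ServletExtension {

    private static final Logger AUDIT = Logger.getLogger("AUTH_AUDIT");

    // Undertow discovers this class through the service file
    // META-INF/services/io.undertow.servlet.ServletExtension inside the WAR,
    // containing the single line: RefererAuditExtension
    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        deploymentInfo.addNotificationReceiver(new RefererAuditReceiver());
    }

    static final class RefererAuditReceiver implements NotificationReceiver {

        @Override
        public void handleNotification(SecurityNotification n) {
            HttpServerExchange exchange = n.getExchange();

            // EventType is AUTHENTICATED, FAILED_AUTHENTICATION or LOGGED_OUT;
            // Undertow raises no separate "logout failed" event.
            String outcome = n.getEventType().name();

            // The account is null for a failed authentication.
            Account account = n.getAccount();
            String user = (account != null && account.getPrincipal() != null)
                    ? account.getPrincipal().getName() : "-";

            // Referer is client-supplied and may be absent, so the peer
            // address is recorded alongside it rather than instead of it.
            String referer = sanitize(exchange.getRequestHeaders().getFirst(Headers.REFERER));
            InetSocketAddress peer = exchange.getSourceAddress();
            String remote = (peer != null && peer.getAddress() != null)
                    ? peer.getAddress().getHostAddress() : "-";

            AUDIT.info(String.format(
                    "event=%s mechanism=%s user=%s remote=%s referer=%s path=%s",
                    outcome, sanitize(n.getMechanism()), sanitize(user), remote,
                    referer, sanitize(exchange.getRequestPath())));
        }

        // Replace CR/LF so a crafted header or user name cannot forge extra
        // audit lines (log injection).
        static String sanitize(String value) {
            if (value == null || value.isEmpty()) {
                return "-";
            }
            return value.replace('\r', '_').replace('\n', '_');
        }
    }
}
```

Drop the class into WEB-INF/classes (or a JAR in WEB-INF/lib) together with the services file, and route the AUTH_AUDIT logger to its own file handler in the logging subsystem. This registers the receiver for one deployment only, which is usually what an application-level audit wants; it does not replace the security subsystem's own receiver, so the UT000030 lines will still appear unless that provider is removed.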

Related

JMeter load test for Application authenticated with Azure AD

I'm new to JMeter and trying to create a test case. The application is using OAuth 2.0 Azure Active Directory authentication. I followed one of the posts, https://blog.pnop.co.jp/jmeter-webapps-azuread-auth_en/, and was able to make an HTTP request to the app, but in return I'm getting the below error:
We can't sign you in
Your browser is currently set to block cookies. You need to allow cookies to use this service.
Cookies are small text files stored on your computer that tell us when you're signed in. To learn how to allow cookies, check the online help in your web browser.
I took care of CookieManager.save.cookies=true in user.properties, but cookies are still giving me a hard time, though I could see cookies populating in the request header being sent.
If someone has cracked a similar scenario, that would be a great help.
Thanks
Have you added HTTP Cookie Manager to your test plan?
If yes and you're still experiencing problems, try:
Checking the jmeter.log file for any suspicious entries
Choosing a more "relaxed" implementation for the cookie manager, i.e. netscape
Adding the next line to the user.properties file:
CookieManager.check.cookies=false
A JMeter restart will be required to pick up the change
More information: HTTP Cookie Manager Advanced Usage - A Guide

SAP Commerce / Hybris denies oAuth login

My problem is that the oAuth login gets denied on our test server, but it works on our live and development (local) servers.
Is there something specific I have to configure to make it work on another server?
I compared the platform folder on test and live; both are identical.
I created the same oAuth logins on both servers; didn't work.
I tried to log in through the IP, to avoid Apache; didn't help.
Now I am kind of lost where to look next.
To test my login I use Swagger or Postman with this URL: https://test.shop/authorizationserver/oauth/token with Basic Authorization.
The response is: {"error":"invalid_client","error_description":"Bad client credentials"} but it is wrong.
This is the configuration for the user:
Besides this problem, I had an equal one on the live system. Our Apache removed the Authorization header to get the Backoffice working, which is protected through htaccess. When I was researching this problem, I got the same error as this one. Now everything works fine on live. I corrected the same thing on test, even tried uninstalling Apache, but the login is still not working.
You need to configure the oAuthClient for SmartEdit by running the following Impex:
INSERT_UPDATE OAuthClientDetails;clientId[unique=true];resourceIds;scope[mode=append];authorizedGrantTypes;accessTokenValiditySeconds;authorities;clientSecret;;smartedit;hybris;basic,permissionswebservices,previewwebservices;password,client_credentials;3600;;;
For details, please see:
Configuring oAuthClient for SmartEdit
Can you please check if the configurations are similar? If yes, then there is something env-specific that needs to be debugged individually.
We fixed the problem by pasting the correct "OAuth client secret" into the "Password" and "Verify password" fields. This was initialized via Impex with an old value (but not visible to the user in the dialog, as seen in the lower screen).

Jmeter Windows Authentication error - 401

I am trying to record an internal website for which I need to enter credentials that are not the same as the Windows credentials. Later on, the same test needs to be run for more than one user. I know how to use the CSV file to pass the parameters (username and password).
For Windows Authentication I have added the HTTP Authorization Manager.
From Fiddler I checked it was NTLM authentication (though I am not sure yet) and I did enter the values for NTLM authentication in the Authorization Manager.
Now when I try to record the internal website, I cannot even get to the homepage after the Windows credentials; it keeps on spinning.
When I check the Authorization Manager, I find an extra line added for Kerberos authentication, as shown in the picture:
My queries here are:
1) Why is it recording it as Kerberos?
2) Where is it saving the username and password?
3) Why is it not loading the website? It always keeps spinning and I have to stop it.
4) I have tried Kerberos settings and then recording, but it's not working either. Could it be that I am using the wrong values in the kerb5.conf file? How do I debug?
Kind of stuck at the moment.
Thanks for the help!
If you're uncertain what authentication is being used under the hood, just ask around; application developers or network administrators should be aware of the external authentication scheme. You can also try using a 3rd-party tool like Kerberos Authentication Tester.
I don't think you can record and replay Windows authentication, so it makes sense to start recording some time after the login screen, as long as you can log in using JMeter.
Looking into the JMeter source:
// if HEADER_AUTHORIZATION contains "Basic"
// then set Mechanism.BASIC_DIGEST, otherwise Mechanism.KERBEROS
In case of Kerberos, credentials are saved directly in the HTTP Authorization Manager in the form of ${AUTH_LOGIN} and ${AUTH_PASSWORD}; real credentials are not stored anywhere.
Most probably your application doesn't receive a valid authentication context, therefore it cannot proceed.
Add the sun.security.krb5.debug=true line to the system.properties file (lives in the "bin" folder of your JMeter installation); a JMeter restart will be required to pick the property up.
More information:
Windows Authentication with Apache JMeter
JAAS and Java GSS-API Tutorials

Blank page response with successful form authentication on wildfly

I'm aware similar sounding questions have been asked in the past. But this issue is really annoying me and I'm not sure if it can be resolved easily.
In order to cope with a successful login when the JSESSIONID cookie was missing or had expired, web.xml was configured to redirect to the home page on a 408 error. This was when running on JBoss 7.1.1.
The login page is standard j_security_check form based authentication with POST action etc.
We then migrated to WildFly 8.2.1, where we found that the server simply replies with 200 OK, and so a blank page is presented with the URL ending in xxx/j_security_check. Not nice, since the user had logged in successfully.
The correct response was still being presented when trying to log in with invalid credentials.
I tried running on WildFly 10.1 as well, but no difference.
I'm guessing it's caused by a "fix" in Undertow which requires some additional handling, possibly in a web filter.
Has anyone else experienced this issue and managed to find a solution?

IE/IIS integrated authentication problem

In IIS I've got:
http://myserver/myapplication
http://myserver/reports
The reports app is in fact Reporting Services, which uses Windows authentication. myapplication is an ASP.NET application that uses forms authentication.
The server is outside the company domain. If I access the reports first and type in the user and password (local credentials created on the server) when prompted, I can access the reports page, no problems. If I then go straight to my application's login page and try to log in, the login page refreshes without doing anything. This always happens in IE 6. In IE 7 it happens intermittently. It does not happen in Firefox, or if Fiddler is running in the background, which seems to fix the problem on the fly.
I used Wireshark to see what's going on and found that IE 6 sends the Windows authentication token obtained from the reports app to myapp. That was the only difference between IE and Firefox. IIS seems to freak out and simply interprets my POST to the login page as a GET and returns.
If I add Windows authentication to myapplication in IIS, everything seems to work fine with any browser.
Why is this happening? A bug in IE or am I missing something?
It's sort of a bug in IE, and sort of a bug in the design of NTLM/Negotiate (aka Integrated) authentication over HTTP.
NTLM/Negotiate are connection-oriented auth protocols, which HTTP wasn't really designed for. As a result, when you require this auth mechanism for one page on your server, IE will typically assume that other pages on the server have the same requirement.
Furthermore, for performance and security reasons, if IE expects a Negotiate/NTLM challenge for a given POST request, it will first send a 0-byte POST, expecting the server to return an HTTP/401 challenge, to which it will authenticate and then properly send the POST body.
However, in your case, the folder which doesn't require Integrated auth gets the 0 byte POST and says "Hrm, weird, a 0 byte post. Okay, HTTP/200, here's the page as if you'd used GET."
Because IE never gets the 401 challenge it expects, it never actually sends the POST body.
(Fiddler may confuse you a bit due to how HTTP connection reuse works).
The workaround is to ensure that if you're using Integrated auth on the host, you use it everywhere.