How secured is SSO based on token based authentication? - security

I am planning to integrate jasper server with my web application as Single Sign on. I went through Jasper Authentication cookbook
and jasper
suggest Token based authentication as one of the solution (as authentication is already done by my web application)
What Jasper suggests is this
you pass the token in specific format (as defined below under tokenFormatMapping) to jasper server
, jasper will authenticate the request.
So valid tokens can be
u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
Invalid token can be
u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
My question is this really a secured process because as soon hacker knows the pattern, he can simply login to jasper server ?
To me looks like security can be compromised here. Am i missing something here?
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.preauth.JSPreAuthenticatedAuthenticationProvider">
....................
<property name="tokenPairSeparator" value="|" />
<property name="tokenFormatMapping">
<map>
<entry key="username" value="u" />
<entry key="roles" value="r" />
<entry key="orgId" value="o" />
<entry key="expireTime" value="exp" />
<entry key="profile.attribs">
<map>
<entry key="profileAttrib1" value="pa1" />
<entry key="profileAttrib2" value="pa2" />
</map>
</entry>
</map>
</property>
<property name="tokenExpireTimestampFormat" value="yyyyMMddHHmmssZ" />
</bean>
</property>
</bean>

According to the Jasper Reports Authentication cookbook, using token-based authentication the user is not directly logged in, meaning that only certain operations can be done using this method.
Furthermore, it specifies the following:
JasperReports Server will accept any properly formatted token;
therefore, you need to protect the integrity of the token using
measures such as the following:
Connect to JasperReports Server using SSL to protect against token interception.
Encrypt the token to protect against tampering.
Configure the token to use a timestamp to protect against replay attacks. Without a timestamp, when you include the token in a web page or REST web service URL, the URL can be copied and used by unauthorized people or systems. Setting the expire time for the token will stop tokens/URLs from being used to authenticate beyond the indicated time. You can set the expiry time depending on your use case. For a user who is logged into the application/portal and is requesting access to JasperReports Server, expiry time of a minute or less from the request time is appropriate.
All communications need to be made through an SSL tunnel. Otherwise, anyone could establish a connection to your JR server, send tokens and get information from it.

I was also looking to implement token based SSO with Jasper Server and got stuck on exactly the same question. This approach doesn't seem secure to me as the authentication is never denied if the request is properly formatted which is a simple thing to do.
The other alternative (If you are not using CAS or LDAP providers) would be to authenticate based on request as mentioned in section 7.4 "Authentication Based on Request" in the authentication cook-book. Create your own custom authentication provider and configure it in the applicationContext-externalAuth.xml :
<bean id="customAuthenticationManager" class="org.springframework.security.
providers.ProviderManager">
<property name="providers">
<list>
<ref bean="${bean.myCustomProvider}"/>
<ref bean="${bean.daoAuthenticationProvider}"/>
</list>
</property>
</bean>

Related

Can't Enforce password reset on WSo2IS?

When I send the SOAP request to update the forcedpasswordreset value i get 202 Code on the SOAP UI and the user doesn't get notified to update the password, and the wso2carbon.log says the following:
INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'wso2admin#carbon.super [-1234]' logged in at [2019-01-07 11:39:23,318+0200]
I'm trying to use AdminForcedPasswordReset in WSO2 Identity Server and I followed the steps in {https://docs.wso2.com/display/IS530/Forced+Password+Reset} RecoveryEmail type.
Here's my SOAP Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.profile.user.identity.carbon.wso2.org" xmlns:xsd="http://mgt.profile.user.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<mgt:setUserProfile>
<mgt:username>omar.alaeldain</mgt:username>
<mgt:profile>
<xsd:fieldValues>
<xsd:claimUri>http://wso2.org/claims/identity/adminForcedPasswordReset</xsd:claimUri>
<xsd:fieldValue>true</xsd:fieldValue>
</xsd:fieldValues>
<xsd:profileName>default</xsd:profileName>
</mgt:profile>
</mgt:setUserProfile>
</soapenv:Body>
I expect the user omar.alaeldain to get nitified at next login by an E-mail to update his password.
Please verify whether you have done the following changes.
You need to enable "Enable Password Reset via Recovery Email" from the below configuration.
https://docs.wso2.com/display/IS530/Forced+Password+Reset?preview=/60494003/60494255/forced-password-reset-residentidp.png
You need to configure "from email address".
Open the output-event-adapters.xml file found in the /repository/conf directory.
Configure the relevant property values for the email server that you need to configure for this service under the tag.
<adapterConfig type="email">
<!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
based authentication rather username/password authentication -->
<property key="mail.smtp.from">abcd#gmail.com</property>
<property key="mail.smtp.user">abcd</property>
<property key="mail.smtp.password">xxxx</property>
<property key="mail.smtp.host">smtp.gmail.com</property>
<property key="mail.smtp.port">587</property>
<property key="mail.smtp.starttls.enable">true</property>
<property key="mail.smtp.auth">true</property>
<!-- Thread Pool Related Properties -->
<property key="minThread">8</property>
<property key="maxThread">100</property>
<property key="keepAliveTimeInMillis">20000</property>
<property key="jobQueueSize">10000</property>
</adapterConfig>
Configure email address to the user omar.alaeldain.
once finish all the three steps invoke the soap service.

Symfony2 using http-basic and preauthentication together

What do I need
In my application I have a following schema
users (id(PK), username, email(unique), password, etc)
devices (id(PK), device_id, status, user_id)
Relation
user HAS ONE device
The application needs to support basic authentication in two variations.
Variation one: Normal, email as username and password. This approach will be used by the admin console. The admin console just like an webapp.
Variation two: email as username, device id as password. This approach will be used by mobile application. During the authentication process from device, it will pass the device id as password. Since a user will have only device at a time, the authentication process will match the device id and email to identify the user.
What I tried?
I have basically followed symfony tutorial on api key based authentication for the second variation and http-basic for the first. Please find my security.xml below.
Here, I need the firewall setup to pass when any of the underlying authentication mechanism passes. For instance, in case of web authentication, only http-basic will pass, in case of device login only simple-preauth will pass.
security.xml
<srv:container xmlns="... ...">
<config>
<firewall name="resource" pattern="^/" stateless="true">
<http-basic realm="Webservice" />
<simple-preauth authenticator="device_authenticator" />
</firewall>
<provider name="administrators">
<entity class="AppBundle\Entity\User" property="email"/>
</provider>
<provider name="device_id_user_provider" id="device_id_user_provider" />
<encoder class="AppBundle\Entity\User" algorithm="bcrypt" cost="12"/>
</config>
</srv:container>
services.xml
<container xmlns="... ...">
<services>
<service id="device_id_user_provider"
class="AppBundle\Security\DeviceIdUserProvider">
<argument type="service" id="doctrine.orm.entity_manager" />
</service>
<service id="device_authenticator" class="AppBundle\Security\DeviceAuthenticator">
<argument type="service" id="device_id_user_provider" />
</service>
</services>
</container>
My problem
For every request the firewall tries to pass both of the authentication mechanisms. Hence its always responding with 401.
Did I set this up in a wrong way?
Or a firewall MUST pass all of its underlying auth mechanisms?
Or this is happening only because of using preauthentication?
Any recommended approach to achieve this?

Spring Integration web service client not signing key for outgoing message

I am currently using Spring Integration web service client and its works fine for web service end point with http call.
Now i am trying to call https end point with signing client key to outgoing messages with server cerificate from cacerts(defaut).We have added server certificate in cacerts and we keep authentication key in separate keysore file to sign/add keys to outgoing messages.Its binding with certificate from cacerts as expected.For sign/add key to the outgoing message alonwith server certificate, I have added below code in Spring Integration xml.
<bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
<property name="location">
<value>classpath:client.jks</value>
</property>
<property name="password" value="test123"/>
</bean>
<bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
<property name="keyStore" ref="keyStore"/>
<property name="privateKeyPassword" value="test123"/>
</bean>
After adding above code, Authentication key is not binding with outbound gateway message and there is no exception also. Please help me what i am missing here.Itneed to add/sign authentication keys from myown keystore file alongwith server certificate. I really appreciate your input on this.
Please refer my final Spring integration xml.
<bean id="xshMessageFactory" class="org.springframework.ws.soap.axiom.AxiomSoapMessageFactory" />
<si:channel id="xshReqChannel" />
<si:channel id="xshResChannel" />
<si:gateway id="xshProvider" service-interface="comm.sd.xshProvider" default-request-channel="xshReqChannel" default-reply-channel="xshResChannel"
/>
<ws:outbound-gateway id="xshProvider"
marshaller="xshMarshaller"
unmarshaller="xshMarshaller"
message-sender="xshMessageSender"
message-factory="xshMessageFactory"
request-channel="xshReqChannel"
reply-channel="xshResChannel"
uri="${xshEndPoint}" />
<bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
<property name="location">
<value>classpath:client.jks</value>
</property>
<property name="password" value="test123"/>
</bean>
<bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
<property name="keyStore" ref="keyStore"/>
<property name="privateKeyPassword" value="test123" />
</bean>
</beans>
Do be honest, I have never done anything similar, but according to the Spring WS Docs you go right way. What you have missed is just a configuration for a XwsSecurityInterceptor bean and it injection to the <ws:outbound-gateway> using interceptor attribute.
Would be great if you do the solution and share it with us to add it to our Samples.

Spring Security Authenticate multiple apps with an external one

I'm trying to make a central point of authentication.
The goal is to have N spring security apps that use the same external application to login/logout.
Now I managed to do that, using CAS. However, I'm not automatically logged in through all the applications.
Use case:
1. access first app
2. redirected to CAS, login
3. redirected to first app logged in.
4. access second app
5. redirect to CAS login, again, WHY ?
I managed to resolve it, added the property sendRenew to false:
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="https://****/j_spring_cas_security_check"/>
<property name="sendRenew" value="false"/>
</bean>

SharePoint and <identity impersonate="false" />

I would like to use integrated authentication to access a SQL database from a web part. It should use the IIS Application pool identity.
By default you will get the error:
System.Data.SqlClient.SqlException: Login failed for user 'SERVER\IUSR_VIRTUALMACHINE'.
Because in web.config impersonation is set to true:
<identity impersonate="true" />
I can set this to false and the database code will work. Anonymously accessed sites will also work. Any SharePoint site that uses authentication will fail however so this is not really a solution..
To solve this would I have to encapsulate all my database access code to run with elevated priviliges, is that how SharePoint does it internally? Somehow that doesn't seem like the most performant solution.
Is that still the way to go, just use SQL security to access databases from SharePoint custom web parts?
The <identity /> and <authentication /> elements in the web.config file will together determine the account that is used in to connect to SQL Server when using integrated authentication.
When <authentication mode="Windows" /> is configured, you're deferring to IIS to authenticate users. I'm guessing that your your web.config contains:
<authentication mode="Windows" />
<identity impersonate="true" />
and that IIS is configured to allow anonymous users. Setting <identity impersonate="true" /> causes IIS to pass the identity of the IIS anonymous access account to SQL Server.
As Lars point out, using SPSecurity.RunWithElevatedPrivileges will achieve what you want. I don't believe you'll see any noticeable impact on performance but that's something you can test :-)
Use SPSecurity.RunWithElevatedPrivileges to run your code in the context of the app pool identity.
This is incorrect. Because <identity impersonate="true" /> is set to true ASP.NET / IIS will run the thread as the user that is currently logged in (so not the app pool account but the actual user logged into the website).
Something else is going on here. Could you post your connection string for the custom database? (minus the private data off course)

Resources