We are using a custom database data store in OpenAM. This store authenticates user against our Oracle database.
Now, there are many possible causes why that authentication might fail. The account could be locked in Oracle or the password might be expired.
The datastore catches the SQLException, but how do I propagate the cause to the OpenAM UI?
I can throw a AuthLoginException from authenticate(), but on its way to the AMLoginContext, it gets wrapped and AMLoginContext kind of ignores error codes of AuthLoginExceptionS anyway. Meaning: AMLoginContext doesn't read the error code from the exception but tries to determine the error code itself, and usually it just puts AMAuthErrorCode.AUTH_LOGIN_FAILED into the login state.
How do I get the UI to show the cause of the login problem?
As Bernhard says, that is not recommended. However, from your data store you could obtain a Debug instance (com.sun.identity.shared.debug.Debug) and you can log exceptions, and they will appear in [AM_INSTALL_DIR]/openam/debug.
edit: You can find examples of doing so throughout the OpenAM source code.
Related
I am extremely new to UiPath. I have inherited a project from an experienced UiPath developer. I am trying to find the username and password he uses to login to a specific app. Because the project is not working when executing in the development environment, it is possible the password has expired. I am on the machine he used to develop the project, but logged in under my name. I have found the process that does the "Get Credential". I am using a message box to show the username at this point. When I run the process The "Get Credential" activity returns the error "you are not authenticated Error Code:0" I have researched the error and found several answers as to why it is happening, but not what to do to either fix my problem or get around the problem. The UiPath.systems.Activites version used is 21.4.1. I am aware of the concept of the CredentialStores, but can't seem to find the one used for this project. Where would I find the name of the credential store used? How do I find the username? I need to test the change I made for a user request.
I am going to close this question as I have determined the correct password for what I needed to do. I have no need to get into the credential stores for a password.
Credential stores and password were not the actual issue with the error I was receiving. The error "Loading asset PreAuth_Citrix_FolderName failed:
You are not authenticated! Error code: 0" by referencing the word authenticated, I assumed it had to do with passwords. As I did more research I found the issue to be the new security certificate installed on our web server. While orchestrator recognized the new cert, the Identity Server was not updated with the new thumbprint. I found the information I need at this link https://forum.uipath.com/t/get-asset-you-are-not-authenticated-error-code-0/343910. Once I updated the Identity Server thumbprint, I no longer received the error and my jobs ran. (not successful, but at least they ran past this error!)
I am trying to setup a simple RPA application through BluePrism which will login into a website and will perform certain tasks. Now, while logging into the website through BluePrism I am getting Authentication error although the password and username is correct.
Normally, I can login but error is showing while logging through BluePrism. Can anyone please tell why this is happening?
There are two options for passing credentials (Username & Password)
1. Hard Coded - If you are using hard coded values, please check if values are correct. Sometimes space or any special characters can lead us to error.
2. Credential Manager - If you are passing credentials through credential manager make sure you are using correct variables mapping so that there is no mismatch.
3. Lastly make sure you are using wait stage so that while executing the application it is waiting for values to be pasted or passed before control moving to other screen or other function.
Please check caps lock key of keyboard, when running the process.
I have successfully installed liferay 7 and configured CAS 3.6 for SSO. Everything is working fine. I was able to create users, assign roles, create pages etc etc.
After few days, I was trying to create a new user via admin, I got warning "User 30810 is not allowed to access URL https://mysite:8443/group/control_panel/manage and portlet com_liferay_users_admin_web_portlet_UsersAdminPortlet". I could not able to create user. and from then that user does not have any permission that I use to do earlier.
I googled a lot on this, got few suggestions like
1) Adding below in portal-ext.properties:
redirect.url.security.mode=domain
redirect.url.domains.allowed=*.mysite.com
session.timeout.warning=0
session.timeout.auto.extend=true
2) Some links:
https://web.liferay.com/community/forums/-/message_boards/message/92226678
3) Somewhere it is mentioned that this it is bug with liferay started from liferay 7 GA4
4) If you read the link, it is mentioned that it related to Guest user and session expiration that starts causing this issue etc.
Had any one gone through this issue? Is there any solution or workaround for this?
I could not able to update this question with all the option I tried or solutions that is mentioned on google or liferay's official jira sites however I will keep updating this question with proper references.
Meanwhile
Do provide your suggestions/solutions.
"this starts happening when some session automatically logs out"
This phrase tells me several things, like the possibility of an user logging out even though you set "session.timeout.auto.extend".
Two basic scenarios where this can happen is:
When you close your tabs, after the assigned timeout, the user will be logged out. And when you got back, especially after a browser crash or using the back button, your browser used old data.
When you have the auto session extension working with a big timeout, leading to the possibility that the session timeout configured in Liferay being bigger than the one configured on the server.
On the last case, one might be interested on completed the config you exposed with short timeouts.
session.timeout.warning=0
session.timeout.auto.extend=true
session.timeout=5
session.timeout.redirect.on.expire=true
I know it is an old thread but it may help someone...
The "extend session" functionality is not working correctly and the final user session is expired, so when they try to log in, they have the wrong CSRF token from the previous session:
You have to double-check that the session.timeout Liferay portal.properties has the same value as the session timeout configured in your application server.
You have also check that the session.timeout.auto.extend.offset is greater than 60 seconds to avoid having problems with the chrome javascript intensive throttling
Is there a way to catch the openssh key based authentication failure?
I am looking for an option, where some custom "error handling like alarms" to be raised whenever a ssh key based authentication fails for a certain user.
I know that the key based authentication is done by openssh, I wanted to know if there is any option, where in I can plug in my error handling/reporting code which will be called when the authentication fails.
Any pointers on how this can be done? Any way for this failure to caught by some application process?
No. OpenSSH does not support any way to plug your error handling. But the failed login attempts are recorded in error log or in audit (on RHEL/Fedora), where you can simply differentiate the user, authentication type and react accordingly.
This is very similar as the way fail2ban does it (it reads error logs). But I don't know what are you trying to achieve. Failed publickey authentication is quite common (most of the clients are sending public keys tests to all servers they are trying to access and therefore you can see a lot of these events).
We have a web-app which uses federated authentication to authenticate users. Data for the Fed Auth are obtained from the Active Directory service.
One of the system's requirements is to have a "Last log in date" saved in the web-app, but the application is not performing any log in operation. It just checks if the incoming request if allowed to perform requested operation, based on the AD credentials.
Have you ever encountered such a requirement in a similar scenario? What was your approach to the problem? We thought about creating user session on the first request and treat the session creation point as the log in date. This seemed as a bad idea, as we don't want to use user-session at all, and it would be the only scenario utilizing it.
Another approach we were thinking about was to use client to tell us if he is logging in or not, for example by making a special "mock" request, which on the web-app would be treated as the log in. This also seems bad, because in that case we have to trust the client to be telling the truth, which basically looks like a major vulnerability.
I am aware that this requirement makes little sense in such environment, but that is something I can't argue with right now, that's why I am trying to find most reasonable solution to that situation.
Thanks for all the suggestions in advance.