Worklight HTTP Adapter not working with Kerberos - security

My team and I are currently doing a Worklight mobile project. One of our requirements is to retrieve data from MS CRM and Sharepoint via web service calls. The authentication mechanism that we are to make use of is Kerberos / Spnego.
We followed the instructions documented here, where we inserted the following into our HTTP adapter:
<authentication>
<spnego stripPortOffServiceName="true"/>
</authentication>
In addition, as mentioned in the same IBM site we have included the krb5.conf file into the ../server/conf directory in the project files.
However after invoking the adapter procedure, we encountered an error:
Runtime: Failed to create Kerberos login context
As there is very limited documentation around regarding Worklight working with Kerberos, we were unable to solve this issue. Hence we would like to seek some help from this community. Is there something that we missed out on?

Unfortunately this type of configuration is not tested often at all and there is no more documentation on this subject matter. This will be discussed to see if documentation and testing can be improved.
The workaround that is currently used (by Desmond) is to continue using NTLM instead.

SAP Cloud SDK CI/CD Pipeline: Usage with non-S/4 Services

I am using SAP Cloud SDK (Java flavour) to create an extension application of SuccessFactors.
I sadly discovered that the Jenkins pipeline does not allow me to use any other service than the ones listed here: SCN Blog (scroll to the Appendix).
This does not make so much sense to me, as now the SDK can be used - and it is sponsored to be used by SAP - also with SaaS in its ecosystem, SuccessFactors being one of them.
Any hint? Can this check be somehow "bypassed"?
Thanks,
Roberto.
Please note that the blog post is quite old; have you verified your assumption that it does not work with the SuccessFactors API?
Nonetheless, we recently introduced a configuration option which allows you to disable certain checks, cf https://github.com/SAP/cloud-s4-sdk-pipeline/blob/master/configuration.md#s4sdkqualitychecks
checkServices is what you would want to disable in your scenario.
As stated by Florian in the comment and following the Project Piper documentation, parameters "checkServices" and "customODataServices" can be used to customize the behavior of the pipeline when running upon a non-Business Hub API.
"checkServices: false" will completely deactivate the check, whereas "customODataServices: [ yourApiName ]" will skip the check just for the specified services.

How to monitor Wildfly with Nagios?

I've read that it's possible to monitor Wildfly with Nagios in links like this one and I also know that there are solutions that provide that service as well.
Does anybody know how to do that, how to monitor Wildfly with Nagios, any recommendations on how to start? Any reference would be much appreciated.
You can consider using JSON based HTTP management API. Sample plugin (Python based) for JBossAS - standalone mode is available here https://github.com/aparnachaudhary/nagios-plugin-jbossas7. This should also work for WildFly.
Some details about WildFly HTTP Management API can be found here https://docs.jboss.org/author/display/WFLY9/The+HTTP+management+API
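The answer above points at the JSON HTTP management API and a third-party plugin. The script below is an added example written for this page, not the linked plugin and not WildFly's own code. It assumes the WildFly defaults: management interface at http://HOST:9990/management, a management user authenticating with HTTP Digest, and the standard "server-state" and "heap-memory-usage" attributes. The sample responses used in the comments are constructed.

```python
#!/usr/bin/env python3
"""Nagios-style check for WildFly via the JSON HTTP management API.

Added example, not the plugin linked in the answer. Assumes the management
interface at http://HOST:9990/management (WildFly default), an HTTP Digest
management user, and the standard 'server-state' and 'heap-memory-usage'
attributes. Exit codes follow the Nagios plugin convention.
"""
import json
import sys
import urllib.error
import urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Operations in the JSON form the API accepts. Sending a POST with a JSON body
# (rather than GET with ?operation=...) keeps parameters out of access logs.
SERVER_STATE_OP = {"operation": "read-attribute", "name": "server-state"}
HEAP_OP = {"operation": "read-attribute", "name": "heap-memory-usage",
           "address": [{"core-service": "platform-mbean"}, {"type": "memory"}]}


def management_request(base_url, user, password, operation, timeout=10):
    """POST one management operation and return the decoded JSON response."""
    pw = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw.add_password(None, base_url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(pw))
    req = urllib.request.Request(base_url, data=json.dumps(operation).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # A failed operation comes back as HTTP 500 with a JSON body carrying
        # "outcome": "failed"; surface that body instead of raising.
        try:
            return json.load(err)
        except ValueError:
            return {"outcome": "failed", "failure-description": "HTTP %d" % err.code}


def evaluate_server_state(response):
    """Map a read-attribute response for 'server-state' to (status, message)."""
    if response.get("outcome") != "success":
        return CRITICAL, "CRITICAL - management operation failed: %s" % (
            response.get("failure-description", "unknown"))
    state = response.get("result")
    if state == "running":
        return OK, "OK - server-state is running"
    if state in ("starting", "reload-required", "restart-required"):
        return WARNING, "WARNING - server-state is %s" % state
    return CRITICAL, "CRITICAL - server-state is %s" % state


def evaluate_heap(response, warn_pct, crit_pct):
    """Map 'heap-memory-usage' to (status, message, perfdata) using percent-of-max thresholds."""
    if response.get("outcome") != "success":
        return UNKNOWN, "UNKNOWN - cannot read heap-memory-usage", ""
    usage = response["result"]
    used, maximum = int(usage["used"]), int(usage["max"])
    if maximum <= 0:  # the JVM reports -1 when no explicit maximum is set
        return UNKNOWN, "UNKNOWN - JVM reports no maximum heap", ""
    pct = 100.0 * used / maximum
    # Nagios perfdata: 'label'=value[UOM];warn;crit;min;max
    perf = "heap_used=%dB;%d;%d;0;%d" % (
        used, maximum * warn_pct // 100, maximum * crit_pct // 100, maximum)
    if pct >= crit_pct:
        return CRITICAL, "CRITICAL - heap %.1f%% used" % pct, perf
    if pct >= warn_pct:
        return WARNING, "WARNING - heap %.1f%% used" % pct, perf
    return OK, "OK - heap %.1f%% used" % pct, perf


def main(argv):
    if len(argv) < 3:
        print("usage: check_wildfly.py HOST USER PASSWORD [WARN_PCT CRIT_PCT]")
        return UNKNOWN
    host, user, password = argv[:3]
    warn = float(argv[3]) if len(argv) > 3 else 80.0
    crit = float(argv[4]) if len(argv) > 4 else 95.0
    url = "http://%s:9990/management" % host
    try:
        state = evaluate_server_state(management_request(url, user, password, SERVER_STATE_OP))
        heap = evaluate_heap(management_request(url, user, password, HEAP_OP), warn, crit)
    except (urllib.error.URLError, OSError, ValueError) as exc:
        print("UNKNOWN - cannot query %s: %s" % (url, exc))
        return UNKNOWN
    print("%s; %s|%s" % (state[1], heap[1], heap[2]))
    return max(state[0], heap[0])


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `check_wildfly.py wildfly.example.test nagios 'secret' 80 95` from a Nagios command definition. The evaluation functions are kept separate from the HTTP call so thresholds can be unit-tested against captured responses, and the management user should be a dedicated read-only account rather than the admin used for deployments.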

Opensource IAM tool used in development

I am looking for an Opensource lightweight IAM to be used in development as a substitute for the real commercial IAM in production. Something with basic IAM functionalities, easy to install & easily configured to inject HTTP headers like user group.
Is OpenAM a good option? Any recommendations?
OpenAM comes from a very good pedigree... it is forked from OpenSSO, which is open-sourced code from the original Sun Access Manager product. OpenSSO was abandoned by Oracle after the Sun acquisition, so another company took it over and promoted a developer community around it.
Overall it's a good choice for your requirements; that is:
Production-ready - yes, this version and previous versions have been used in production implementations
basic IAM functionality - it contains basic web access management functions and more than a few advanced features.
Inject HTTP headers - Yes, this is a standard function among web access management products.
In the past, a limitation with OpenAM/OpenSSO is that it required Sun Directory as the configuration store; however, this has changed with recent releases allowing other directories to be used.
Expect installation and configuration of OpenAM to be rather command-line intensive; that is, with a minimal package installation and then options set in config files or through utilities.
Hope that helps...

Attempt by security transparent method X to access security critical method Y failed

I have a fairly stable server application version that's been deployed for nearly a year at dozens of customers.
One new customer recently set up the application and is getting the following error:
System.MethodAccessException: Attempt by security transparent method
[SomeMethod] to access security critical method [SomeOtherMethod]
failed.
Both SomeMethod and SomeOtherMethod are methods in assemblies that I wrote, that are built against .NET 4, and that are running inside a Windows Service. If it makes a difference, SomeOtherMethod does reference a type from a 3rd party assembly (EntLib 4.1) built against .NET 2.0. Looking at the code for EntLib 4.1, I do see that they use both SecurityTransparent and APTC attributes, but this has never caused issues at other clients.
These assemblies were upgraded from the .NET 2.0 CLR, but a long time ago. This exact code is running on other customers just fine, and I'm not explicitly using the APTC attribute nor am I using the SecurityCritical attribute anywhere.
This leads me to the conclusion that it's a configuration issue or perhaps .NET Framework patch issue. Has there been a patch released for .NET that would cause this breaking change? Is there a configuration setting some where that enforces this type of check which is off by default but that my customer may have enabled?
One last point. My service utilizes SSRS RDLCs to generate PDFs. Due to some changes in .NET 4, I must force the service to use the legacy security policy via the following config:
<runtime>
<NetFx40_LegacySecurityPolicy enabled="true" />
</runtime>
For more details on why I need to do this, see this stackoverflow post: Very High Memory Usage in .NET 4.0
The important point is that I do this at all my other customers as well. Only this one customer is having issues.
Sigh, the patterns and practices employed by the Microsoft Patterns And Practices team that's responsible for the Enterprise libraries are pretty deplorable. Well, the exception is accurate, you cannot call a method that's decorated as "I'll definitely check security" from code that's decorated with "Meh, I won't check security so don't bother burning the cpu cycles to check it". Which scales about as well as exception specifications as used in Java. CAS is incredibly useful, but diagnosing the exceptions is a major headache and often involves code that you don't own and can't fix. Big reason it got deprecated in .NET 4.
Editorial done. Taking a pot-shot at the problem, you need to find out why CAS is being enforced here. The simplest explanation for that is that the service doesn't run in full trust. The simplest explanation for that is that the client didn't install the service on the local hard drive. Or is generally running code in don't-trust-it mode even on local assemblies, a very paranoid admin could well prefer that. That needs to be configured with Caspol.exe, a tool whose command line options are as mysterious as CAS. Pot-shooting at the non-trusted location explanation, your client needs to run Caspol as shown in this blog post. Or just simply deploy the service locally so the default "I trust thee" applies.
Editing in the real reason as discovered by the OP: beware of the alternate data stream that gets added to a file when it is downloaded from an untrusted Internet or network location. The file will get a stream named "Zone.Identifier" that keeps track of where it came from with the "ZoneId" value. It is that value that overrides the trust derived from the storage location. Usually putting it in the Internet zone. Use Explorer, right-click the file and click "Unblock" to remove that stream. After you're sure you can trust the file :)
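The answer above explains that the trust decision came from the Zone.Identifier alternate data stream rather than from the install path. The script below is an added example for this page (not code from the answer or from Microsoft) that reads and parses that stream so an operator can see where a file came from before deciding to unblock it. It assumes the NTFS `path:streamname` syntax, which Windows exposes through ordinary file APIs; on non-NTFS filesystems the stream simply does not exist. The stream content used in the comments and test is constructed.

```python
#!/usr/bin/env python3
"""Inspect the NTFS Zone.Identifier stream (the 'mark of the web') on a file.

Added example; not from the original answer. Windows writes this stream when a
file is downloaded, and the ZoneId inside it is what the shell (and legacy CAS
policy) consult when deciding how much to trust the file.
"""
import os
import sys

STREAM_SUFFIX = ":Zone.Identifier"

# URLZONE_* values used by Windows URL security zones.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(stream_text):
    """Parse the INI-style stream text into a dict; ZoneId becomes an int.

    Newer Windows versions also record ReferrerUrl and HostUrl, which tell an
    incident responder where the file was fetched from.
    """
    fields = {}
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key.lower() == "zoneid":
                try:
                    fields["ZoneId"] = int(value)
                except ValueError:
                    continue  # malformed id: treat as absent rather than guess
            else:
                fields[key] = value
    return fields


def is_untrusted(zone_id):
    """Zones 3 (Internet) and 4 (Restricted Sites) are the ones treated as untrusted."""
    return zone_id is not None and zone_id >= 3


def read_zone_identifier(path):
    """Return the raw stream text, or None when the file carries no stream."""
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as stream:
            return stream.read()
    except OSError:
        return None


def unblock(path):
    """Remove the stream; the programmatic equivalent of Explorer's Unblock button."""
    os.remove(path + STREAM_SUFFIX)


def describe(path):
    """Human-readable summary used by the command-line entry point."""
    text = read_zone_identifier(path)
    if text is None:
        return "%s: no Zone.Identifier stream (treated as local)" % path
    fields = parse_zone_identifier(text)
    zone = fields.get("ZoneId")
    origin = fields.get("HostUrl") or fields.get("ReferrerUrl") or "origin not recorded"
    return "%s: ZoneId=%s (%s), %s, %s" % (
        path, zone, ZONE_NAMES.get(zone, "unknown"), origin,
        "UNTRUSTED" if is_untrusted(zone) else "trusted")


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(describe(target))
```

Run it as `zone_identifier.py C:\path\to\service.exe` on the affected machine; if the output shows ZoneId=3, the service binaries were copied from a download and the stream, not the install location, is driving the partial-trust behaviour. Check the recorded origin before calling `unblock`, since removing the mark is a trust decision.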
I was facing a similar issue while running the downloaded WCF sample from http://www.idesign.net/ while using their ServiceModelEx library.
I commented out the below line in AssemblyInfo.cs in ServiceModelEx project
//[assembly: AllowPartiallyTrustedCallers]
and it worked for me.
In case it helps others, I post my solution for this issue:
1) On the AssemblyInfo.cs, removed/commented the [assembly: SecurityTransparent] line.
2) The class and the method that do the actual job were marked as [SecuritySafeCritical], in my case establishing a network connection:
[SecuritySafeCritical]
public class NetworkConnection : IDisposable
{
[SecuritySafeCritical]
public NetworkConnection(string networkName, NetworkCredential credentials)
{
.............
}
}
3) The caller class and method were marked as [SecurityCritical]:
[SecurityCritical]
public class DBF_DAO : AbstractDAO
{
[SecurityCritical]
public bool DBF_EsAccesoExclusivo(string pTabla, ref ArrayList exepciones)
{
....
using (new NetworkConnection(DBF_PATH, readCredentials))
{
....
}
}
}
In my case it was an issue when I managed NuGet packages in the solution: some package overrode the System.Web.Mvc assembly version binding in the main web site project. I set it back to 4.0.0.0 (I had 5.0 installed). I didn't notice the change because Mvc v4.0 was installed and accessible via the GAC.

svcutil.exe - How to get WSDL

I'm working with a SOAP interface. The interface provider is having trouble getting me the full WSDL (long story). They have asked me to use svcutil.exe to generate everything I need. From what I can tell, svcutil.exe
requires Windows - I don't have a Windows box available
generates C# or Visual Basic
It'd be great if it could just spit out a WSDL. Or if there's something I can do from Linux, that would be great too.
Do I have any options from here, or do I just have to wait for the provider to get me the WSDL?
I guess the question is, given a URL and instructions to use svcutil.exe, how can I write code to use a SOAP service only using Linux?
If using Linux you could save it via curl
curl url > service.wsdl
so to get a WeatherForecast WSDL
curl http://www.webservicex.net/WeatherForecast.asmx?WSDL > weatherForcast.wsdl
@grantk has already demonstrated the easiest method: if you know where the WSDL is hosted, you can simply fetch the document using your tool of choice.
But as you asked specifically about using SVCUtil: you could find a Windows box, use SVCUtil to fetch the WSDL, and then return to your Linux (and Java?) stack and generate client proxies from that WSDL to call the service using your web service framework of choice.
If the target service supports WS-MetadataExchange or XML Web Service Discovery, SVCUtil will locate and download the WSDL for you: see this HowTo on Microsoft's MSDN web site.
Using the weather forecast service example that @grantk used, you can ask SVCUtil to query the service and download metadata as follows:
svcutil /t:metadata http://www.webservicex.net/WeatherForecast.asmx
(I'm sure there are similar tools to do this using WS-MetadataExchange in the linux world, but my experience is with SVCUtil.)
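The two answers above show how to obtain the WSDL; the question's last line asks how to go on and use the service from Linux without svcutil. The script below is an added example written for this page (not the provider's code and not svcutil output) that fetches a WSDL with the `?WSDL` convention used by ASMX services, lists the endpoints and operations with their SOAPAction values, and builds a SOAP 1.1 envelope for a document/literal wrapped call. SAMPLE_WSDL is a constructed document modelled on the public WeatherForecast service so the parsing can run offline; the namespace and operation names in it are assumptions for the example.

```python
#!/usr/bin/env python3
"""Fetch a WSDL and call a SOAP 1.1 operation from Linux with the standard library only.

Added example for the question above; neither the provider's code nor svcutil
output. SAMPLE_WSDL is a constructed document modelled on the public
WeatherForecast service so summarize_wsdl() can be exercised offline.
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP11_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP12_NS = "http://schemas.xmlsoap.org/wsdl/soap12/"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample (assumed namespace and operation names), not the live document.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://www.webservicex.net" targetNamespace="http://www.webservicex.net">
  <wsdl:portType name="WeatherForecastSoap">
    <wsdl:operation name="GetWeatherByZipCode"/>
    <wsdl:operation name="GetWeatherByPlaceName"/>
  </wsdl:portType>
  <wsdl:binding name="WeatherForecastSoap" type="tns:WeatherForecastSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="GetWeatherByZipCode">
      <soap:operation soapAction="http://www.webservicex.net/GetWeatherByZipCode"/>
    </wsdl:operation>
    <wsdl:operation name="GetWeatherByPlaceName">
      <soap:operation soapAction="http://www.webservicex.net/GetWeatherByPlaceName"/>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="WeatherForecast">
    <wsdl:port name="WeatherForecastSoap" binding="tns:WeatherForecastSoap">
      <soap:address location="http://www.webservicex.net/WeatherForecast.asmx"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def fetch_wsdl(url, timeout=15):
    """Download the WSDL; ASMX and many other stacks serve it at <endpoint>?WSDL."""
    if "?" not in url:
        url += "?WSDL"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8")


def summarize_wsdl(wsdl_text):
    """Return {'endpoints': {port: location}, 'operations': {name: soapAction}} from WSDL 1.1."""
    root = ET.fromstring(wsdl_text)
    summary = {"endpoints": {}, "operations": {}}
    for port in root.iter("{%s}port" % WSDL_NS):
        for ns in (SOAP11_NS, SOAP12_NS):
            address = port.find("{%s}address" % ns)
            if address is not None:
                summary["endpoints"][port.get("name")] = address.get("location")
    for binding in root.iter("{%s}binding" % WSDL_NS):
        for op in binding.findall("{%s}operation" % WSDL_NS):
            for ns in (SOAP11_NS, SOAP12_NS):
                soap_op = op.find("{%s}operation" % ns)
                if soap_op is not None:
                    summary["operations"][op.get("name")] = soap_op.get("soapAction", "")
    return summary


def build_envelope(operation, target_namespace, params):
    """Build a SOAP 1.1 envelope; ElementTree escapes parameter values for us."""
    env = ET.Element("{%s}Envelope" % SOAP_ENV_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV_NS)
    wrapper = ET.SubElement(body, "{%s}%s" % (target_namespace, operation))
    for name, value in params.items():
        ET.SubElement(wrapper, "{%s}%s" % (target_namespace, name)).text = str(value)
    return ET.tostring(env, encoding="unicode")


def call_operation(endpoint, soap_action, envelope, timeout=15):
    """POST the envelope with the SOAPAction header the binding declares."""
    req = urllib.request.Request(
        endpoint, data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"%s"' % soap_action})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def main(argv):
    if not argv:
        print("usage: soap_client.py SERVICE_URL")
        return 2
    summary = summarize_wsdl(fetch_wsdl(argv[0]))
    for port, location in summary["endpoints"].items():
        print("endpoint %s -> %s" % (port, location))
    for name, action in summary["operations"].items():
        print("operation %s  SOAPAction=%s" % (name, action))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Point `main` at the service URL to list what the WSDL declares, then pair `build_envelope` with `call_operation` using the endpoint and SOAPAction from the summary. Prefer an https endpoint where the provider offers one, since `urllib` verifies certificates by default and the SOAP body otherwise travels in clear text.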
