I'm not sure that this is a proper question. (I'm the novice about stackoverflow strategies)
I'm trying to configure SSO systems using OpenAM.
OpenAM... is not a light solution, but I did get my solution for my boss' request.
We have several Web Applications. (App1, App2, App3, ...)
I simulated the combination [OpenAM + App1].
That's OK~ (though much time and so many trials were needed.)
I used domain names following the guide.
[openam.example.com + www.app1.com]
But, in our real circumstances, We should use the IP addresses.
(for example, OpenAM : 1.1.1.1, App1 : 2.2.2.2)
Guide seems to say "it's not possible"...
and I failed about that trial.
when I used 'localhost' or '127.0.0.1' (for simple simulations)
App1(tomcat) failed to start.
Agent's logs were like this...
ERROR: Failed to obtain auth service url from server: null://null:null
ERROR: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
Is there a way to user IP addresses for OpenAM SSO?
If possible, my situation is just due to my mistake?
Thank you in advance... (and sorry for my poor English)
In short - no, it is not possible. You must use DNS names (and do not use localhost - this is asking for trouble). OpenAM uses cookies for SSO, and cookies require DNS names.
Related
I am curious how I could detect a users DNS servers from my website. Is there any way to know? Any possible way?
No. By the time the user initiates the request to your server, the DNS lookup is already finished (or they wouldn't know the address of your server).
I suppose it's theoretically possible to abuse Javascript or other content in order to breach the security of the user's machine and try to fetch its configuration data, but I doubt you will get much help with that here.
I am trying to determine possible vulnerabilities in a possible site implementation.
We need to be able to determine if the user is logging into the site from an local IP address or external. I know the IP address can be spoofed, though the spoofer won't be able to get much information.
I was thinking it could be possible for a person to spoof a local IP, perform a post action to modify data the server, though this would be difficult (predicting sequence numbers).
If the site used validation tokens on all post request, this might help. In particular I am using .Net MVC 4's AntiForgeryToken. I am not sure how the token is keyed to the user.
My question is if the spoofer went to a page normally to get the token, then spoofed his IP and used the token to do a post, would this succeed?
I know we're getting into the realm of the implausible, but ... Maybe an example might help. Lets say when a user logs in the application detects the IP (not using the HTTP_X_FORWARDED_FOR) and sets the session as local or remote. Could a malicous user load the login screen, get the token, spoof their IP address (assume they are able to determine the sequence number and post), then post the login with that IP address setting them as local?
Any insight would be appreciated.
Thanks,
Phillip
Your site's firewall should block anything with a source IP in your address block, to prevent IP spoofing in the first place.
I would like to enable my users (who are already authenticated in my application) to automatically log into their Cpanel accounts through API.
If I know the password of the specific account, then it will be no problem. However, I do not think that I can retrieve the password of any account? If I can, please tell me which API function to use? If not, what can I do to achieve what I want?
Thanks
Elcin
It looks like cPanel has a method for providing secure remote logins as documented here: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/SecureRemoteLogins
You can find the source for it in /usr/local/cpanel/Cpanel/LogMeIn.pm
I have a PHP implementation of LogMeIn.pm ready to go (easy to understand and port to any other language) but I'm clearing it with the legal folks over at cPanel before I share it.
After speaking with cPanel's VP of Operations, LogMeIn.pm is now dual-licensed allowing modification and use elsewhere as long as a copyright and license notice stays intact.
My PHP port can be found here: https://gist.github.com/4440574 I decided to implement it as a static class to closely resemble the original but you can very easily turn it into a procedural function.
Using it is as easy as
LogMeIn::getLoggedInUrl('username', 'password', 'example.com', 'cpanel');
which will return false on failure, and on success a string with a URL that will log the user in.
If you're running PHP 5.3.0 or greater you can add this to a cPanel namespace (add namespace cPanel; on the line after <?php) to keep it from conflicting with anything in your application that you've already written (or will write).
My goal is a secure login in system such as stackoverflow uses. I am a newbie but as you have probably seen I have spent all day looking up stackoverflow articles on security. As a result of this research I have now worked out a plan of attack. In particular this page was a great help Using OpenID for website Authentication. Can you please tell me if the following system would be a secure system and if not how should I improve the system.
Use OpenID to validate users.
Once a user has been validated by OpenID get user's email address from OpenID.
Hash the email address and store in session variable.
Compare Hashed email address to list of hashed email addresses in databases
Return content appropriate to that user based on the hashed email address.
In particular I am nervous about using the email address instead of the ProviderOpenID.
Please assume that I have (as I have found answers to these questions on other stackoverflow pages):
Properly destroyed sessions after use.
Setup my server to store session data in an inaccessible location.
Setup my database in a secure manner.
I am using SSL to ensure traffic cannot be intercepted.
Thanks in advance.
In general, your way better of using some authentication architecture for the language you are using that supports OpenID. Not only is it more secure, its just easier, you write less code, and you don't have to maintain that code or test it. There are ones for PHP,python,c#/asp.net, rails. A lot of frameworks also have support.
First, why not use the provided ID ?
I think you have two problems:
Its possible that an openID provider could return a email address for a different domain than the provider's.
For example, gmail could authenticate me correctly but I could specify that my email address was billg#microsoft.com. Then you would read my identity as me being Bill Gates despite the fact that it is not. There are of course ways to prevent this, but the standard system probably has safeguards included and even if it doesn't, it is someone else's responsibility to fix them and other people will be looking at those issues.
If I am reading the wikipedia article correctly, openID id's are not necessarily email addresses
This is not a security problem , but it does break expected behavior.
I am working on a login section for a new project, which definitely requires user authentication.
The easiest way of doing that I assume would be using the http basic authentication. I implemented it fine on the Apache server, ssl was also intorudced to provide better security.
However, one thing concerns me, that it seems the basic authentication wouldn't stop no matter how many times a user failed to provide a valid username/password crentential. It would just keep asking...
I reckon, since each time the web server receives the credential, it needs to go through the password file to look up whether a match exists or not, it takes a certain amount of server resources. My question is, would this be a security risk of having DoS attack by malicious users?
If so, how can I stop this? By adding some configuration/feature onto the Apache? Or just swap to some other authentication method? Digest Authencation?
Many thanks to the advices in advance.
Handle the http authentication yourself, keep a count on amount of logins based on ip address (over a given time), and then just return 401 if the limits are reached.
mod_perl 2.0: http://perl.apache.org/docs/2.0/user/handlers/http.html#toc_PerlAuthenHandler
mod_php: http://no.php.net/manual/en/features.http-auth.php
mod_python: http://www.modpython.org/live/mod_python-3.2.8/doc-html/tut-more-complicated.html
Step 1: Read this: http://en.wikipedia.org/wiki/Denial-of-service_attack#Prevention_and_response
Step 2: Implement this. Create a set of counters indexed by IP address. Each failure from an IP address increases the counter. The counter is the sleep time -- in seconds. 10 failed attempts means 10 seconds for the 401 response.