Can anyone please elaborate what are the local-service="true" remote-service="false" parameters in service.xml.
Below is brief detail from liferay-service-builder_6_1_0.dtd.
If the local-service value is true, then the service will generate the local
interfaces for the service. The default value is false.
If the remote-service value is true, then the service will generate remote
interfaces for the service. The default value is true.
You can also refer to link
local-service="true"
This will create classes to access your services within the same JVM.
remote-service="true"
This will create classes to access your services from outside.
In your case (local=true;remote=false) - you will be able to call the services in your portlet (or the whole portal, depends on how you set them up), but won't be able to call them from outside (for example from some SOAP client or a mobile application, etc).
Related
In my Spring Integration project (with Spring Security API using Basic Authorization), I am trying to access the Principal object in order to read the Username.
This is the structure of the inbound gateway:
<int-http:inbound-gateway request-channel="gatewayRequests"
reply-channel="gatewayResponses"
supported-methods="POST"
path="/api/v1/myservice"
request-payload-type="java.lang.String" reply-timeout="100">
<int-http:request-mapping consumes="application/xml" produces="application/xml"/>
<int-http:header name="principal" expression="T(org.springframework.security.core.context.SecurityContextHolder).context.authentication.principal"/>
</int-http:inbound-gateway>
I got the aforementioned expression from the reply in this:
Spring Integration and http inbound adapter, how do I extract a principal user?
Despite successful authentication, I don't see the principal - is my syntax correct in expecting the result of the expression to be mapped to a message header?
Instead of the mapping to the header, if I were to use the following, how do I access the Principal value in the code layer (assuming it gets added into the payload)?
<payload-
expression="T(org.springframework.security.core.context.SecurityContextHolder).
context.authentication.principal">
Can anyone kindly help me?
Sincerely,
Bharath
There is already a header like:
.setHeader(org.springframework.integration.http.HttpHeaders.USER_PRINCIPAL,
servletRequest.getUserPrincipal())
in the message sent to the gatewayRequests.
Why that doesn't work for you?
OTOH that expression must work too. If you don't have that one, then you can't assume that you are authenticated correctly...
Is it possible to use JAX-RS2 security roles in MF adapters?
E.g.:
securityContext.isUserInRole("MyTestRole")
This method returns always false in my adapter. I added in "mfp" app (mfp-server.war) in server.xml (LibertyProfile):
<security-role name="MyTestRole">
<group name="MyLDAPGroup" />
</security-role>
and I am logged in to user that is assigned to "MyLDAPGroup".
Or maybe in MF adapters we should use some other mechanism to specify roles?
You may want to check the following links:
Implementing a JAX-RS resource & security configuration of a JAX-RS resource in MFP v8.0:
https://www.ibm.com/support/knowledgecenter/en/SSHSCD_8.0.0/com.ibm.worklight.dev.doc/devref/t_impl_java_adapter_JAXRS.html
Security framework in MFP v8.0:
https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security
I'm quite sure, the answer must be somewhere but I googled my ass off:
I know that "elevated privilegues" runs with the appPool-Account. But what account is used for
web.Site.SystemAccount in SharePoint? Is it the farm admin?
MSDN documentation says that
SPSite.SystemAccount Gets the system account of the site collection
In addition, Reflector says that SystemAccount user ID is 1073741823 that corresponds to SHAREPOINT\system:
<m:properties>
<d:Id m:type="Edm.Int32">1073741823</d:Id>
<d:IsHiddenInUI m:type="Edm.Boolean">false</d:IsHiddenInUI>
<d:LoginName>SHAREPOINT\system</d:LoginName>
<d:Title>System Account</d:Title>
<d:PrincipalType m:type="Edm.Int32">1</d:PrincipalType>
<d:Email></d:Email>
<d:IsShareByEmailGuestUser m:type="Edm.Boolean">false</d:IsShareByEmailGuestUser>
<d:IsSiteAdmin m:type="Edm.Boolean">false</d:IsSiteAdmin>
<d:UserId m:type="SP.UserIdInfo">
<d:NameId>S-1-0-0</d:NameId>
<d:NameIdIssuer>urn:office:idp:activedirectory</d:NameIdIssuer>
</d:UserId>
</m:properties>
this account is the primary administrator of Site collection which you can configure from Central admin.
I am afraid the RUNwithElevatedPrivileges is run by System account not app pool account. Because normally we use a separate app pool account than site collection administrator. If you debug the code and get SPContext with in RWEP... you will get System account syntax.
below article is explaining .
[http://www.mssharepointtips.com/tip.asp?id=1022][1]
How do you secure remote EJBs from unauthenticated principal in JBoss-5.1.0.GA application server? After configuring my ejb security I can still access the remote EJBs with a JNDI lookup without principal and credentials passed in? This is a security risk. Essentially I want to disable all unauthenticated JNDI lookup on remote EJBs.
Here is my server/conf/login-config.xml configruation:
<application-policy name="<my security domain name>">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">**java:jdbc/<my datasource name>**</module-option>
<module-option name="principalsQuery"><my users query></module-option>
<module-option name="rolesQuery"><my roles query></module-option>
<module-option name="debug">true</module-option>
</login-module>
</authentication>
</application-policy>
Here is my jboss.xml configruation in my ejb jar:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
<jboss>
<security-domain><my security domain name from login-config></security-domain>
</jboss>
Here is how i do a a JNDI lookup to access my beans as a client
Note the principal and credentials are not being passed in to the context
Hashtable<String, String> props = new Hashtable<String, String>();
props.put(Context.INITIAL_CONTEXT_FACTORY,"org.jnp.interfaces.NamingContextFactory");
props.put(Context.URL_PKG_PREFIXES,"org.jboss.naming:org.jnp.interfaces");
props.put(Context.PROVIDER_URL,"jnp://localhost:1099");
//props.put(Context.SECURITY_PRINCIPAL,"");
//props.put(Context.SECURITY_CREDENTIALS,"");
ctx = new InitialContext(props);
ctx.lookup("<earname>/<ejb interface definition>/remote">
What is the issue?
When no/wrong principal/credentials are passed the user is authenticated as an anonymous principal and has full access to the remote EJBs via JNDI
What I tried already to fix the issue:
i deleted the following line from all login modules in my server/conf/login-config.xml but it had no effect
<module-option name="unauthenticatedIdentity">anonymous</module-option>
i deleted following line from server/conf/jboss-service.xml thinking it will resolve the issue, but it had no effect
<attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
i deleted application policy "client-login" from login-config.xml that is in there by default since i am using a DatabaseLoginModule
My jboss-ejb-policy and jboss-web-policy in server/depoly/security/security-policies-jboss-beans.xml are extending my DatabaseLoginModule policy in login-config.xml
I have no security related annotations in my ejb classes/interfaces
Other things to note
I tested this scenario in Jboss-as-7.1.1.final and i get EjbAccessException: invalid User which is correct (you add this to the jboss-ejb3.xml it will secure all EJBs via the security domain)
<assembly-descriptor>
<s:security>
<ejb-name>*</ejb-name>
<s:security-domain><security domain name here></s:security-domain>
</s:security>
</assembly-descriptor>
the issue here is NOT authorization but authentications all ejb security annotations do not help
what i want to do is prevent the anonymous principal completely from making JNDI call
I have enabled TRACE logging on org.jboss.security and i can see that when ever i call the JNDI i get the following hit in the logs
Principal: anonymous:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null]; policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration#1f51a2f;
I have verified all my configurations work and the DatabaseLoginModule works when i use the programmatic login through WebAuthetication
Even when passing the initial context a valid principal/credential from database the anonymous principal is used indicating that the principal/credential is not even processed by the context
I can probably secure my EJBs through #RolesAllowed #DeclareRoles ... but like i mentioned this would be an authorization concern not authentication and also if I have many roles and EJBs this would not be good as far as maintainability
How can I disable/prevent unauthenticated anonymous JNDI lookup for the entire application like it automatically does in JBoss 7.1.1? I know I can upgrade my application server as one solution but I don't have the option to do so. This should be possible and easy to do in Jboss 5.1.0. but i have looked for the answer everywhere and I can't find it? Thanks for your help.
I am new to openAM. I am trying to use openAM (954) to secure my web service using J2EE agent 3.0. I have deployed my webservice (using CXF) on Glass fish 3.1.x.
I have created necessary configuration given in URL http://docs.oracle.com/cd/E19575-01/820-4803/ghuqg/index.html
I want to authenticate using user id and password. I am passing this information (userid/password) using SOAP header. But when I try to access my web service in browser it gives access forbidden message.
Are there any additional configurations required? Please let me know, I am not able to find any other information on this anywhere.
Following is the request we are sending. I am not sure about UsernameToken wsu:Id whether it is correct? How do we get this value from OpenAM dynamically at each time when we send the request.
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-27777511" xmlns:wsu="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>amadmin</wsse:Username>
<wsse:Password Type="HTTPdocs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Amit4001</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<demo:greetPerson>
<!--Optional:-->
<arg0>Ashish</arg0>
</demo:greetPerson>
Please help me solve this issue.
I want to authenticate using user id and password. I am passing this information (userid/password) using SOAP header. But when I try to access my web service in browser it gives access forbidden message.
I'm currently struggling to learn OpenAM as well and I think your specific problem is that you have not yet set up a policy (not a policy agent) after users have successfully authenticated.
If you haven't try the following steps:
Navigate to Access Control -> YourRealm -> Policies -> New Policy
Name: yourpolicyname
Rules (click new):
Name: URLPolicy
Resource Name: http:// your-webservice-url/*
Check allow get and post
Name: GetUrlPolicy
Resource Name: http:// your-webservice-url /* ? *
Check allow get and post
Subjects (click new)
Type = OpenAM Identity Subject
Name: UserAccess
Add users you want to be able to authenticate
You have to add in the * ? * if you have any GET parameters in your web page.
Hope that helps, I know the documentation around is terrible.
For your agent policy, in the Global tab: General section > Agent Filter Mode, remove ALL and add SSO_ONLY (leave Map Key blank and Map Value as SSO_ONLY). Note that this configuration isn't hot-swappable, so OpenAM has to be restarted to apply.
Here is a procedure for installing the agent on the server you want to protect:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/jee-install-guide/index/chap-glassfish.html
Here is a good procedure for configuring the agent policy centrally on the OpenAM server:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index/chap-agents.html#create-agent-profiles
You might want to also control which URIs (webapps) to protect instead of the entire website. To do that, in the agent policy:
Application tab: Not Enforced URI Processing section > add the URI to protect, for example: /application1/*
Application tab: Not Enforced URI Processing section > check the "Invert Not Enforced URIs" checkbox so that it will actually enforce the "Not Enforced URI" values