I am currently working on migrating our ISAPI filters to IIS modules. In our ISAPI filter we have both HttpFilterProc() and HttpExtensionProc() defined and each has a different code flow.
The module is responsible for displaying login page and authenticate the user account (the login page is displayed based on the URL the user is accessing.)
I have now OnBeginRequest(), OnAuthenticateREquest() etc. defined in the module. I am able to display the login page, but the problem is that all the notifications (OnBeginRequest() to OnEndRequest()) are called immediately and does not wait for the actual completion of authenticating the user account.
The destructor of CHttpModule derived class is called before the user enters the credentials and try to authenticate the account.
Should this be handled with another set of OnBeginRequest() to OnEndRequest(). I have read about CloneContext() and ExecuteRequest(). Should I be creating a child request by cloning the context?
Regards,
George
Related
I have made a Java ExtLib XPage custom REST service (CustomServiceBean) database basing on this solution: https://setza-projects.atlassian.net/wiki/spaces/RS/pages/363593730/IBM+Domino
I modified it though to use NotesCalendar class to create, update and delete events & resource reservations (so everything in fact is processed by the calendar, I'm only using raw documents for reading $Rooms in names.nsf and $Reservations in the reservations database). Everything works fine so far, it uses current session to open the calendar. I have some concerns regarding the permissions though.
What I want (and need):
Ability to create calendar events & reservations as SPECIFIC users, I don't want just one "main" user that will create everything. I want each IBM Lotus user to be able to login with their credentials and create or update their calendar events.
This database with XPage will be deployed on our client's servers, so I don't want to require some special configuring for each user in order to be able to access my REST service.
I set up a new local installation of Lotus Server and created a new application using my XPage database as template, and I couldn't access the API neither with admin account or other accounts:
HTTP JVM: CLFAD0229E: Security exception occurred servicing request for: /db.nsf/services.xsp/api - HTTP Code: 403. For more detailed information, please consult error-log-0.xml
As soon as I added my admin account to Server configuration -> Security -> Sign or run unrestricted methods and operations, it started working again. Not only for the admin account, but also for other accounts that were just created with an internet password and weren't assigned any specific roles or permissions. I didn't even sign the database.
So my question is, is this enough in order to get it working on client's production server? It kind of makes no sense to me, but it worked on my local server so I'm not sure, I'm new to IBM Lotus and I'm just doing an integration REST service.
If not, how could I do it, so I wouldn't really need to put the end client (Lotus server owner) into the hassle of configuring each user, while still being able to access the API as any Lotus user (providing the username and password)? I can either log-in as each indepentend user, or perform some impersonation with a "main" privileged account (create entries in someone else's calendar as him), although I think there is no way to do it in Java, because .getCalendar is a method of the Session class, I tried using createSession(), but I wasn't able to.
Every notes application needs to be signed by an administrator with an ID known to the customers environment. The Id which is used to sign the db must have the appropriate rights, through the security tab in the server document. If the app is not signed properly, the app won't run. Once the app is signed, it runs in the authorized users session with the users rights.
We have a working user journey scenario (roundtrip), where user signs up/signs in, gets objectId, and at the end, we call a REST service sending the objectId to receive a custom attribute (uniqueidentifier from an on-premise service) to add it as a custom attribute (extension) in Azure AD.
As said this works fairly well, but we would like to react to errors, when the REST service calls fails (e.g. server is down). Now the user shows up in AD, but it is missing the unique identifier as custom attribute.
Is there a way we can react to errors in the execution of a Technical Profile?
For Example, make another REST call, where we can handle this Error? As per default the user now gets to see a standard error page.
Thx
My company has just obtained Kentico for some new applications. These applications will be going into production in about 2 weeks, so we are still fairly new with this. What we have are three ASP.NET MVC applications/sites that format and present content that is stored in Kentico. Additionally, we have specific users who will log into the Kentico9/Admin site to manage the content displayed by the MVC apps.
From a corporate standpoint, we also have Siteminder SSO enabled. When a user navigates to our Kentico9/Admin site, they are first authenticated by our corporate Siteminder SSO form using their corporate user id. When they are successfully authenticated, Siteminder redirects the user to the Kentico9/Admin site they originally requested and the user is presented with the standard Kentico login form. If the user has already logged in through Siteminder during another session, they only get presented with the Kentico login form. Otherwise, if this is their first time logging in, the user is required to login twice (once through Siteminder and again through Kentico).
What I want to do is bypass the standard Kentico login form and use the Siteminder information to Authorize the user to log them into the Kentico admin site. Siteminder adds the username and some other information to the HTTP request headers. Using C#, I can retrieve their corporate user id using the following: System.Web.HttpContext.Current.Request.Headers.Get("SM_USERID").
So, in a nutshell, I want to override Kentico's standard login form and write some code that will get the user id from the HTTP request header and authorize the user by looking up their userid in Kentico. If the user id is not found or is not active, present the user with the standard Kentico login form. Otherwise, if the user is a valid and active user, pull their user record and allow them to access Kentico.
I have found some tidbits of information and given enough time, I may be able to figure something out, but I am hoping someone has done something similar and can speed up my process. Any ideas on what I can do? I will also entertain anything that might have tighter integration with Siteminder, although it doesn't seem Kentico can handle Siteminder out of the box, but I am not sure about that.
Sounds like you might be able to create a custom webpart which you will place on a page and simply have Siteminder redirect the user to the page with that webpart on it and look for those header values on page load. If it finds them, perform your actions within Kentico to look that user up and authenticate them in Kentico as needed. If there are no header values or it can't find the Kentico info, simply send them to the regular login page.
You could also create a global event handler but that would require someone to click a button or such on your site after they have entered credentials.
I am using oidc-token-manager with OAuth and identity server to setup authorization/authentication on my site. All the functionality is working fine . I am just wondering what the id parameter is that is being sent to identity server
https://foobar.net/identity/ui/login?id=216257a45dbd3041eee88fa8aa5d3b0cidc
and more specifically can i use that, in some form, to add a button on identity server to send the user back to the page that they came from. To be clear the post login redirect is working fine . once the user logs in with his/her credentials it automatically sends them back to the website. However there are 2 senarios that i want to take into account to extend the redirection.
case 1 : If the user clicks login from the website and then is like "nah dont really want to log in anymore have to afk and deal with some stuff just get me out of here will come back to it later"
case 2 : The user is not registered yet and clicks the login button from the website instead of the register button . On the login in page there is a "dont have an account? create one now" button. But in its current form it redirects to the registration with no way to set the same flow as the login where there is an automatic redirect back to the website, which will actually be a specific page that tells the user that he has registered and has a time period to check his email to authenticate himself to the site.
This is using an angular app with the set configuration for the OidcTokenManager as
var config ={
authorization_url:'https://foobar.net/identity/connect/authorize',
client_id:'foobar_id',
redirect_uri:'http://localhost:5060/callback.html', // for testing
response_type:'token token_id',
scope:'fooscopes',
authority:'https://foobar.net/identity',
popup_redirect_uri:'http://localhost:5060/login-dialog.html',
silent_renew: true
};
Any help would be awesome . thanks
The id parameter that is passed to the login page is part of how IdentityServer manages the state for pending authorization requests. It's the id of the cookie that holds the SignInMessage that IdentityServer uses internally.
For case 2 if you click one of the additional links the id is passed along. It is then the responsibility of the custom page to get the user back to the login page with that id. I believe we have samples showing this.
Is there any provision like, say for visitor user of web application. he is doing say search or trying any functionality, which is allowed for the visitor user and at certain action need to be logged in and if has no credential then need to sign up and return back to the same action page where he was before login/sign up. Is it possible to handle this at application or session level in mvc 5?
Yes, this is handled for you out of the box when you create a new ASP.NET MVC Project. To try this, do the following:
Create a new ASP.NET MVC 5 Project.
Open the Home Controller, and place an [Authorize] Attribute above the "About" action.
Navigate to the "About" menu option at /About.
You will automatically be redirected to the login page. Note that the login URL now reads "/Account/Login?ReturnUrl=%2FHome%2FAbout". This is how the initiating URL is passed into the login page.
Log into the site. After logging in, note that you are redirected back to the "/About" page that you were trying to initially access.
Of course this is not bullet proof. If you try to register before logging in you will notice that you are no longer redirected back to that initial page, but it is a start.