I configured my Jenkins server to only use HTTPS and enabled security.
As well I don't like anybody who's not logged on to see the Dashboard (even if it would be empty). Here for I disabled the 'read' access for 'anonymous'.
So far all this works exactly to my likings :)
But wanting to add some build notification functionality to remote clients by e.g. using something like 'CCtray' I run into trouble. The access to the https://<SERVER>/cc.xml now only works for logged in users.
Where I would have liked to be able to get those notifications for 'anonymous'.
Probably combining these wishes is kind of contradictory - I suppose?
Maybe someone has a better idea which could match my likings?
Possibly any other notification tool which can be used???
For the Mercurial hook triggering the sw-builds I can use a construction like
curl --cacert <CERTIFICATE> https://<USER>:<PASSWORD>#<SERVER>/job/MyPROJECT/build?delay=0sec
But a similar approach for the URL in CCtray doesn't seem to work.
I've just started using the cctray Jenkins transport extension. Early days, but it seems to work as advertised and is connecting to our secure server perfectly happily.
Currently, the only significant limitation seems to be that if your password expires there's no way to re-enter your credentials.
For Jenkins servers without anonymous access, you can use Catlight build notification tool. You can provide access token or username/password to authenticate to your server.
I you have a self-signed ssl certificate, make sure that you add it to trusted by OS. That way, most applications will recognize it and connect to server without warnings.
Adding to #MrBlueSky 's answer, you can avoid the password expiration hassle; simply use a Jenkins-issued API Token instead of your password.
Log into Jenkins
Click your username (in the upper right corner)
Click Configure (in the left navbar)
Click Show API Token
Use this token in place of your password when setting up the Jenkins Transport settings
Related
My problem is that the oAuth gets denied on our test server but it works on our live and development (local) servers.
Is there something specific what I have to configure to make it work on antoher server?
I compared the platform folder with test and live, both are identical.
I created same oAuth logins on both servers, didn't work.
I tried to login through the ip, to avoid apache, didn't helped.
Now I am kind of lost where to look next.
To test my login I use Swagger or Postman with this url: https://test.shop/authorizationserver/oauth/token with Basic Authorization.
The reponse is: {"error":"invalid_client","error_description":"Bad client credentials"} but it is wrong.
This is the configuration for the user:
I had besides this problem, an equal one on the live system. Our apache removed the Authorization from the header to get the Backoffice working, which is protected through the htaccess. When I was researching this problem, I got the same error as this one. Now everything works fine on live. I corrected the same thing on test, tried even uninstall apache, but the login is still not working.
You need configure oAuthClient for SmartEdit by running following Impex:
INSERT_UPDATE OAuthClientDetails;clientId[unique=true];resourceIds;scope[mode=append];authorizedGrantTypes;accessTokenValiditySeconds;authorities;clientSecret;;smartedit;hybris;basic,permissionswebservices,previewwebservices;password,client_credentials;3600;;;
For details, please see:
Configuring oAuthClient for SmartEdit
Can you please check if the configurations are similar? If yes then there is something env specific and needs to be debugged individually.
We fixed the problem by pasting the correct "OAuth client secret" into the "Password" and "Verify password" field. This was initialized via impex with an old value (but not visible to the user in the dialog as seen in the lower screen).
I am trying to record an internal website for which i need to enter credentials that is not same as the windows credential. Later on the same test needs to be run for more than one user. i know how to use the csv file to pass the parameters - username and password.
For Windows Authentication i have added Authorization manager.
From Fiddler i checked it was NTLM authentication(though i am not sure yet) and i did enter the values for NTLM authentication in Authorization Manager.
Now when i try and record the internal website - i cannot even go to homepage after the windows credentials, it keeps on spinning.
When i check the Authorization Manager, i find an extra line added for kerberos Authentication as shown in Picture:
My query here is:
1)why is it recording it as kerberos
2)where is it saving the username and password
3)why is it not loading the website- always keeps spinning and i have to stop it
4)I have tried Kerberos settings and then record, but its not working either , could it be i am using the wrong values in the kerb5.conf file , how do i debug.
Kind of stuck at the moment.
Thanks for help!
If you're uncertain what authentication is being used under the hood - just ask around, application developers or network administrators should be aware of the external authentication scheme. You can also try using a 3rd-party tool like Kerberos Authentication Tester
I don't think you can record and replay Windows authentication so it makes sense to start recording some time after the login screen as long as you can login using JMeter
Looking into JMeter source
// if HEADER_AUTHORIZATION contains "Basic"
// then set Mechanism.BASIC_DIGEST, otherwise Mechanism.KERBEROS
In case of Kerberos credentials are saved directly in the HTTP Authorization Manager in form of ${AUTH_LOGIN} and ${AUTH_PASSWORD}, real credentials are not stored anywhere
Most probably your application doesn't receive valid authentication context therefore it cannot proceed
Add sun.security.krb5.debug=true line to system.properties file (lives in "bin" folder of your JMeter installation), JMeter restart will be required to pick the property up.
More information:
Windows Authentication with Apache JMeter
JAAS and Java GSS-API Tutorials
An existing Win2016 server with IIS10 prompts for creds on a simple website set up with Windows Authentication. A new server does not.
I have an existing Win2016 server running IIS. I set up a simple website with one .htm page that says Hello World. If I turn on Windows Authentication only, the browser continually prompts for username/password. I want Kerberos authentication only, so the Providers list contains Negotiate only. Enable Kernel-mode authentication is selected. The app pool is running as Network Service. The target browser is Chrome.
After many hours going nowhere with this problem, I decided to build a new box with the same spec. After setting up the site in the same way, I do not get prompted by the browser! Strange!
Both boxes are domain joined and seemingly have the same GPOs applied.
Can anyone advise on how I can get the first server to behave like the second? Unfortunately moving to the new box is not an option at this stage. Any help on a structured methodology for diagnosing the Kerberos exchange between server and client would be most helpful.
Thank you.
I've been asked to support 2 URLs for JMX access to our server:
A secure one (service:jmx:rmi://localhost/jndi/rmi://localhost:2020/jmxrmi)
An insecure one: (service:jmx:rmi://localhost/jndi/rmi://localhost:2020/insecure-jmxrmi)
The insecure one is primarily for demo purposes - no it won't be used during production.
I can create a custom ConnectorServer for /jmxrmi and provide an interceptor to use our security mechanism to verify credentials. If I just create a vanilla second ConnectorServer (no 'env' properties), however, using jconsole -debug to access it initially tries secure access, and puts up the dialog about that failing, then asking if I want to try it insecurely.
The docs I've read from Oracle/Sun indicate that I can disable password auth and SSL using a couple of command-line -D switches. But then does that not mess with the /jmxrmi secure access?
How do I support both secure and non-secure connections at the same time? Note that I don't need them using the same URL, of course.
Thanks!
This is a tough one. When you disable auth and SSL you do it per JVM.
The JMXRMP protocol can not distinguish between secured and non-secured connection. You either set up the security and it will be used or not. I think the best shot would be using a custom ConnectorServer and put up with the messages JConsole produces.
I am currently using expressjs with node.js as my rest server for my website. Currently users can login on to my website and start some actions through ui. They want to automate this stuff and I am looking for ways to achieve that. Some of the ways I can think is:
Create a new request which can take login creds as part of reuest parameters and execute the desired the actions. My users would have to save their password as pain text for automations which doesn't seem OK to me.
login using ssh similar to how bitbucket/github takes our public ssh key and lets up do codepush with out writing the password everytime. How do I implement this kind of setup. My users want to execute everytime they deploy in test machine. So they will put my script in server restart script.
If I have to adda new ssh based authentication, are there any npm modules which can help me with implementation?
I am using mean.io boiler plate code and login is currently is based on default login protocol of theirs, where in I save the hashed password and compare that during login.
I think dealing with public-private key pairs is probably more trouble than it is worth. Perhaps you can go with a third option:
Allow users to generate API keys from your web interface. The keys will be "long" randomly generated strings (GitHub uses a 40 character long hexadecimal string for its keys). They can be used for making API requests in place of a password in a username-password pair. For additional security, allow users to limit a key's usage to a certain IP (range).
Also, make sure your application is being served over HTTPS if it is not already.
Example flow:
User tim generates a random API key on your site (aisjd8auasdjsd80j43j).
tim wants to make a request to your API. In the request, tim sets an authorization header:
GET /api/v1/list-all HTTP/1.1
Host: example.com
X-API-Auth: tim:aisjd8auasdjsd80j43j
...
Your API verifies the X-API-Auth header, checking if tim owns the given API key.
Your API returns the requested information on sucess.
Also, it may be worth using using HTTP basic authentication instead of the custom X-API-Auth header, as I did in the above example. I believe it would be slightly easier in command line tools like curl to make HTTP basic authentication requests, rather than setting a custom header.