I'm updating one of our installers for .NET 4.0 and IIS 7.5, and one of the tasks is to switch the AppPool over to use its own identity. I have found this fairly trivial in WiX using the IIS Extension, but I'm struggling with two extra sets of permissions that we define, specifically to grant write permissions to the AppPool Identity:
<Directory Id="LOGS_LOCATION" Name="logs">
  <!-- SourceDir\logs -->
  <Component Id="LogsFolder" Guid="{3A7C38C7-6604-4063-A425-D62427B21AEE}" KeyPath="yes" DiskId="1">
    <CreateFolder>
      <!-- SYSTEM account is automatically given access, but set other ACEs here to avoid Users having access -->
      <Permission User="Administrators" GenericAll="yes"/>
      <Permission User="[ASPNET_USER]" Domain="[ASPNET_DOMAIN]" GenericRead="yes" GenericWrite="yes" Read="yes" Delete="yes" DeleteChild="yes" Traverse="yes"/>
      <!-- IIS5: ASPNET, IIS6: NetworkService, IIS7: AppPool identity -->
    </CreateFolder>
  </Component>
</Directory>
ASPNET_USER and ASPNET_DOMAIN are defined to be AppPoolName and IIS APPPOOL respectively (where AppPoolName exactly matches the name of the App Pool).
When I run the installer, I get a 1609 error stating that IIS APPPOOL\AppPoolName is not a valid identity and the installation fails. How can I specify the App Pool Identity to the Permission element so that the web app can write to the logs directory? Do I need to use a different identity?
That's an interesting question.
When you author a Permission element, it results in record(s) in the LockPermissions MSI table. According to MSDN, the records in this table are served by the InstallFiles, CreateFolders and WriteRegistryValues actions. When a CreateFolder element is the parent, it's obviously the CreateFolders action.
The security account corresponding to the ApplicationPoolIdentity is created when the appropriate AppPool is created. Now, the ConfigureIIs action is scheduled later in the sequence than CreateFolders. It obviously doesn't make any sense to move ConfigureIIs before CreateFolders.
I'm not sure this will work, but I would try the following:
Replace the Permission element with the PermissionEx element (the one from WixUtilExtension). It covers the functionality of Permission, plus adds more flexibility (for instance, not overwriting the ACLs but appending to them).
Move the SchedSecureObjects action (the one responsible for handling PermissionEx) after the ConfigureIIs action (the one responsible for IIS stuff) if it's not there already.
Now by the time permissions are to be set, the appropriate security account should exist. You might also want to play with the way you reference it, for instance, with or without the domain part.
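Putting the answer's two steps together, as an added example (not code from the question or the answer): the same folder component with util:PermissionEx in place of Permission, and SchedSecureObjects re-sequenced after ConfigureIIs. The WixUtilExtension namespace and the Custom/After sequencing syntax are WiX 3 as I know them; the property values are the question's own. Whether ConfigureIIs really runs before this point in your sequence is something to confirm in a verbose install log (msiexec /l*v).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
     xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
  <Fragment>
    <Directory Id="LOGS_LOCATION" Name="logs">
      <Component Id="LogsFolder" Guid="{3A7C38C7-6604-4063-A425-D62427B21AEE}" KeyPath="yes">
        <CreateFolder>
          <!-- util:PermissionEx writes SecureObjects records instead of LockPermissions,
               so the ACL is applied by SchedSecureObjects/ExecSecureObjects, not by CreateFolders -->
          <util:PermissionEx User="Administrators" GenericAll="yes"/>
          <!-- ASPNET_USER = pool name, ASPNET_DOMAIN = "IIS APPPOOL", as defined in the question -->
          <util:PermissionEx User="[ASPNET_USER]" Domain="[ASPNET_DOMAIN]"
                             GenericRead="yes" GenericWrite="yes" Read="yes"
                             Delete="yes" DeleteChild="yes" Traverse="yes"/>
        </CreateFolder>
      </Component>
    </Directory>

    <InstallExecuteSequence>
      <!-- The "IIS APPPOOL\<name>" account only exists once ConfigureIIs has created the pool,
           so the ACL must be scheduled after it (the answer's second step) -->
      <Custom Action="SchedSecureObjects" After="ConfigureIIs"/>
    </InstallExecuteSequence>
  </Fragment>
</Wix>
```

Build with both extensions referenced (-ext WixUtilExtension -ext WixIIsExtension on candle and light). After installing, icacls on the logs folder should list an ACE for IIS APPPOOL\<pool name> and none for BUILTIN\Users; if the ACE is missing, the verbose log shows whether ExecSecureObjects ran after the pool was created.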
I'm using ApacheDS as directory server which is used in applications like Gogs (Git server like GitLab). My idea is to create groups like gogs-users and restrict the login to those group, so that only users who are member of that group are able to login. I have created a groupOfNames for this and a testuser, which is added to the gogs group.
The type of gogs-users is groupOfNames and it has an attribute member which contains the DN of my user (uid=testuser,ou=Users,DC=example,DC=com). So I'm able to see, who is a member of this group.
But I would like to see all groups where a user is a member. When I open the testuser, I see no attribute that could tell me that he's a member of gogs-users. I remember that the proprietary Active Directory had an attribute called memberOf which was queryable in a filter like (&(objectClass=inetOrgPerson)(memberOf=CN=gogs-user,DC=example,DC=com)). That would be exactly what I need.
How can I get this in a free LDAP implementation? I see no way except defining a custom attribute, which I would have to maintain by hand. That's not good; I would like to have an automated solution that takes care of those attributes.
Things I already tried
https://stackoverflow.com/a/34502363/3276634 No changes
https://morenews.blogspot.de/2010/12/adding-active-directory-properties-to.html No changes, too
Note: I did a complete reset after each schema import, to make sure that my tests are not influenced by previous changes.
Here are queries that will go either way but ONLY work for Microsoft Active Directory:
Resolves all members (including nested) Security Groups (requires at least Windows 2003 SP2):
(memberOf:1.2.840.113556.1.4.1941:=CN=gogs-user,DC=example,DC=com)
And
All Groups a User is a member of including Nested Groups
(member:1.2.840.113556.1.4.1941:=CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET)
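The two filters above rely on an Active Directory matching rule. On ApacheDS, or any directory that stores groupOfNames entries without maintaining memberOf, the question "which groups is this user in" is answered from the other side: search the group subtree for entries whose member attribute equals the user's DN. The following is an added example, not code from the question or the answer; it uses System.DirectoryServices.Protocols, and the host, port, service-account DN and group DNs are assumed values (the user DN is the one from the question).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

static class GroupLookup
{
    // Escape a value for use inside a search filter (RFC 4515). A DN or uid that came
    // from a login form must not be able to close the filter and widen the search.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Reverse lookup: groupOfNames entries carry their members, so "all groups of user X"
    // is a search over the group subtree for member=X. No memberOf attribute is needed.
    public static List<string> GroupsOfUser(LdapConnection conn, string groupBase, string userDn)
    {
        string filter = "(&(objectClass=groupOfNames)(member=" + EscapeFilterValue(userDn) + "))";
        var request = new SearchRequest(groupBase, filter, SearchScope.Subtree, "cn");
        var response = (SearchResponse)conn.SendRequest(request);
        var groups = new List<string>();
        foreach (SearchResultEntry entry in response.Entries)
            groups.Add(entry.DistinguishedName);
        return groups;
    }

    // Login gate: a base-scope search on the required group, filtered by member=userDn,
    // returns exactly one entry iff the user is a direct member. Nested groups are not followed.
    public static bool IsMemberOf(LdapConnection conn, string userDn, string groupDn)
    {
        string filter = "(member=" + EscapeFilterValue(userDn) + ")";
        var request = new SearchRequest(groupDn, filter, SearchScope.Base, "cn");
        try
        {
            var response = (SearchResponse)conn.SendRequest(request);
            return response.Entries.Count == 1;
        }
        catch (DirectoryOperationException)
        {
            return false;   // the group entry does not exist: deny, never fail open
        }
    }

    static void Main()
    {
        // Assumed ApacheDS host, port and service account.
        var server = new LdapDirectoryIdentifier("ldap.example.com", 10389);
        using (var conn = new LdapConnection(server))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Basic;
            // In production bind over LDAPS (SessionOptions.SecureSocketLayer = true) or StartTLS,
            // so the service-account password and the member lists do not travel in clear text.
            conn.Bind(new NetworkCredential("uid=admin,ou=system", "<service-account-password>"));

            string user = "uid=testuser,ou=Users,dc=example,dc=com";
            string gogsGroup = "cn=gogs-users,ou=Groups,dc=example,dc=com";   // assumed group DN

            foreach (string dn in GroupsOfUser(conn, "ou=Groups,dc=example,dc=com", user))
                Console.WriteLine("member of: " + dn);
            Console.WriteLine("may log in to Gogs: " + IsMemberOf(conn, user, gogsGroup));
        }
    }
}
```

Because member is a DN-syntax attribute, the server compares it with DN matching rules, so differences in case or spacing between "DC=example" and "dc=example" do not matter; the escaping matters for values that arrive from users, not for DNs you build yourself. An application that gates logins this way should run IsMemberOf on every login rather than caching the result, since the directory is the only place where membership is revoked.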
We plan to implement a company-internal portal with Liferay 6.2. Since many of the team members are not within the company's network, the access has to be allowed from the internet.
Now I see a big problem with the Guest role, since it 1) can access Guest-viewable content without login and 2) this is the default selection when for example uploading a document.
What I really need is that only the login page is generally viewable, but all other sites and content are only visible to logged-in users, without the need to explicitly assign the permissions for each item correctly.
So the question is, can I prevent the guest role from accessing anything beyond the login page, so to say eliminate it from everything within the portal?
Update:
It was proposed to use only private pages. While this might work, it implies, as far as I know, that each user has to be a member of the site. But then it's no longer possible to have a site structure with different users participating in different sites and still be able to view public information (meaning public for all logged-in users) - or am I wrong?
Update 2:
I agree with a solution where one has to prevent the assignments to the guest role programmatically, via hook or via deeper changes in Liferay. Yet, I'd like to double-check that administratively and think of a periodic database job or program using the API which checks for relations to the guest role which came in around the hook or by wrong permission settings of a user and deletes them again. How could that be done?
When a document is uploaded through a private page, the permissions actually default to not being accessible to "Guest". This is easiest to guarantee if you don't have any public pages.
Also, you can access the API and change the default permissions once a document gets uploaded (no need to override core Liferay functionality like defaults): just write a service hook that overrides the upload of a document with a version that sets the permissions you want right after a document has been uploaded. This will catch all other upload attempts, e.g. through services, WebDAV etc.
Edit (after your comment): Added the link to Dev Guide. The actual use of the API is a bit too much to update this answer with on the fly. You might want to look at old examples like sevencogs (part 2) to get used to the actual API, but DevGuide will describe how to write the plugin in the first place.
You could still use the public pages etc. and disable the guest's VIEW permission on every element but the login page and its resources.
Now, as you have already noticed, the fact that, by default, whenever creating any content the Guest gets the VIEW permission is a substantial problem.
I'd suggest simply overriding the <guest-defaults> values in Liferay's core portlets' resource permission files (the ones in ROOT/WEB-INF/classes/resource-actions/) to remove these default values. If it's not clear to you how to do it, see, e.g., this forum topic: https://www.liferay.com/community/forums/-/message_boards/message/486154 .
All you need to do is delete all public pages. Every page that you create should be private. Don't worry about the login page, reset password and self-registration (if allowed); by default they are public.
Hope this helps.
I'm trying to set up a container-managed security realm for my web app (JSF 2.1 + Hibernate). I have noticed that Tomcat 7 can only use one type of realm at a time.
To use Tomcat in NetBeans (7.0) I have to create an account with the manager-script role. In addition, to work with Tomcat Manager I also need another role. This is a big problem for me because the tables I'm using for JDBCRealm are views of actual tables that store users and roles, and I would like not to store both of the roles in the same DB that my program uses.
Is there a way to make JDBCRealm and UserDatabaseRealm work together? That would be a relief.
Here is the code from server.config:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost:3306/realm?user=login&amp;password=pass"
       userTable="users"
       userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles"
       roleNameCol="role_name" />
Tomcat uses only the last one it finds in the file. They work fine separately.
Use a CombinedRealm (doc, javadoc):
Realm implementation that contains one or more realms. Authentication is attempted for each realm in the order they were configured. If any realm authenticates the user then the authentication succeeds. When combining realms usernames should be unique across all combined realms.
Maybe you are already using the LockOutRealm (doc, javadoc), which is a subclass of CombinedRealm and is in the default config of Tomcat.
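The combined form of the question's two realms, as an added example (not the asker's or the answerer's configuration): both realms are nested inside the LockOutRealm that Tomcat 7's default server.xml already declares, so they are tried in order and failed logins are throttled. The database credentials are moved into JDBCRealm's connectionName/connectionPassword attributes, which are the documented attributes for that purpose and avoid the "&" in the URL that XML requires to be written as "&amp;"; the attribute values are the question's own.

```xml
<!-- server.xml, inside <Engine> (or <Host>/<Context>): replaces the two stand-alone
     <Realm> elements, of which Tomcat only honours the last. LockOutRealm extends
     CombinedRealm, so its child realms are tried in the order listed. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="300">

  <!-- conf/tomcat-users.xml: the manager-script / manager-gui accounts
       for NetBeans and the Manager application -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <!-- application users and roles, read from the database views -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost:3306/realm"
         connectionName="login"
         connectionPassword="pass"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
</Realm>
```

The quoted CombinedRealm note about unique usernames has a role-side counterpart worth checking here: roles are taken from whichever realm authenticated the user, so the user_roles view must never be able to yield manager-script or manager-gui, or a database account would gain Manager access. Storing hashed rather than clear-text passwords in user_pass, with the Realm digest attribute set accordingly, keeps a leaked view from exposing application passwords.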
I am building a SharePoint web part that will be used by all users, but can only be modified by admins. The web part connects to a web service which needs credentials. I hard-coded credentials in the web part's code.
query.Credentials = new System.Net.NetworkCredential("username", "password", "domain");
query is an instance of the web service class
This may not be a good approach. With regard to security, the source code of the web part is available to people who are not allowed to see the credentials.
In normal ASP.NET applications, credentials can be written into web.config and encrypted. A web part doesn't have a .config file associated with it. There is an application-level .config file for the whole SharePoint site, but I don't want to modify it for a single web part. I wonder if there is a web-part-specific way to solve the credential problem? Say we provide a WebBrowsable property of that web part so that privileged users can modify credentials. If this is desirable, how should I make the property display as a password ("***") rather than in plain text?
Thanks.
Create a custom toolpart, check for a condition like SPWeb.UserIsWebAdmin, and if so, render the fields needed for credentials (input textbox, masked textbox etc.).
Read the user name and password out of an encrypted section of the configuration file. See https://web.archive.org/web/1/http://blogs.techrepublic%2ecom%2ecom/programming-and-development/?p=448 for more info on programmatic uses.
In addition to the above, you can store the credentials (securely, of course) on the server, be it a config file symlinked in, a file in a known location (e.g., a common directory) or even (not recommended) in the environment.
A bonus of this method is it allows dev/test/whatever to have different credentials and not interfere with production while developing/testing/etc.
If you want the web part to be independent of other parts of the system, a property is the simplest option. The main downside to that approach is that you can't set permissions for individual properties, so users will see it. You could have the value be a hash (calculated elsewhere by the admin before adding the web part) but I don't think I'd call that a good solution.
If you want to provide ui to admins only, you should create a custom settings page (CustomAction + layouts page) which saves the credentials in a site property, possibly encrypted so that they can only be read by your custom code in the web part and settings page.
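The custom toolpart from the first answer and the encrypted site property from the last one, combined in one added example (not code from the question or any of the answers). It targets the SharePoint server object model (Microsoft.SharePoint, Microsoft.SharePoint.WebPartPages). The encryption is a swapped-in choice, the .NET DPAPI wrapper ProtectedData, and the property-bag key name, entropy string and web service proxy are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebPartPages;

namespace Example.WebParts
{
    // Keeps the service credential in the site's property bag as a DPAPI-protected blob.
    // Anyone who can read the property bag sees only ciphertext; only code on this server
    // (LocalMachine scope) can unprotect it. Key name and entropy are assumed values.
    internal static class ServiceCredentialStore
    {
        private const string KeyName = "Example.ServiceCredential";
        private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("Example.WebParts.v1");

        public static void Save(SPWeb web, string user, string password, string domain)
        {
            byte[] plain = Encoding.UTF8.GetBytes(string.Join("\n", new[] { user, password, domain }));
            byte[] protectedBytes = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
            Array.Clear(plain, 0, plain.Length);
            web.Properties[KeyName] = Convert.ToBase64String(protectedBytes);
            web.Properties.Update();
        }

        public static NetworkCredential Load(SPWeb web)
        {
            string stored = web.Properties[KeyName];
            if (string.IsNullOrEmpty(stored)) return null;
            byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(stored), Entropy, DataProtectionScope.LocalMachine);
            string[] parts = Encoding.UTF8.GetString(plain).Split('\n');
            return new NetworkCredential(parts[0], parts[1], parts[2]);
        }
    }

    // Tool part offered only to web administrators. The password box is masked and never
    // pre-filled, so the stored secret is not echoed back to the browser in the editor.
    public class CredentialToolPart : ToolPart
    {
        private TextBox userBox, passwordBox, domainBox;

        public CredentialToolPart() { Title = "Service credentials"; }

        protected override void CreateChildControls()
        {
            userBox = new TextBox();
            passwordBox = new TextBox { TextMode = TextBoxMode.Password };
            domainBox = new TextBox();
            AddRow("User", userBox);
            AddRow("Password", passwordBox);
            AddRow("Domain", domainBox);
        }

        private void AddRow(string label, TextBox box)
        {
            Controls.Add(new LiteralControl("<div>" + label + ": "));
            Controls.Add(box);
            Controls.Add(new LiteralControl("</div>"));
        }

        public override void ApplyChanges()
        {
            EnsureChildControls();
            SPWeb web = SPContext.Current.Web;
            if (!web.UserIsWebAdmin) return;              // enforce on the server, not only by hiding the UI
            if (passwordBox.Text.Length == 0) return;     // blank password box: keep the stored value
            ServiceCredentialStore.Save(web, userBox.Text, passwordBox.Text, domainBox.Text);
        }
    }

    public class ServiceQueryWebPart : WebPart
    {
        public override ToolPart[] GetToolParts()
        {
            var parts = new List<ToolPart>(base.GetToolParts());
            if (SPContext.Current.Web.UserIsWebAdmin)
                parts.Add(new CredentialToolPart());
            return parts.ToArray();
        }

        protected override void Render(HtmlTextWriter writer)
        {
            NetworkCredential cred = ServiceCredentialStore.Load(SPContext.Current.Web);
            if (cred == null) { writer.Write("Service credentials are not configured."); return; }
            // query.Credentials = cred;   // the web service proxy from the question (assumed), no longer hard-coded
            writer.Write("Service credentials are configured.");
        }
    }
}
```

LocalMachine scope means any process on the same server can unprotect the blob, and a blob written on one web front end cannot be read on another; in a multi-server farm the encrypted web.config section from the other answer, or a farm-wide secret store, is the better home. The admin-only checks are deliberately duplicated: hiding the toolpart stops the UI from appearing, while the check in ApplyChanges stops a crafted postback from saving anyway.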
I'd like to know which properties/functions must have which privileges to be used. Is there such a list?
For example, when developing code, how can I know which properties or functions will work for site members, visitors or owners?
It's not so much about properties and functions. It is really for any time you are trying to execute a bit of code that the current user would not ordinarily have permission to run. For example, say you wanted to create a subsite based on some user-provided info when the user adds an item to a list. The user doesn't have privs to explicitly create such a site on his own. In a list item event receiver you would use a RunWithElevatedPrivileges block to create this subsite. That way the site gets created as the application pool owner rather than as the logged-in user, and you avoid the security issue. Of course, you will want to be careful what you do in such a block.
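The subsite scenario from the answer, written out as an added example (not the answerer's code) for the SharePoint server object model. It shows the two points that make an elevated block safe: the user-supplied value is validated before elevation, and the SPSite/SPWeb objects are opened inside the delegate, because objects opened outside keep the requester's permissions even when used within it. The "Title" column, the STS#0 template and the namespace are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.SharePoint;

namespace Example.Receivers
{
    // Item event receiver: a list item requesting a subsite gets the site created on its behalf.
    public class SubsiteRequestReceiver : SPItemEventReceiver
    {
        // Only a conservative character set becomes part of a URL; nothing else is accepted.
        private static readonly Regex SafeUrlName = new Regex("^[A-Za-z0-9_-]{1,60}$");

        public override void ItemAdded(SPItemEventProperties properties)
        {
            // 1. Read and constrain the user-supplied input while still running as the requester.
            //    "Title" is an assumed column; only this validated string crosses into the elevated block.
            string requestedName = properties.ListItem["Title"] as string;
            if (requestedName == null || !SafeUrlName.IsMatch(requestedName))
                return;

            string webUrl = properties.WebUrl;   // plain data, safe to capture in the delegate
            int itemId = properties.ListItemId;

            // 2. Elevate only around the privileged operation.
            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                // SPSite/SPWeb opened *inside* the delegate run as the application pool account.
                // properties.ListItem.Web, or any SPWeb opened outside, keeps the requester's rights,
                // so reusing those objects here would not elevate anything.
                using (SPSite site = new SPSite(webUrl))
                using (SPWeb parent = site.OpenWeb())
                {
                    try
                    {
                        // Template name is fixed in code, never taken from the item. Unique permissions
                        // and no automatic grant: the requester gets access only if you add them explicitly.
                        using (SPWeb created = parent.Webs.Add(requestedName, requestedName,
                            "Requested via list item " + itemId, parent.Language,
                            "STS#0", /*useUniquePermissions*/ true, /*bConvertIfThere*/ false))
                        {
                            created.Update();
                        }
                    }
                    catch (SPException)
                    {
                        // A site with that URL already exists (bConvertIfThere=false): do nothing.
                        // The requester must not be able to take over an existing site by name.
                    }
                }
            });
        }
    }
}
```

Keeping the elevated block this small is the practical form of the answer's "be careful": everything the requester controls is checked before RunWithElevatedPrivileges, and nothing the elevated code creates is handed back to the requester's context.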