I want to apply some APIM policies based on the clientId from which the request is coming from.
I want to validate the tokens coming from a particular client for certain claims and not for rest of the clients.
I am trying it by various ways, but none works and makes the policy return 500 internal server error for each request.
Can anyone help me know what am I doing wrong or how can this be done.
<set-variable name="authToken" value="#(context.Request.Headers.GetValueOrDefault("Authorization","Bearer").Split(' ').Last())" />
<choose>
<when condition = "#(((Jwt)(context.Variables["authToken"])).Claims["appid"].Contains("{{particularAppClientId}}"))">
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/some_tenant_id/.well-known/openid-configuration" />
<audiences>
<audience>{{clientId}}</audience>
<audience>{{ResourceId}}</audience>
</audiences>
<issuers>
<issuer>https://sts.windows.net/some_tenant_id/</issuer>
</issuers>
<required-claims>
<claim name="roles" match ="any">
<value>Task.Write</value>
<value>App.Setup</value>
</claim>
</required-claims>
</validate-jwt>
</when>
<otherwise>
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/some_tenant_id/.well-known/openid-configuration" />
<audiences>
<audience>{{clientId}}</audience>
<audience>{{ResourceId}}</audience>
</audiences>
<issuers>
<issuer>https://sts.windows.net/some_tenant_id/</issuer>
</issuers>
</validate-jwt>
</otherwise>
</choose>
Could you try getting and setting the token as follows instead?
context.Request.Headers.GetValueOrDefault("Authorization",string.Empty).Split(' ').Last().AsJwt()
The rest of the implementation, conditional, etc, looks valid to me as it aligns with the official sample: https://learn.microsoft.com/en-us/azure/api-management/policies/authorize-request-based-on-jwt-claims
Related
I'm using sustainsys.saml2.httpmodule. I would like to run some code to log the logout from an IDP initiated single log out. The user also does not seem to be logged out (IsAuthenticated is still true) after an IDP initiated single log out even though https://stubidp.sustainsys.com/Logout gives me a success result.
I can't seem to find anyone else needing the same functionality or having the same issues. My Sustainsys config is below.
<sustainsys.saml2 entityId="http://localhost:53758/Saml2"
returnUrl="http://localhost:53758/Common/Pages/Saml2Login.aspx"
authenticateRequestSigningBehavior="IfIdpWantAuthnRequestsSigned"
validateCertificates="false"
publicOrigin ="http://localhost:53758/">
<nameIdPolicy allowCreate="false" format="Unspecified"/>
<metadata cacheDuration="PT1440M" wantAssertionsSigned="true">
<organization name="ab" displayName="ab" url="https://www.example.com/" language="en" />
<contactPerson type="Technical" email="a#b.com" />
<requestedAttributes>
<add friendlyName ="Some Name" name="urn:someName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
</requestedAttributes>
</metadata>
<identityProviders>
<add entityId="https://stubidp.sustainsys.com/Metadata"
signOnUrl="https://stubidp.sustainsys.com"
logoutUrl="https://stubidp.sustainsys.com/Logout"
allowUnsolicitedAuthnResponse="true"
binding="HttpRedirect"
wantAuthnRequestsSigned="true">
<signingCertificate storeName="CertificateAuthority" storeLocation="CurrentUser"
findValue="cdf7090a433561a843b51198b0ba6456" x509FindType="FindBySerialNumber" />
</add>
</identityProviders>
<serviceCertificates>
<add storeName="CertificateAuthority" storeLocation="CurrentUser" findValue="2cfe21cb930c19a341e9e30a07a3c123" x509FindType="FindBySerialNumber" />
</serviceCertificates>
</sustainsys.saml2>
You can use the LogoutCommandResultCreated notification. It will get called both when the redirect to the Idp is about to happen as well as after the response has been received from the Idp.
I have a separate rest module named 'x' where I have used spring security with basic auth filter(username and password) in complete module therefore any request hitting this rest services should be logged-in but I have one page for forgot password where I am mapping in the same x module due to this auth filter I am unable to proceed. If I am logged in and going to this page and using the services of x module then its working fine but not in case of logged out users.
I tried these thing for not working
<http pattern="/forgotpass" security="none"/>
<intercept-url pattern="/forgotPassword" access="permitAll"/>
<intercept-url pattern="/forgotPassword" filter="none"/>
--> access="permitAll" does not work since it does permit all url but still it will authenticate with filter
and filter="none" is depricated not even able to start my jar when I put this thing.
security="none" gives 403 forbidden error sometimes or internal server error since I was changing the pattern "rest/forgotPassword" or "forgotPassword".
I resolved my problem by myself.
It was sequence that was having problem with.
I was using <intercept-url pattern="/forgotPassword" access="isAnonymous()"/>
after this <intercept-url pattern="/**" access="hasAuthority('USER')" />
I just order the line by putting "/forgotPassword" url on top of "/**"
Reason: It was overriding the request pattern in sequence it came first therefore it didnt allow to pass because role was missing in forgotpassword
We have a functioning application with multiple filter chain configuration. One of the first filter chains belongs to REST POST requests that requier no authentication:
...
<http pattern="/*.info**" entry-point-ref="infoEntryPoint" use-expressions="true" create-session="never">
<intercept-url pattern="/*.info" access="permitAll" />
</http>
<beans:bean id="infoEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<beans:property name="realmName" value="Info REST Realm" />
</beans:bean>...
It worked for GET and POST requests, but after upgrading to Spring Security 4, the POST requests are not captured by this filter chain, but the next filter chain captures them (and creates session and throws 403, doing right its job).
How could I fix it?
CSRF protection is switched on by default in Spring Security, it was switched off by default formerly. The following entry (inside the http tag) solved the problem:
<csrf disabled="true"/>
I'm attempting to create a logon token using the BOE BI Platform RESTful SDK v4.1 (using RESTClient).
A GET request to http://server:6405/biprws/logon/long/ returns:
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string" />
<attr name="password" type="string" />
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secEnterprise</attr>
</attrs>
A POST to http://server:6405/biprws/logon/long/ with a single header of Content-Type: application/xml and a payload of
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string">myAccount</attr>
<attr name="password" type="string">myPassword</attr>
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secWinAD</attr>
</attrs>
returns:
<error>
<error_code>FWM 00006</error_code>
<message>Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName#DNS_DomainName, and then try again. (FWM 00006)</message>
</error>
I've also tried attr name="userName" type="string">myAccount#mycompany.org</attr>, but with the same results.
A POST to http://server:6405/biprws/logon/adsso returns:
<error>
<error_code>RWS 00057</error_code>
<message>Method not allowed (RWS 00057)</message>
</error>
The credentials work with BI Launchpad and the CMC.
What am I missing?
First, a disclaimer -- I've only done REST WinAD with SSO, not manual logon. So I can't be absolutely sure that my suggestions below will fix your problem.
The call to /biprws/logon/adsso requires a GET not a POST, but that will likely not work until you have SSO working.
There are a few settings that are required for WACS to use WinAD, with or without SSO. The file is here:
SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\pjs\services\RestWebService\biprws\WEB-INF\web.xml
You will see a section commented out, starting with:
<!-- Kerberos filter section starts
Uncomment this section. Then set the following parameters:
idm.realm
idm.princ
idm.keytab
idm.kdc
idm.allowUnsecured
The values for these parameters should equal what was set in your system for BI launch pad. This is in:
SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties
The format of the file is different (global.properties is a simple properties file, but web.xml is xml). So you can't just copy/paste the section, but you can copy the individual values. For example, in global.properties, you might see:
idm.keytab=C:/WINDOWS/bosso.keytab
This would be done in web.xml as:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:/WINDOWS/bosso.keytab</param-value>
<description>
The file containing the keytab that Kerberos will use for
user-to-service authentication. If unspecified, SSO will default
to using an in-memory keytab with a password specified in the
com.wedgetail.idm.sso.password environment variable.
</description>
</init-param>
Couple of references:
http://myinsightbi.blogspot.com/
https://techwriter79.wikispaces.com/file/view/sbo41sp5_bip_rest_ws_en.pdf
I am consuming an secured service hosted over basicHttpBinding
I have to pass credentials to the service for authenticatioon
Here’s the config setting for the client
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
While calling the service, I am getting following exception message
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
Message = "An invalid security token was provided (Bad UsernameToken Values)”
I not sure how to get it working I am curious if somebody can help me out or provide me any url where I could find the solution
When you create your MyServiceClient object you can set the username and password on the clientInstance.Credentials.UserName object.