If you add security settings twice to the same address match, but with different roles, are the roles added to the previous roles or are they overwritten (or something else)?
For example, what kind of security settings would result from the following calls:
serverControl.addSecuritySettings("address1", "role1", "role1", "role1", "role1", "role1", "role1", "role1", "role1", "role1", "role1");
serverControl.addSecuritySettings("address1", "role2", "role2", "role2", "role2", "role2", "role2", "role2", "role2", "role2", "role2");
(ServerControl is ActiveMQServerControl.)
Is there a way to list the current security settings in ActiveMQ Artemis (programmatically or otherwise)?
If you add security settings twice to the same address match, but with different roles the previous roles are overwritten.
Multiple roles can be added in a single call, e.g.:
serverControl.addSecuritySettings("address1", "role1, role2", "role1, role2", "role1, role2", "role1, role2", "role1, role2", "role1, role2", "role1, role2", "role1, role2", "role1, role2", "role1, role2");
Yo can check current security settings using ActiveMQServerControl.getRoles or ActiveMQServerControl.getRolesAsJSON, i.e.
serverControl.getRolesAsJSON("address1")
Related
My users has a birthDate attribute:
I created a mapper in client:
Yet it can't be seen in access token:
{
"exp": 1646589516,
"iat": 1646589216,
"jti": "7cee1468-8d80-4f14-a118-b07477c1e1e7",
"iss": "http://localhost:8080/realms/...",
"aud": "account",
"sub": "f:fd2a5a5a-c7a0-4e74-81a8-916a85885f98:...",
"typ": "Bearer",
"azp": "...",
"session_state": "efce7a63-2a8f-438d-b4a1-f5d979a00c81",
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid profile email",
"sid": "efce7a63-2a8f-438d-b4a1-f5d979a00c81",
"email_verified": false,
"preferred_username": "..."
}
Can it happen that the keycloak caching somewhere? (I cleared the caches at Realm --> Caches)
I am desperate... Every tutorial does this and it is not working for me.
Update: I could test it on a server that is remote and it is working. Where the hell the keycloak is caching and screwing me?
---------------------------------------------------------------------------
Update2: deleted the keycloak & reinstalled so start from 0:
created realm: ep
created client: ep
Here we can see the user has an attribute birthDate with value my-custom-birth-date:
I go Clients --> ep client --> Mappers and create a mapper like this:
Clients --> ep --> Client Scopes --> Evaluate --> Evaluate button we can see that the birthDate can be found there (last row, also the default birthdate can be seen):
If I evaluate on the user P...o then you can see the access token does not contains the birthDate attribute:
If I use postman to request a token for this user, the access_token looks like this:
Still missing the attribute birthDate.
I repeated every action I did above and in the remote keycloak the attribute can be seen (the last one on the image):
---------------------------------------------------------------------------
So I found the problem:
Here is my keycloak folder and the path to it:
I copied the data folder to here thinking I won't need to recreate the realm/client/etc:
Whenever I reinstalled the keycloak, I deleted the keycloak-17.0.0 folder and reinstalled to the same place:
After I deleted both data and keycloak-17.0.0 and recreate the realm/client/mappers/etc, it is working perfectly...
No idea why did the keycloak checked for configurations/settings/caches a folder above in the tree...
I am trying to enable SSO capabilities for Apache Zeppelin, using Apache Knox, which is configured to redirect auth requests to a Siteminder IdP.
The issue I am having is related to the NameID format configuration, and the signing configuration.
No matter what I configure in the sp/idp metadata, the NameID format used is
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
And the requests are always being sent with Signed requests set to true.
My SP configuration is as follows:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1" isDefault="true" Location="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"/>
</SPSSODescriptor>
I activated a SAML tracer and attempted the logon user journey. The AuthNRequest being sent to the Siteminder IdP based on this configuration looks like this:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
Destination="https://test-siteminder.com/test/saml2sso"
ForceAuthn="false"
ID="_yp52mio0oj4ho2niijmnnaikgbkid9tnc5h5ear"
IsPassive="false"
IssueInstant="2020-02-17T10:19:24.279Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="pac4j-saml"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
NameQualifier="https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client"
>https://knox.test.com/gateway/knoxsso/api/v1/websso?pac4jCallback=true%26client_name=SAML2Client</saml2:Issuer>
I can see a signature value in the Parameters section of the request, which is why I'm assuming that the AuthNRequest is signed (though my understanding of this is minimal, so that could be a wrong assumption!).
Can anyone help explain why the NameIDFormat is coming through as entity, as opposed to unspecified?
Does Apache knox support SAML1 protocols?
Thanks in advance!
You mentioned NameID format to be urn:oasis:names:tc:SAML:2.0:nameid-format:entity in your post but in the code you pasted it is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, just a copy paste error ? Looks like protocolSupportEnumeration is also referencing SAML 1 protocol. Knox uses Pac4J under the hood which does not support SAML 1, this might be the reason.
I'm currently doing a school assignment where we need to setup JAAS so it is import i use JAAS and not another security module.
When i'm trying to add: principalsQuery=select Password from Principals where PrincipalID=? to my authentication module in the WebUI I get invalid format error since it doesn't allow spaces(it accepts when there are no spaces).
Whenever i google the problem i see the standalone.xml configured with module options that include spaces. I've tried to include it in my standalone.xml (see below) but it won't work and the webUI keeps giving me the error.
<authentication>
<login-module code="test" flag="required">
<module-option name="dsJindiName" value="java:/MySqlDS"/>
<module-option name="principalQuery" value="SELECT password from user where username = ?" />
</login-module>
</authentication>
my datasource is configured as follows
<datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS">
<connection-url>jdbc:mysql://localhost:3306/Kwetter</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<driver>mysql-connector-java-5.1.47.jar_com.mysql.jdbc.Driver_5_1</driver>
<security>
<user-name>root</user-name>
<password>root</password>
</security>
<validation>
<valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
<background-validation>true</background-validation>
<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
</validation>
</datasource>
The DsJindiName works and is accepted by the login-module. But the principalQuery keeps giving me the error. My thinking is that the legacy security is not correctly support anymore any thoughts?
Solution:
I've figured out I needed to use Elytron to use JAAS. Using this guide
a problem occurs at the last step, the jbos-web.xml doesn't accept Elytron application security domains and errors at compiling. However, when you set the standard security domain in undertow it'll build and work like expected.
Team,
I have a question on Single Sign On using Kerberos Authentication.
We have generated a keytab file for the domain like "POC.MAIL.COM" and our server is hosted on "SW.MAIL.COM". As our application runs on Websphere Application Server, we tried to set the Kerberos configuration as given in the document (page no:167)http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf .
We are facing the an error saying that "Cannot get credential for principal service HTTP/server1.SW.MAIL.COM#SW.MAIL.COM". Can someone help me in resolving the issue..?
Please post a comment if any additional information is required..
When I try to set the krb5.conf and keytab file on "Kerberos Authentication Mechanism page", we are getting this error.
When I ran the command klist as per your input, I got the output as below
"Key table: /etc/krb5/pocsso.keytab
Number of entries: 1
[1.] principal: HTTP/server1.sw.mail.com#POC.MAIL.COM
KVNO: 12
"
UPDATE
.
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1#POC.MAIL.COM
Valid starting Expires Service principal
01/09/2014 16:15 02/09/2014 02:21 krbtgt/POC.MAIL.COM#POC.MAIL.COM
renew until 08/09/2014 16:15
Specify it only on the Global security > SPNEGO web authentication, not on the Kerberos configuration page. If keytab path is correct in your krb5.conf file, it is enough to provide just path to conf file (keytab is optional).
UPDATE
In the filter definition you should have:
Host name: server1.sw.mail.com
Kerberos realm name: POC.MAIL.COM
Filter criteria: yourFilterCriteria
Trim Kerberos realm from principal name - checked
See configuration details here: Enabling and configuring SPNEGO web authentication using the administrative console
Minimal configuration in web.xml for Java EE security. And you have to have Application Security enabled in the server configuration, and mapped userRole to some users/groups from registry.
<security-constraint>
<display-name>constraint</display-name>
<web-resource-collection>
<web-resource-name>all resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>userRole</role-name>
</auth-constraint>
</security-constraint>
A bit of a late answer.
Regenerate the keytab file by running the ktpass command as:
ktpass -out file.keytab -princ HTTP/server1.SW.MAIL.COM#POC.MAIL.COM -mapuser your-user -pass your-pwd -ptype KRB5_NT_PRINCIPAL
Solving the error:
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Cannot get credential for principal HTTP/appserver.example.com#EXAMPLE.COM
boils downs to the following rules when generating the keytab file:
The principal service must follow the format
<service name>/<fully qualified hostname>#KerberosRealm
Double check the spelling of the principal service
The service name must be all upper case, that is HTTP and not http
The Kerberos realm must also be all upper case, and
The host name must be found in the /etc/host file or the DNS server.
Sources:
http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_kerb_auth_mech.html
http://www.redbooks.ibm.com/redbooks/pdfs/sg247771.pdf (page 477)
I am working on a project using Netbeans with Glassfish 3.1 and am trying to implement LDAP authorization. To do so, I also have an LDAP-enabled Apache2 server using mod_jk. The gist is, when an user visits any page on the site in the /sng/ directory, the Apache server should ask for credentials and forward the user to the Glassfish server that is running that part of the site.
Apache is properly queueing for, and accepting, LDAP credentials and then forwarding the user to the appropriate area. But it seems that the REMOTE_USER variable is either not being set by Apache and/or not sent by mod_jk. Related configuration files and code snippets follow:
httpd.conf
<Location />
AuthBasicProvider ldap
AuthLDAPURL ldap://mainframe/ou=People,dc=dtch,dc=com?uid?sub
AuthzLDAPAuthoritative off
AuthType Basic
AuthName "LDAP"
require valid-user
Options Indexes FollowSymLinks MultiViews +Includes
</Location>
conf.d/jk
JKWorersFile /path/to/workers.properties
JkShmFile /path/to/mod_jk.shm
JkLogFile /path/to/mod_jk.log
JkLogLevel info
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
workers.properties
worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=127.0.0.1
worker.worker1.type=ajp13
sites-enabled/000-default
...
JkMount /*.jsp worker1
JkMount /sng/* worker1
web.xml
<filter>
<filter-name>RemoteUser</filter-name>
<filter-class>path.to.RemoteUser</filter-class>
</filter>
<filter-mapping>
<filter-name>RemoteUser</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
RemoteUser.java
//...
public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain )
throws IOException, ServletException
{
if( request instanceof HttpServletRequest )
{
HttpServletRequest httpServletRequest = ( HttpServletRequest )request;
String username = httpServletRequest.getHeader( "REMOTE_USER" );
if( username == null )
{
// enter here every time
}
// ...
}
//...
}
Finally I have registered a listener in the Glassfish control panel:
In short, I have no idea why null is being returned constantly and my searches on the internet have been of no help. Thanks in advance for any input you may provide.
note: httpServletRequest.getRemoteUser( ) provides the same null result.
I too had this problem. I found an answer by accident on another post. You have to update your server.xml in tomcat as follows:
<Connector protocol="AJP/1.3" port="..." ...
tomcatAuthentication="false" />
The tomcatAuthentication must be specified. Once I made the update, bounced tomcat, getRemoteUser() worked for me.
I was never able to retrieve a RemoteUser header, but I found a work-around in the form of the authorization header. Using getHeader( "authorization" ) returned to me a string in the form of:
Basic XXXX:YYYY
Where X is the username, and Y the password of the user accessing the page through Apache/mod_jk.
The portion of the string following 'Basic ' (X:Y) was Base64 encoded, so after decoding it with MiGBase64 I was finally provided with an username that I could use.