Where does ${authAdminUrl} come from and how do I manipulate it? - keycloak

I'm trying to setup a (dockerized) keycloak instance but, after successful login, its' Security-admin-console keeps redirecting me to an internal URL instead of the URL I have setup in dns. Looking into the settings, its Root URL is set to ${authAdminUrl}. I could override this value with an actual URL but I'd much rather change the value of the variable. So where does ${authAdminUrl} come from, and more importantly, how do I manipulate it?

Actually the whole admin base URL (including scheme and port) can be configured in the standalone.xml file,
section <spi name="hostname">.
There you can add a property "adminUrl".
It's briefly mentioned in the Installation Guide, Hostname/Default provider.
Example:
<spi name="hostname">
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
<property name="adminUrl" value="https://myhost:10443/auth"/>
</properties>
</provider>
</spi>

TLDR: environment variable KEYCLOAK_HOSTNAME
A little more nuanced:
The value for the placeholder ${authAdminUrl} is a complete URL, whereas the environment variable KEYCLOAK_HOSTNAME is only the hostname; so without protocol, port number, or path. In my case, this doesn't matter because I'm not doing anything special with these so the default url formed with the custom hostname is good for me.

Related

Keycloak openid-connect/3p-cookies/step1.html not found error

I am trying to configure my Keycloak hostname. I have a frontend URL for the public requests and an admin URL not publicly exposed :
Frontend URL : http://localhost:8080/auth
Admin URL : http://localhost:8081/auth
I have the following hostname configuration in my standalone-ha.xml file :
<spi name="hostname">
<default-provider>${keycloak.hostname.provider:default}</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${env.FRONTEND_URL}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
<property name="adminUrl" value="${env.ADMIN_URL}"/>
</properties>
</provider>
...
Now I can't access the Keycloak admin console (localhost:8081/auth/admin). It only loads a white page with the following error in the console :
GET http://localhost:8080/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=6rmi9 404 (Not Found) check3pCookiesSupported #keycloak.js?version=6rmi9:1314 Promise.then (async) (anonymous) #keycloak.js?version=6rmi9:350
I cannot update the "keycloak.js" file as seen in some answers because it is not an adapter but the builtin file from Keycloak. I also have updated the Content Security Policy of the master realm with the following :
frame-src 'self' http://localhost:8000 http://localhost:8080 http://localhost:8081; frame-ancestors 'self' http://localhost:8000
Have I overlooked anything ?

How to add a domain name to an existing WCF REST web service?

I have an existing WCF REST service running on an Azure Windows Server 2012 using IIS8. Let say 1x.2x.3x.4x:7777/InvService.svc/RESTquery is how my users currently use the service.
I am wanting to replace the IP address with a hostname, say www.testDomain.com so the user will can then use www.testDomain.com:7777/InvService.svc/RESTquery.
After obtaining the domain name from GoDaddy, assigning IP 1x.2x.3x.4x, and testing it (my default site on the server comes up, hence why I am using port 7777). When I try www.testDomain.com:7777/InvService.svc/RESTquery I get a "Connection Timed Out" error.
I believe I am needing to add or change something inside my Web.config file but cannot seem to find the right answer. Here is what my current unsuccessful Web.config file looks like.
<services>
<service name="WCFInventoryService.InvService">
<endpoint address="RESTquery" behaviorConfiguration="restPoxBehavior"
binding="webHttpBinding" contract="WCFInventoryService.IInvService" />
<identity>
<dns value="www.testDomain.com" />
</identity>
</endpoint>
<host>
<baseAddresses>
<add baseAddress="http://www.testDomain.com/"/>
</baseAddresses>
</host>
</service>
</services>
What am I doing wrong? or should try?
I solved my problem. The problem was how the domain was set up in GoDaddy. In the GoDaddy account, the domain was set up to forward to the IP address and not to point to. Once I removed the forwarding record and changed the A record to point to the IP address in the GoDaddy account, the WCF service was accessible by using www.testDomain.com:7777/InvService.svc/RESTquery

Create logon token using BI Platform RESTful SDK

I'm attempting to create a logon token using the BOE BI Platform RESTful SDK v4.1 (using RESTClient).
A GET request to http://server:6405/biprws/logon/long/ returns:
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string" />
<attr name="password" type="string" />
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secEnterprise</attr>
</attrs>
A POST to http://server:6405/biprws/logon/long/ with a single header of Content-Type: application/xml and a payload of
<attrs xmlns="http://www.sap.com/rws/bip">
<attr name="userName" type="string">myAccount</attr>
<attr name="password" type="string">myPassword</attr>
<attr name="auth" type="string" possibilities="secEnterprise,secLDAP,secWinAD,secSAPR3">secWinAD</attr>
</attrs>
returns:
<error>
<error_code>FWM 00006</error_code>
<message>Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName#DNS_DomainName, and then try again. (FWM 00006)</message>
</error>
I've also tried attr name="userName" type="string">myAccount#mycompany.org</attr>, but with the same results.
A POST to http://server:6405/biprws/logon/adsso returns:
<error>
<error_code>RWS 00057</error_code>
<message>Method not allowed (RWS 00057)</message>
</error>
The credentials work with BI Launchpad and the CMC.
What am I missing?
First, a disclaimer -- I've only done REST WinAD with SSO, not manual logon. So I can't be absolutely sure that my suggestions below will fix your problem.
The call to /biprws/logon/adsso requires a GET not a POST, but that will likely not work until you have SSO working.
There are a few settings that are required for WACS to use WinAD, with or without SSO. The file is here:
SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\pjs\services\RestWebService\biprws\WEB-INF\web.xml
You will see a section commented out, starting with:
<!-- Kerberos filter section starts
Uncomment this section. Then set the following parameters:
idm.realm
idm.princ
idm.keytab
idm.kdc
idm.allowUnsecured
The values for these parameters should equal what was set in your system for BI launch pad. This is in:
SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties
The format of the file is different (global.properties is a simple properties file, but web.xml is xml). So you can't just copy/paste the section, but you can copy the individual values. For example, in global.properties, you might see:
idm.keytab=C:/WINDOWS/bosso.keytab
This would be done in web.xml as:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:/WINDOWS/bosso.keytab</param-value>
<description>
The file containing the keytab that Kerberos will use for
user-to-service authentication. If unspecified, SSO will default
to using an in-memory keytab with a password specified in the
com.wedgetail.idm.sso.password environment variable.
</description>
</init-param>
Couple of references:
http://myinsightbi.blogspot.com/
https://techwriter79.wikispaces.com/file/view/sbo41sp5_bip_rest_ws_en.pdf

Xmpp user login authentication from another database

I'm new in XMPP, recently I have installed and configure openfire admin control by defining IP (localhost), port (5222) and new database named: openfire in MySql.
But my usernames and their passwords are in another database, is there any steps to configure in openfire so that it can check the user authentication in my own created database instead of checking it's(openfire) own created usertable ofuser.
I'am Adding TAGS here,
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file stores bootstrap properties needed by Openfire.
Property names must be in the format: "prop.name.is.blah=value"
That will be stored as:
<prop>
<name>
<is>
<blah>value</blah>
</is>
</name>
</prop>
Most properties are stored in the Openfire database. A
property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
<adminConsole>
<!-- Disable either port by setting the value to -1 -->
<port>9099</port>
<securePort>9091</securePort>
</adminConsole>
<locale>en</locale>
<!-- Network settings. By default, Openfire will bind to all network interfaces.
Alternatively, you can specify a specific network interfaces that the server
will listen on. For example, 127.0.0.1. This setting is generally only useful
on multi-homed servers. -->
<!--
<network>
<interface></interface>
</network>
-->
<connectionProvider>
<className>org.jivesoftware.database.DefaultConnectionProvider</className>
</connectionProvider>
<database>
<defaultProvider>
<driver>com.mysql.jdbc.Driver</driver>
<serverURL>jdbc:mysql://localhost:3306/openfire?rewriteBatchedStatements=true</serverURL>
<username encrypted="true">87d776abae54f5b4c95c78b78420a6967a9429e9e6d7a5c0</username>
<password encrypted="true">7a1603cafdfe1383ea0e284360172ca8c94b37314dbd5390</password>
<testSQL>select 1</testSQL>
<testBeforeUse>false</testBeforeUse>
<testAfterUse>false</testAfterUse>
<minConnections>5</minConnections>
<maxConnections>25</maxConnections>
<connectionTimeout>1.0</connectionTimeout>
</defaultProvider>
</database>
<jdbcProvider>
<driver>com.mysql.jdbc.Driver</driver>
<connectionString>jdbc:mysql://localhost:3306/mydb?user=root;password=root</connectionString>
</jdbcProvider>
<provider>
<auth>
<className>org.jivesoftware.openfire.auth.JDBCAuthProvider</className>
</auth>
<user>
<className>org.jivesoftware.openfire.user.JDBCUserProvider</className>
</user>
</provider>
<jdbcAuthProvider>
<passwordSQL>SELECT upwd FROM users WHERE uname=? and usertype=2 and delflag=0</passwordSQL>
<passwordType>md5</passwordType>
</jdbcAuthProvider>
<jdbcUserProvider>
<loadUserSQL>SELECT CONCAT(ufname,ulname) AS name,uemail as email FROM users WHERE uname=? AND usertype=2 AND delflag=0</loadUserSQL>
<userCountSQL>SELECT COUNT(*) FROM users WHERE usertype=2 AND delflag=0 AND inactive=0</userCountSQL>
<allUsersSQL>SELECT uname FROM users WHERE usertype=2 AND delflag=0 AND inactive=0</allUsersSQL>
<searchSQL>SELECT uname FROM users WHERE usertype=2 AND delflag=0 AND inactive=0</searchSQL>
<usernameField>uname</usernameField>
<nameField>ufname</nameField>
<emailField>uemail</emailField>
</jdbcUserProvider>
<setup>true</setup>
</jive>
Here is a official openfire documentation for exact your case:
https://www.igniterealtime.org/builds/openfire/docs/latest/documentation/db-integration-guide.html
First, editing openfire.xml wont make any expected change with your openfire. even after you restart it.
You should edit that configuration from SERVER -> System Properties . OR you can directly modify database in ofproperty values.
but be carefull.. none of my JDBC authentication seems work if use my own user table. even if i set it to PLAIN password. and their MD5 looks different than standart md5 hashing method

Accept facebook login into my REST API

I have a backend server (Java / Spring / Spring Security).
Currently when users from mobile app login, they simply submit their username/password and Spring Security creates a Session and assign it to the request with a JSESSIONID.
We would now also have a button on the mobile app "Login with Facebook". Here is my understanding of how it will work.
mobile app uses facebook SDK to get an "access_token"
mobile app retrive USer Profile from facebook (name,surname,email etc..)
mobile checks (against MY server) if the username is unique
If username unique, call MY REST api, with something like this /login/facebook POST over SSL and passing the access_token, email, username etc...)
my server then checks if the access_token is valid
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
If yes, if the UID returned by facebook is already present in my local database, I signin the user as follow:
SecurityContextHolder.getContext().setAuthentication(
new UsernamePasswordAuthenticationToken(username, null, ROLE_USER));
If i don't find the UID, I just create a new user and login the user.
and from now on every request made to the server by the mobile will have the SESSION (created and attached by spring security) and the mobile app is authenticated
Could someone tell me if this is a good way of doing things ?
Should I stop using sessions and switch to Spring-Security-OAUTH2 ?
EDIT 1
Based on Dave advices here is the updated spring-security config:
<!- handle login by providing a token-->
<security:http pattern="/login/facebook" auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<security:custom-filter ref="facebookLoginFilter" position="FORM_LOGIN_FILTER"/>
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg value="/login/facebook"></constructor-arg>
</bean>
<!-- handle basic username + password logins-->
<security:http auto-config="true" use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<security:form-login login-processing-url="/security_check" authentication-failure-handler-ref="authFailureHandler"
default-target-url="/" always-use-default-target="true" authentication-success-handler-ref="authSuccessHandler" />
...
my others patterns..
...
</security:http>
<bean id="forbiddenEntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<bean id="authSuccessHandler" class="my.package.AuthenticationSuccessHandlerImpl"/>
<bean id="authFailureHandler" class="my.package.AuthenticationFailureHandlerImpl"/>
<bean id="facebookLoginFilter" class="pl.jcommerce.ocean.web.ws.controller.FacebookLoginFilter">
<property name="requiresAuthenticationRequestMatcher" ref="loginRequestUrlHandler"></property>
<property name="authenticationManager" ref="authManager"></property>
</bean>
<security:authentication-manager id="authManager">
<security:authentication-provider ref="facebookAuthenticationProvider" />
</security:authentication-manager>
<security:authentication-manager>
<security:authentication-provider ref="webServiceUserAuthenticationProvider" />
</security:authentication-manager>
<bean id="loginRequestUrlHandler" class="org.springframework.security.web.util.matcher.RegexRequestMatcher">
<constructor-arg index="0" value="/login/facebook" />
<constructor-arg index="1" value="POST" />
<constructor-arg index="2" value="false" />
</bean>
Facebook is already using OAuth2 server side, and provides its own native SDK for clients, so I don't see any advantage in your case of using OAuth2 in your server as well, unless your use case extends beyond what you outline above. Spring OAuth2 also has client side support, but not in a native app, so I don't really see anything at all wrong in principle with your proposal. You didn't say in any detail where you would set the security context up in your server, and I think that might be an important detail -- it has to happen in the security filter chain in the right place to get the session to be updated.
I took a crack at implementing something like this based on Dave Syer's answer here along with the Spring Security Angular materials he put together. To see an example see my forked github repo, specifically the classes in the security package.