Blank page after authentication via getAuthenticationInfo - shiro

I have created a Shiro Realm to use with x509 certs based on this extension.
The "protected X509AuthenticationInfo doGetX509AuthenticationInfo(X509AuthenticationToken token)" method is executed (i.e. getAuthenticationInfo(token)), validates my user and seems to execute the return X509AuthenticationInfo.
However, after that, the page stays blank! It is not redirected anywhere. If I use instead "anon", or the basic authentication, then my page is displayed correctly (to verify that the page should not be blank). What can be happening?
shiro.ini
[main]
x509Realm = com.flowersforyou.shiro.myRealm
securityManager.realms = $x509Realm
x509 = org.apache.shiro.web.filter.authc.X509AuthenticationFilter
[urls]
/** = x509
EDIT
I tried to use
x509.loginUrl = /err.xhtml
[urls]
/err.xhtml = anon
/** = x509
But it is still showing a blank page, so I don't think I was redirected anywhere when the validation failed.
EDIT
My answer explains what is possibly happening but not how to fix it. So I suppose that blank page is because something failed (null pointer or whatever). However, I suppose this should raise a 500 error via an Exception, as everything else. When the 500 error is raised, my app will capture it and show a custom error page. This is not happening here. Any solution to capture that error?

I think I have discovered what is happening...
I am missing a Credential Matcher in my .ini:
sha256Matcher = org.apache.shiro.authc.x509.X509CredentialsSha256Matcher
x509Realm.credentialsMatcher = $sha256Matcher
Without this, I suppose the authentication fails (either because there is no matcher set or because it is using a default one that doesn't understand certs but plain passwords) and it is silently finishing with a blank page (perhaps I have to define somewhere where to go if the authentication fails). If someone knows where to do it, or why exactly I am getting a blank page, please tell me to complete the answer.
EDIT
As for the blank page, I found that no exception was being raised. More details here.

HttpContext.User is null after successful login from SAML Identity Provider?

Trying to retrofit an old webforms application.
Got my configuration working so that it's prompting for login and successfully redirecting back to the application. The folks that manage the IP can see the response is generated.
However in the callback to my application the User is null. I'm told if it's configured correctly it should be populated.
We have a custom IHttpModule and that is where I can see getting hit with the call to /Saml2/Acs with the User not populated. I think this may be expected as the handler for that is supposed to populate the User, I think? However the following call (the returnUrl configured in sustainsys.Saml2) still has no User and I don't see any sort of error or anything.
Anyone with experience have an idea how to debug this?
The call to /Saml2/Acs should be taken care of by the Sustainsys.Saml2.HttpModule. It will process the response and then call the SessionAuthenticationModule to set a cookie that preserves the User across calls.
To get some more information about what's happening in the library, you can assign an implementation of ILoggerAdapter to Sustainsys.Saml2.Configuration.Options.FromConfiguration.SPOptions.Logger to get some logging output from the library.
My issue turned out to be that I had another authentication module loaded before SessionAuthenticationModule and Saml2AuthenticationModule in the web config.
The comment in the example was
Add these modules below any existing. The SessionAuthenticationModule
must be loaded before the Saml2AuthenticationModule
However, in my case I had another authentication module involved that needed to go last.

TYPO3 error 404 instead of redirect

I have this problem: if a page on my site doesn't exist, it always redirects to the main page, but I want to display a 404 error.
Example: example.com/sdasadsasad - I see the main page. How can I fix it? I tried adding to LocalConfiguration
'pageNotFound_handling' = '/';
'pageNotFound_handling_statheader' = 'HTTP/1.1 404 Not Found';
but it doesn't help.
TYPO3 7.6.11
Look in the description of the install tool for the settings. It describes what each setting does.
So a string in pageNotFound_handling will fetch the page entered and display it; true or 1 will display an error message.
I recommend creating an error page like example.com/404.html within TYPO3 and entering 404.html in pageNotFound_handling so you can customize the error.
If you only want to show an error, enter true or 1 in the pageNotFound_handling setting.
We were experiencing the same problem. We have curl enabled ($GLOBALS['TYPO3_CONF_VARS']['SYS']['curlUse'] = 1). Due to our configuration, curl was not able to fetch the error page because the SSL certificate could not be verified.
Be careful, the following idea is ugly:
You might find out more about the problem by editing TypoScriptFrontendController.php: Find the function pageErrorHandler (about line 2000 -- who writes such long files?!), find the call to GeneralUtility::getUrl() and add as fourth parameter a new array variable. var_dump it instead of the call to HttpUtility::redirect. You should get the curl error if there is one.

Facebook auth serverside calls back 2 times with the same code

On our server-side authentication with Facebook we get a random and weird issue. Facebook calls the call back URL two times with the same code. This is only happening for some users and not on every login.
This is the flow we have implemented on our side: https://developers.facebook.com/…/manually-build-a-login-fl… . We have been using it since the beginning of 2013 and we haven't noticed any issues so far.
And this is the error we get when we are exchanging the code for an access token the second time.
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100,"fbtrace_id":"traceID"}}
We tried to log this issue as a bug on https://developers.facebook.com/bugs but unfortunately it doesn't work.
It keeps showing an unexpected error. Not to mention that I was unable to find the correct bug category.
Any idea on how we can fix this?
Thanks!
Could it be that users are clicking twice to trigger the auth service? Try disabling the button before calling the Facebook auth service.
What language are you using?
I just had this problem in Ruby using Devise for Rails. I had created an omniauth.rb initializer file, and added a config line item in the devise.rb initializer file.
If you did this too, you can remove the omniauth.rb initializer file and you should be good to go!
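The double delivery described in the question (the same code arriving at the callback twice, the second exchange failing with OAuthException code 100) handled on the server side, as an added Ruby example that is not code from the question or either answer: the state value issued when the login starts keys each attempt, so a redelivered code is answered from the first result instead of being exchanged again. FakeTokenEndpoint is a constructed stand-in for the provider's token endpoint.

```ruby
require 'securerandom'
require 'json'
# Error body Facebook returns when a code is exchanged twice (from the question).
CODE_USED_ERROR = { 'error' => { 'message' => 'This authorization code has been used.',
                                 'type' => 'OAuthException', 'code' => 100 } }.freeze

# Constructed stand-in for the provider's token endpoint: codes are single-use,
# so a second exchange of the same code fails exactly like the real one does.
class FakeTokenEndpoint
  def initialize; @used = {}; end
  def call(code)
    raise CODE_USED_ERROR.to_json if @used[code]
    @used[code] = true
    { 'access_token' => "tok-for-#{code}" }
  end
end

# Callback handler that makes the code exchange idempotent per login attempt.
# The state value handed out when the login starts is the deduplication key.
class OAuthCallbackHandler
  def initialize(token_endpoint)   # anything responding to #call(code)
    @exchange = token_endpoint
    @pending  = {}                 # state => true while a login is in flight
    @finished = {}                 # state => { code:, token: } once handled
    @lock     = Mutex.new
  end

  # Step 1: issue an unguessable state to include in the authorization URL.
  def begin_login
    state = SecureRandom.hex(16)
    @lock.synchronize { @pending[state] = true }
    state
  end

  # Step 2: provider redirects back with code and state. Returns [status, token]
  # where status is :ok (first delivery), :duplicate (same code redelivered)
  # or :rejected (unknown state, or a different code for a finished state).
  def callback(code:, state:)
    @lock.synchronize do
      if (done = @finished[state])
        return done[:code] == code ? [:duplicate, done[:token]] : [:rejected, nil]
      end
      return [:rejected, nil] unless @pending.delete(state)
      token = @exchange.call(code)          # exchanged exactly once per state
      @finished[state] = { code: code, token: token }
      [:ok, token]
    end
  end
end
```

A real deployment would keep @pending and @finished in the session store or a shared cache rather than in process memory.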

Trying to get OAuth dialog to work

I am at this step in getting my app started in the documentation:
https://developers.facebook.com/docs/appsonfacebook/tutorial/#auth
In there is a code block that (supposedly) forwards the user to a request dialog asking permission to access certain bits of information about them. I've placed this code block into the PHP script that my canvas URL points to, and changed the $app_id and $canvas_page to my application ID and canvas URL respectively. Instead of getting the expected dialog, I receive this following error from facebook:
"An error occurred. Please try again later."
No other details about the error are present. I've tried some variations of the script, and have even tried loading up this URL directly just to see if that would work. Note that I've replaced YOUR_APP_ID and YOUR_CANVAS_PAGE with the appropriate values and made sure that spelling and/or punctuation are correct:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_CANVAS_PAGE&scope=email,read_stream
For the redirect URL, I've tried prepending it with http://, https://, and no prefix at all. All with the same result.
My question: is the example in the documentation broken, or is the oauth link provided in the documentation currently down? The vague nature of the error is somewhat frustrating since I can't tell if it's something I'm doing wrong or if it's facebook's oauth function that's at fault.
So, the problem was that instead of using the numeric application ID that facebook assigned for me when I originally created the app as the YOUR_APP_ID parameter in the OAuth URL, I was using the application namespace string. Facebook didn't understand this sort of request, and returned the generic error message.
Once I used the numeric app ID, the OAuth dialog popped up to ask permission to access my account, as expected.

Facebook Login throws "Permission denied"

I am adding Facebook login to my existing asp.net application. I have added a Facebook login button to my login screen. Now, I click Facebook's login button and in IE 9 it throws client-side exception in all.js on Line 22: if(a.params)b.fbCallID=a.id;
Even after that exception I see the Facebook login screen and can log in, and in the main browser window I get the auth.login event, so I can live with that.
But, if I am already logged in to Facebook, I come to the page and click the Facebook login button, I briefly see the empty popup window, then I get the same client-side exception, and then I get no event in the main browser window, so I don't know if the user logged in so I can't redirect them to another page.
I tried the channelUrl trick but it didn't help.
Any suggestions what's going on?
I found this hack that fixed the issue for me; add this line right after you call FB.init():
// Hack to fix http://bugs.developers.facebook.net/show_bug.cgi?id=20168 for IE7/8/9
FB.UIServer.setLoadedNode = function (a, b) {
FB.UIServer._loadedNodes[a.id] = b;
};
The reason it is happening (from the websites and documents I have read, and believe me, I've read a LOT) is that IE refuses cross-site javascript, and it sees the all.js as crossing the sandbox border. A good discussion can be found here.
Some people say that adding the channel.html file works, but we have tried all flavors of that, and have not had any success. (Remember that the http or https must match the page sending the request.)
Microsoft makes reference to this same issue and their advice is to add the site to trusted sites (that doesn't help). Old advice (from last year) is to add CP="HONK" as your compact privacy policy, but I think that bug was fixed, and it was cookie-related.
What seems to be happening to us is that the login actually continues, and the callback gets called properly, but the main thread that should complete outside of the login call stops executing (because of the error). So, any functions outside the login fail to execute after the login call.
If anyone has a way to get IE to not throw the exception or to create a workaround for this issue, I am desperate to have it. Any info needed I will be happy to provide, but a sample is here:
// code before login here...
FB.login(function(response){
    // callback stuff here... This part fires.
});
// main thread stuff here... This fails because of the permission denied error.