Adding URL Exemption for Keycloak - keycloak

I'm new to Keycloak so I apologize if this is an easy question.
I have to have my entire website hidden behind Keycloak, except for one or two URLs. These endpoints are necessary for our REST server, so something like "/rest/service/status" should not be challenged.
What is the best way to accomplish this?

You can add a security exemption for the URL using web.xml or spring-security.xml, like:
<security:http pattern="/YOUR_URL/**" security="none"/>

Related

Facebook OAuth SSO Issue

I have a JavaEE Application. I am trying to implement OAuth.
But I am facing some strange issues:
As per the documentation for manually building the sign-in web flow, I have to provide a link like this: https://www.facebook.com/dialog/oauth?client_id=1231298371123&display=popup&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fc%2Fportal%2Fauth%2Ffacebook_login%3F&scope=email,public_profile,user_birthday&response_type=code%20token which will open the dialog. But the dialog is not opening.
And when the SSO is successful, FB redirects to the URL given above, but the problem is that FB appends the query strings like state, code, etc. after a #. Something like: http://localhost:8080/c/portal/auth/facebook_login?#state=ASDASDASDASD&access_token=EAANXZAlBTi........ Because of this I cannot get the parameters in Java.
Has anyone come across this kind of issue?
Please help.
Not sure if I understood the question right, but if you want to read the string after # you can use the following code:
import java.net.URI;

URI uri = new URI("http://test.com/#something=some");
String fragment = uri.getFragment(); // "something=some"
fragment will be everything after #.
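One detail the thread does not spell out: browsers never send the fragment (the part after #) in the HTTP request, so a servlet behind /c/portal/auth/facebook_login cannot read state, code or access_token delivered there no matter how it parses the URL. Script running in the page has to read location.hash and forward what the server needs. As an added example (not code from the original thread), here is a small fragment parser plus the forwarding step; the redirect URL below is constructed for the example, and the state check assumes the client still holds the value it sent with the login link:

```javascript
// Added example: read OAuth response parameters that arrive in the URL fragment.
// Sample redirect constructed for this example (the token value is made up).
const sampleRedirect =
  'http://localhost:8080/c/portal/auth/facebook_login?#state=ASDASDASDASD' +
  '&access_token=EAANXZAlBTi&code=AQDabc&expires_in=5183999';

// Parse "key=value&key2=value2" after the first '#' into a plain object.
// Values are percent-decoded; a missing fragment yields an empty object.
function parseFragment(url) {
  const hashIndex = url.indexOf('#');
  const fragment = hashIndex === -1 ? '' : url.slice(hashIndex + 1);
  const params = {};
  for (const pair of fragment.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Build the form body the browser POSTs to the server. Only state and code are
// forwarded: the server exchanges the code for its own token, and the client-side
// access_token stays in the browser. A state that does not match what we issued
// is treated as a cross-site request forgery attempt and nothing is sent.
function forwardToServer(url, expectedState) {
  const p = parseFragment(url);
  if (!p.state || p.state !== expectedState) {
    return null;
  }
  return new URLSearchParams({ state: p.state, code: p.code || '' }).toString();
}

// In the browser, the redirect page would run something like:
//   const body = forwardToServer(window.location.href, sessionStorage.getItem('oauthState'));
//   if (body) fetch('/c/portal/auth/facebook_login', { method: 'POST', body,
//       headers: { 'Content-Type': 'application/x-www-form-urlencoded' } });
```

The same reasoning tells you why `response_type=code` alone is the easier choice for a server-side Java application: the authorization code then arrives in the query string, which the servlet does see.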

Set SSL after Login/Authentication in Kentico

I have a requirement that once a user has logged in and is authenticated, the URL should be changed to SSL, and when he logs out the URL goes back to HTTP.
I am aware of the properties in the web part where we can set YES/NO/INHERITS/NEVER.
I am able to set HTTPS permanently but not dynamically.
Any suggestion/help is appreciated.
I'm not aware of any functionality within Kentico to do this, but you should be able to create a web part and place it on the master page. This web part would just check the current user, and if there is a user that is logged in, redirect to the https version and vice versa.
You could also add some logic to make sure it doesn't do this in the edit tab in CMS Desk.
You can check the user with
CMSContext.CurrentUser
Some help with redirecting to the secure page can be found at
asp.net c# redirecting from http to https
As Rocky said, there is no functionality out of the box that will do this for you.
You need to create a web part, as suggested by Lukek, that checks that the user is logged in and redirects them to the https address.
The code below will redirect.
// Redirect non-local, non-HTTPS requests to the same URL over HTTPS
if (!Request.IsLocal && !Request.IsSecureConnection)
{
    // Rebuild the scheme instead of string-replacing "http:", which would also
    // hit an "http:" inside the query string; Port = -1 selects the default port
    var secureUrl = new UriBuilder(Request.Url) { Scheme = "https", Port = -1 };
    Response.Redirect(secureUrl.Uri.AbsoluteUri);
}
As suggested by Lukek, you need to check CMSContext.CurrentUser; however, I would also use the HttpContext.User property.
That will ensure the request is https.
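Putting the two answers together, here is an added example (not code from the thread or from Kentico) of the complete "both directions" decision as a pure function, so the scheme logic can be unit-tested outside IIS, plus the thin wrapper the web part would call from Page_Load. It uses HttpContext.User for the login state, as the last answer suggests; the class and method names are my own:

```csharp
using System;
using System.Web;

// Added example: choose the scheme from the login state and redirect if needed.
public static class SchemeRedirect
{
    // Returns the URL to redirect to, or null when the request is already on the
    // scheme its login state calls for. Local requests are never redirected.
    public static string TargetUrl(Uri requestUrl, bool isSecure, bool isLocal, bool isAuthenticated)
    {
        if (isLocal) return null;
        if (isAuthenticated == isSecure) return null;   // logged in + https, or anonymous + http

        var builder = new UriBuilder(requestUrl)
        {
            Scheme = isAuthenticated ? Uri.UriSchemeHttps : Uri.UriSchemeHttp,
            Port = -1                                    // default port for the new scheme
        };
        return builder.Uri.AbsoluteUri;
    }

    // Called from the web part (e.g. in Page_Load on the master page).
    public static void Enforce(HttpContext context)
    {
        HttpRequest request = context.Request;
        bool authenticated = context.User != null && context.User.Identity.IsAuthenticated;

        string target = TargetUrl(request.Url, request.IsSecureConnection, request.IsLocal, authenticated);
        if (target != null)
        {
            context.Response.Redirect(target, endResponse: true);
        }
    }
}
```

One caveat a practitioner would want here: a site that serves the same hostname over both http and https must set the Secure flag on the authentication and session cookies, otherwise the first plain-http request after logout (or any http link a user follows while logged in) sends those cookies in the clear, which is exactly the session-hijack scenario the login-only-over-SSL rule is meant to prevent.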

Custom URL parameters lost after OpenAM login redirection

I'm using OpenAM for authentication on my application. I access my app using a URL such as:
http://my.company.com/appfolder/appservlet?lang=EN&user=test
On first access, the OpenAM agent catches the URL and redirects my browser to the authentication page using this redirection URL:
...openam/UI/Login?goto=http%3A%2F%2Fmy.company.com%3A8080%2Fappfolder
After correct authentication, I'm finally redirected to the following URL:
http://my.company.com/appfolder
This is logical, since this is the URL referenced in the goto param. But it's not the same as the original one: the servlet and the custom params (lang and user) are missing.
Any idea how to configure my agent to make it keep the servlet and params after redirection?
Take a look at this step of the tutorial "Add Authentication to a Website using OpenAM".
In the section "Creating An Access Policy" -> "Wildcard matching" is your answer:
The wildcard * in policy URLs does not match '?'. As such, if you wish to allow GET parameters to be submitted then a second policy for http://webserver.example.com/*?* is required.
Thanks for your answer. As mentioned in my previous comment, adding the new policy does not resolve my issue. Actually, I'm not sure I understand how the policies can solve the issue, since the goto parameter is generated by the J2EE agent, which acts before policies are applied (as far as I know... I may be wrong).
Anyway, I could solve my problem by recompiling the J2EE agent: I built a new agent.jar based on v3.0.3 available at ForgeRock. Then I replaced AmFilterRequestContext.class with a new one, built from the source available here:
http://www.docjar.com/html/api/com/sun/identity/agents/filter/AmFilterRequestContext.java.html
With this new agent, my goto is now correct and redirection works well (and I don't have to define any policy).
The strange thing is that I don't understand why it works now! I couldn't find any difference between the Java source mentioned above and the decompiled version of the original class! I just added some System.out.println calls to get variable values and function results, and built the jar. After restarting my JBoss, the goto was correct. I'll try to understand why this finally works when I have time.
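The goto mechanics in this thread are worth seeing end to end, because both the bug reported and the usual security hole live in the same few lines. As an added example (not code from the thread, from OpenAM or from the J2EE agent), the following models the agent building the login redirect with the full original URL percent-encoded into goto, the failure mode where the query string is appended unencoded and the second parameter is lost, and the login page only honouring goto values for an allowlist of hosts. The login URL and the allowlist are constructed for the example:

```python
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Added example: goto handling for an OpenAM-style login redirect.
# The login URL and the allowlist of return hosts are constructed for this example.
OPENAM_LOGIN = "https://sso.company.com/openam/UI/Login"
ALLOWED_GOTO_HOSTS = {"my.company.com", "my.company.com:8080"}  # assumed allowlist


def build_login_redirect(original_url: str) -> str:
    """Agent side: put the complete original URL (servlet path and query string)
    into goto. safe="" also encodes ':', '/', '?', '=' and '&', which gives the
    %3A%2F... form shown in the question."""
    return OPENAM_LOGIN + "?goto=" + quote(original_url, safe="")


def naive_login_redirect(original_url: str) -> str:
    """The failure mode: goto appended without encoding. Everything after the
    first '&' of the original query string becomes a parameter of the login URL
    instead of part of goto, so 'user=test' is lost on the way back."""
    return OPENAM_LOGIN + "?goto=" + original_url


def resolve_goto(login_redirect: str) -> Optional[str]:
    """Login-page side: decode goto and only honour it for allowlisted hosts.
    An unchecked goto is an open redirect: a phishing link to the genuine login
    page could bounce the freshly authenticated browser anywhere."""
    query = parse_qs(urlsplit(login_redirect).query)
    goto = query.get("goto", [None])[0]
    if goto is None:
        return None
    target = urlsplit(goto)
    if target.scheme not in ("http", "https") or target.netloc not in ALLOWED_GOTO_HOSTS:
        return None
    return goto


if __name__ == "__main__":
    original = "http://my.company.com/appfolder/appservlet?lang=EN&user=test"
    print(build_login_redirect(original))
    print(resolve_goto(build_login_redirect(original)))   # full URL preserved
    print(resolve_goto(naive_login_redirect(original)))   # user=test is gone
```

The allowlist check is the part to keep even if your agent already builds goto correctly: the value arrives from the browser, so anyone who can get a user to click a link to your login page controls it.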

ASP.NET Web API Authorization with AuthorizeAttribute

Using the new ASP.NET Web API beta, I cannot seem to get the suggested method of authenticating users to work, where the suggested approach seems to be to add the [Authorize] filter to the API controllers. For example:
[Authorize]
public IEnumerable<Item> Get()
{
    return itemsService.GetItems();
}
This does not work as intended, though. When requesting the resource, you get redirected to a login form, which is not very suitable for a RESTful web API.
How should I proceed with this? Will it work differently in future versions, or should I fall back to implementing my own action filter?
Double check that you are using the System.Web.Http.AuthorizeAttribute and not the System.Web.Mvc.AuthorizeAttribute. This bit me before. I know the Web API team is trying to pull everything together so that it is familiar to MVC users, but I think some things are needlessly confusing.
Set your authentication mode to None:
<authentication mode="None" />
None: Specifies no authentication. Your application expects only anonymous users or the application provides its own authentication.
http://msdn.microsoft.com/en-us/library/532aee0e.aspx
Of course then you have to provide some sort of authentication via headers or tokens or something. You could also specify Windows and use the built in auth via headers.
If this site is mixed between API and actual pages that do need the Forms setting, then you will need to write your own handling.
All the attribute does is return an HttpUnauthorizedResult instance; the redirection is done outside of the attribute, so it's not the problem, it's your authentication provider.
Finally, I've found a solution at:
ASP.NET MVC 4 WebAPI authorization
This article shows how you can fix this issue.
You are being redirected to the login page because the forms authentication module does this automatically. To get rid of that behavior, disable forms authentication as suggested by Paul.
If you want to use more REST friendly approach you should consider implementing HTTP authorization support.
Take a look at this blog post http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/
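What "HTTP authorization support" looks like in practice, as an added example (not code from the thread or from the linked blog post): a Web API 2 message handler that authenticates from the Authorization header and turns the 401 produced by [Authorize] into a proper challenge instead of a redirect. It assumes forms authentication is off in web.config (the `<authentication mode="None" />` setting from the earlier answer), that `GetRequestContext()` is available (Web API 2), and that the caller supplies the credential check; the class name and the membership call in the registration comment are illustrative:

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Added example: HTTP Basic authentication for ASP.NET Web API 2 as a message handler.
// Only run this over TLS; Basic sends the password base64-encoded, not encrypted.
public class BasicAuthHandler : DelegatingHandler
{
    private readonly Func<string, string, bool> validateCredentials;

    // validateCredentials(user, password) -> true when the pair is valid
    public BasicAuthHandler(Func<string, string, bool> validateCredentials)
    {
        this.validateCredentials = validateCredentials;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && auth.Scheme == "Basic" && !string.IsNullOrEmpty(auth.Parameter))
        {
            string user = TryAuthenticate(auth.Parameter);
            if (user != null)
            {
                // [Authorize] on the controllers checks this principal.
                var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
                request.GetRequestContext().Principal = principal;
                Thread.CurrentPrincipal = principal;
            }
        }

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // Tell HTTP clients how to authenticate rather than sending them to a login form.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        }
        return response;
    }

    // Returns the user name when base64("user:password") decodes and validates, else null.
    private string TryAuthenticate(string parameter)
    {
        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter));
        }
        catch (FormatException)
        {
            return null;            // malformed header: treat the request as anonymous
        }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return null;

        string user = decoded.Substring(0, colon);
        string password = decoded.Substring(colon + 1);
        return validateCredentials(user, password) ? user : null;
    }
}

// Registration in WebApiConfig.Register; the membership call is a placeholder:
// config.MessageHandlers.Add(new BasicAuthHandler(
//     (user, password) => Membership.ValidateUser(user, password)));
```

A malformed or failed Authorization header leaves the request anonymous rather than failing it outright, so endpoints without [Authorize] keep working and protected ones get the 401 plus WWW-Authenticate from the filter; if a site mixes API and forms-authenticated pages, this handler only applies to the Web API pipeline, and the forms module still has to be kept away from the API routes.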
ASP.NET 5 introduced the new Microsoft.AspNet.Authorization system, which can secure both MVC and Web API controllers.
For more see my related answer here.
Update:
At that time 2 years ago it was Microsoft.AspNetCore.Authorization.
As @Chris Haines pointed out, it now resides in
Microsoft.AspNetCore.Authorization.
From .NET Core 1.0 to 2.0 many namespaces were moved, I think.
And the spread of functionality between .NET classic and Core was obscure.
That's why Microsoft introduced .NET Standard.
.net standard
Also, look at my answer for:
How to secure an ASP.NET Web API
There is a NuGet package I have created which you can use for convenience.
If you're using a Role, make sure you have it spelled correctly:
If your role is called 'Administrator' then this, for instance, will not work:
[System.Web.Http.Authorize(Roles = "Administator")]
Neither will this :
[System.Web.Http.Authorize(Roles = "Administrators")]
Oops...
using AutoMapper;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Produces("application/json")]
[Route("api/[controller]")]
public class CitiesController : Controller
{
    // director, City and CityDTO come from the poster's own project
    [HttpGet("[action]")]
    public IActionResult Get(long cityId) =>
        Ok(Mapper.Map<City, CityDTO>(director.UnitOfWork.Cities.Get(cityId)));
}
Use [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] to filter by authentication type.

IIS7 URL rewrite + subdomain + ASP.Net MVC2

So I am working on a project with multiple areas, and we would like to configure IIS to rewrite our requests to make the URLs nicer. I have been messing around with the URL Rewrite module all day and I cannot get the desired results.
Example:
I currently have a long URL like 'http://register.example.com/Registration/Register/New' where Area = Registration, Controller = Register...
I would like the user to request the site as 'http://register.example.com' and have it hit the Register controller, which I have configured to default to the 'New' action. Because I gave the subdomain of register, IIS knows that it will be using the 'Registration' area.
The finish URL would be something like 'http://register.example.com/Register/Finish'.
Is this possible?
Thanks,
John
Seeing as how you have marked MVC in your tags, you realize you can do this with a route.
' Default Catch All MapRoute
routes.MapRouteLowercase( _
    "Registration", _
    "{controller}/{action}/{step}", _
    New With {.controller = "Register", .action = "Registration", .step = "New"})
Then you just make a separate "website" in IIS to host the registration application.
PS... IMO sub-domains are overrated and often bad practice for the implementation you are describing. A sub-domain is used to describe a physical computer (i.e. your SQL server could be on sql.domain, your web is on both domain and www.domain, and your email is on smtp.domain); it should not be used to separate sections of a single website. Also, many search engines index http://subdomain.example.com separately from http://www.example.com, so your SEO values go way, way down.
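If you want the routing itself, rather than an IIS rewrite or a separate site, to decide that a request on the register subdomain belongs to the Registration area, a route constraint on the host works with the route approach the answer describes. As an added example (not code from the thread), here is such a constraint and the route that uses it; the controller namespace is an assumption:

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Added example: pick the MVC area from the subdomain of the request.
public class SubdomainConstraint : IRouteConstraint
{
    private readonly string subdomain;

    public SubdomainConstraint(string subdomain)
    {
        this.subdomain = subdomain;
    }

    public bool Match(HttpContextBase httpContext, Route route, string parameterName,
                      RouteValueDictionary values, RouteDirection routeDirection)
    {
        // The Host header is supplied by the client. It is only compared against a
        // fixed expected prefix here; never use it unvalidated to build absolute links.
        string host = httpContext.Request.Url.Host;
        return host.StartsWith(subdomain + ".", StringComparison.OrdinalIgnoreCase);
    }
}

public static class RegistrationRoutes
{
    public static void Register(RouteCollection routes)
    {
        // http://register.example.com/                 -> Registration area, Register/New
        // http://register.example.com/Register/Finish  -> Registration area, Register/Finish
        Route route = routes.MapRoute(
            name: "RegistrationSubdomain",
            url: "{controller}/{action}",
            defaults: new { controller = "Register", action = "New" },
            constraints: new { subdomain = new SubdomainConstraint("register") },
            namespaces: new[] { "MyApp.Areas.Registration.Controllers" });   // assumed namespace

        route.DataTokens["area"] = "Registration";
        route.DataTokens["UseNamespaceFallback"] = false;   // don't fall back to other areas' controllers
    }
}
```

Register this route before the default catch-all so it is tried first; the constraint rejects requests on any other host and lets them fall through to the normal routes.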