WildFly Picketlink SAML 2.0 POST-Binding AuthnRequest - single-sign-on

I have to implement a SAML 2.0 identity provider with a WildFly server and PicketLink, but I am stuck at the authentication process. I followed the PicketLink guide and also looked at the quickstarts on GitHub, but I still cannot get it working.
The problem is that my service provider sends a POST AuthnRequest to the WildFly server, which redirects via a GET request to login.jsp; my SAMLRequest attribute is then gone, and after a successful login the IDPFilter can't get the SAMLRequest attribute. Because of that, the user is neither authenticated on the service provider nor redirected back to it.
I'm using a very basic FORM authentication which I configured in the web.xml of my identity provider project.
WildFly Version: 8.1.0-FINAL
Picketlink Version: 2.7.1.Final
Firefox network monitoring:
picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true"
AttributeManager="org.picketlink.identity.federation.bindings.wildfly.idp.UndertowAttributeManager"
RoleGenerator="org.picketlink.identity.federation.bindings.wildfly.idp.UndertowRoleGenerator">
<IdentityURL>${idp.url::http://localhost:7080/idp}</IdentityURL>
<Trust>
<Domains>locahost</Domains>
</Trust>
<KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
<Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
<Auth Key="KeyStorePass" Value="changeit" />
<Auth Key="SigningKeyPass" Value="changeit" />
<Auth Key="SigningKeyAlias" Value="wildfly" />
<ValidatingAlias Key="localhost" Value="wildfly" />
<ValidatingAlias Key="127.0.0.1" Value="wildfly" />
</KeyProvider>
<MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntityMetadataProvider">
<Option Key="FileName" Value="/WEB-INF/classes/test_sp_metadata.xml"/>
</MetaDataProvider>
</PicketLinkIDP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2EncryptionHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
</Handlers>
</PicketLink>
web.xml
...
<display-name>PicketLink Identity Provider</display-name>
<description>PicketLink Identity Provider Using a Servlet Filter</description>
<listener>
<listener-class>org.picketlink.identity.federation.web.listeners.IDPHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>IDPFilter</filter-name>
<filter-class>org.picketlink.identity.federation.web.filters.IDPFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>IDPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
I hope you can help me with this problem...
Greetings, Chris


Getting 502 http status code on a Service Fabric stateless service deployed on lesser node than configured VM Scaleset nodes

We have deployed various stateless services on a 5-node cluster with -1 as the instance count and a Singleton partition scheme. Recently, we decided to deploy a few of the stateless services on only 3 of the 5 nodes by defining the instance count as 3.
After deployment, the stateless services with -1 as the instance count are working and responding with HttpStatus 200 OK. However, a stateless service deployed with an instance count of 3 is intermittently responding with HttpStatus 502 and the following error (from Fiddler):
The connection to 'someservername.centralus.cloudapp.azure.com' failed.
System.Security.SecurityException Failed to negotiate HTTPS connection with server.fiddler.network.https> HTTPS handshake to someservername.centralus.cloudapp.azure.com failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.
Below is the application manifest of the deployed application for reference:
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="MyService.ServiceFabricType" ApplicationTypeVersion="1.0.0.1.1" ManifestId="8747c387-a7fc-4b05-b189-b1c01958f066" xmlns="http://schemas.microsoft.com/2011/01/fabric">
<Parameters>
<Parameter Name="My_Service_ASPNETCORE_ENVIRONMENT" DefaultValue="" />
<Parameter Name="My_Service_InstanceCount" DefaultValue="3" />
</Parameters>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="MyServicePkg" ServiceManifestVersion="1.0.0.1.1" />
<ConfigOverrides />
<EnvironmentOverrides CodePackageRef="code">
<EnvironmentVariable Name="ASPNETCORE_ENVIRONMENT" Value="[My_Service_ASPNETCORE_ENVIRONMENT]" />
</EnvironmentOverrides>
</ServiceManifestImport>
<DefaultServices>
<Service Name="MyService" ServicePackageActivationMode="ExclusiveProcess">
<StatelessService ServiceTypeName="MyServiceType" InstanceCount="[My_Service_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
</DefaultServices>
</ApplicationManifest>
and the service manifest:
<ServiceManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ManifestId="59ea463b-5e4c-44f5-8982-5658b35d6c89" Name="MyServicePkg" Version="1.0.0.1.1" xmlns="http://schemas.microsoft.com/2011/01/fabric">
<ServiceTypes>
<StatelessServiceType ServiceTypeName="MyService" />
</ServiceTypes>
<CodePackage Name="Code" Version="1.0.0.1.1">
<EntryPoint>
<ExeHost>
<Program>MyService.exe</Program>
<WorkingFolder>CodePackage</WorkingFolder>
</ExeHost>
</EntryPoint>
<EnvironmentVariables>
<EnvironmentVariable Name="ASPNETCORE_ENVIRONMENT" Value="" />
</EnvironmentVariables>
</CodePackage>
<ConfigPackage Name="Config" Version="1.0.0.1.1" />
<Resources>
<Endpoints>
<Endpoint Name="ServiceEndpoint" Protocol="https" Type="Input" Port="9226" />
</Endpoints>
</Resources>
</ServiceManifest>
Is it mandatory to deploy a stateless service to all nodes in Service Fabric?
If not, how can the above scenario be configured?
Note - Currently Service Fabric is configured with the Silver durability tier and with the reverse proxy disabled. I also did not find any relevant solution in the Azure documentation.

Spring security - GWT redirect after Authentication

I have a GWT application that I am trying to log in to using Spring Security. Currently, after a successful login, I am redirected back to the login page. I am guessing this is because of my Spring configuration and my lack of Spring Security knowledge.
In my spring-security.xml I define my intercepts like so:
<security:http auto-config="true">
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
I am guessing that the issue is the access="isAuthenticated()" part, but I am not sure. I want it to redirect to the GWT page/app, which will handle the view based on the role returned. I made a very simple GWT app with this method and it worked.
I am using the Spring generated login page and not a JSP.
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- This is where we configure Spring-Security -->
<security:http auto-config="true">
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
<b:bean id="graplAuthentication" class="com.foo.rim.security.GraplAuthentication"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="graplAuthentication" />
</security:authentication-manager>
</b:beans>
This turned out to be two things.
1) I needed to add use-expressions="true" so it would pick up the access= attribute:
<security:http auto-config="true" use-expressions="true">
2) I had a custom user Authentication class and forgot to set the Authenticated boolean to true. Both of these got it working correctly.
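As an added illustration of the second fix (this is not code from the question or the answer), a minimal custom AuthenticationProvider that returns a token already marked as authenticated. The class name matches the graplAuthentication bean in the spring-security.xml above; the in-memory user store, its sample user and the role are hypothetical.

```java
package com.foo.rim.security;

import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Hypothetical provider wired as <b:bean id="graplAuthentication" .../>.
 * The point of the example: return a token built with the three-argument
 * constructor, which marks it as authenticated. The two-argument constructor
 * leaves isAuthenticated() false, which is the mistake described in the answer.
 */
public class GraplAuthentication implements AuthenticationProvider {

    // Constructed sample user store (assumption for the example). A real
    // provider would look the user up and compare hashes via a PasswordEncoder.
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "s3cret");
    private static final Map<String, String> ROLES =
            Collections.singletonMap("alice", "ROLE_ADMIN");

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String name = auth.getName();
        String presented = auth.getCredentials() == null ? "" : auth.getCredentials().toString();

        String expected = USERS.get(name);
        if (expected == null || !expected.equals(presented)) {
            // Throwing (rather than returning null) tells ProviderManager the
            // credentials were checked and rejected, so the login page is shown again.
            throw new BadCredentialsException("Bad credentials");
        }

        List<GrantedAuthority> authorities =
                Collections.<GrantedAuthority>singletonList(new SimpleGrantedAuthority(ROLES.get(name)));

        // Three-argument constructor: authenticated = true. Credentials are
        // passed as null so the password is not kept in the security context.
        return new UsernamePasswordAuthenticationToken(name, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```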

different Content-Types in the end point response

I have a REST API with Content-Type = application/json, provided by a Tomcat server.
This means that all the responses are supposed to be in JSON format.
The REST API is called by the WSO2 ESB to pass some data.
In case the application providing the REST API is down (but the Tomcat server is still up), Tomcat replies with HTTP code 404 and Content-Type=text/html (sending the HTML page "The requested resource is not available."), which results in the ESB error "Error while building message"; the ESB crashes and loses the message.
Can you please suggest how to handle such a scenario? I'd need to receive the message and react to this event. Is there perhaps a way to dynamically switch content types?
Can you try this with your own modification:
<?xml version="1.0" encoding="UTF-8"?>
<sequence xmlns="http://ws.apache.org/ns/synapse" name="fault_filter_based_http_status_code" trace="disable">
<filter regex="401" source="get-property('axis2', 'HTTP_SC')">
<then>
<makefault version="soap11">
<code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/" value="soap11Env:Server"/>
<reason value="Unauthorized to access the resource"/>
<role/>
</makefault>
<send/>
</then>
<else/>
</filter>
<filter regex="500" source="get-property('axis2', 'HTTP_SC')">
<then>
<makefault version="soap11">
<code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/" value="soap11Env:Server"/>
<reason value="Internal Server Error Occurred"/>
<role/>
</makefault>
<send/>
</then>
<else/>
</filter>
</sequence>
Take a look: http://harshcreationz.blogspot.com/2016/02/common-and-error-handling-sequences.html

Open Worklight Console using https and secure port on Worklight development

I'm facing an issue where I need to open my Worklight development console using the secure port, so that I can also open the analytics server using the secure port.
I tried to find my answer in this:
IBM Worklight 6.0 - Mixed port numbers after enabling console login authentication?
But I wasn't successful.
My server.xml is:
<server description="worklight">
<featureManager>
<feature>servlet-3.0</feature>
<feature>jndi-1.0</feature>
<feature>jdbc-4.0</feature>
<feature>restConnector-1.0</feature>
<feature>jsp-2.2</feature>
<feature>appSecurity-1.0</feature>
<feature>ssl-1.0</feature>
<!--
<feature>appSecurity-2.0</feature>
<feature>ldapRegistry-3.0</feature>
-->
<feature>localConnector-1.0</feature>
</featureManager>
<webContainer invokeFlushAfterService="false"/>
<webContainer com.ibm.ws.webcontainer.suppressLoggingServiceRuntimeExcep="true"/>
<webContainer deferServletLoad="false"/>
<!-- non standard ports were used to avoid future collision with other WebSphere products. -->
<httpEndpoint host="*" httpPort="10080" httpsPort="10443" id="defaultHttpEndpoint">
<tcpOptions soReuseAddr="true"/>
</httpEndpoint>
<!-- change Worklight server side logging:
change consoleLogLevel to INFO to see Worklight JavaScript Logger API output
(for example: in Worklight Adapters).
-->
<logging consoleLogLevel="AUDIT" copySystemStreams="false"/>
<!-- enable next element for Worklight Server traces.
change traceSpecification to enable fine grain printing to trace.log file.
<logging traceSpecification="com.worklight.*=debug=enabled"/>
-->
<applicationMonitor updateTrigger="mbean"/>
<!--
Thread pool
-->
<executor coreThreads="200" id="default" keepAlive="60s" maxThreads="400" name="LargeThreadPool" rejectedWorkPolicy="CALLER_RUNS" stealPolicy="STRICT"/>
<administrator-role>
<user>admin</user>
</administrator-role>
<keyStore id="defaultKeyStore" password="worklight"/>
<jndiEntry jndiName="ibm.worklight.admin.jmx.host" value="localhost"/>
<jndiEntry jndiName="ibm.worklight.admin.jmx.port" value="10443"/>
<jndiEntry jndiName="ibm.worklight.topology.platform" value="Liberty"/>
<jndiEntry jndiName="ibm.worklight.topology.clustermode" value="Standalone"/>
<!--
Worklight Console settings START ...
-->
<basicRegistry id="worklight" realm="worklightRealm">
<user name="demo" password="demo"/>
<user name="monitor" password="demo"/>
<user name="deployer" password="demo"/>
<user name="operator" password="demo"/>
<user name="admin" password="admin"/>
</basicRegistry>
<!--
JMX admin user JNDI entries
-->
<jndiEntry jndiName="ibm.worklight.admin.jmx.user" value="admin"/>
<jndiEntry jndiName="ibm.worklight.admin.jmx.pwd" value="admin"/>
<!--
Disabling security integration
-->
<httpSession securityIntegrationEnabled="false"/>
<!--
Declare the IBM Worklight Admin Services application.
-->
<application context-root="worklightadmin" id="worklight-management-service" location="worklight-management-service.war" name="WorklightServices" type="war">
<application-bnd>
<security-role name="worklightadmin">
<user name="admin"/>
</security-role>
<security-role name="worklightdeployer">
<user name="deployer"/>
</security-role>
<security-role name="worklightmonitor">
<user name="monitor"/>
</security-role>
<security-role name="worklightoperator">
<user name="operator"/>
</security-role>
</application-bnd>
<classloader delegation="parentLast">
<privateLibrary>
<fileset dir="${wlp.install.dir}/lib" includes="com.ibm.ws.crypto.passwordutil*.jar"/>
</privateLibrary>
</classloader>
</application>
<!--
Declare the IBM Worklight Admin Console application.
-->
<application context-root="worklightconsole" id="worklight-management-ui" location="worklight-management-ui.war" name="WorklightConsole" type="war">
<application-bnd>
<security-role name="worklightadmin">
<user name="admin"/>
</security-role>
<security-role name="worklightdeployer">
<user name="deployer"/>
</security-role>
<security-role name="worklightmonitor">
<user name="monitor"/>
</security-role>
<security-role name="worklightoperator">
<user name="operator"/>
</security-role>
</application-bnd>
</application>
<library id="DerbyLib">
<fileset dir="${wlp.user.dir}/shared/resources/derby" includes="derby.jar"/>
</library>
<!--
Declare the IBM Worklight Console admin database.
-->
<dataSource jndiName="worklightadmin/jdbc/WorklightAdminDS" transactional="false">
<jdbcDriver libraryRef="DerbyLib"/>
<properties.derby.embedded createDatabase="create" databaseName="${wlp.user.dir}/shared/resources/derbyDB/WLADMIN" user="WLADMINISTRATOR"/>
</dataSource>
<!--
... Worklight Console settings END
-->
<application id="_MobileBrowserSimulator" location="_MobileBrowserSimulator.war" name="_MobileBrowserSimulator" type="war"/>
<application context-root="/_analytics" id="_analytics" location="_analytics.war" name="_analytics" type="war">
<classloader delegation="parentLast"/>
</application>
<library id="worklight-6.2.0">
<fileset dir="${wlp.user.dir}/shared/resources" includes="worklight-jee-library-6.2.0.jar"/>
<fileset dir="${wlp.install.dir}/lib" includes="com.ibm.ws.crypto.passwordutil*.jar"/>
</library>
<application context-root="/MobileGRS" id="MobileGRS" location="MobileGRS.war" name="MobileGRS" type="war">
<classloader commonLibraryRef="worklight-6.2.0">
<privateLibrary>
<fileset dir="${wlp.user.dir}/shared/resources" includes="org.hsqldb.hsqldb_2.2.5.jar"/>
</privateLibrary>
</classloader>
</application>
<jndiEntry jndiName="MobileGRS/wl.analytics.queue.size" value="1"/>
<jndiEntry jndiName="MobileGRS/wl.analytics.url" value="http://localhost:10080/_analytics/data"/>
</server>
worklight.properties:
# HTTP or HTTPS
publicWorkLightProtocol=https
# For default port leave empty
publicWorkLightPort=10443
When I click "Open Worklight Console" in Eclipse, it opens on port 10080:
http://192.168.0.102:10080/worklightconsole/index.html#
If I change the port to 10443, I can't connect.
Am I missing something?
WL version 6.2.0.1
Thanks
As can be seen in your server.xml, you did not change the Analytics URL to be HTTPS and 10443...
<jndiEntry jndiName="MobileGRS/wl.analytics.url" value="http://localhost:10080/_analytics/data"/>
After that, accessing the console at https://localhost:10443/worklightconsole worked, as well as https://localhost:10443/_analytics/console.
The above URLs were of course prompted as unsafe because I did not add a valid SSL certificate to the server.
Note that the Analytics console URL in the Worklight Console still uses HTTP. You'll need to manually change that to HTTPS (couldn't find where to change that).

The endpoint reference (EPR) for the Operation not found using glassfish n wso2esb

I am new to WSO2 ESB.
I am trying a simple web service program:
package testmart;
import javax.jws.WebService;
@WebService
public class testone {
public String testMethod()
{
return "success";
}
}
I am using GlassFish server and created a proxy on WSO2 ESB by giving the following details:
web service url: http://localhost:8080/testmart/testoneService
wsdl url :http://localhost:8080/testmart/testoneService?wsdl
After creating it, it shows a "success" message. But when I test it, the following error comes up:
<soapenv:Fault xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:axis2ns7="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Code>
<soapenv:Value>axis2ns7:Client</soapenv:Value>
</soapenv:Code>
<soapenv:Reason>
<soapenv:Text xml:lang="en-US" xmlns:xml="http://www.w3.org/XML/1998/namespace">
The endpoint reference (EPR) for the Operation not found is /services/testmart1.testmart1HttpSoap12Endpoint and the WSA Action = null. If this EPR was previously reachable, please contact the server administrator.
</soapenv:Text>
</soapenv:Reason>
<soapenv:Detail/>
</soapenv:Fault>
Below is my esb source view code:
<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://ws.apache.org/ns/synapse">
<registry provider="org.wso2.carbon.mediation.registry.WSO2Registry">
<parameter name="cachableDuration">15000</parameter>
</registry>
<proxy name="testmart1"
transports="https http local"
startOnLoad="true"
trace="disable">
<description/>
<target>
<endpoint>
<address uri="http://localhost:8080/testmart/testoneService"/>
</endpoint>
<outSequence>
<send/>
</outSequence>
</target>
<publishWSDL uri="http://localhost:8080/testmart/testoneService?wsdl"/>
</proxy>
<sequence name="fault">
<log level="full">
<property name="MESSAGE" value="Executing default 'fault' sequence"/>
<property name="ERROR_CODE" expression="get-property('ERROR_CODE')"/>
<property name="ERROR_MESSAGE" expression="get-property('ERROR_MESSAGE')"/>
</log>
<drop/>
</sequence>
<sequence name="main">
<in>
<log level="full"/>
<filter source="get-property('To')" regex="http://localhost:9000.*">
<send/>
</filter>
</in>
<out>
<send/>
</out>
<description>The main sequence for the message mediation</description>
</sequence>
</definitions>
I read all the posts about this error but could not solve this problem.
Any sort of help would be highly appreciated, as this was the first example I tried and I have been stuck for hours.
Thanks in advance.
When you send the request, check if the SOAPAction is set. If not, you can specify it in two ways:
ESB level
Set the property before the send mediator:
<property name="SOAPAction" value="urn:SOAPAction" scope="transport"/>
Client level
You can specify the SOAPAction in the client-side code. Specify it in the options as shown below:
options.setAction("urn:SOAPAction");
In the web interface of WSO2 ESB, click "Source View" for your proxy and put these lines:
...
<parameter name="serviceType">proxy</parameter>
<parameter name="disableOperationValidation">true</parameter>
...
before the tag: <description/>
On WebSphere Application Server, in the same situation, deleting the Temp folders while the server was stopped helped.
You are using WSO2 ESB, so you need to specify it like this:
@WebMethod(action = "testMethod", operationName = "testMethod")
public String testMethod()
The above annotation has to be used in the Web service implementation class.