How to get the reason of login failure in clients while using Grails Spring Security Rest plugin? - rest

We are using Grails Spring Security Rest plugin 1.5.2 with Grails 2.5.2.
Unfortunately it doesn't seem to report any reason why a login failure occurred. The only thing we get from the login request is HTTP 401.
We have a mechanism where after a number of login failures we set the accountLocked property of the User, so the account becomes disabled/locked.
We would like to get at least a JSON response of why the login failed, like "User account is locked", "Bad credentials", "No such user", etc.
Is there a way to do this with current versions that we use?

The plugin doesn't support that out of the box. However, you can easily work around it by replacing RestAuthenticationFailureHandler with your own implementation and wiring it in resources.groovy as restAuthenticationFailureHandler.
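A replacement failure handler of the kind the answer describes, as an added example that is not code from the plugin or the original answer. It is written in Java for illustration (in a Grails 2.5 app it would normally live in src/groovy or src/java); the class name, package, constructor flag and JSON field names are assumptions. It keeps the 401 status and adds a JSON body whose reason is derived from Spring Security's AuthenticationException subclasses, which is where "account locked" and "bad credentials" are already distinguished:

```java
// Added example, not the plugin's code. Package and class name are hypothetical.
package com.example.auth;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/**
 * Replacement for the plugin's RestAuthenticationFailureHandler: still answers
 * HTTP 401, but with a small JSON body saying why authentication failed.
 */
public class ReasonReportingFailureHandler implements AuthenticationFailureHandler {

    /** Whether "no such user" may be reported separately from "bad credentials". */
    private final boolean revealUnknownUser;

    public ReasonReportingFailureHandler(boolean revealUnknownUser) {
        this.revealUnknownUser = revealUnknownUser;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // Field names "error" and "reason" are this example's own choice.
        response.getWriter().write(
            "{\"error\":\"unauthorized\",\"reason\":\"" + reasonFor(exception) + "\"}");
    }

    /** Maps Spring Security's exception hierarchy onto a short client-facing reason. */
    String reasonFor(AuthenticationException e) {
        if (e instanceof LockedException)             return "User account is locked";
        if (e instanceof DisabledException)           return "User account is disabled";
        if (e instanceof AccountExpiredException)     return "User account has expired";
        if (e instanceof CredentialsExpiredException) return "Password has expired";
        if (e instanceof UsernameNotFoundException && revealUnknownUser) {
            return "No such user";
        }
        // Unknown user and wrong password collapse to one message unless explicitly
        // revealed, so the response does not tell a caller which usernames exist.
        if (e instanceof BadCredentialsException || e instanceof UsernameNotFoundException) {
            return "Bad credentials";
        }
        return "Authentication failed";
    }
}
```

Register it in grails-app/conf/spring/resources.groovy under the plugin's bean name, for example `restAuthenticationFailureHandler(ReasonReportingFailureHandler, false)`. Two things to check in your setup: Spring Security's DaoAuthenticationProvider hides UsernameNotFoundException by default (it is rethrown as BadCredentialsException), so "No such user" only reaches the handler if hideUserNotFoundExceptions is switched off; and the locked/disabled messages themselves confirm that an account exists, so decide per deployment whether the API should say more than "Bad credentials" for those cases.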

Postman request showing IBM cloud down for maintenance

I am trying to send a POST request to create a toolchain on IBM Cloud but have been getting the error shown in the screenshot for the last three days.
Why is this error coming up? Am I doing something wrong?
Also I checked IBM: none of the servers are down, the cloud is normal.
EDIT: So now I am able to create the toolchain; it seems it was an Authorization token error.
But now I am not able to add a delivery pipeline through an API to an existing toolchain. Is this functionality provided in IBM?
We are trying to understand your situation, but we have not been able to reproduce that Error 500 and "IBM Cloud console is down for maintenance" error you're seeing.
Could you try it again and let us know the datestamp & timezone of when you tried (so we can check our logs)?
Also, can you give us the details of your default region, please? As in, if you open
https://cloud.ibm.com/devops/toolchains
does it redirect to:
https://cloud.ibm.com/devops/toolchains?env_id=ibm%3Ayp%3Aeu-de
or to some other non-(eu-de) region?
We did see this entry in the log files:
[2019-07-31T15:06:43.934] [ERROR] template-v2 - Failed to read template from repo https://github.com/open-toolchain/simple-toolchain, branch master, type null: Authorization header contains invalid or expired credentials.
but that occurs when using an invalid Authorization header token, and the response to the browser is not Error 500, but is Error 400 with:
"errorDetails\":\"Property 'access_token' either missing or empty \"
Also, when attempting to create the open-toolchain/simple-toolchain template, it doesn't work; it gives Error 400:
"description":"Failed Schema Validation at prod-region,prod-organization,prod-space,api-key for pipeline"
but creating a toolchain works ok using the repository:
https://github.com/open-toolchain/headless-toolchain
You can provision a toolchain with components such as a delivery pipeline using a GET request. The building blocks are described in the documentation for the IBM Cloud Continuous Delivery service as part of creating a "Deploy" button.
There are some tutorials that use that deploy button to build more complex solutions, like the secure-file-storage, logistics-wizard-toolchain, or insurance-toolchain.
The GET request starts off a more complex flow because you need to log in, often provide values, etc. So I would recommend trying that request in a browser and not Postman.
I am now able to create a toolchain using a POST request.
I was using the wrong token for Authorization and got confused since no error message was shown; instead, "IBM cloud is under maintenance" popped up.

Kentico Multisite Azure Application Gateway App Service MVC configuration issue - 502 error

TL;DR - How can I get the Azure Application Gateway to pass 5.xx errors from the App Service to my browser? Currently the Application Gateway swallows any 5.xx error generated by the App Service and delivers a "502 - Web server received an invalid response while acting as a gateway or proxy server" error. I want to see the underlying error. And, I guess, have the Application Gateway ignore the error and just pass everything directly through from the App Service to my browser.
I've turned on Application Logging for the App Service. I can see some 5.xx errors in the LogFiles/DetailedErrors folder. But I think I'm missing some understanding of what Kentico does when it throws a 5.xx error. Normally if you're on a normal server or locally, you don't see the generic 503 page as your browser is redirected to the 'Invalid license key' page.
I don't know what sort of internal (black) magic Kentico does to deliver this page, rather than the normal asp.net 503 Service Unavailable page. But this page is very useful to see, as it gives an idea of what's really wrong with the Kentico configuration.
Background:
Kentico seems to use some 5.xx errors for information. E.g., the license check throws a 503 error, instead of a useful 200 status with a message that you need to check your license.
We have a Kentico 11 MVC site. It hosts multiple websites. We are trying to set up an Azure Application Gateway that points to two App Services, one for MVC, one for Kentico admin.
So far I have the Kentico admin working properly - multiple domains can all access the CMSDesk via the Application Gateway. However, the MVC site is problematic. I can only get the default domain for the App Service to work. All other domains show a 502 error.
I'm thinking that the 'default' domain of the App Service works properly because the Application Gateway isn't forwarding the domain properly to the App Service, but I don't know how to verify this. And it's just my latest theory, and it's pretty shaky - if I remove the app, and just put static .htm files there, I can browse to them without error.
It seems that the "502 - Web server received an invalid response while acting as a gateway or proxy server" message is served up by the Application Gateway for any 5.xx error generated by the App Service, essentially hiding details of any Server Error issues that may arise. E.g.: the Kentico license error generates a 503 that is presented as a problem with this module: "PageHandlerFactory-Integrated-4.0", rather than the obvious 'invalid license' screen that you normally see when Kentico is hosted on a normal server.
The Invalid license error will only show for the Admin site, not the MVC site. I've never looked into what happens when that error is displayed; I just always go in and add my missing license. If you want to get the full error, I would make sure you are logging all errors in your MVC into the Event log in Kentico.
In your Global.asax.cs file, you can probably do something like this:
    using System;
    using CMS.EventLog;   // namespace that provides EventLogProvider

    // Global.asax.cs: write every unhandled exception to the Kentico event log
    public void Application_Error(Object sender, EventArgs e)
    {
        Exception exception = Server.GetLastError();
        // source "MVC", event code "EXCEPTION": both show up as columns in the Event log
        EventLogProvider.LogException("MVC", "EXCEPTION", exception);
    }
Then you should be able to see the error in the Admin Event log.
This post may help with capturing errors in MVC better. I did something like this answer for displaying errors on the MVC site.
As soon as the Application Gateway detects a backend as unhealthy, you'll see the 502 error.
You can adjust the Health probe in your Application Gateway, so that the probe matching conditions include code 503. For example, set the condition to 200-503.
After you've done that, you should see the 503 page from Kentico.

Apache Camel HTTPS4 Basic Authentication

Does Camel-Http4 support Basic Authentication?
Followed this and other posts
Camel http4 download file using Basic authentication over Https
I am using camel 2.17.3 version, using the camel-http4 component. The route sends an https4 multipart request to a REST endpoint. The REST service is behind SiteMinder. I have truststore/keystore/cert all set up and it works fine; just sending basic auth is causing trouble.
Using Postman I was able to call REST services with basic auth. However, all the calls from the camel route fail and get HTTP error 403.
I tried the options below to get it working:
Added basic auth to the HttpConfiguration - got HTTP error 401
Added "Authorization" header to the route, as mentioned in the above link - got HTTP error 403
Added method, user, pass to HTTP_Query - 403; also the clear-text password is visible in the SiteMinder logs, which is not good, so I dropped this option.
Please help resolve this issue with some working example and explain the cause.
Is camel dropping http headers?
Also I am now thinking: should I consider using other available components, netty/jetty/cxf?? But I prefer getting HTTPs4 working :)
Thanks
To help others with a working example, here is how I got it...
1) Check the SiteMinder policy and also ensure the user has the correct permissions for the services.
2) Passing user/password as a query parameter isn't safe (at least it wasn't in my case); the clear-text password was exposed in SiteMinder.
3) Setting the Authorization header
apache-camel-basic-http-auth
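A route that follows the answer's third step, as an added example rather than the poster's own working code. It assumes Camel 2.17 with camel-http4 on Java 8; the package, class name, direct endpoint name and the https4 host/path are placeholders. The Basic value goes on the Authorization header, which camel-http4 copies onto the outgoing request, rather than into CamelHttpQuery, so the password does not appear in the SSO or proxy access logs the question mentions:

```java
// Added example, not from the original question or answer. Names below are hypothetical.
package com.example.camel;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;

/**
 * Calls a SiteMinder-protected REST endpoint over https4 with HTTP Basic credentials
 * carried in the Authorization header instead of the query string.
 */
public class BasicAuthRoute extends RouteBuilder {

    private final String user;
    private final String password;

    /** Credentials are injected (from properties, a vault, etc.), never hardcoded in the route. */
    public BasicAuthRoute(String user, String password) {
        this.user = user;
        this.password = password;
    }

    /** RFC 7617 header value: "Basic " + base64(user ":" password). */
    static String basicAuthorization(String user, String password) {
        byte[] token = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(token);
    }

    @Override
    public void configure() {
        from("direct:callProtectedService")
            // camel-http4 forwards non-Camel headers such as Authorization to the server.
            .setHeader("Authorization", constant(basicAuthorization(user, password)))
            .setHeader(Exchange.HTTP_METHOD, constant("POST"))
            // Placeholder endpoint; throwExceptionOnFailure=false lets the route inspect 401/403
            // itself instead of failing with HttpOperationFailedException.
            .to("https4://service.example.invalid/api/upload?throwExceptionOnFailure=false")
            // Log the status only; logging headers here would leak the credentials again.
            .log("upstream responded ${header.CamelHttpResponseCode}");
    }
}
```

If the header is set this way and the service still answers 403, the answer's first step applies: 401 means the credentials were not accepted, while 403 means the authenticated user is not permitted by the SiteMinder policy for that resource, so the policy and the user's entitlements are the things to check next.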

Keycloak security for Spring base rest apis

I want to integrate keycloak security features to my spring boot based rest apis.
I am using KeyCloak 1.3.1 Final.
Now this is a pure REST based API and I am doing my testing through Postman.
I have got my REST API secured and when I try to access it, it does ask me for authorization, but I am not able to execute my request. Basically I am locked out of my API.
I will quickly list out things that I have already done
Created a spring boot rest api and tested it. It works fine.
Modified my gradle for KeyCloak and configured it as per this document
Configured my keyCloak for the "bearer only" application
I tried to generate an access token, but I was not able to. Therefore I created another Client in keycloak with "confidential" and used this client to generate the access token (both the clients were pointing to the same application. I am not sure if this is correct)
With this access token, I am trying to make an API call but I am getting 401
Again I am using this document.
I am new to both keycloak and spring.
So what I want to ask here is how can we generate the access token for testing a rest api in a scenario like one which is here.
Any useful resource on KeyCloak that can help me out here? As of now I don't have a clue as to where the problem is. Is it with my API or with how I have configured KeyCloak?
Also, since I am new to Spring, I just could not find a decent document on how to configure Keycloak for Spring Boot. If you can help with that as well.
Moving further on this I was informed on the KeyCloak mailing list that spring boot adapter only supports basic authentication, and so I decided to incorporate the spring security adapter itself.
I did that, and when I am running the application and providing creds I am still not able to make it work. However something interesting is happening. I am being redirected to http://127.0.0.1:8090/sso/login
I double checked it and that is not the redirect URL I have provided.
???
Any idea why?
(Once again am new to it and learning about spring and security on way through this project. So please bear with me.)
So after spending quite a good amount of time and getting some help from the keycloak user list, here is how I got it to work.
Use Spring Security instead of the Spring Boot security adapter (as I have already mentioned in the edit, the boot adapter is only for basic authentication).
Their documentation does a decent job of explaining everything else; refer to that.
I am still testing the whole thing and will document it out for future references.

DreamFactory - Guest user setup to access only the Database service

I am using the builtin Local DB (MySql) in DreamFactory and I am trying to access a GET on https://my_dsp/rest/db/my_table from Postman as a guest (without any kind of authentication). I am getting
    "context": null,
    "message": "No application name header or parameter value in request.",
    "code": 400
Here is what I did as per the instructions:
1. Set up the schema and added data to the existing Database service which comes with the DSP
2. Set up a role name and description
3. Gave GET service access (Database) to the role with Component * for all. Nothing is done in the User tab or lookup key
4. Ticked Config -> allow guest user and selected the role
It's working fine from API Docs (/db/{table_name}) but I can't access it from Postman or anywhere else. All the settings are updated and I flushed the system cache as well. What am I exactly missing? Some help will be highly appreciated.
Thanks
This error is unrelated to your guest access configuration or your DB configuration. You have failed to provide an application name header or URI parameter in your API call. I recommend you review the product documentation on the basics of making a call to DreamFactory.
In short, in Postman, you will need to either provide your application name in a URI parameter, like
https://my_dsp/rest/db/my_table?app_name={myappname}
Or as an HTTP header, like
X-DreamFactory-Application-Name: {myappname}
I recently answered this with a step-by-step guide on the DreamFactory forum here.