Dear friends, I encountered the following problem:
I developed a system service using Mule ESB. The aim was to process a large number of records, and therefore during processing there were frequent connections to MS CRM Dynamics On-premise. However, in the middle of processing (after about 30 min, although this time varies) each subsequent request ends with the following error:
Exception stack is:
1. The security context token is expired or is not valid. The message was not processed. (org.apache.cxf.binding.soap.SoapFault)
org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor: 133 (null)
2. The security context token is expired or is not valid. The message was not processed. (javax.xml.ws.soap.SOAPFaultException)
org.apache.cxf.jaxws.JaxWsClientProxy: 156 (http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/xml/ws/soap/SOAPFaultException.html)
3. Failed to invoke retrieveMultipleByQuery. Message payload is of type: HashMap (org.mule.api.MessagingException)
org.mule.module.dynamicscrmonpremise.processors.RetrieveMultipleByQueryMessageProcessor: 141 (http://www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/MessagingException.html)
Could you tell me where I might have made a mistake and how to fix it?
This is in the Best Practices section of the CRM development SDK.
https://msdn.microsoft.com/en-us/library/gg509027.aspx
To summarize, you'll have a class that checks your WCF security token to make sure it's valid, and refreshes it before it expires.
In addition, monitor your WCF security token (Token) and refresh it before it expires so that you do not lose the token and have to start over with authentication. To check the token, create a custom class that inherits from the OrganizationServiceProxy or DiscoveryServiceProxy class and that implements the business logic to check the token. Or wrap the proxy classes in a new class. Another technique is to explicitly check the token before each call to the web service. Example code that demonstrates these techniques can be found in the ManagedTokenDiscoveryServiceProxy, ManagedTokenOrganizationServiceProxy, and AutoRefreshSecurityToken classes in the Helper code: ServerConnection class topic.
I'm building an SOA architecture that consists of a simple NGINX-based API gateway, which forwards calls from browser clients to an appropriate backend API based on their prefix, for example:
/auth/login will route the call to the login endpoint on the Authentication service
/users/update/widget-1 will route the call to the update endpoint on the Users service
etc.
Each service has its own datastore and follows SOLID design principles. I use events on a queue to keep services informed about interesting things that happen to data that they both know about. For example, both the Users service and the Authentication service need to store the user's email address as it's used for authentication and emailing. So when a user's email is changed I queue a 'user email change' event onto a User Events queue. The Authentication service subscribes to this queue and uses the event to keep itself up to date.
For simple events, I can include enough details in the event to avoid needing more information. But, thinking ahead, what if a lot of changes have happened to the user and I have a datawarehouse that subscribes to every event type. I don't want to start having huge events - I would rather just include enough information for the interested service to use the event to trigger a call to ask for more details.
So the sequence in this example would be:
Client synchronously calls user update with JWT bearer token
User update service validates JWT and uses it to carry out the update
User update service generates a 'user updated' event to the queue, containing the User ID
Datawarehouse picks up the event and calls a 'get user details' endpoint on the User service to get full details of the update.
How do I authenticate the 'internal service call'? I can't use the original JWT as the internal request is happening asynchronously and the calling service doesn't have the JWT. It might not even be valid any more by the time the Datawarehouse requests the user details. It feels like I need some 'internal' JWT - for example, in this case, would the answer be for the Datawarehouse service to have the ability to generate its own JWT with its own private key then the User service checks the signature using the Datawarehouse service's public key? In which case, doesn't this mean each service would have to know about all the other services that could call it?
If it helps, my current implementation uses Lumen for the services with the jwt-auth package to check the JWT at the API level.
Any advice is appreciated, thanks.
I am developing a web application with Spring Boot and a React.js SPA, but my question is not specific to those libraries/frameworks, as I assume reporting client-side JS errors to the server (for logging and analyzing) must be a common operation for many modern web applications.
So, suppose we have a JS client application that catches an error and a REST endpoint /errors that takes a JSON object holding the relevant information about what happened. The client app sends the data to the server, it gets stored in a database (or whatever) and everyone's happy, right?
Now I am not, really. Because now I have an open (as in allowing unauthenticated create/write operations) API endpoint everyone with just a little knowledge could easily spam.
I might validate the structure of JSON data the endpoint accepts, but that doesn't really solve the problem.
In questions like "Open REST API attached to a database- what stops a bad actor spamming my db?" or "Secure Rest-Service before user authentification", there are suggestions such as:
access quotas (but I don't want to save IPs or anything to identify clients)
Captchas (useless for error reporting, obviously)
e-mail verification (same, just imagine that)
So my questions are:
Is there an elegant, commonly used strategy to secure such an endpoint?
Would a lightweight solution like validating the structure of the data be enough in practice?
Is all this even necessary? After all I won't advertise my error handling API endpoint with a banner in the app...
I’ve seen it done three different ways…
1. Assuming you are using OAuth 2 to secure your API, stand up two error endpoints. For a logged-in user, if an error occurs you would hit the /error endpoint and would authenticate using the existing user auth token. For a visitor, you can expose a /clientError (or named in a way that makes sense to you) endpoint that takes the client_credentials token for the client app.
2. Secure the /error endpoint using an API key that would be scoped for access to the error endpoint only. This key would be specific to the client and would be passed in the header.
3. Use a 3rd party tool such as Raygun.io, or any APM tool, such as New Relic.
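The internal-call token in the SOA question above and the scoped token for the /errors endpoint in this answer rest on the same mechanism: a short-lived token that names the caller (sub), the receiving service (aud) and what it may do (scope), checked by the receiver before it acts. The Python below is an added illustration, not code from either post or from Lumen, jwt-auth or Spring; it uses HS256 over constructed per-audience secrets that only the issuer and that one receiving service hold, so each service trusts the issuer rather than every possible caller and learns who called from the sub claim.

```python
import base64, hashlib, hmac, json, time

# Constructed secrets, one per receiving service (the token audience). The
# issuer holds all of them; each service holds only its own, and trusts the
# issuer rather than every possible caller. Who called is the "sub" claim.
AUDIENCE_SECRETS = {
    "users": b"constructed-secret-for-users-service",
    "errors": b"constructed-secret-for-errors-endpoint",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(subject: str, audience: str, scope: str, ttl: int = 60, now=None) -> str:
    """Issue a short-lived HS256 token for one caller, one audience, one scope."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": subject, "aud": audience, "scope": scope,
                              "iat": now, "exp": now + ttl}).encode())
    signing_input = f"{header}.{claims}".encode()
    sig = hmac.new(AUDIENCE_SECRETS[audience], signing_input, hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

def verify(token: str, audience: str, required_scope: str, now=None) -> dict:
    """Check alg, signature, audience, expiry and scope; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    signing_input = f"{header_b64}.{claims_b64}".encode()
    expected = hmac.new(AUDIENCE_SECRETS[audience], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(claims_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if required_scope not in str(claims.get("scope", "")).split():
        raise ValueError("insufficient scope")
    return claims
```

The Datawarehouse would mint its token at the moment of the asynchronous call (not reuse the user's JWT), and a client app posting to /errors would carry a token whose only scope is errors:write, so neither token is usable against any other endpoint.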
I'm new to Shiro. We are attempting to use Shiro with Stormpath. I've been trying to dissect the examples to come up with a solution to what I want to do, but I'm unsuccessful so far.
For now, I'm simply trying to create REST services to do what I want, and I'll tie a real client in later. This is what I'm trying to achieve as my first step:
I want to have a client hit a REST endpoint (login) on my server. My server would authenticate, and return a JWT to the client. This JWT would then be used to access secured endpoints on my server. (I have written Java code that can successfully authenticate against Stormpath).
My problem is the JWT. I expected that a JWT would be created for me, or at least easily accessible. I can't find a way to get one. I have seen sample code on how to build one, but that doesn't seem like the way I would expect to acquire one.
I have run through several examples, but most seem to deal with JSP interfaces, and I can't seem to make the leap to what I'm trying to do.
Is this approach reasonable? Any guidance is appreciated.
Edit 1
I now have a Java client that can authenticate using the Shiro servlet and retrieve a JWT. I have this running as a deployed application (war) in GlassFish. My next step is to use that JWT to authenticate against a different application that has my REST endpoints. This REST application doesn't need to know anything about how to authenticate - I just want to pass the JWT along in the call to a given REST endpoint and use Shiro (via annotations) to control access to the endpoint (if that is indeed possible). All of the examples I can find seem to be "all-in-one" examples (bundling JSP with Shiro/Stormpath configurations, etc). I'm trying to determine the minimum working configuration for securing REST endpoints and I'm having difficulty determining which pieces of the configuration I need.
Edit 2
I am using the Stormpath-Shiro-Servlet (as stolen from the Shiro Servlet example) as my authentication back-end. Using my Java client, I am sending a login request to the servlet, and I am indeed getting back a JWT. However, I am not able to successfully use the JWT to access my other REST resources. My REST calls result in this error:
org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager. This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again. Because an identity is currently not known due to any of these conditions, authorization is denied.
First, I don't understand why the servlet 'login' doesn't actually log me in and give me a non-anonymous principal. Second, I am attempting to do everything on a separate client, so I don't have access to Subject.login (is this a correct assumption?).
Take a look at this example from github/stormpath-shiro
The JWT creation is managed for you by the Stormpath API. If you start up one of the examples, (the servlet one above, or the spring-boot-web example), after login, you will have a JWT cookie. There is background info in this blog post.
I'm working on releasing stormpath-shiro now, but figured I'd include these links here so you can start looking.
I am looking at options to log the client id for every request (if available), so that it can be used for reporting purposes to find out the number of requests per client. IdS logs the client id for token requests when LogLevel is Information. Looking at the IdS code, we need to extract the client id from the Authentication header or from the body of the request. I wanted to know if there is anything already built into IdS to do this. Any other ways to do this?
Absolutely!
Implementing the IEventService is what you're after.
An overview of all the events being transmitted to the IEventService can be viewed in the source of these internal extension methods; IEventServiceExtensions.
The AccessTokenIssuedEvent, AuthorizationCodeDetails and RefreshTokenDetails events will include the ClientId receiving the token - so you can create an audit log.
The default implementation of IEventService is the DefaultEventService, which will use the logging mechanism you're using for IdentityServer, but you can swap that out to log to a DB if you prefer.
I faced a problem today regarding connectivity with the Orion public instance http://orion.lab.fi-ware.org:1026/ngsi10/contextEntities/{entity_id}. While two days ago I always got a connection to the Orion public instance, always using the same Authentication Token I got from FI-WARE, today when I try to connect I get an error: "GET http://orion.lab.fi-ware.org:1026/ngsi10/contextEntities/urn:smartsantander:testbed:3337 returned a response status of 401 Unauthorized".
I was and continue to use the Jersey REST API to connect with the NGSI10 Orion REST API implementation.
Is there any idea about what I have to do to solve the problem? Is this a problem on the Orion server side with the Authentication Service?
Thank you in advance!
Probably the token has expired. You can regenerate a fresh token by running the token_script.sh script, as described in the following document.
EDIT: the normal behaviour of the system is to cancel the token from time to time, so the best approach is to regenerate it with a given periodicity (e.g. 24 hours). However, note that although you can manually regenerate the token and reconfigure your application to use the new one as described above, it is better to program your application to do it automatically.
Please have a look at the OAuth course in the FI-WARE education platform and the Refresh Token section in the OAuth 2.0 RFC for more information.
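Both the CRM answer earlier on this page (check the token before each call and refresh it before it expires) and this answer (regenerate the FI-WARE token automatically rather than by hand) describe the same client-side pattern. The Python class below is an added example, not code from either answer or from the Dynamics SDK, Mule connector or FI-WARE tooling; the authenticate() callable stands in for whichever login call issues a token, and ExpiredTokenError for the backend's rejection (the CRM "security context token is expired" SOAP fault or Orion's 401).

```python
import time

class ExpiredTokenError(Exception):
    """Raised by a request when the backend rejects the token it was given
    (stand-in for the CRM SOAP fault or a 401 from Orion)."""

class ManagedToken:
    """Caches a token with its expiry and hands out a still-valid one on every use."""

    def __init__(self, authenticate, lifetime: int, margin: int = 300, clock=time.time):
        self._authenticate = authenticate  # callable returning a fresh token string
        self._lifetime = lifetime          # seconds the backend keeps a token valid
        self._margin = margin              # refresh this long before expiry, not at it
        self._clock = clock                # injectable for deterministic testing
        self._token = None
        self._expires_at = 0.0
        self.refreshes = 0                 # how many times we re-authenticated

    def get(self) -> str:
        """Return a token that is expected to stay valid for at least `margin` seconds."""
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            self.refresh()
        return self._token

    def refresh(self) -> None:
        """Re-authenticate and record the new expiry from the known lifetime."""
        self._token = self._authenticate()
        self._expires_at = self._clock() + self._lifetime
        self.refreshes += 1

    def call(self, request):
        """Run request(token). If the backend still rejects it (clock skew, early
        server-side revocation), re-authenticate once and retry; a second
        rejection propagates so the job fails loudly instead of looping."""
        try:
            return request(self.get())
        except ExpiredTokenError:
            self.refresh()
            return request(self._token)
```

Routing every backend call through call() is what turns the "after about 30 min each request fails" symptom into a silent token rotation; the single retry covers the case where the server's idea of the lifetime is shorter than the client's.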