Programmatically change user role in JBoss EAP 6.2 - jboss

We are trying to get this working in JBoss EAP 6.2 but for the moment we haven't been able to find the reason why it is failing.
In our application, super users are able to decide which role they want to use after logging in to the application. So first the user will have a role and then we want to change it. For this we are doing the following:
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

// Look up the caller's Subject through JACC and swap the role inside its "Roles" group
Subject sub = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
for (Principal p : sub.getPrincipals()) {
    if ("Roles".equals(p.getName())) {
        SimpleGroup group = (SimpleGroup) p;
        group.removeMember(new SimplePrincipal(CONSTANT_SUPER_USER));
        group.addMember(new SimplePrincipal(authorizationRole));
    }
}
This is actually changing the role in the Subject. But afterwards when the authorization is being checked we get the following in the server's log:
[org.apache.catalina.authenticator] (http-/0.0.0.0:8080-11) We have cached auth type LOGIN for principal GenericPrincipal[userName(superuser,)]
As you can see, it is still getting the old value after modifying it.
We are using our own class extending SimplePrincipal. Checking the content of Faces.getRequest() we have seen that the request contains a userPrincipal of type JBossGenericPrincipal and inside it, it contains our extended SimplePrincipal. Checking both of them we have seen that:
JBossGenericPrincipal.roles contains superuser
JBossGenericPrincipal.subject.principals contains the modified SimpleGroup with the new authorization role
Just for your information, we had this working on WildFly first and it worked perfectly, but we had to change to JBoss and found that this wasn't working properly. So we think it has to be something related to this specific JBoss version.
Has someone faced this problem? Any idea why this might be failing? I guess we need to put the correct role in JBossGenericPrincipal.roles somehow, but... how?
Any help is appreciated. Thanks!

Seems Red Hat doesn't recommend changing the roles after the authentication has been done. So the only solution was to log the user out and log them back in with the new role.
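The re-authentication that the answer settles on, as an added example that is not part of the original post or of JBoss itself. It uses the Servlet 3.0 HttpServletRequest.logout()/login() calls; the role names, the /switchRole path and the REQUESTED_ROLE hand-off to a login module that would honour it are assumptions made for illustration, and the user is asked for their password again on the switch form.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: a role switch implemented as a real re-authentication
 * (HttpServletRequest#logout / #login, Servlet 3.0) instead of editing
 * the Subject's "Roles" group in place, which the container's cached
 * principal never sees.
 */
@WebServlet("/switchRole")
public class SwitchRoleServlet extends HttpServlet {

    // Assumed names: the super-user role and the roles it is allowed to assume.
    private static final String SUPER_USER_ROLE = "superuser";
    private static final Set<String> ASSUMABLE_ROLES =
            new HashSet<String>(Arrays.asList("editor", "auditor"));

    /**
     * Hand-off to a hypothetical login module of the security domain, which
     * would grant the requested role only when the authenticating user is a
     * super user. Login modules cannot read the HTTP session, hence the
     * thread-local.
     */
    public static final ThreadLocal<String> REQUESTED_ROLE = new ThreadLocal<String>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Only an authenticated super user may switch roles at all.
        if (req.getUserPrincipal() == null || !req.isUserInRole(SUPER_USER_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. The target role must come from a fixed allow-list, never from free input.
        String role = req.getParameter("role");
        String password = req.getParameter("password"); // re-prompted on the switch form
        if (role == null || !ASSUMABLE_ROLES.contains(role) || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String user = req.getUserPrincipal().getName();

        // 3. Drop the cached authentication and the old session id so neither the
        //    cached GenericPrincipal nor a fixated session survives the switch.
        req.logout();
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);

        // 4. Re-authenticate: the container rebuilds the principal and its role
        //    list from the login module, so the authenticator's cache is fresh.
        REQUESTED_ROLE.set(role);
        try {
            req.login(user, password);
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        } finally {
            REQUESTED_ROLE.remove();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

The extra checks are the point: a role switch is an authorization decision, so only a super user may request it, the target must be on a fixed allow-list, and the previous session is invalidated so the cached principal (and its role list) cannot outlive the switch.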

Related

Where else can I find alternate login URL aside from $CFG->alternateloginurl

I'm currently troubleshooting a login issue for a deployed Moodle. Login page uses an alternate page which I have managed to identify. The alternate page considers everything except successful login as invalid or expired login or password.
Since some correct logins and passwords are also getting the same issue, I am trying to restore the Moodle instance to use its default login page, but did not find any $CFG->alternateloginurl configuration set in moodle.php. Kindly please provide any pointers you can think of on where to look next to restore the login page.
PS: I've also searched within the active theme, and there have not been any code changes. It uses a variant of Moove.
Thank you
Rest assured that it's a common issue.
https://docs.moodle.org/401/en/Managing_authentication#Alternate_login_URL
There is an entry in the database
SELECT *
FROM mdl_config
WHERE name = 'alternateloginurl';
Note the value, just in case, then blank it out
UPDATE mdl_config
SET value = ''
WHERE name = 'alternateloginurl';
Then purge the cache to update Moodle
php admin/cli/purge_caches.php
When you do manage to log in, check which other authentication methods are active via
Site administration > Plugins > Authentication > Manage authentication
https://docs.moodle.org/401/en/Managing_authentication
The default methods are manual and email self registration
Although self registration is disabled by default in the settings on the same page (registerauth)

Keycloak registration throws HTTP 500 for duplicate email

I know there's an earlier question with this subject here, but the OP never reported if the one answer resolved the issue. And since
Internal Server Error
is about as user-unfriendly as you can get, I would love to change this to something that feels more like "a message" than "an anvil dropped on your foot".
I have found one other SO post that tangentially relates to this issue (about that disappearing "duplicate emails" switch), but the problem is indeed not about whether or not to allow duplicate emails (or how to revive hidden admin controls) but how a very ordinary issue is communicated to the user - well, like how Keycloak notifies the user when they try and register with an existing username.
We're currently using the Docker version of Keycloak 12.0.4 with some customisations (a custom BCrypt module, some logging changes) running in IBM Cloud, using a PostgreSQL DB. We also added a custom theme & internationalisation. The same error occurs also when using the default Keycloak theme, though.
Here are our Login settings:
It turned out to be a configuration issue, but so deeply hidden that even the Keycloak developer who looked into the ticket I created had glossed over it.
The perpetrator was in menu Configure > Authentication > tab: Flows > choose dropdown: Registration > Profile validation radio button [o REQUIRED | o DISABLED]
This was set to disabled, which in effect prevents the duplicate email check in the registration form that the Realm settings > tab: Login form suggests is active. But then, of course, the database won't like that, with the above-mentioned result.
This combination of settings should at least issue a warning, of course. I hope this will be corrected.

HttpContext.User is null after successful login from SAML Identity Provider?

Trying to retrofit an old webforms application.
Got my configuration working so that it's prompting for login and successfully redirecting back to the application. The folks that manage the IP can see the response is generated.
However in the callback to my application the User is null. I'm told if it's configured correctly it should be populated.
We have a custom IHttpModule and that is where I can see it getting hit with the call to /Saml2/Acs with the User not populated. I think this may be expected, as the handler for that is supposed to populate the User? However the following call (the returnUrl configured in sustainsys.Saml2) still has no User and I don't see any sort of error or anything.
Anyone with experience have an idea how to debug this?
The call to /Saml2/Acs should be taken care of by the Sustainsys.Saml2.HttpModule. It will process the response and then call the SessionAuthenticationModule to set a cookie that preserves the User across calls.
To get some more information about what's happening in the library, you can assign an implementation of ILoggerAdapter to Sustainsys.Saml2.Configuration.Options.FromConfiguration.SPOptions.Logger to get some logging output from the library.
My issue turned out to be that I had another authentication module loaded before SessionAuthenticationModule and Saml2AuthenticationModule in the web config.
The comment in the example was
Add these modules below any existing. The SessionAuthenticationModule
must be loaded before the Saml2AuthenticationModule
However, in my case I had another authentication module involved that needed to go last.
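The module order the answer describes, as an added example rather than the poster's own web.config. The two type strings are the ones the Sustainsys.Saml2 documentation registers for classic ASP.NET (check the assembly version and public key token against the package version you actually installed); MyLegacyAuthModule is a hypothetical stand-in for the custom IHttpModule mentioned in the question.

```xml
<!-- Added example, not the original poster's configuration.
     Integrated-pipeline module order for Sustainsys.Saml2 on a classic
     ASP.NET site. Modules run in the order they are listed here. -->
<configuration>
  <system.webServer>
    <modules>
      <!-- Modules the site already had (other than its own auth module) stay above. -->

      <!-- 1. Reads and writes the session cookie; must precede the Saml2 module,
              which calls it after validating the response. -->
      <add name="SessionAuthenticationModule"
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

      <!-- 2. Handles /Saml2/Acs: validates the SAML response and hands the
              resulting identity to the session module for the cookie. -->
      <add name="Saml2AuthenticationModule"
           type="Sustainsys.Saml2.HttpModule.Saml2AuthenticationModule, Sustainsys.Saml2.HttpModule" />

      <!-- 3. The site's own authentication module (hypothetical name) goes last,
              so on the request that follows the ACS post-back it already sees
              HttpContext.User populated from the cookie. -->
      <add name="MyLegacyAuthModule"
           type="MyApp.Security.MyLegacyAuthModule, MyApp" />
    </modules>
  </system.webServer>
</configuration>
```

Order matters because each module sets or reads HttpContext.User during the same AuthenticateRequest stage: a custom module listed before the session module runs while User is still null, exactly the symptom described in the question.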

Set Site Permissions for a Role Programmatically Liferay 6.2

I am creating a startup hook script for liferay to add and preconfigure Roles for Liferay 6.2 behind the scenes.
Specifically I am looking to add the type of permissions that can be accessed through Control Panel > Roles > Actions> Define Permissions.
Currently I am able to add Liferay Roles, but have so far been unsuccessful in finding the correct way to add custom permissions to the Roles programmatically. I see there was a way to do this in prior Liferay versions, but do not see it here.
https://www.liferay.com/community/forums/-/message_boards/message/2965424
https://www.liferay.com/web/guest/community/forums/-/message_boards/message/124558
So far I have investigated RolePermissionUtil, RoleLocalServiceUtil, among other available services.
Let me know if this is available through the service to be added to a startup hook or if this can only be done in the UI.
It appears that the API has changed since these posts.
Thank you in advance for your help
Figured it out using ResourcePermissionLocalServiceUtil.setResourcePermissions and RoleLocalServiceUtil.
Eg.
// Look the role up by name; fetchRole returns null if it does not exist
Role role = RoleLocalServiceUtil.fetchRole(CompanyThreadLocal.getCompanyId(), "Role Name");
ResourcePermissionLocalServiceUtil.setResourcePermissions(
    CompanyThreadLocal.getCompanyId(), Role.class.getName(),
    ResourceConstants.SCOPE_GROUP_TEMPLATE, String.valueOf(role.getRoleId()),
    role.getRoleId(), new String[] {ActionKeys.VIEW, ActionKeys.UPDATE, ActionKeys.DELETE});
I used CompanyThreadLocal to obtain the Company Id because I am using this in a hook not a portlet, where typically it would be accessed through the theme display. Here I am just adding access to Roles, but other class namespaces could be added. (eg. "com.liferay.portlet.dynamicdatalists.model.DDLRecordSet")

Request Tracker for Users created without privileges

I have configured Request Tracker 4 to be an interdepartmental helpdesk solution. The current setup is that users will log in to RT using LDAP. Once logged in, their account is automatically created. However, their account is created with no privileges.
To fix this I have been having to go to Tools-->Configuration-->Select, then put in the user's DN name and click add; I then have to check the box "Let this user be granted rights (Privileged)". I have also tried setting Set($AutoCreate, Privileged); but no luck.
I looked at the user accounts in the sqlite database and noticed that when new user logs in they are indeed created in the database. But with no privileges.
709|tuser3|*NO-PASSWORD*|||||||tuser3|||||||tuser3||tuser3|||||||||||||1|2013-03-08 13:47:38|1|2013-03-08 13:47:38
791|Mayra|*NO-PASSWORD*||||Mayra#**************||Main Office|Mayra Hernandez|||||||Mayra||Mayra||**************|||||||||||1|2013-04-03 21:46:36|1|2013-04-03 21:46:36
797|sdrakeford|*NO-PASSWORD*||Autocreated when added as a watcher||sdrakeford#**************|||Sophia C. Drakeford|||||||sdrakeford||sdrakeford|||||||||||||1|2013-04-04 13:18:58|1|2013-04-04 13:18:58
827|Robert.Troy|*NO-PASSWORD*||||Robert.Troy#*******************||Main Office|Robert Troy|||||||Robert.Troy||Robert.Troy||***************|||||||||||1|2013-04-04 16:11:58|1|2013-04-04 16:11:59
Am I missing something, because usually these things are quite obvious.
The $AutoCreate option takes a hashref with all of the default options you want to pass to the User Create method. Try something like:
Set($AutoCreate, {
    Privileged => 1
});
(As an aside, it's generally not recommended to run a production instance on sqlite. You might want to consider converting to MySQL or Postgres.)