I had posted a question here regarding setting the EnableSslCertificateVerification setting yo true how it doesn't work on Windows. SSL handshake fails.
I found out that this is solved by adding the SslCaLocation setting as follows:
"Dev-on-Windows": {
"commandName": "Project",
"environmentVariables": {
"Kafka__BootstrapServers": "myloadbalancer.myhost.corp:9094",
"Kafka__EnableSslCertificateVerification": "true",
"Kafka__SchemaRegistryUrl": "myschemareg.myhost.corp:8081,myschemreg2.myhost.corp:8081",
"Kafka__SecurityProtocol": "SaslSsl",
"Kafka__SslCaLocation": "cacert.pem",
"Kafka__SaslMechanism": "Gssapi",
"Kafka__ClientId": "DotNetCoreReferenceApplication",
"Kafka__ErrorTolerance": "Moderate",
"Kafka__Debug" : "all",
"ASPNETCORE_ENVIRONMENT": "Development"
},
"applicationUrl": "https://localhost:5001;http://localhost:5000"
},
Where cacert.pem file is simply the concatenation of the signatures PKs of the certificates. That works.
I am not sure why that is needed when ideally it should be able to check the trusted root store on Windows.
UPDATE
Two certs are required. One of them is in the Trusted Root Certificate Authorities and the other is in the Intermediate Certificate Authorities.
I removed the SslCaLocation configuration and simply imported the second certificate from the Intermediate store to the Root store and it worked.
Does Confluent Client Lib for Kafka / librdkafka for Windows not look into the Intermediate Certificate Store?
I have MongoDb 4 running fine as Service on win 10.
as soon as I set authorization: enabled
in the mongo config file:
C:\MongoDB4.0\bin\mongod.cfg
It was
#security:
I have set it to:
security:
authorization: enabled
The service will not start, and displaying Error 1053
I dont see anything in the server log or mongodb log
Any idea what I did wrong?
I had the same problem, but in my case what solved was replacing the tab for two spaces in the authorization: enabled line, like this:
# Configuration using TAB not working
security:
authorization: enabled
# Configuration using two spaces working
security:
authorization: enabled
C:\MongoDB4.0\bin\mongod.cfg
change
#snmp:
mp:
to
#snmp:
#mp:
it works for me.
In my case I first commented it, it caused 1053 error, so I had to remove comment and set -
security:
authorization: disabled
For me MongoDB 4.2, this thing works to run the service on Windows 10.
security:
authorization: enabled
Not sure exactly but I think there is issue related to space and colon.
I'm building a symfony REST Api in which I'm trying to get HWIOAuthBundle, FOSUserBundle and LexikJWTBundle working all together.
I followed this gist for the HWIOAuthBundle/FOSUserBundle integration.
Now I'm getting the facebook login form when hitting the /login route. But after submition I get this error :
[2/2] HttpTransportException: Error while sending HTTP request
[1/2] RequestException: Failed to connect to graph.facebook.com port 443: Bad access
INFO - Matched route "hwi_oauth_service_redirect".
CRITICAL -
Uncaught PHP Exception HWI\Bundle\OAuthBundle\OAuth\Exception\HttpTransportException:
"Error while sending HTTP request"
at C:\myProject\vendor\hwi\oauth-bundle\OAuth\ResourceOwner\AbstractResourceOwner.php
line 257
DEBUG -
Notified event "kernel.request" to listener
"Symfony\Component\EventDispatcher\Debug\WrappedListener::__invoke".
...
I'm now looking for help about this. Or any other way to get those bundles to work together.
config.yml :
hwi_oauth:
# list of names of the firewalls in which this bundle is active, this setting MUST be set
firewall_names: [auth]
http_client:
timeout: 10000
verify_peer: false
max_redirects: 1000
ignore_errors: false
fosub:
username_iterations: 300
properties:
# these properties will be used/redefined later in the custom FOSUBUserProvider service.
facebook: facebook_id
# an optional setting to configure a query string parameter which can be used to redirect
# the user after authentication, e.g. /connect/facebook?_destination=/my/destination will
# redirect the user to /my/destination after facebook authenticates them. If this is not
# set then the user will be redirected to the original resource that they requested, or
# the base address if no resource was requested. This is similar to the behaviour of
# [target_path_parameter for form login](http://symfony.com/doc/2.0/cookbook/security/form_login.html).
# target_path_parameter: _destination
# an optional setting to use the HTTP REFERER header to be used in case no
# previous URL was stored in the session (i.e. no resource was requested).
# This is similar to the behaviour of
# [using the referring URL for form login](http://symfony.com/doc/2.0/cookbook/security/form_login.html#using-the-referring-url).
# use_referer: true
# here you will add one (or more) configurations for resource owners
resource_owners:
facebook:
type: facebook
client_id: {id}
client_secret: {secret}
scope: ""
infos_url: "https://graph.facebook.com/me?fields=name,email,picture.type(square)"
options:
display: popup
security.yml :
firewalls:
auth:
pattern: ^/api/minisite/user/auth
anonymous: true
stateless: true
form_login:
check_path: /api/minisite/user/auth/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
username_parameter: username
password_parameter: password
require_previous_session: false
oauth:
resource_owners:
facebook: "/api/minisite/user/auth/facebook/login/check-facebook"
login_path: /api/minisite/user/auth/facebook/login
check_path: /api/minisite/user/auth/login_check
failure_path: /api/minisite/user/auth/facebook/login
oauth_user_provider:
#this is my custom user provider, created from FOSUBUserProvider - will manage the
#automatic user registration on your site, with data from the provider (facebook. google, etc.)
service: my_user_provider
logout: true
anonymous: true
access_control:
- { path: ^/api/minisite/user/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/minisite, roles: IS_AUTHENTICATED_FULLY }
Configure this in your config.yml file.
hwi_oauth:
http_client:
verify_peer: false
Setting this allows you to turn off SSL verification.
I got the same problem using HWI on localhost. I don't know, but if it's your case, try to upload your work on a server. The reason of this issue is that your are using the port 80, but facebook need that you use the port 443 or use ipv6.
Hope this help
So i am building a symfony2 api using fosrestbundle fosuserbundle and LexikJWTAuthenticationBundle and when i want to acces to /api/users.json to post a new user i get a 401 error Bad Credentials.
i tried to add a line in access control this way :
- { path: post_user, role: IS_AUTHENTICATED_ANONYMOUSLY }
but it didn't work.
i also tried :
- { path: post_user, role: IS_AUTHENTICATED_ANONYMOUSLY, methods:[POST] }
how can i exclude only the post endpoint ?
The solution is to create a new firewall disabling authentication on a url pattern. The tricky thing is that security configuration also allows you to select the methods covered by the firewall.
Just add this in your firewalls in security.yml :
public:
methods: [POST]
pattern: ^/api/users
security: false
you have now access to your endpoint on post method and get put and delete will still require whatever authentication protocol you use :)
Do mind when using Adel's solution and using #Security Annotations in your controller or actions you get this exception :
The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL.
This can be circumvented by replacing security: false with anonymous : true. So the complete solution is :
public:
methods: [POST]
pattern: ^/api/users
anonymous : true
With have a ADF application on Weblogic 10 that has occasional access to a Java applet. The Java applet is loaded whenever it's needed and not loaded whenever it isn't. The applet is currently in the public_html/applet folder.
When we set the SSL configuration to requiring a client certificate, when the Java applet loads, it'll constantly ask for a client certificate:
Request Authentication
Identification required. Please select certificate to be used for authentication.
This is annoying to users and the Java Applet doesn't need authentication. Is there any way we can disable the authentication or remove the prompt?
Here's the embedded applet code:
Edit: Things I've already tried:
1) Setting the Applet up on HTTP instead of HTTPS; I get a warning about mixed content and still get the authentication pop-up.
2) Created a minimal applet that only types out "HELLO WORLD" in the console, still get the authentication pop-up
Here's the console window:
Java Plug-in 1.6.0_35
Using JRE version 1.6.0_35-b10 Java HotSpot(TM) Client VM
User home directory = C:\Users\mfan
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener#1df073d
basic: Plugin2ClassLoader.addURL parent called for https://192.168.130.99/app/applet/HelloWorld.jar
network: Cache entry not found [url: https://192.168.130.99/app/applet/HelloWorld.jar, version: null]
network: Connecting https://192.168.130.99/app/applet/HelloWorld.jar with proxy=DIRECT
network: Connecting http://192.168.130.99:443/ with proxy=DIRECT
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
security: Loaded SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
security: Loaded Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment session certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: KeyUsage does not allow digital signatures
(and here's where the prompt comes up).
You said that your applet not requires client authentication so you can put your applet jars on http location. Then you have to specify the codebase parameter to this http location. For example if you put your jar as a resource on http://public.test/somewhere/myApplet.jar you can specify:
codebase = http://public.test/somewhere/
archive = myApplet.jar
However I think that this is probably a configuration issue, you can configure your web server to request a client certificate authentication optionally an not required on applet location.
Hope this helps,
EDIT:
You can put your webLogic behind a proxy (like apache http server), an configure proxy to require the client certificate only in a specific location. A configuration sample for apache http server case looks like:
##
## SSL Virtual Host Context
##
<VirtualHost myHost:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
SSLVerifyClient none
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData
JkMount /myWeb loadBalancer
JkMount /myWeb/* loadBalancer
<Location /myWeb/login/certificateLoginLocation>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificateFile conf/trustedCA.cer
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule .* http://myHost/myWeb/accesForbbiden.htm
</Location>
</VirtualHost>
well, i not sure about weblogic, i am using jboss and i know that there is no way to do this.
so what we did is install an apache in front, served as reverse proxy
and the configuration look
Listen vgw_mgmt:443
<VirtualHost vgw_mgmt:443>
DocumentRoot /srv/www/
SSLEngine on
SSLCipherSuite HIGH
SSLProtocol all -SSLv2
SSLOptions +ExportCertData +StdEnvVars
SSLCertificateFile /etc/httpd/ssl/server-mgmt.pem
SSLCertificateKeyFile /etc/httpd/ssl/server-mgmt.key
SSLVerifyDepth 3
SSLCACertificateFile /etc/httpd/ssl/trustedca-mgmt.pem
SSLVerifyClient none
ProxyPass /webmgr/ ajp://webapps:8009/webmgr/
<Location /webmgr/>
SSLVerifyClient optional
</Location>
<Location /webmgr/javascript/>
SSLVerifyClient none
</Location>
</VirtualHost>
so, whenever user hit https : // pro xy /webmgr/, client authentication is prompt (the reason we use "optional" instead of "required", is because we want to display nice error page tell customer you need to provide cert to login)
and, my applet stored inside /webmgr/javascript/applet.jar
so when applet load
<applet archive="applet.jar" codebase="/webmgr/javascript/" name="jsapplet" id="jsapplet" code="myapps.mylittleprogram" height="1" width="1"></applet>
it will skipped the client authentication.
Since our application is on http and https, I just set the archive to http:// and it works fine now.