Incorrect Form validation when using a proper SSL certificate - forms

When I use a proper SSL certificate on my website I get bugs in Joomla which don't appear if using an unknown certificate or http:
When logging in with wrong credentials, I get to the error page 500 instead of validation and instead of the message "Username or password are wrong ..." faded in.
When registering and the wrong text in ReCaptcha is typed, instead of validation the data in all the fields is deleted and no message about the wrong captcha is faded in.
What am I doing wrong when using the proper SSL-Certificate?
Note to ReCaptcha:
In K2 I put the script source mentioned here.
Putting
RewriteCond .*(/component/users/?view=login) off
at the end of my .htaccess didn't help.
Technical data, which may be relevant:
SSL-Certificate: GeoTrust RapidSSL
CMS: Joomla! 2.5.9 Stable
Login-Form: Standard-Module of Joomla
Register-Form: Authentication-Plugin of Joomla + K2 2.6.2
Thank you very much in advance.

I have solved the problem. It wasn't an SSL issue.
These paths in configuration.php were not correct at the root and I've overlooked it :(
public $log_path = '/SERVER_PATH/JOOMLA_INSTALLATION/logs';
public $tmp_path = '/SERVER_PATH/JOOMLA_INSTALLATION/tmp';
So when you log on with wrong credentials or type a wrong ReCaptcha text, Joomla tries to create the directories mentioned above. If Joomla fails to do it (and that was the case), instead of validation by the login form and ReCaptcha you get the strange behavior described in my previous post.
@Lodder: I'll update my K2 next time
@Jobin Jose: Yes, I activated SSL adminside.
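
A check for the misconfiguration described in this answer, as an added example that is not part of the original post: it reads `log_path` and `tmp_path` out of the text of `configuration.php` and reports any that are missing, do not exist, or are not writable. The function name and the regular expression are assumptions made for this example.

```python
import os
import re

# Matches lines such as:  public $log_path = '/var/www/site/logs';
SETTING = re.compile(r"""public\s+\$(log_path|tmp_path)\s*=\s*(['"])(.*?)\2\s*;""")

def check_joomla_paths(config_text):
    """Return {setting: problem} for unusable log_path / tmp_path values."""
    found = {m.group(1): m.group(3) for m in SETTING.finditer(config_text)}
    problems = {}
    for name in ("log_path", "tmp_path"):
        path = found.get(name)
        if path is None:
            problems[name] = "not set in configuration.php"
        elif not os.path.isdir(path):
            problems[name] = "directory does not exist: " + path
        elif not os.access(path, os.W_OK | os.X_OK):
            # Run as the web server's user, otherwise this result is misleading.
            problems[name] = "not writable by the current user: " + path
    return problems

if __name__ == "__main__":
    import sys
    # Usage: python check_paths.py /path/to/configuration.php
    with open(sys.argv[1], encoding="utf-8") as fh:
        for name, problem in check_joomla_paths(fh.read()).items():
            print(name + ": " + problem)
```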

Related

Keycloak registration throws HTTP 500 for duplicate email

I know there's an earlier question with this subject here, but the OP never reported if the one answer resolved the issue. And since "Internal Server Error" is about as user-unfriendly as you can get, I would love to change this to something that feels more like "a message" than "an anvil dropped on your foot".
I have found one other SO post that tangentially relates to this issue (about that disappearing "duplicate emails" switch), but the problem is indeed not about whether or not to allow duplicate emails (or how to revive hidden admin controls) but how a very ordinary issue is communicated to the user - well, like how Keycloak notifies the user when they try and register with an existing username.
We're currently using the Docker version of Keycloak 12.0.4 with some customisations (a custom BCrypt module, some logging changes) running in IBM Cloud, using a Postgresql DB. We also added a custom theme & internationalisation. The same error occurs also when using the default Keycloak theme, though.
Here are our Login settings:
It turned out to be a configuration issue, but so deeply hidden that even the Keycloak developer who looked into the ticket I created had glossed over it.
The perpetrator was in menu Configure > Authentication > tab: Flows > choose dropdown: Registration > Profile validation radio button [o REQUIRED | o DISABLED]
This was set to disabled, which in effect prevents the duplicate email check in the registration form that the Realm settings > tab: Login form suggest are active. But then, of course, the database won't like that, with the above-mentioned result.
This combination of settings should at least issue a warning, of course. I hope this will be corrected.
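
The warning this answer asks for can be produced offline from a realm export. The following is an added example, not code from the original post or from Keycloak: the JSON field names and the `registration-profile-action` provider id are assumed from Keycloak's realm export format, and the sample realm is constructed.

```python
import json

# Provider id of the "Profile validation" execution in the built-in
# registration form (assumed from Keycloak's realm export format).
PROFILE_VALIDATION = "registration-profile-action"

# Constructed sample: a trimmed realm export with only the fields the check reads.
SAMPLE_REALM = json.loads("""
{
  "realm": "example",
  "registrationAllowed": true,
  "duplicateEmailsAllowed": false,
  "registrationFlow": "registration",
  "authenticationFlows": [
    {"alias": "registration", "authenticationExecutions": [
      {"flowAlias": "registration form", "requirement": "REQUIRED"}]},
    {"alias": "registration form", "authenticationExecutions": [
      {"authenticator": "registration-user-creation", "requirement": "REQUIRED"},
      {"authenticator": "registration-profile-action", "requirement": "DISABLED"},
      {"authenticator": "registration-password-action", "requirement": "REQUIRED"}]}
  ]
}
""")

def executions(flows, alias, seen=None):
    """Yield every execution reachable from flow `alias`, following sub-flows."""
    seen = set() if seen is None else seen
    if alias in seen or alias not in flows:
        return
    seen.add(alias)
    for ex in flows[alias].get("authenticationExecutions", []):
        yield ex
        if ex.get("flowAlias"):
            yield from executions(flows, ex["flowAlias"], seen)

def audit_registration(realm):
    """Return findings for the setting combination described in the answer."""
    if not realm.get("registrationAllowed", False):
        return []  # self-registration is off, nothing to check
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    start = realm.get("registrationFlow", "registration")
    requirement = {ex["authenticator"]: ex.get("requirement")
                   for ex in executions(flows, start) if ex.get("authenticator")}
    state = requirement.get(PROFILE_VALIDATION, "MISSING")
    findings = []
    if state != "REQUIRED" and not realm.get("duplicateEmailsAllowed", False):
        findings.append("Profile validation is %s while duplicate emails are "
                        "not allowed: duplicates are only caught by the database "
                        "and surface as HTTP 500" % state)
    return findings
```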

Blank page after authentication via getAuthenticationInfo

I have created a Shiro Realm to use with x509 certs based on this extension.
The "protected X509AuthenticationInfo doGetX509AuthenticationInfo(X509AuthenticationToken token)" method is executed (i.e. getAuthenticationInfo(token)), validates my user and seems to execute the return X509AuthenticationInfo.
However, after that, the page stays blank! It is not redirected anywhere. If I use instead "anon", or the basic authentication, then my page is displayed correctly (to verify that the page should not be blank). What can be happening?
shiro.ini
[main]
x509Realm = com.flowersforyou.shiro.myRealm
securityManager.realms = $x509Realm
x509 = org.apache.shiro.web.filter.authc.X509AuthenticationFilter
[urls]
/** = x509
EDIT
I tried to use
x509.loginUrl = /err.xhtml
[urls]
/err.xhtml = anon
/** = x509
But it is still showing a blank page so I don't think I was redirected anywhere when the validation failed
EDIT
My answer explains what is possibly happening but not how to fix it. So I suppose that blank page is because something failed (null pointer or whatever). However, I suppose this should raise a 500 error via an Exception, as everything else. When the 500 error is raised, my app will capture it and show a custom error page. This is not happening here. Any solution to capture that error?
I think I have discovered what is happening...
I am missing a Credential Matcher in my .ini:
sha256Matcher = org.apache.shiro.authc.x509.X509CredentialsSha256Matcher
x509Realm.credentialsMatcher = $sha256Matcher
Without this, I suppose the authentication fails (either because there is no matcher set or because it is using a default one that doesn't understand certs but plain passwords) and it is silently finishing with a blank page (perhaps I have to define somewhere where to go if the authentication fails). If someone knows where to do it, or why exactly I am getting a blank page, please tell me to complete the answer.
EDIT
As for the blank page, I found that no exception was being raised. More details here.

Configure TYPO3 Crawler Extension

I followed this tutorial to index some files in the fileadmin. Now I am at the point "Then manually process the entry: (...)". The problem is that I get this error message when I click on the green "refresh" button:
Can someone tell me what I am doing wrong and why I am not authorized to crawl through my page, as the message "Error: 401 Authorization Required Authorization R..." tells me?
By the way: I did not forget to add the user: _cli_crawler .
Thanks in advance
If you use HTTP Authentication in your project then you can use a baseUrl something like the one below. For more details click here
http://user:pass@www.mydomain.com/
I think you added an htpassword to your site that prevents pages from being indexed.
So first remove the htaccess password protection and then try to reindex again.

Typo3 login password hash

How can I build the rsa hash of the Typo3 login in php manually? I need to create a spider script which just goes to every site, and the problem is that therefore I have to be logged in. So I thought I do the login via CURL. But then I saw this rsa hash of the password and now I don't know how to convert a password like "blablabla" into such a rsa hash.
Can anyone help me?
You might find some help out of auto login extension here: http://typo3.org/extensions/repository/?id=23&L=0&q=auto+login
Or debugging tx_rsaauth_sv1::authUser. An RSA-decrypt function is called there. However I don't have the time to really dive into it right now.
Another solution is to login once and save the cookies. Then send those cookies with your CURL request.
To make the cookies valid for a longer period, you could temporarily change the backend session time-out setting before logging in. Like so:
$TYPO3_CONF_VARS['BE']['sessionTimeout'] = strtotime('+1 year')-time();
You can add/change this line in typo3conf/localconf.php (Typo3 < 6) or typo3conf/AdditionalConfiguration.php (Typo3 6+).

Cannot log in to admin after upgrade

I need some help troubleshooting.
I've just upgraded my 1.3 site to 2.0 (with the intent of going on to 2.1). I get the actual page running, content is read from DB etc, but I cannot log in to the admin panel!
Just to make sure I didn't forget the password I did
<?php echo sha1('password' . 'salt'); ?>
Taking the salt from the DB, and the output is the same as is stored in the DB. But still I cannot log in. The log in prompt just reloads, no error message or anything. Any ideas?
I've also tried clearing cache/sessions/etc, and even a different browser to no effect.
Crossposted from the PyroCMS forum: https://www.pyrocms.com/forums/topics/view/19323
OK, since there don't seem to be any good suggestions found either here or on the PyroCMS forums and my site is very small content wise I decided to just wipe everything and do a clean install of the latest build instead.
Not a very good solution for future reference, but it will have to do.
From my checklist (it's been a while since I had this happen to me):
If you didn't get an incorrect password error, it may well be you were just being redirected back to the login page before the details were even checked. You can run into issues with enabling the 'Remove index.php from URL' in .htaccess - in /system/cms/config/config.php try changing
$config['index_page'] = 'index.php';
to $config['index_page'] = '';
or (as you've hinted):
clear the contents of default_ci_sessions table
clear the cookies for the domain (a quicker way is to just open a new Google Incognito window which won't have any cookies).
Also - you can initiate a password reset for the admin password using the ordinary user login form if you or someone else does ever forget it (don't though).