AD Authentication and credentials encryption
Hello,
I need to authenticate to Active Directory using different credentials through the System.DirectoryServices.DirectoryEntry in a PowerShell-script. Security is a huge deal in the environment I'm working in, and I have not been able to find a clear answer on
this.
As the DirectoryEntry.AuthenticationType documentation says, since .NET Framework 2.0, the default AuthenticationType is "Secure". Now, apparently using the Secure AuthenticationType in a AD context means the following: "Active Directory Domain
Services uses Kerberos, and possibly NTLM, to authenticate the client." What I need to make sure of is that the credentials are not passed in clear-text over the network. Is it sufficient to rely on the Secure authentication type or should I specify additional
AuthenticationTypes, in which case what would be the most secure combination?
Additionally to this, another security concern would be that the password would be stored in local memory until the next time the .NET garbage collection takes place, since there is no native method of disposing System.String. Can I use the System.GC.Collect-method
to remove the clear-text passwords from memory? I've read that this is not good practice as it can potentially cause performance issues, but looking at this from a security-perspective, it may be worth looking into anyways if it can remove the string from
memory.
I am not sure if this is the right forum to ask these kind of questions, but figured it would be worth a shot.
Thanks,
Andreas
It's better to never store the password as a string at all (never mind the fact that it's sitting in a plain text PowerShell script file.) For example, using a character array allows you to zero out the memory whenever you like:
# The characters of "SecretPassword", obtained with the command:
# [int[]]"SecretPassword".ToCharArray() -join ', '
$chars = [char[]](83, 101, 99, 114, 101, 116, 80, 97, 115, 115, 119, 111, 114, 100)
$securePassword = New-Object securestring
foreach($char in $chars)
$securePassword.AppendChar($char)
$securePassword.MakeReadOnly()
[Array]::Clear($chars, 0, $chars.Count)
This is better than relying on the garbage collector for strings, which would simply make the string's memory available again (without zeroing it out), but it's still not perfect. The CLR may have moved the character array around before it was zero'ed,
leaving older copies of it around
Best is to not hard-code the password at all, in any form. Read it from secure storage somewhere directly into a SecureString (such as by using the ConvertTo-SecureString / ConvertFrom-SecureSting cmdlets without the -AsPlainText switch; this encrypts
the data using DPAPI by default.)
Similar Messages
-
Unable to connect to Wi-Fi connection using WPA2 PSK authentication and encryption type TKIP
I was referred to here from this thread at the Windows Insider Program: http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/unable-to-connect-to-wi-fi-connection-using-wpa2/07bae1ed-c7fb-4f85-9d26-5549cc23e57a?msgId=2eb70420-fe35-494b-a13d-dcacd4d55eb9&rtAction=1426697691002
My issue is copy/pasted below:
Original Title: TKIP selection in WiFi network settings
I have a workplace WiFi connection using WPA2 PSK authentication and encryption type TKIP.
On the machine I used to test Windows 10, I had a previous installation of Windows 7 professional which connected to my workplace WiFi using the above settings. After installing Windows 10, my workplace wifi settings were imported and worked fine.
Windows 10 had a system crash, and since I had deleted my previous windows installation, I performed a complete reinstall of Windows 7. However, when I went to install Windows 10 again, I had not taken the time to set up my workplace Wifi on Windows
7 before installing Windows 10. As a result, I had to set up my workplace wifi as a new connection in Windows 10.
When going to set up the wifi connection, the encryption type was grayed out, but appeared to default to AES. Searching the internet suggested that Windows 8.1 did not need a encryption type selected, because Windows could automatically determine
if it was TKIP or AES, hence why the option to select encryption type was grayed out. However, after completing the setup of my workplace wifi, Windows 10 could not connect to my workplace wifi. After restoring Windows 7 with a factory reset, and setting up
the workplace wifi (the encryption type selection was not grayed out and I manually selected TKIP encryption), my workplace wifi was working again.I was referred to here from this thread at the Windows Insider Program: http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/unable-to-connect-to-wi-fi-connection-using-wpa2/07bae1ed-c7fb-4f85-9d26-5549cc23e57a?msgId=2eb70420-fe35-494b-a13d-dcacd4d55eb9&rtAction=1426697691002
My issue is copy/pasted below:
Original Title: TKIP selection in WiFi network settings
I have a workplace WiFi connection using WPA2 PSK authentication and encryption type TKIP.
On the machine I used to test Windows 10, I had a previous installation of Windows 7 professional which connected to my workplace WiFi using the above settings. After installing Windows 10, my workplace wifi settings were imported and worked fine.
Windows 10 had a system crash, and since I had deleted my previous windows installation, I performed a complete reinstall of Windows 7. However, when I went to install Windows 10 again, I had not taken the time to set up my workplace Wifi on Windows
7 before installing Windows 10. As a result, I had to set up my workplace wifi as a new connection in Windows 10.
When going to set up the wifi connection, the encryption type was grayed out, but appeared to default to AES. Searching the internet suggested that Windows 8.1 did not need a encryption type selected, because Windows could automatically determine
if it was TKIP or AES, hence why the option to select encryption type was grayed out. However, after completing the setup of my workplace wifi, Windows 10 could not connect to my workplace wifi. After restoring Windows 7 with a factory reset, and setting up
the workplace wifi (the encryption type selection was not grayed out and I manually selected TKIP encryption), my workplace wifi was working again. -
Authentication - clear text/encrypted
Hi all,
I have got another thread open about Set-OutlookProvider as I am having issues with 20-odd XP machines off the domain using OutlookAnywhere.
My question is about authentication when using Outlook Anywhere:
If you setup the proxy as follows (see screenshot):
Is the password sent in clear text or not???? I thought it was, but I have been running packet captures with Wireshark and cheking the output and cannot find the password in clear text.
Am I correct in assuming that by ticking the box "connect using SSL Only" and even not using the option to connect with proxies with certificate will send the credentials encrypted rather than in clear text?
Would appreciate comments.
RegardsCheck the connection settings in your dialog above - you are using HTTPS. So unless your WireShark is running as a man-in-the-middle, you are getting encrypted traffic. Notice also that you will only use SSL - the checkbox is selected
and you can't change it. So your clients will always use SSL for their OA connections - and their traffic will always be encrypted (including the credential traffic). -
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
endYes. Tried that (several times) didn't work. 5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts. Kept getting error message that username and password invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick. Think there is an issue with imap.gmail.com and IOS 6.0.1. I'm sure the 5 of us suddently experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
How to get ADF authentication and authorization working on server
I am having an issue with deployment & ADF authentication and authorization.
From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
When making an attempt to log in I get the following results:
Running Locally with ADF Authentication: Works Fine
Running Locally with ADF Authentication & Authorization: Works Fine
Deployed to server with ADF Authentication: Works Fine
Deployed to server with ADF Authentication & Authorization: Doesn’t Work
What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
JDeveloper Version: 11.1.2.4
Server Web Logic: 10.3.6
Server ADF: 11.1.1.16
Page Error when trying to log in:
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
Server error when trying to log in:
Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Web.xml
<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
<param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
<param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
<param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
<param-value>differentOrigin</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_DECORATORS</param-name>
<param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
<param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
</context-param>
<filter>
<filter-name>JpsFilter</filter-name>
<filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
</filter>
<filter>
<filter-name>trinidad</filter-name>
<filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
</filter>
<filter>
<filter-name>adfBindings</filter-name>
<filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>JpsFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>trinidad</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<servlet-name>adfAuthentication</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<listener>
<listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
</listener>
<listener>
<listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
</listener>
<listener>
<listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>resources</servlet-name>
<servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>BIGRAPHSERVLET</servlet-name>
<servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>BIGAUGESERVLET</servlet-name>
<servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>MapProxyServlet</servlet-name>
<servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<init-param>
<param-name>success_url</param-name>
<param-value>/faces/Pages/homePage.jspx</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/adf/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/afr/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>BIGRAPHSERVLET</servlet-name>
<url-pattern>/servlet/GraphServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>BIGAUGESERVLET</servlet-name>
<url-pattern>/servlet/GaugeServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MapProxyServlet</servlet-name>
<url-pattern>/mapproxy/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/bi/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>adfAuthentication</servlet-name>
<url-pattern>/adfAuthentication</url-pattern>
</servlet-mapping>
<mime-mapping>
<extension>swf</extension>
<mime-type>application/x-shockwave-flash</mime-type>
</mime-mapping>
<mime-mapping>
<extension>amf</extension>
<mime-type>application/x-amf</mime-type>
</mime-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/faces/pages/*.</url-pattern>
<url-pattern>/faces/*.</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>valid-users</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>adfAuthentication</web-resource-name>
<url-pattern>/adfAuthentication</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>valid-users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>valid-users</role-name>
</security-role>
</web-app>
Jazn-data.xml
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
<jazn-realm default="jazn.com">
<realm>
<name>jazn.com</name>
<users>
<user>
<name>*****</name>
<display-name>*******</display-name>
<description>******</description>
<credentials>********<credentials>
</user>
</users>
<roles>
<role>
<name>support</name>
<display-name>support</display-name>
<members>
<member>
<type>user</type>
<name>mobile</name>
</member>
</members>
</role>
</roles>
</realm>
</jazn-realm>
<policy-store>
<applications>
<application>
<name> myapp </name>
<app-roles>
<app-role>
<name>mob_mobile_support</name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<display-name>mob_mobile_support</display-name>
<description>support role</description>
<members>
<member>
<name>mobile</name>
<class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
</member>
</members>
</app-role>
</app-roles>
<jazn-policy>
<grant>
<grantee>
<principals>
<principal>
<name>SUPPORT</name>
<class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name> myapp.view.pageDefs.*</name>
<actions>view</actions>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<name>mob_mobile_support</name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name> myapp.view.pageDefs.addapplicationPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name>Pages.addappmsgtypPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name>Pages.addoperationPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name> myapp.view.pageDefs.homePagePageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name> myapp.view.pageDefs.loggingSearchPageDef</name>
<actions>view</actions>
</permission>
<permission>
<class>oracle.adf.share.security.authorization.RegionPermission</class>
<name>myapp.view.pageDefs.workHistoryPageDef</name>
<actions>view</actions>
</permission>
</permissions>
</grant>
</jazn-policy>
</application>
</applications>
</policy-store>
</jazn-data>Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
Timo -
I have a site that requires authentication. In the past i have logged in using firefox with the following format
http://username:password@sitename:siteport/specificsiteurlinfo
and gotten in just fine. I just set up a new computer with a new instance of firefox and try the same thing but I now get the following popup-
"You are about to log in to the site "sitename" with the username "username", but the website does not require authentication. This may be an attempt to trick you.
Is "sitename" the site you want to visit?"
When I click "yes" Firefox appears to try to go to the site without any authentication and I of course get a 403 Forbidden error.
I have tried reverting back to old versions of Firefox with no luck.
Any advice would be greatly appreciated.
Thank you.The purpose of that warning is to alert you to the possibility of being fooled by a link with login credentials at the beginning. On your old computer you might have tweaked this setting to limit when the warning appears:
http://kb.mozillazine.org/Network.http.phishy-userpass-length
This article discusses the steps to adjust that setting to fit your needs: [http://fix.lazyjeff.com/2011/04/disable-firefox-login-prompt.html]. -
Setting Authentication and SSL Settings by folder/file in ColdFusion 10
Am attempting to upgrade to ColdFusion 10 (patched to current level) on our development network. We are running Windows Server 2008 R2. On both of the below instances it worked fine with ColdFusion 8 and 9.
On the first instance the entire site is SSL with the exception of one directory. The entire site is set to Anonymous Authentication Disabled and Windows Authentication Enabled for the entire site except for the one directory that is not SSL. On ColdFusion 10, that one directory that is not supposed to be SSL and have anonymous authentication will not allow access unless you hit it with an https: and authenticate. It ignores the settings for that directory and uses the overall site settings.
On another instance the entire site is set to Anonymous Authentication except one file (login.cfm) is set to Windows Authentication. When you enter that site it hits the login.cfm, if you authenticate it gives you more options. If you don't you still get in but without the extra options. The system ignores the Windows Authentication and defaults to the overall site's setting of Anonymous Authentication. I have tried setting the authentication at the site level to both Anonymous and Windows then going through individual directories and changing them to what they should be, but the settings are ignored and it uses the overall site settings.
Is Tomcat somehow overriding the page/folder specific SSL and or Authentication settings?Charlie, I appreciate you helping rule out the possible discrepancies in the installation. As far as server configuration, all testing is being done on two virtual Windows Sever 2008 R2 64 bit boxes running IIS 7.5 One of the boxes was upgraded from ColdFusion 9.01 and one that is a new install on a new virtual machine. The CF9.01 box has been processing both the SSL and non-SSL properly. The only changes I made to the CF9.01 I upgraded was to turn on CGI in the IIS settings. Both servers show the same problems so I kind of ruled out the new server vice upgrade issue. I checked the inheritance and all of the files have the same windows user's permissions. I have imported the SSL certificates into the JRE\security\lib\certs. I am guessing those are imported correctly otherwise it would not allow the SSL to work at all. All SSL/windows authentication has been set up through IIS, I have not tried to modify any Tomcat settings.
I created a .htm file and put it in both a directory that is SSL protected and one (ScheduledTasks) that is not SSL protected. It worked fine. That is if it was in a directory that should have been protected by SSL it prompted me for my CAC and pin. When I put it in the ScheduledTasks directory and tried opening it with a stander http:// it worked fine. I then tried to open a .cfm in the same directory and I got the standard 403-Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied. -
Authentication and Authorization Problems with IIS 6 and Jrun 4
Hello all,
I am using IIS 6 with JRun 4 as my app server, and I am having problems trying to get authentication and role authorization with Windows Integrated Authentication to work. I have set up IIS 6 to pass-through the authentication credentials to Jrun, without using an anonymous user. What I have done is written a small test servlet that displays the username of the logged in user, and then tries to check if a user is in a test role that I set up in my database. I have specified that a roles table is to be used by specifying a JDBCLoginModule in Jrun's auth.config file. The code for the servlet is below:
package testauthenticationapp;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.*;
import javax.servlet.http.*;
public class SecureTestServlet extends HttpServlet {
private static final String CONTENT_TYPE =
"text/html; charset=windows-1252";
public void init(ServletConfig config) throws ServletException {
super.init(config);
public void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException,
IOException {
response.setContentType(CONTENT_TYPE);
PrintWriter out = response.getWriter();
out.println("<h3>REMOTE USER: " + request.getRemoteUser() + "</h3>");
if (request.getUserPrincipal() != null){
out.println("<h3>" +request.getUserPrincipal().getName() + "</h3>");
} else{
out.println("<h3>User Principal is null</h3>");
if (request.isUserInRole("Test_Role")){
out.println("<h3>User is in Test_Role</h3>");
} else {
out.println("<h3>User is NOT in Test_Role</h3>");
out.close();
1. What I am seeing is that when request.getRemoteUser() is called, the username information is what I expect it to be. It is of the form <Domain>\<Username>. When I try to redisplay the username using the request object's Principal object, the call to request.getUserPrincipal() returns null. This is a little confusing to me since I thought that essentially getRemoteUser() was a short cut for calling getUserPrincipal().getName(), and if I get something for getRemoteUser, getUserPrinicipal should return something as well. I guess they work differently at some level. Has anyone ever encountered this before?
2. When I call request.isUserInRole("Test_Role"), it returns false. I've checked the role name being called for typos in both my database and in the code, and that does not seem to be the case. I think the setup in auth.config is properly configured because I have created many other applications using declaritive FORM based authentication, and the role information was retrieved fine from the database. I would think that when I use request.isUserInRole in my servlet code it would use the same role information, but I could be wrong since this is a different type of authentication. Do you think that the reason request.isUserInRole() is returning false could be tied to the fact that request.getUserPrincipal() is returning null (even though getRemoteUser() is returning a valid username)? How does request.isUserInRole() get its user information, by using getUserPrincipal().getName() or getRemoteUser()?
Any help that is provided is appreciated. Thanks in advance.Try This...
Close All Open Apps... Perform a Reset... Try again...
Reset ( No Data will be Lost )
Press and hold the Sleep/Wake button and the Home button at the same time for at least ten seconds, until the Apple logo appears. Release the Buttons.
http://support.apple.com/kb/ht1430 -
Authentication and authorization for a custom connector
I have the following problem: I have a software which tries to connect with the server through its own custom RMI connector.
So I have the RMI Connector deployed via Mlet-Service. I have written a small TestClient and can get a RemoteMBeanServer with RemoteMBeanServer rs = getRemoteMBeanServer(), but if I try to call something like rs.getMBeanCount() I get :
com.sap.engine.services.jmx.exception.JmxSecurityException: Caller Guest not authorized, only role administrators is allowed to access JMX
So the WebAS considers someone who tries to connect with this connector as guest. How do can I get authentication and autorization to access the JMX parts? The manual seems only to cover JSP and webapplications, where it is possible to configure a role for them. I only have this connector.jar, configuration and mlet-file.
I still have the option to use JAAS authentication with this connector, then I have to configure it differently and, the more difficult, to implemend
a method "public Subject authenticate(Object credentials)" where credentials are two Strings with user and passwd. But I am not quite sure how to fill the Subject with useful information.
Thanks in advance
NilsJmx is secured resource and only administrator role user
can access it.
If your code is running in a servlet you can define
the servlet to run as administrator
1. Add in the web.xml
<security-role>
<role-name>AnyName</role-name>
</security-role>
2. Add in the web-j2ee-engine.xml
security-role-map>
<role-name>AnyName</role-name>
<server-role-name>administrators</server-role-name>
</security-role-map>
If you are runnig from a remote client you just have to
Properties connectionProperties = new Properties();
connectionProperties.setProperty(
Context.INITIAL_CONTEXT_FACTORY,
"com.sap.engine.services.jndi.InitialContextFactoryImpl");
connectionProperties.setProperty
(Context.PROVIDER_URL, "<host:p4port>");
connectionProperties.setProperty
(Context.SECURITY_PRINCIPAL, "<ADMIN USER>");
connectionProperties.setProperty
(Context.SECURITY_CREDENTIALS, "<PASSWORD>");
MBeanServerConnection mbsc =
JmxConnectionFactory.getMBeanServerConnection(
JmxConnectionFactory.PROTOCOL_ENGINE_P4,
connectionProperties); -
Certificate Based Authentication and SSL
To whom it may concern,
I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
I am running my Messenger express (http) like this :
http://testing.xyz.com:8100
(I am using port 8100 for http access to mails). After restarting the mail server, I tried :
https://testing.xyz.com:8100 also,
http://testing.xyz.com:443 also,
https://testing.xyz.com:443 also,
but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
Thanking you,
Farhan Ahmed,
System Engineer
Dubai, UAE.Dear jay,
I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
[29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
i got this line from the http log:
[29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
Thanking you,
Farhan Ahmed,
System Engineer,
Dubai Internet City, Dubai, UAE. -
802.1x multipoint authenticator and security issue
Hi everybody
Let say we have following set up:
host1
host2 ) ----------------hub------ f1/0-switch( authenticator)-------------------------Radius server.
host3
The switch is configured as follows.
Switch(config)#interface FastEthernet 1/0
Switch(config-if)#dot1x port-control auto
Switch(config-if)#dot1x host-mode multi-host
Let say only host1 has valid credentials and the rest hosts i.e h2,h3 are rogue hosts. host1 sends authentication request and successfully authenticated and switch transition its port to an authorized state. But does it not mean the other hosts h2 and h3 which were not authenticated but yet are able to access network ?
thanks and have a great weekend.This board is more for Wireless Security not LAN. but I would think it's because you are connecting through a hub instead of a switch. Hubs share the data, so when the switch gets the auth for the valid client it turns that port as it should.
Now an invalid client connects and because the port is already thinking the client is valid, it passes all the traffic.
Make sense?
Steve
Sent from Cisco Technical Support iPhone App -
SAP authentication and SSO into BI4 with multiple SAP systems
We have already setup SAP authentication and SSO between ECC6 and BI4, e.g. to run CR 2011 reports with data based on ECC infosets, or BEx (operational BI on ECC). ECC is the main point of entry for users, so ECC user accounts and role imports are used in BI4.
Now if we add BW to this, with Crystal or WebI or Analysis OLAP sourcing data from BW, can we still leverage detailed authorizations in BW on the corresponding BW user - with user accounts and role imports in BI4 still being ECC-based?Hi,
Let's say the trust relationship is setup between those systems. Then the simple example is to use Enterprise authentication in BI4, and assertion tickets are issued when making requests to ECC or BW. I assume LDAP/AD authentication would work as well.
>> You also have to setup trust between the BI 4 and ECC & between BI4 and BW. Thats part of the setup for the SSO Token Service.
But does this scenario rule out SAP authentication or not? I was hoping that I can still logon to BI4 with an ECC-issued logon ticket, and then BI4 would nevertheless issue assertion tickets for my BW alias.
>> And that is still possible. Setup the SSO Token Service, setup the aliases for the users. then you could logon with ECC credentials and run a BW report because the token service would then generate the token towards the BW system.
ingo -
Is it possible to bypass JAAS authentication and use Authorisation alone?
I have to implement jsp level security (by checking roles) for my JSF application.
Authentications in my appln are done by a different servers. I don't want to disturb that.
I have to implement authorisation alone using JAAS.
Is it possible to bypass JAAS authentication and use Authorisation alone?
I am using custom login module( implements DatabaseLoginModule) for authorisation.
Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
Any help would be great.
Thanks,
Adhil.JI have to implement jsp level security (by checking roles) for my JSF application.
Authentications in my appln are done by a different servers. I don't want to disturb that.
I have to implement authorisation alone using JAAS.
Is it possible to bypass JAAS authentication and use Authorisation alone?
I am using custom login module( implements DatabaseLoginModule) for authorisation.
Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
Any help would be great.
Thanks,
Adhil.J -
JAAS Authorization and Credentials
Hi,
I am adapting an access control system to operate as a JAAS authentication and authorization service. There is a lot of doco covering creation of custom authentication but far less on the authorization side. Any pointers welcome.
My question is: What is the role of a Subject's "credentials" in the authorization scenario?
From what I can see a Subject's credentials aren't even available to the authorization service under JAAS? When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
A ProtectionDomain also has an array of Principals rather than credentials.
I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials. Is there a way? I could just use my credential class as a Principal (with some minor changes) but the information in my class does not represent an idenity, it is a "credential"!
Any tips gratefully received.When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.The Subject's public credentials are available via Subject.getPublicCredentials if the JAAS login module has set them up. But the Policy shouldn't need them at this stage. The Subject has already been authenticated by the JAAS login module. All the Policy should be is interested in is what this Subject can do. The credentials aren't for that, they are for authenticating his identity. See below for further discussion.
A ProtectionDomain also has an array of Principals rather than credentials.Again it doesn't need them. Only the JAAS login module needs them.
I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials.You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.
So you write a JAAS LoginModule that inspects the credentials, Principal, name etc and adds RolePrincipals to the subject according to what he is now allowed to do. Then your custom Policy just looks for the appopriate Principal in the Subject. If there, OK, if not, bang you're dead.
From one point of view this is an efficiency measure. From another point of view it is an essential normalization. You could have millions of credential sets that all map to the same role. And you certainly don't want your Policy to be concerned with individual credentials, only with the Roles they map to. -
Aironet 1310 using Peap Auth and AES encryption??
I have 2 1310 wireless briges in a point to point configuration with the root bridge acting as my ACS server..
I am currently running Leap Authentication and with Wep encryption but would like to upgrade this to use Peap and AES if possible??
I'm wondering if anyone has upgraded their solution to this type of encryption?
thanksWhat IOS version are you running ? 12.4(25d)JA is the last supported IOS version for this product. So you should go with that image.
If you are using AP as AAA server, then I think only EAP-FAST, LEAP & MAC authentication is supported. Not anything else.
Here is WGB (workgroup bridge) configuration with EAP-FAST & you can get an idea how to configure EAP-FAST if you choose to. (In your case you have to configure root bridge & non-root bridge in two respective AP)
http://mrncciew.com/2013/04/28/wgb-with-eap-fast/
HTH
Rasika
**** Pls rate all useful responses ****
Maybe you are looking for
-
Itunes unknown error [-50] but only on my login...
o my fricken god this thing is driveing me crazy. I have had an ipod nano since christmas with everything working perfectly till about a month ago. right about then my itunes stoped opening. whenever i tried to open itunes it would give me this error
-
My itunes video won't load into my ipod
I just received my ipod and have been using it for a week now and I have been purchasing music videos and stand up comedians through itunes. One video (about 22 min. long) was purchased and downloaded fine into my ipod. The video played fine, no prob
-
i cant figure out to download itunes, all that shows up so far it the download now on the webpage, but then after that im lost.
-
Cr2 files are icons instead of previews as of today!
My raw files are only viewable as thumbnail previews in bridge instead of in finder! I have always been able to see the previews in finder until today. Same camera (canon 7D) as always. I have checked the view options for the folder, set the default
-
Hi After restoring the cold backup I need to recreate the controlfile. Do I need to recover afterwards? since I created new controlfile. or just alter database open; Oracle 9i, user managed backups