Basic access authentication

Similar Messages

• Safari 5.1 HTML5 HTTP basic access authentication issue video does not load

  I have a .m4v video referenced in a page with the HTML5 video tag in a folder which is in a password protected folder housed on iPage.
  Safari 5.0.5 plays the video fine.  Safari 5.1 fails to load/play the video in the protected folder.  If I move the video to a not protected folder, Safari 5.1 plays it fine.
  This is on iPage.  Back on MobileMe all is fine with 5.1.
  I think this is a HTTP basic access authentication issue with 5.1.
  Anyone have similar issue? Work around?

  Yes, I can also confirm this behaviour. This is in Safari 5.1.1, but I also see the exact same thing in WebKit nightlies.

• Basic HTTP Authentication

  Hi everyone,
  I'm trying to make a portal/gateway environment where a user can be automatically logged in other applications using Basic HTTP Authentication.
  To do this I have enabled the Basic HTTP Authentication in the psconsole (under Secure Remote Access > default > Core).
  I have also added a couple of LDAP attributes in the Portal LDAP: sunPortalGatewayWWWAuthorization.
  Are these the only two steps needed? Or am I forgetting something?
  Could someone tell me how the values in the sunPortalGatewayWWWAuthorization can be formed? I am currently using someone else's code, which used to work on a Portal Server 6 environment. I'm not sure if I understand well how those Basic Authentication values are formed.
  Thanks a lot!
  Sten

  Thank you Yvan, for your reply.
  I have looked at the Access Manager in the old environment, and did not see any SSO functionality being enabled.
  The old environment does not have a psconsole, so I was not able to check the settings over there.
  What bothers me, is that I do not know what kind of values should be stored in the sunPortalGatewayWWWAuthorization attribute. A basic http authentication string would look like this: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  (This would be a Base64 encoding of Aladdin:open sesame).
  But in the Portal LDAP it seems that everything is encoded in Base64. As far as I understand the code is doing the following:
  - Make-up string: "+hostname+|Authorization: Basic +username+:+password+"
  - additionally, it looks like the whole string is being encrypted too, using a PBEWithMD5andDES algorithm
  Is this a requirement for the Gateway? Or is this for some kind of security reason? And is this correct?
  Thanks,
  Sten

• Basic http authentication not working when consuming Web Service in BPEL.

  Hi,
  I am consuming an AXIS Web Service from BPEL 10.1.3. The Web Service uses basic http
  authentication so we need a way to get username and password into the http
  header. In the Oracle BPEL Process Manager Administrator's Guide 10g
  (10.1.3.1.0) section 1.3.4.1 HTTP Basic Authentication (10.1.2.0.2) is stated
  that this can be done using the properties httpUsername and httpPassword. I
  have set the 2 for the partner link in bpel.xml but username and password does
  not get in to the http header. Has anybody got an idea?
  Regards Pete

  I'm having the same sorts of problems with 10.1.3.1.0. I've got a deployed BPEL suitcase that's trying to hit a BASIC AUTH-secured web service running on a WebLogic 8.1 server. I've set up my partner link according to the documentation, and the BPEL console Descriptor tab even shows the parameters correctly:
  partnerLinkBindings      
  client      
       wsdlLocation      awardService.wsdl
  spsAwardSubmitPartnerLink      
       basicHeaders      credentials
       basicUsername      ko1
       basicPassword      xxxxx
       wsdlLocation      IAwardDraftServiceRef1.wsdl
  However, when I funnel the resultant call to the endpoint specified in IAwardDraftServiceRef1.wsdl, none of the fields I would expect show up in the HTTP header:
  POST /pd2WebServices/service/IAwardDraftService HTTP/1.1
  Host: vm-orcl-app-srv:4444
  Connection: Keep-Alive, TE
  TE: trailers, deflate, gzip, compress
  User-Agent: Oracle HTTPClient Version 10h
  SOAPAction: ""
  Accept-Encoding: gzip, x-gzip, compress, x-compress
  Content-type: text/xml; charset=UTF-8
  Content-length: 3800
  <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Body><IAwardDraftSubmitNew xmlns="http://www.caci.com/pd2/pub">
  <IAwardDraft>
  <accessController/>
  <agreementEndDate/>
  Is there some other configuration piece I'm missing?? I've tried the other variation using httpBasicHeaders, with the same results. I even noted that the "Oracle® BPEL Process Manager Administrator's Guide" says that "Starting with Oracle BPEL Process Manager release 10.1.3, all partner link properties are automatically propagated into the HTTP header." I've tried putting "extra" parms in the partner link bindings, but they don't show up either.
  What am I missing??
  Thanks,
  Mike

• How to do .1x port based network access authentication through ACS

  How to do .1x port based network access authentication through ACS.

  Hi,
  802.1x can authenticate hosts either through the username/password or either via the MAC address of the clients (PC's, Printers etc.). This process is called Agentless Network Access which can be done through Mac Auth Bypass.
  In this process the 802.1x switchport would send the MAC address of the connected PC to the radius server for authentication. If the radius server has the MAC address in it's database, the authentication would be successful and the PC would be granted network access.
  To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
  To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
  Regards,
  Kush

• Embedding basic http authentication credentials in JNLP file

  I want to embed basic http authentication credentials in the JNLP file.
  Basically, I want the jars to be behind basic http authentication in order to distribute the application only to authorized users (I understand this is not strong security, but it's fine for my purposes) who are all on Windows, and once the java app is initially installed, I never want to have to enter the http login credentials again.
  So I set up the http authentication and in the jnlp file I have:
  <jnlp
       spec="1.5*"
  codebase="http://username:[email protected]"
       href="program.jnlp">
  This doesn't seem to phase the JWS authenticator. So on the first launch from the desktop shortcut I put the credentials in manually and select "save this password in my password list". It seems like I'm in the clear as the next time I launch the application from a desktop shortcut I am not asked for any credentials, but every time the Windows machine is restarted, I get the JWS authenticator again...the password is no longer saved.
  Is there a way to embed the username/password in the JNLP file to get past the JWS authenticator without having to retype the username and password every time the machine is restarted? Or to permanently save the password in the JWS authenticator password list? Or any other way to set it up where once the application is initially installed, the http authentication credentials never have to be manually entered again?
  Thanks!

  Hi everybody,
  I manage to do almost all (I suppose), but I need last help.
  Through SM59 I created the HTTP Destination needed; then, I implemented the code given by SAP here:
  http://help.sap.com/saphelp_47x200/helpdata/en/2d/64d053e74911d6b2e400508b6b8a93/content.htm
  I ran the program, and it gives me the error: "Binder not found for soapAction = null.
  I suppose that I should give the link to the soapAction, but I don't know where in the code.
  Have you any idea?
  Thanks and Regards,
  Francesco

• Internationalizing Basic HTTP authentication browser dialog for UserID

  Is it possible to have multibyte user ID for Basic HTTP authentication? Based on RFC2617 user ID has to be *Text, which basically is ASCII. But I thought maybe someone has a workaround for this limitation. Our entire web app is internationalized, we use UTF-8 as encoding for JPS pages and request processing, and that all works fine, but there is one area where we use Basic HTTP authentication, and so far I was not able to find a way to internatianalize that. Once the resource is reqested, we process request in the servlet and if the user is not authenticated we send authentication challenge response to the browser. Response encoding is set to UTF-8. After user enters the credentials, I process those in the same servlet , again using UTF-8. Of course when I tried to input the japanese ( multibyte)userID, the authentication is failing. I think the browser is corrupting DBCS data once it Base64 encodes it... Does anyone have ideas whether it is possible to internationalize this at all?

  You'll probably need your own ServletFilter to process the authentication header, since servers will mostly decode headers in the locale encoding, regardless of any charset in the Content-type header of the request. Getting browsers to use UTF-8 encoding before base64 might be a bit tricky though.
  It is probably better to use form based login. The procedure for getting UTF-8 encoded form parameters is a well understood FAQ for this forum.

• ISE Admin Access Authentication to RADIUS Token Server

  Hi all!
  I want to use an External  RADIUS Token Server for ISE Admin Access Authentication and Authorization.
  Authentication works, but how do I map the users  to Admin Groups? Is there a way  to map a returned RADIUS Attribute  (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
  Thanks in advance,
  Michael Langerreiter

  ISE 1.3 does have an bug: Authentication failed due to zero RBAC Groups.
  Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
  Last Modified
  Nov 25, 2014
  Product
  Cisco Identity Services Engine (ISE) 3300 Series Appliances
  Known Affected Releases
  1.3(0.876)
  Description (partial)
  Symptom:
  ISE 1.3 RBAC fails with shadow user & Radius token
  Operations > Reports > Deployment Status > Administrator Logins report shows
  Authentication failed due to zero RBAC Groups
  Conditions:
  RBAC with shadow user & Radius token
  View Bug Details in Bug Search Tool
  Why Is Login Required?
  Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
  Bug Details Include
  Full Description (including symptoms, conditions and workarounds)
  Status
  Severity
  Known Fixed Releases
  Related Community Discussions
  Number of Related Support Cases
  Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

• NAC Clean Access Authentication not doing anything

  Hi!
  I have instaled an NAC solution, using oob with acl's.
  When i get to the Clean Access Authentication page, using the right user and password, or an worng one, the page keeps showing up, requesting to authenticate and without any errors.
  Did this happened to anyone?
  TKX
  Miguel

  Hi Miguel,
  The configuration so far looks OK.
  The only test I would suggest would be to keep the clients on a vlan/subnet different from the CAS untrusted IP's subnet.
  I am telling this because usually we have the following:
  1. Clients are being assigned to a trusted vlan/subnet, for which we have an IP address configured in the CAS as a managed subnet and assigned to that vlan.
  2. In this case, clients are getting an IP on the same subnet as the untrusted interface of the CAS, which is not doing any kind of vlan tagging.
  As a further test, you could for example keep the clients on a subnet that is not the same as the one for the CAS untrusted interface and add the corresponding managed subnet for that client vlan.
  Alternatively, you could configure the CAS untrusted interface to tag traffic on the same vlan where clients are getting an IP, but this is usually more tricky.
  This suggestion comes from the fact that what you are experiencing (clients continuously re-prompted for authentication) is often seen when the CAS is not configured for the proper managed subnets.
  One more thing to verify is that the user being authenticated is not falling under the Unauthenticated Role.
  This could happen for example when configuring an Authentication Provider with the default role as Unauthenticated and mapping rules: if mapping rules are not triggered correctly, the default Unauthenticated Role will be assigned and the client will keep getting the authentication prompt.
  If these further points didn't show any improvements, I would recommend to keep following this through a TAC Service Request:
  http://tools.cisco.com/ServiceRequestTool/create/launch.do
  Regards,
  Fede
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Podcasts: Restricted access authentication required?

  Whenever I try to access my podcasts, it asks for restricted access authentication. I've never given the information required and iTunes crashes when the information is not given. How do I get rid of the Authenticator? Or alternately, how do I simply access my iTunes without it crashing?
  Any help would be great appriciated, I've been trying for days to work around it.
  FYI: iTunes is on a windows 7 OS.

  The posting should read as... log in to area "Protected" on www.Itmaps.net

• JAAS NTLoginModule for basic http authentication

  Hi all,
  Can someone point me to the right direction on this subject? I'd like to use JAAS' NTLoginModule to get a user's credentials, then use those credentials to authenticate the user into something that requires a basic http authentication... specifically, a domino web service. (I don't want the user to have to type in his/her password).
  First, is this even doable? and Second, what would I need to do to get this working?
  Thanks in advance.

  I am using IIS 6 with Windows Integrated Authentication which passes all HTTP requests to Tomcat 5.5 for processing via the ISAPI plug-in jk1.2 It does nothing else. Don't ask the obvious, I can't tell you. It just is.
  I have a new requirement for a new web application on our intranet. I would like to be able to identify my users without them typing anything in. How can I capture any part of the Window's user credential's from within my Java web application on Tomcat?
  I'm looking at HttpServletRequest.getRemoteUser() and HttpServletRequest.getUserPrincipals() and I'm thinking I can (minus establishing my own Tomcat realms, etc...).
  Any thoughts? Even if you don't know how, just tell me if you know this can be/is being done somewhere.

• Bug: HTTP Basic Access Authorization in browser non-functional.

  Upon visiting any site that requires a username and password via HTTP Basic Access Authorization ( http://en.wikipedia.org/wiki/Basic_access_authentication ), a prompt shows up, as one should. There are two fields, which oddly are not denoted Username and Password. In any case, attempting to enter the proper username and password in those fields does not work! You will be reprompted until finally the server rejects you.
  I have tried this on numerous websites already, and have checked the passwords to ensure they were correct. 
  Post relates to: Pre p100eww (Sprint)

  I can confirm this bug too on the Palm Emulator for webOS (v1.2.0.33 currently). I do not have a physical Palm Pre to test this on, but I would expect that the emulator emulates the hardware's behavior too (else, what's the point of an emulator?). I've seen mixed reports on this particular issue. That is, I've seen at least one other person complaining about this problem on the real hardware, and yet, I've also seen another person who doesn't appear to have any such issues.
  I'll cut straight to the technical details. If I use hello:world as the login in a browser that does work correctly for basic HTTP auth, I see the following header in the sniffed packet:
  Authorization: Basic aGVsbG86d29ybGQ=
  However, when the Palm Pre (emulator) fails to log in, I see the following in the header:
  Authorization: Basic aGVsbG86d29ybGQA
  Clearly, the Palm is doing something incorrectly when it encodes the authorization details. It seems to be including an additional nonprintable character at the end (a terminating null?) when it encodes, which results in the different encoding. Considering the fact that various web browsers and Base64 encoding libraries I've tested agree with the former encoding, and not the latter, I'm inclined to believe that the Palm Pre is completely in the wrong here. Of course, why this doesn't seem to be happening to all users, though, is an oddity for which I have absolutely no potential explanations.
  Message Edited by Ultima on 11-07-2009 02:48 PM

• ASA Remote Access Authentication with LDAP Server

  Thank you in advance for your help.
  I am configuring an ASA to authenticate with a ldap server for ipsec vpn access.  My customer has 3 networks that are to be accessed by remote users.  However they want to be able to say that one user can get to 2 of the networks and not the 3rd.  So basically they want control over what network behind the firewall each user can access.  This seems doable from my reading and I had planned to creating a group for each network that needs accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication.  Basically a ldap group on the ldap server that will have the users name in the group in order for access.  I can restrict access via acl's or filtering to force my group to only be allowed access to a specific network.  Here is the problem I am having now.
  The ldap server has been created and seems to be working fine.  I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server.  When I run the authentication test from the ADSM or command line I get a good authentication successful message.  So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name.  Below is a paste of the debug.  The second part is when I did a successful test from the ASDM or CLI and it worked great.  The first part is when I attempted from the vpn client.  It all looks the same from the search criteria.  What am I missing here or does anyone more knowledgeable see anything that I am doing wrong.  Can this be done this way or should I try radius.  The customer was just adament about using ldap.
  extvpnasa5510#
  [243] Session Start
  [243] New request Session, context 0xd5713fe0, reqType = 1
  [243] Fiber started
  [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
  [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
  [243] supportedLDAPVersion: value = 2
  [243] supportedLDAPVersion: value = 3
  [243] No Login DN configured for server 130.18.22.44
  [243] Binding as administrator
  [243] Performing Simple authentication for  to 130.18.22.44
  [243] LDAP Search:
          Base DN = [ou=employees,o=msues]
          Filter  = [uid=vpntest]
          Scope   = [SUBTREE]
  [243] User DN = [uid=vpntest,ou=employees,o=msues]
  [243] Talking to iPlanet server 130.18.22.44
  [243] No results returned for iPlanet global password policy
  [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
  [243] Session End
  extvpnasa5510#
  [244] Session Start
  [244] New request Session, context 0xd5713fe0, reqType = 1
  [244] Fiber started
  [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
  [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
  [244] supportedLDAPVersion: value = 2
  [244] supportedLDAPVersion: value = 3
  [244] No Login DN configured for server 130.18.22.44
  [244] Binding as administrator
  [244] Performing Simple authentication for  to 130.18.22.44
  [244] LDAP Search:
          Base DN = [ou=employees,o=msues]
          Filter  = [uid=vpntest]
          Scope   = [SUBTREE]
  [244] User DN = [uid=vpntest,ou=employees,o=msues]
  [244] Talking to iPlanet server 130.18.22.44
  [244] Binding as user
  [244] Performing Simple authentication for vpntest to 130.18.22.44
  [244] Processing LDAP response for user vpntest
  [244] Authentication successful for vpntest to 130.18.22.44
  [244] Retrieved User Attributes:
  [244]   sn: value = test user
  [244]   givenName: value = vpn
  [244]   uid: value = vpntest
  [244]   cn: value = vpn test user
  [244]   objectClass: value = top
  [244]   objectClass: value = person
  [244]   objectClass: value = organizationalPerson
  [244]   objectClass: value = inetOrgPerson
  [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
  [244] Session End

  Hi Larry,
  You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
  - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
  Let me know if further assistance is required!
  Please proceed to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• Is it possible bypass basic file authentication in glassfish using default

  I have a glassfish application with basic authentication enabled and a single user setup in the file security realm wth a single group named 'internal'.
  My web.xml is setup with an auth-constraint limited to 'internal' role, my glassfish-web.xml maps the group 'internal' to the role 'internal'
  I have one cluster with an app ('api') running that is already accessed internally without the need for authentication.
  I am trying to set up a standalone instance with a seperate config (publicapi) that runs the same app but can only access functionality of the publicapi rather than the api
  My approach has been to add basic authentication to api with a default principal (internal) in its config. The principal is mapped to a user (internal) in the file security realm that has a single group in its list of 'internal'. My understanding was this would be able to bypass the basic authentication when using this config but it has not.
  This is my config within the api project: glassfish-web.xml
  <glassfish-web-app error-url="">
  <class-loader delegate="true"/>
  <jsp-config>
  <property name="keepgenerated" value="true">
  <description>Keep a copy of the generated servlet class' java code.</description>
  </property>
  </jsp-config>
  <security-role-mapping>
  <role-name>internal</role-name>
  <group-name>internal</group-name>
  <principal-name>internal</principal-name>
  </security-role-mapping>
  </glassfish-web-app>
  web.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <security-constraint>
  <display-name>Limit non-internal principals</display-name>
  <web-resource-collection>
  <web-resource-name>Secure Application</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>internal</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Secure Area</realm-name>
  </login-config>
  <security-role>
  <description>Only accssible to internal roles</description>
  <role-name>internal</role-name>
  </security-role>
  </web-app>
  and sun-web.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
  <sun-web-app error-url="">
  <security-role-mapping>
  <role-name>internal</role-name>
  <group-name>internal</group-name>
  <principal-name>internal</principal-name>
  </security-role-mapping>
  </sun-web-app>
  So is my understanding of being able to bypass the basic authentication using glssfish default principal flawed? Do default principals match to a user / group list that is added in the Glassfish control panel and therefore assocated with the same roles / groups? Any other info on how to correctly map the default principal to a security group and bypass authentication would be very useful. Thank you

  Haii
  your jsps or struts will not do that kind of client side jobs..u write a java script and do that.......
  regards
  Shanu

• ITunes U Basic Access

  I am an iTunes newbee. I have been trying to set up our iTunes U site using basic authentication for course tracks. However, I can only get downloads to work by making them public. At this point, we don't want to use a transfer script.
  Basically, I want one password per course. The student would click to download a track, and it would ask for a password. The same password would access each track in a course.
  If anyone could help, I would greatly appreciate it.
  Thanks,
  April

  Hi April,
  With the excetpion of AppleIDs (which can be used to administer an iTunes U site), iTunes U does not deal with passwords at all. There is no way to assign a password to an iTunes U course. In addition, iTunes does not give you a way to display a password dialog when a student clicks on a course because Apple does not deal with authentication. In effect, Apple defers authentication to us.
  However…
  You -could- use the same -credential- for every course at your site. This would likely do the very same thing you want to do with passwords. You could assign the credential to everyone who authenticates to your iTunes U portal website. Have you had a chance to explore how credentials work in iTunes U yet?