Enabling CLIENT-CERT and FORM authentication in same web-app

Hi!
I am trying to enable the same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define several <auth-method>s in web.xml, for example <auth-method>CLIENT-CERT,FORM</auth-method>, which states that one first tries authentication with a token (Single Sign On case, for example) and, if that is not successful, goes to the log-in page).
My steps are as follows in my custom Servlet. We are using IE 6.0 as our web client. We have configured our auth-method to be FORM, and in the <form-login-page> we point to that custom Servlet, which does the handling described below.
1. If the client does not send tokens in the request, then set the response header:
response.setHeader("WWW-Authenticate", "Negotiate");
// 401 with the Negotiate challenge; SC_UNAUTHORIZED is a static constant of HttpServletResponse
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
This works fine and the client starts to send its tokens.
2. Now check the token; if it is valid, let the user in, if not forward him to the custom log-in page, for example:
RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
dispatcher.forward(request, response);
3. The client is forwarded to the log-in page as requested and gives his credentials. Pushes OK.
The log-in page is as defined in edocs:
<form method="POST" action="j_security_check">
     <table border=1>
          <tr>
               <td>Username:</td>
               <td><input type="text" name="j_username"></td>
          </tr>
          <tr>
               <td>Password:</td>
               <td><input type="password" name="j_password"></td>
          </tr>
          <tr>
               <td colspan=2 align=right><input type=submit value="Submit"></td>
          </tr>
     </table>
</form>
Now the interesting thing happens (I have investigated the TCP traffic at the server machine): the client (in this case IE) seems to somehow override the credentials (it does not send j_password and j_username in the HTTP request at all) but keeps on sending this 'Authorization' field with the invalid token instead.
I have tried a Servlet that does not request WWW-Authenticate at all (in which case the client does not start to send the 'Authorization' field). In this case those values are put into the HTTP request OK and authentication is able to take place.
Does anyone have any ideas how I can force my clients to send those values from the HTML FORM described above? Should I set something in the response while I do the forward to the custom log-in page? I have tried virtually everything I can imagine (which seems to be not too much :-))...

Solution found:
The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
In your web.xml, forward your 401 code to the login page:
<error-page>
<error-code>401</error-code>
<location>/form_login_page.html</location>
</error-page>
There might be a more straightforward way to do this (have all the page management within the servlet), but I did not have time to investigate it further. This one at least works.
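An added example, not code from the original thread, of a login-page servlet implementing the flow above: it challenges with Negotiate once, validates a presented token, and on failure answers with a bare 401 so the web.xml <error-page> mapping delivers the FORM login page. The class name, the sso.principal session attribute and the validateToken() hook (a single-round GSS-API accept that assumes the server's Kerberos acceptor credentials are already available, e.g. through a JAAS login) are assumptions of this example.

```java
import java.io.IOException;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

// Added example, not from the original post. This servlet is the
// <form-login-page> target; web.xml maps <error-code>401</error-code>
// to /form_login_page.html, whose form POSTs to j_security_check.
public class NegotiateThenFormServlet extends HttpServlet {

    private static final String SCHEME = "Negotiate ";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String authz = req.getHeader("Authorization");

        // Step 1: no token yet, so send the challenge once. A browser holding
        // a Windows logon context retries with "Authorization: Negotiate ..."
        // before it would render the 401 error page the container generates.
        if (authz == null
                || !authz.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            resp.setHeader("WWW-Authenticate", "Negotiate");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 2: a token arrived; validate it.
        String principal = validateToken(authz.substring(SCHEME.length()).trim());
        if (principal != null) {
            // Accepted: remember who the SSO token identified and continue.
            // Binding this to the container's security context is
            // deployment-specific and not shown here (assumed attribute name).
            req.getSession(true).setAttribute("sso.principal", principal);
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }

        // Step 3 (the fix from the thread): token present but invalid.
        // Answer with a plain 401 and NO WWW-Authenticate header. With no
        // challenge to answer the browser stops re-sending the Negotiate
        // token, and the 401 <error-page> serves the FORM login page, so
        // j_username/j_password finally reach the server.
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    // Hypothetical hook: accept the base64 SPNEGO token via GSS-API and
    // return the client principal, or null when it is not acceptable.
    protected String validateToken(String base64SpnegoToken) {
        try {
            byte[] token = Base64.getDecoder().decode(base64SpnegoToken);
            // null credential = default acceptor credentials (assumed present)
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                return null; // multi-round exchanges are not handled here
            }
            String name = ctx.getSrcName().toString();
            ctx.dispose();
            return name;
        } catch (IllegalArgumentException | GSSException e) {
            return null; // malformed or rejected token counts as invalid
        }
    }
}
```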

Similar Messages

  • I want to run IIS and Form Server on same machine

    Dear follows
    I have a problem. The problem is that I want to run IIS and Forms
    Server on the same machine but I am facing some problems, so please
    inform me of the right procedure to run these services on the same machine;
    currently I am using Windows NT.
    My second problem is that I want to send email via Oracle
    Reports. The actual situation is that I have an Oracle report and I
    want to add a button, and behind this button I want to add a trigger
    to send this report as an email to the client in txt/html format.

    There shouldn't be any problem running both forms server and IIS
    on the same machine. Just make sure the ports that are used are
    different. IIS's default port is 80, so either change this port
    number or change it for the Forms server's web listener.
    You can send reports to email if you use DESTYPE=MAIL.

  • Infrastructure and forms server into same machine

    Dear friends,
    I am facing a strange problem.
    I installed 9iAS (9.0.2.0.1) infrastructure and Forms server on the same machine;
    after successful installation it is mentioned that the infrastructure will run on port 7777 and Forms on 7778,
    and just after installation it works on these ports, but when I restart the system the port of the infrastructure changes and it is 7779.
    Now if I run Forms it gives internal error 500;
    then I stop first the infrastructure HTTP server, then the HTTP server of Forms,
    and again first start the infrastructure HTTP server, then the Forms HTTP server;
    now again the infrastructure server port is 7779 (instead of 7777),
    but now my Forms work properly.
    Every day I do this job, but sometimes this method fails and then I have to install the server again and repeat the above-mentioned job.
    Please help me.
    With regards
    Siddharth Singh
    [email protected]

    Mid-tier listens on a lot of ports. On a std install (with both Infra and Mid-tier) Web-cache listens on port 7778 "in front of" httpd for OHS on 7779. So perhaps you forget to start web-cache? (run from BI home: webcachectl)
    Perhaps the problem with Forms is related to X Toolkit?

  • SharePoint 2013 Multiple authentication prompts for web apps

    We have multiple web apps for MySite, collaboration portal and search centre. When users click on different URLs and access different portals, non-IE browsers prompt for credentials multiple times for each web app.
    Is this something to do with Kerberos delegation set-up?
    http://technet.microsoft.com/en-us/library/ee806870(v=office.15).aspx
    sudesh withanage

    This is basically the way it's designed to work. Kerberos will help with authentication between different site collections on the same web app, but not different web apps. Since you have multiple web apps, Kerberos delegation of credentials does not apply. It only happens on non-IE browsers because IE can be set to pass the OS credentials in the background by default. For other browsers you normally have to save a web site's credentials.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • BASIC_PLAIN and CLIENT-CERT for SAML2 authentication

    Hi,
    I recently managed to set up kerberos on weblogic 10.3.5 using the negotiate provider so that I can log in to the console automatically with my windows authentication token.
    I also have saml2 IDP set up on the same weblogic server for logging in to Salesforce.
    I was hoping that I could configure weblogic to automatically log me in to Salesforce as well. The weblogic saml2.war file in WL_HOME/server/lib contains a web.xml file and I changed the login in this from BASIC_PLAIN to CLIENT-CERT. However, when the call is made to /saml2/idp/login I get a 403 authorization denied message back. The debug seems to indicate that the browser did not return a SPNEGO type token. If I revert back to BASIC_PLAIN I can log into Salesforce again, but only after entering my credentials in the basic auth window.
    I wondered if anyone might have any tips to solve this?
    Thanks,
    Ed.

    Hi,
    Maybe the links below will be helpful.
    Check the following links; you will get all the information about the security options...
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
    Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Also find some information in these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
    /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
    Step by step guide for SSL security
    step by step guide to implement SSL
    Please go through the links below for reference (the above information is from the links below)
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
    General guide
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
    Message level security
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Regarding message level, you can encrypt the message using certificates.
    For both of these the Basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.
    Generally, if the scenarios are intra-company we don't use any transport level or message level security since the network is already secured.
    Thanks
    Swarup

  • Web App Security Fallback (client-cert then form-based)

    Can you setup a web application to fall back to form-based login if the
    client-cert (i.e. identity assertion token) is not available. I think this
    would be very valuable because once you've configured the web app to use the
    "client-cert" authentication, you can't access the web app directly (i.e.
    browser->weblogic server). You will always need to go through the perimeter
    authenticator so the token gets sent.

    Solution found:
    The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to the login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within the servlet), but I did not have time to investigate it further. This one at least works.

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know if it is possible for machine authentication and user authentication to happen at the same time. Something like this...
    Condition
    IF ( wired_802.1x AND AD:externalgroup EQUAL domain computer AND AD:externalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically I am trying to check that a machine is part of the domain and the user is valid; only then should he be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x AND AD:externalgroup EQUAL domain computer AND AD:externalgroup EQUAL Some_domain_user_group )
    - Not possible
    As user and machine authentication occur in different contexts,
    ACS cannot verify both at the same time.
    Using MAR, you can, though, club both together and achieve:
    "machine is part of the domain and the user is valid; only then should he be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and one for machine (identify them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful

  • How to enable Client Cert Required, only for certain URL's in the webserver

    We are using Netegrity SiteMinder for authentication and their plugin is executed as an AuthTrans function. If I enable clientauth in server.xml (which is basically turning on "client cert required" for the entire site), everything works fine. But if I want to turn that on only for certain URLs, how do I do that?
    I tried turning global clientauth off in server.xml and tried using PathCheck fn="get-client-cert" in obj.conf for the URLs that need a client cert, but the problem is AuthTrans is getting executed first and my Netegrity plugin is throwing an error saying it can't find the cert.
    What are the different options to enable "cert required" only for certain URLs?
    Thanks

    What is the condition you want to match?
    You can use get-client-cert in If tags in Web Server 7.0:
    For example, if the condition is matched, this gets a cert, requesting it if it is not already present and failing the request if it can't obtain an acceptable cert, only on POST requests.
    <If $url ~="*abc*">
    PathCheck fn="get-client-cert" method="POST" dorequest="1" require="1"
    </If>
    or
    <Object ppath="*abc*">
    PathCheck fn="get-client-cert" dorequest="1" require="1"
    </Object>
    for more details :
    http://docs.sun.com/app/docs/doc/819-2630/6n4thbiek?a=view#indexterm-380

  • XI 3.1 Client Tools and LDAP Authentication

    I have Business Objects XI 3.1 SP2 installed.  For the web clients (InfoView) single sign on and LDAP authentication are working correctly.  However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
    [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
    Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

    Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
    Take a look at note 1272536 (http://service.sap.com/notes)
    Regards,
    Stratos

  • How to get the identity claim encoding types of windows and forms authentication providers using API?

    Hi,
    We have to get all the claims providers associated with a web application and its identity claim encoding type using API.
    For example:
    If the identity claim of windows authentication is user name and the user name is a string, then we should get
    "i:0#.w".
    If the identity claim of forms authentication is
    email and the provider name is "fba" , then we should get "i:0!.f|fba|".
    The below link shows us to get all claims providers associated with a web application, but how do we get the identity claim encoding type of each provider?
    http://msdn.microsoft.com/en-us/library/gg650432(v=office.14).aspx#SP_WCP_Tip3
    using (SPSite theSite = new SPSite("http://someContosoUrl"))
    {
        // Get the web application.
        SPWebApplication wa = theSite.WebApplication;
        // Get the zone for the site.
        SPUrlZone theZone = theSite.Zone;
        // Get the settings that are associated with the zone.
        SPIisSettings theSettings = wa.GetIisSettingsWithFallback(theZone);
        // Get the list of authentication providers that are associated with the zone.
        foreach (SPAuthenticationProvider prov in
            theSettings.ClaimsAuthenticationProviders)
        {
            // Need to get the identity claims encoding type using the SPAuthenticationProvider
        }
    }
    Is windows authentication's identity claim encoding type always "i:0#.w", or is the identity claim always the user name?
    Thanks & Regards,
    Kalai.

    If the requirement is to be able to convert claim identities to windows identities that can be used with other LOB/legacy applications that still rely on NTLM/Windows Auth, then I would recommend exploring C2WTS.
    Here are some references:
    http://msdn.microsoft.com/en-us/library/office/ee539739(v=office.14).aspx
    http://blah.winsmarts.com/2013-11-Use_C2WTS_to_get_a_classic_windows_identity_from_a_claims_identity.aspx
    http://henrymcclain.blogspot.in/2013/05/claims-to-windows-token-service-c2wts.html
    http://blogs.msdn.com/b/rodneyviana/archive/2011/02/20/claims-to-windows-token-service-c2wts-may-not-start-automatically-when-you-reboot-your-server-don-t-blame-sharepoint-for-that.aspx
    http://blogs.msdn.com/b/russmax/archive/2010/05/27/understanding-sharepoint-2010-claims-authentication.aspx
    Thanks!
    These postings are provided "AS IS" with no warranties, and confers no rights.

  • Client 32x and 64x instalation in same server

    Hi all.
    I have a Windows Server 2008 R2 64x with Oracle DB 11.2.0.1.0 64x and client 64x correctly installed and working
    I need to install the 32x client because some applications require it.
    Can someone help me with this case
    Thank you
    Carlos

    Carlos Codriansky wrote:
    > Hi all.
    > I have a Windows Server 2008 R2 64x with Oracle DB 11.2.0.1.0 64x and client 64x correctly installed and working
    The database install included the client software. No separate installation was needed.
    > I need install the client 32x because some applications require.
    Good architecture would not put the application on the same server as the database. And if the application is on a different server, it doesn't matter what client software is on the database server.
    > Can someone help me with this case
    If you are determined to run the app on the same server as the database, and that app needs a 32-bit client, then install the 32-bit client. Install it under the same ORACLE_BASE but in a different ORACLE_HOME.
    Hint #1: when installing on Windows, Oracle wants to use an ORACLE_BASE that includes the name of the currently logged on user, like "c:\app\estevens". This is absurd. Override it to "C:\app\oracle".
    Hint #2: name the HOME in such a way that you will know if you are looking at the 32-bit vs. the 64-bit home: c:\app\oracle\product\11.2.0\client_32 and c:\app\oracle\product\client_64.
    Hint #3: Lose Windows. Get a real operating system.
    > Thank you
    > Carlos
    But if you are determined to go with this architecture, all you have to do is ins

  • Is strong 2FA with client cert and AD using AnyConnect possible?

    Is it possible to configure AnyConnect to require a client cert that matches the AD username?  Which attribute should be used?  Common name (CN) or something else?  Can anyone point me to the appropriate documentation on setting up this configuration?
    Thanks in advance!

    Jaime, 
    If you want binary comparison of the certificate, I believe it's only possible with EAP methods.
    That being said, you can extract multiple things from the certificate to be used as the authentication username.
    Have a look at this doc 
    http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html
    It shows a couple of different ways to do this on ASA.
    On IOS, I'd suggest looking at FlexVPN feature. 
    M.

  • Webservices and forms authentication

    Hello,
    we have a JSF web application that uses forms authentication (using ProgrammaticLogin).
    Now we want to provide some webservices that need authentication too, because only registered users should be able to use the webservices.
    Is there a way that the webservices can use the same authentication system as the webapp?
    Or should we split it into different applications?
    Thanks
    Dirk
    Edited by: Freak.2k on Mar 1, 2009 11:35 PM

    You need to make a different mechanism for authentication in web services, as they are supposed to be consumed by another application, not by a human being.

  • Flex 1.5 and 2 application in same web context

    Has anyone been able to deploy both a Flex 1.5 and Flex 2
    application (using FDS2) in the same web context? Or is this not
    possible?
    Thanks,
    Darcy

    Please remember that importing MPEG-2 video files has a hidden Gotcha included.
    What might not need to be transcoded again in one project may well need to be retranscoded in another one, as it is going to depend on how full the project is.
    To try & be more specific, imagine this situation:
    Project 1:
    Import a 90 minute MPEG-2 file encoded with a bitrate of 6Mb/sec.
    This would not need to be retranscoded as long as the audio is going to be Dolby Digital. If you want PCM, then it would have to be retranscoded.
    Project 2:
    Same Video file at the same bitrate.
    Additional clip around 15 minutes long also.
    The first clip will have to be retranscoded, as its existing bitrate is too high to fit onto a single layer disc.
    Do you see what I'm getting at?
    If an MPEG file has to be retranscoded, you are getting a dreadful quality drop at this point, as you must recompress an already heavily compressed file.
    The best solution is to use AVI wherever possible, and if you must use MPEG video, make very certain that the bitrate is correct and will not need to be retranscoded.
    Bottom Line:
    The same files in the same projects with the same assets in both 1.x and 2.0 will be treated in the same way. If one does not need to be retranscoded, neither will the other one.
    (Unless you have set a low limit on the default "maximum bitrate" preference. Setting a maximum of 7Mb/sec there, and importing an MPEG encoded at 7.5Mb/sec will naturally retranscode the file.)

  • Possible to have two login configs in same web app?

    Sorry for not having tried this first, my server and webapp are in a state
    of flux at this moment, but I wanted to see what the consensus is out there,
    not just whether I can or cannot make something work quickly.
    If I have two types of things that might be called in my Web App (WAR) in
    different ways (eg, browser accessing via HTTP by users that want to login
    via pretty forms, and SOAP clients that may access functionality through the
    same servlets (but with alternate Servlet Path Info after the servlet name
    in the URL)), is there ANY way I can have multiple login configs, each tied
    to a different security constraint within that web app?
    In other words, with a servlet of /frazzleblitz and security constraints
    like:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Foo</web-resource-name>
    <url-pattern>/frazzleblitz/doFooBar</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>FoobarBrowserUsers</role-name>
    </auth-constraint>
    </security-constraint>
    and the SOAP constraint (for all users of incoming SOAP requests):
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Foo</web-resource-name>
    <url-pattern>/frazzleblitz/doFooBar</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>FoobarBrowserUsers</role-name>
    </auth-constraint>
    </security-constraint>
    where my frazzleblitz controller knows whether the incoming request is
    browser vs SOAP based by the path info after the servlet name
    Can I associate the first security constraint with a FORM based login
    config, and the second security constraint with a BASIC AUTH login config
    since I could in theory require SOAP clients to send in credentials in a
    HTTP BasicAuth header, but I can't expect a SOAP client to be HTTP
    Redirected to a login form and then to enter the right credentials into a
    user type form and then be redirected back to an app...
    Seems to me the J2EE Security spec is really lacking in the area of
    programmatic authentication (allowing my SOAP code to get credentials out of
    the request envelope and call an API to login myself). Yeah, WebLogic has
    the ServletAuthentication weak() API, but these apps need to be J2EE
    compliant and work across J2EE servers... Anybody know of any improvements
    coming in the J2EE security space to address such functionality needs?
    Thanks in advance
    Mike

    Sorry, hit send accidentally before finishing the second security
    constraint - I've fixed it up below to reflect what I meant...
    "Mike" <[email protected]> wrote in message
    news:[email protected]...
    Sorry for not having tried this first, my server and webapp are in a state
    of flux at this moment, but I wanted to see what the consensus is out there,
    not just whether I can or cannot make something work quickly.
    If I have two types of things that might be called in my Web App (WAR) in
    different ways (eg, browser accessing via HTTP by users that want to login
    via pretty forms, and SOAP clients that may access functionality through the
    same servlets (but with alternate Servlet Path Info after the servlet name
    in the URL)), is there ANY way I can have multiple login configs, each tied
    to a different security constraint within that web app?
    In other words, with a servlet of /frazzleblitz and security constraints
    like:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Foo</web-resource-name>
    <url-pattern>/frazzleblitz/doFooBar</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>FoobarBrowserUsers</role-name>
    </auth-constraint>
    </security-constraint>
    and the SOAP constraint (for all users of incoming SOAP requests):
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Bar</web-resource-name>
    <url-pattern>/frazzleblitz/doSOAPRequest</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>SOAPUsers</role-name>
    </auth-constraint>
    </security-constraint>
    where my frazzleblitz controller knows whether the incoming request is
    browser vs SOAP based by the path info after the servlet name
    Can I associate the first security constraint with a FORM based login
    config, and the second security constraint with a BASIC AUTH login config
    since I could in theory require SOAP clients to send in credentials in a
    HTTP BasicAuth header, but I can't expect a SOAP client to be HTTP
    Redirected to a login form and then to enter the right credentials into a
    user type form and then be redirected back to an app...
    Seems to me the J2EE Security spec is really lacking in the area of
    programmatic authentication (allowing my SOAP code to get credentials out of
    the request envelope and call an API to login myself). Yeah, WebLogic has
    the ServletAuthentication weak() API, but these apps need to be J2EE
    compliant and work across J2EE servers... Anybody know of any improvements
    coming in the J2EE security space to address such functionality needs?
    Thanks in advance
    Mike
