I have implemented a simple java web application with tomcat realm authentication(Custom FORM authentication). Now, I'm trying to add a second authentication page for the user(two-factor authentication, I'm using Google authenticator). As far as I have referred the Tomcat documentation, we can specify only one login-config.
I tried adding a filter and also tried managing whether the user has finished the Two-Factor authentication manually with session and tokens.
Is there a way to add the second authentication in the web.xml or the server.xml. So, tomcat should handle whether the user has finished both the authentication.
Thanks in advance.
Tomcat only starts one login process. That process may decide to ask the user for more than one credential but tomcat is not aware of it.
So, you should create a filter and/or login servlet that handles authentication for the tomcat container. That filter/servlet (combination) must prompt for all desired credentials.
If you do not use a framework for your application that already has an authentication layer, you are essentially writing your own 2FA implementation.
Related
We've built an internal ODATA API that is hosted on IIS. It's been up and running for some time and everything works as expected.
Now, I have a specific application (Tableau Desktop) that needs to connect to some of the ODATA API endpoints. Tableau Desktop can't use Windows authentication when connecting to ODATA (I'm aware that Tableau Server can), so I thought I would look into a way to override the default authentication.
My problem is this: IIS, being the host, controls authentication to all endpoints using Windows authentication. I want to override the host authentication to allow a user to connect to Tableau using Basic authentication on specific endpoints.
If Windows authentication is enabled at all, it overrules any attempts I make to force Basic authentication.
Is it possible to turn off Windows authentication for specific endpoints/controllers?
I tried doing it by adding these tags, but it doesn't work:
[OverrideAuthentication, OverrideAuthorization]
[Authorize, IdentityBasicAuthentication]
public class ProjectTrackingController : ODataController
The IdentityBasicAuthentication tag is a custom authorization component I put together to check basic credentials. This custom component gets hit every time I make a request, but even though I type my credentials into the browser/Tableau, the request gets passed along with the "Negotiate" header that appears to have a key for Windows credentials. There never appears to be an attempt at authorizing the HTTP request with Basic auth.
There does not appear to be a way to override the parent level authentication as it stands. Since we are authenticating with IIS, the code cannot override the NTLM authentication required by IIS. Even though I added tags for Basic authentication, IIS restricts this at the top level.
We are going to switch to HTTPS (which needs to be done anyway for better security) and then enable Basic auth in IIS rather than NTLM. This should resolve the current issues we are seeing when connecting Tableau.
Good afternoon,
Here I am working on Symfony 4 and on the Symfony Security module.
I need to customize the authentication of my users without using plugins such as Fosuser.
This is for the following reasons:
The user connects to a "main" server (ldap) with his login/password
I need to be able to retrieve his credentials to test his account on other ldap servers in parallel.
When the user is authenticated on the main one, the user is redirected to a page telling him if everything is ok or not on the other servers. In case it is not, he has the possibility to update his account.
But the documentation deals with "simple" cases and here I am a little lost.
I tested several possibilities (authentication with Guard, test of creation of a personalized provider...) without results.
I would need to understand the mechanisms of symfony authentication to create a custom authentication.
If anyone has a lead to guide me, that would be great.
Thank you in advance.
I think you need to divide your action into 2 stages:
Authenticate by LDAP against first server, i.e. with Symfony LDAP Component - this can be done by standard authentication form and FOSUserBundle
When you are already authenticated interact with second server in controller action. This can be done by writing entire code in Controler or in service designed to interact with this LDAP server. You can even use the same Symfony LDAP Component as before, but you will need to configure another instance of service by hand.
HI have the following scenario:
1) i'm authenticated against some aSP.NET web site and my session time out expires in 24 hours.
2) after several time I would like to run query against asp.net Web Service located on the site using existing authentication.
What should I add to cookie Container? I how do sent existing cookie to Web service?
Thank you in Advance.
Danny.
A web service call is just an http call so it will come under the existing authentication.
I am assuming here that you are issuing this from the browser?
If not - e.g. if you are doing it from a console application, then you will have to interact with the site as if you were a user. Some more details are her http://www.ksingla.net/2006/08/sample_forms_authentication_test_in_csharp/
Basically you need to issue a post to login to the login page - track all of the cookies etc - and then start issuing your WS calls with those cookies.
Another option is here http://en.gli.sh/Blog/post/NET-Interoperability-Between-Smart-Client-and-Internet-Explorer-Using-Cookie-based-Authentication.aspx which is reading the correct cookie info from the windows machine you are on - relies on you being logged into the website and also trusted to be able to get to that file.
Alternatively you can look into implementing WSE or WCF solution.
I'm getting a 401 (access denied) calling a method on an internal web service. I'm calling it from an ASP.NET page on our company intranet. I've checked all the configuration and it should be using integrated security with an account that has access to that service, but I'm trying to figure out how to confirm which account it's connecting under. Unfortunately I can't debug the code on the production network. In our dev environment everything is working fine. I know there has to be a difference in the settings, but I'm at a loss with where to start. Any recommendations?
Have you looked in the IIS logs?
I would also recommend looking in the Security event log on the server for authentication failures. You should find a footprint of the failed authorisation attempt here. Be warned though - it is not unusual to get 10s of security events a second, so ideally you need to be able to access the event log as the requests are failing.
If you do not specify which credentials to use in your ASP.NET page when you instantiate the web service then I believe it defaults to NT_Authority\Anonymous.
If you're using System.Net.CredentialCache then your web service needs to be in a trusted domain, accessed over HTTPS and using either NTLM, Kerberos or Digest Auth otherwise it does not pass the credentials from the cache.
http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx
http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultnetworkcredentials.aspx
http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx
Perhaps the production server uses a different user for its application pool than your dev environment? I once spent a day figuring that one out. Another option would be the (lack of) impersonation in the web.config
I am in the process of writing an application that will need multiple forms of authentication.
The application will need to support authentication to Active Directory, but be able to fail back to a SQL Membership Provider if the user is not in Active Directory. We can handle the failing to the SQL Provider in code based on the username provided because the username will be a different format than the Active Directory username.
Is this even possible? What I mean is, can I use membership and use both ActiveDirectoryMembershipProvider and SqlMembershipProvider together or will I have to roll my own?
Another additional added complexity is that I would like to automatically authenticate my internal users based of Windows Authentication back to AD, but use Forms Authentication for users not on our internal network, or users that are using the SQL Provider.
These will most likely be separate servers, one internal, and the other external so I have a lot of planning to do to figure out the data replication, and how I will authenticate the AD users if they hit the outside server etc.
I am wondering what thoughts are out there as I start down this road. Is what I am wanting to do even possible without me rolling my own, or is there a way to mesh these together?
Thanks for the reply.
The reason I asked originally was because I was able to get this specific senerio working about 7 years ago using IIS to authenticate and then passing back the credentials to a Lotus Domino Server Web App. If the user was not authenticated via the Windows Authentication/ISS then Domino would handle the authentication. This was what I was looking to do here, but really couldn't think of a way to make it work in IIS.
As for the rest of your reply, I think you are on to the way that I will need to take. I have thought this through and tossed it around in my head a lot. The application will be somewhat different on the two servers anyway since there is going to be limited access to the data on the external server anyway. The fact that so much is going to be different already I may just treat these as two applications, thus negating the need to use two types of authentication in the same application anyway.
I am playing around with the idea already of writing my own authentication/login window for the external server, and if the user trys to log in with their AD credentials on the external server I will be able to detect that and redirect them to the internal server. If they are not on the local network or VPN'd in they will simply not get access. This part still has some thought process to go though so I am not sure.
As an additional thought - is there a way to pull just enough of AD into a SQL database to allow me to authenticate users to the SQL database from the external server using their AD credentials, without creating any security issues? I hope I am clearly typing what I am thinking....
Thanks again!
Tim
This is the way I've handled a similar situation based on this info:
Configured the application to use Forms authentication.
Set the LoginUrl to a page called WinLogin.aspx.
In WinLogin.aspx, use Request.ServerVariables["LOGON_USER"] to get the username then call FormsAuthentication.RedirectFromLoginPage( authorizedUserName, false ) to log them in. I guess you can manually check Active Directory as this point as well.
Create an html page that redirects to a page called Login.aspx
Login.aspx is your standard username/password login.
In IIS, Enable Integrated Authentication and Anonymous on the entire site, but deny anonymous access to WinLogin.aspx.
In IIS, set your 401 errors to the page created in step 3.
What basically happens is that when an unauthenicated user hits the site, they're redirected to WinLogin.aspx. Since anonymous is turned off, integrated security makes a check. If that passes, your custom code in WinLogin can run. If the integrated security check fails, a 401 error occurs. Your custom 401 page redirects to Login.aspx where the user can log in using their username and password with the SQL provider.
As far as I know, Web Applications are configured to use either Windows Authentication or Forms Authentication, but not both. Therefore, I do not believe it is possible to automatically authenticate internal users while requiring others to enter a username / password.
You could authenticate to Active Directory or a SQL user store via Forms authentication by using a custom provider. However, the AD users would still need to enter their username and password. Although I've never combined these two methods, I have used Forms authentication to authenticate against both sources at one time or another.
With that said, I think you may want to consider reducing the "flexibility" of your system. If you have an external facing server and an internal facing server, you could simply change the provider configuration on each copy of the application to go against a different source. Then, you could configure the internal one to use Windows (automatic) authentication and the external one to use Forms authentication.
IMHO, I believe that internal users should not be using the external server to access the application. If they are, they should have a user account stored in SQL, completely separated from their AD account. Basically, when someone accesses the application externally, they are acting as an external user, irregardless of their physical location.
Well, it is possible to use ActiveDirectoryMembershipProvider and SqlMembershipProvider, but this requires you design your log on page with your own code instead of the Login controls.
About the mix authentication (Windows and Forms), as far as I know only IIS 7 makes it easy and clean. See this post for details,
http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx