We want to use URL as a datasource in JRXML inside JasperStudio, which requires HTTP authentication. Hence, we are using DataAdapter for invoking the URL & getting the data. As per our understanding, DataAdapter supports only basic HTTP authentication. But due to security concerns, we don't want to use dataadapter with basic HTTP authentication.
Please let us know if Jasper has any advanced authentication mechanisms while using a URL as a data source.
Related
There are multiple requests being passed in signing in of the application since its using Sitefinity - Azure AD B2C Authentication and there are some values being passed in each requests such as nonce, state properties, id token etc. The workflow is quite complicated when having a peek into the values/token being passed across the requests of login. Though I have created/tried with all the values that are getting as the response of previous requests, still the login is not happening. Also, I went through some documents of B2C authentication with Sitefinity and its architecture and I got to know that the token being generated by the Sitefinity is an internal process and the response of that token cannot be fetched from a previous response/ client side.
Workarounds that I did:
Integrated selenium into Jmeter and automated the login scenarios and stored the cookie generated. Then used these cookie and token in following internal requests- This approach worked fine.
Hardcoded a live cookie in Cookie Manager and send the internal requests - This also worked fine.
I am wondering if there is any other possibilities in logging in because the above two methods are not reliable in long run. Anyone have idea about generating the token id locally and pass that to JMeter. for example creating a .exe file which generates the Sitefinity token.With this we will be able to pass or execute the .exe file in OS Process Sampler in Jmeter and fetching the token from its response.
Or
Any other approach?
I assume you are using the OpenIdConnect authentication provider that is built into Sitefinity?
So, basically when a user clicks on the Login button, he is being redirected to:
/login/LoginExternalProvider/OpenIdConnect/
Here Sitefinity replies with a redirection to:
/Sitefinity/Authenticate/OpenID/connect/authorize?client_id=sitefinity&....
which in turn redirects to
/Sitefinity/Authenticate/OpenID/login?signin=....
and this finally redirects to the external authentication provider.
(yeah, it is a complex workflow).
So, if you try to load test only the first request (/login/LoginExternalProvider/OpenIdConnect/) - wouldn't it then follow the redirect responses automatically (sorry, not familiar with jmeter)?
Those responses contain the correct cookies that Sitefinity has created, etc.
As per Sitefinity documentation:
Sitefinity CMS uses claims authentication, implemented on top of IdentityServer3, certified by OpenID Foundation. It allows implementing single sign-on and access control for modern web applications and APIs. It uses OAuth2 and OpenID Connect protocols.
Standardized authentication, based on OpenID Connect with JWT, certified IdentityServer3.
Given you're capable of logging in using your browser - you can replicate the same requests using JMeter's HTTP Request samplers, it's just a matter of correlation - the process of extracting the dynamic data from the responses and using them in the next requests.
You can refer OpenID Connect - How to Load Test with JMeter article for example JMeter script implementation
I am using ADFS 2.0 and WIF to authenticate and authorize my users to an ASP.Net MVC 4 application, WebAppA. WebAppA uses WebClient.DownloadString(url) to call another WebAppB and I would like to pass the delegated user's credentials to WebAppB to retrieve customized content for the user.
I see several examples of a web application calling a WCF service using CreateChannelActingAs, but this is not quite my situation.
Is there a way for WebAppA to retrieve the ActAs (or OnBehalfOf?) token for WebAppB and pass it with WebClient to WebAppB? I have seen a few possibilities, including the "bearer" Authorization header and inserting a cookie into the headers, but I don't quite understand these examples and it seems like something's missing, like how to use the BootstrapContext from WebAppA to retrieve and serialize the token for WebAppB.
Thanks for any help!
--Mark
Yes, you could have WebAppA call the STS and request an ActAs token for WebAppB, using the original token (the one intended for WebAppA) as the input, but this is normally used for web services (and it might be overkill). Looks like you are just GET'ing a page from WebAppB. Why not just use basic auth, SSL and pass a parameter of the user making the request? (in essence using a trusted subsystem approach).
I have an ASP.NET web service that I can access via a windows program but now I want to secure the web service. I can secure the web service using forms authentication. How do you access the secured web service from a windows forms application?
Although this is not the right approach, tt is theoretically possible to use forms authentication in the manner you describe. This could be accomplished by either:
Using a WebRequest to send your requests in raw form to the web service. This will involve inspecting the response, extracting the relevant forms-authentication fields, and sending a response back which logs the user in. This will generate a cookie which you must send along with each subsequent response to the service
Generate the FormsAuhentication authentication cookie yourself. This is complex as it involves synchronising the machine key on the calling application, and artificially manipulating the headers being sent to the machine hosting the service.
Display the forms-authentication form for the user to log in to at the beginning of a session requiring interaction with the web-service. You can then harvest the generated cookie and present it to the service in HTTP headers as in option (2).
As you can see, these methods are highly complex, and are fundamentally a hack to use forms-authentication where it was never intended.
Microsoft intended us to use either Windows authentication, or SSL certs to secure access to ASP.NET web services. See HTTP Security and ASP.NET Web Services on MSDN.
If you are able to use WCF, then a few more options present themselves, including the ability to build a custom authentication mechanism into the SOAP, with some support from WCF.
For the most part, securing web services is one of the trickiest parts of the job. Many live solutions which I have seen are compromises such as the ones above.
It seems the answer is no. Forms authentication is a cookie-based mechanism, and your WinForms app won't be able to hold and relay the cookies (without some serious workarounds, if at all).
A potential workaround that I wrote up when researching your question attempted to use a NetworkCredential object, but that didn't work. Also tried was the ClientCredentials in .NET 4.0.
var ss = new MySecureWebService.MyServiceSoapClient();
ss.ClientCredentials.UserName.UserName = "abc";
ss.ClientCredentials.UserName.Password = "123";
string asmxReturn = ss.HelloWorld(); //exception returned here
The console app was still presented with the login html page when calling the webmethod.
Other Suggestions
If you have the source to your web service, extract its logic out into an assembly of its own. Reference that assembly in your WinForms app, and it's just as if you're calling the web service.
I understand that your goal is to reuse the app that's deployed, but the next best thing would be to use the same logic/implementation via .dll reference.
This might help: http://dotnetslackers.com/articles/aspnet/Securing-ASP-Net-Web-Services-with-Forms-Authentication.aspx.
I have one VS application named Dotnetpanel, which provides a lot of webservices.
I created another another VS application say TestModule in which I need to create the webservice client. But when I try to create a client and call the webservice in TestModule, an error occured"The request failed with HTTP status 401: Unauthorized." From one of articles I have read that
DotNetPanel API implemented as a set of SOAP Web Services.
Requirements:
WSE 3.0 or Basic Authentication
****Each API call should have user’s credentials provided****
Basic Authentication:
For interacting with DotNetPanel API you should use Basic Authentication. DotNetPanel recognizes “Authorization” header with the user credentials provided in the following format: username:password.
So my question is I have a user credentials which can pass to the TestModule and after that how can I call the DotnetPanel webservices from the TestModule with Basic Authentication.
Regards
Fenix
Sounds to me that you have to send those credentials as a parameter to the web service.
Try to call the web service url to see its methods. When calling to the web service directly from the browser, you have to be able to see a list of methods, then search for the method you're trying to use and click on it. You'll see the SOAP request and response definitions. You can take a look at what parameters is the web service expecting. I think if it asks you for credentials, there has to be a couple of param for that there.
Hope it helps.
I am confused about authentication with BlazeDS. Most of the few examples I have found for authentication and authorization in BlazeDS and consequently Java Servlets in general make use of HTTP basic and digest authentication and realms for authorization. These examples are very simplistic and involve XML files with the user credentials rather than using a database. My past experience in web applications used form based logins and sessions for authentication and authorization, but I am not sure how to do this with Flex apps with BlazeDS backends.
What I want to do is have some way to access some service on the backend to handle authentication like an HTML form and some way to store session data in a cookie for authorization, but I am having trouble finding relevant details using cookies in BlazeDS and Flex applications.
If HTTP authentication with either basic or digest authentication is the best way, then is there any resource to find out how to authentication users with the credentials stored in the database rather than an XML file?
I am not particularly interested in web frameworks since I would like to understand how to authenticate/authorize users with a plain Servlet and BlazeDS.
Authentication with BlazeDS and Flex is no different than with traditional web apps. Flex uses the same networking stack as the browser. So just follow instructions for securing your app server and then it should just work. If you want to have the login form in Flex then you can just send the credentials to j_security_check (for form based auth). Alternatively you can call login on the channelSet. Spring Security and Spring BlazeDS Integration M2 makes this very easy. Check out the Test Drive for a great sample (the usernames and passwords are still in an XML file but you can easily following the Spring documentation to move those to a database or LDAP server).