is there any way to configure cors for an adfs on premise?
Seems like the only option is ssl termination on a loadbalancer and manual adding the needed headers to the response.
ADFS supports federation protocols like SAML and WS-Fed.
Since CORS is not part of these protocols, it is not supported.
Related
I am a novice in SSL working on a Spring web application running directly off of an Apache Tomcat server. It is currently configured to be able to use LDAP (non-SSL) for authentication (this was set up by a previous developer). It also is running over http (also not SSL).
I want to be able to use both LDAPS and HTTPS.
My question is will I be able to use the same certificate to enable SSL for both LDAPS usage and HTTPS usage?
You can use the same certificate if:
you use the same server name in both cases or
if you have a certificate covering both names, with both names listed in the certificate, or
if they have some common domain suffix and you have a relevant wildcard certificate
Remember that certificates are used to prove the identity of some remote endpoint, and it is typically based on the hostname of the endpoint, as shown in some URLs, either for HTTPS or LDAPS.
RFC 6125 describes how identity is checked with certificates. Section 6 for the generic idea, and then appendix B.2 for HTTPS case and B.3 for LDAPS. They both use the name.
I am trying to implement mutual authentication (authentication with x509 client certificates) in Spring Cloud Gateway, but throughout my research, I haven't been able to figure out where to start.
From what I can see, authentication is not handled through Spring Cloud Gateway itself but instead should be done through Spring WebFlux -- please correct me if this is an incorrect assumption. I have found examples of implementing certification authentication through Spring Security, but I have not found any with WebFlux.
Can anyone offer some tips or even some code examples to get me on the right track with this?
You can configure it in src/main/resources/application.yml, e.g.
server:
# for testing or development without SSL certs (HTTP) use an "appropriate"
# non-secure port, e.g. 8080
# for HTTPS use an "appropriate" secure port, e.g. 8443
port: 8443
ssl:
# for HTTP set enabled to false, for HTTPS (with required client certs) set to true
enabled: true
# this is the spring cloud gateway _server_ cert
key-store: /etc/pki/tls/private/server.p12
key-store-password: servercertpassword
key-store-type: PKCS12
# this is the "bundle" of CA intermediate/root upon which the client cert has to
# match
trust-store: /etc/pki/ca-trust/extracted/java/cacerts
# this `client-auth` option is where you *require* mutual-TLS, it can alternatively
# be made optional
client-auth: need
trust-store-password: truststorepassword
trust-store-type: JCEKS
management:
# management port without SSL to allow monitoring/etc. without client certs
# e.g. /actuator/health
server:
port: 8080
ssl:
enabled: false
If you have a set of client certs, a server cert, and trust-store / CA bundle, this is an example of how to configure it in Spring Cloud Gateway.
An X509 PreAuthenticatedAuthenticationToken will be available in your application for successful connections made via mutual TLS, containing the principal/details of the client cert.
You are correct about gateway using webflux where there is no standard authentication mechanism such as spring mvc. The suggested way of authenticating is here:
https://docs.spring.io/spring-security/site/docs/5.2.5.RELEASE/reference/html/reactive-x509.html
I also found the code example here helpful in setting up the application.yml file.
https://github.com/spring-projects/spring-security-samples/tree/main/reactive/webflux/java/authentication/x509
This post may also be helpful:
Authentication by certificate for WebFlux?
This post is not with webflux but is helpful in understanding how to set up certificates:
https://www.baeldung.com/x-509-authentication-in-spring-security
Is possible to use Auth0 server over HTTP intead of HTTPS?
If yes, how to?
If not, why?
(I known the http is sniffeable)
It's not possible.
A secure transport layer is required on all of the communication flows used in the authorization protocols supported by Auth0: OAuth2, OIDC, SAML and WS-Federation. This is to ensure the security of items such as credentials, tokens, and personally identifiable information.
HTTPS is also required on mandatory for the administration Dashboard and every related service. Again, it wouldn't make sense to exchange information used to secure systems over an insecure protocol.
Can client certificates be used for authentication without HTTPS, only over HTTP on Windows IIS platform with ASP.NET ?
I need to authenticate a client using a digital certificate and i can't use HTTPS.
No you can't, at least if the client is a web-browser. Moreover, it doesn't have any sense.
Does WS-Security protocol require SSL for encrypting messages and for authenticating clients using certificates, or is WS-Security protocol independent of SSL and thus it doesn't use SSL to perform the encryption and certificate authentication?
thank you
SSL (and newer TLS) is apparently an alternative to WS-Security so I doubt it to be the case that ws-security requires SSL. http://en.wikipedia.org/wiki/WS-Security#Transport_Layer_Security_.28Without_WS-Security.29
You can encrypt and sign with WS-Security. That said SSL is a much more understood protocol with a very low overhead. SSL/TLS is not computationally expensive any more
So you should consider using SSL first and WS-Security if needed. WS-Security is an option if you use authentication based on security token formats, such as SAML, Kerberos, or X.509.