Having client authentication set up on jBoss 7, I'd like to get access the client's certificate form inside an EJB, or inside a login module.
Is this possible?
Thanks
In case there is a servlet request (from JSF or ServletFilter) you can do:
ServletRequest servletRequest = (ServletRequest) facesContext.getExternalContext().getRequest();
X509Certificate[] x509Certificates = (X509Certificate[]) servletRequest.getAttribute("javax.servlet.request.X509Certificate");
Related
Via ASP.NET I have created a startup file that will use Azure AD to log in a user
e.g.
public void Configuration(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
{
ClientId = "42067b8d-b972-44e9-af86-ef60bc6d6fdb",
Authority = "https://login.windows.net/...com",
RedirectUri = "http://localhost:50560/content/story_html5.html",
PostLogoutRedirectUri = "http://localhost:50560/content/story_html5.html",
Scope = OpenIdConnectScope.OpenIdProfile,
ResponseType = OpenIdConnectResponseType.IdToken
});
}
And as you can see my RedirectUri in hitting a static file html file.
On my app registration in Azure portal my manifest for the replyUrls states
"replyUrls": [
"http://localhost:50560/content/story_html5.html"
],
So everything is working and connecting correctly.
(if I use a aspx for example the redirection would work)
However using the .html file I'm getting the error
HTTP Error 405.0 - Method Not Allowed
The page you are looking for cannot be displayed because an invalid
method (HTTP verb) is being used.
All I believe I need to do is add the html handler to Azure AD, does anyone know how to do this?
Thanks
This has nothing to do with Azure AD, but your configuration. Your end. Your Project. Your IIS config. Because sign-in response is a HTTP POST for security reasons. And static files handler in IIS does not accept anything beside GET for obvious reasons.
More information you will find here and there.
First, why would you want to redirect to a static page?! With the redirection after OIDC login, the IdP (Identity Provider, understand Azure AD in that case) sends valuable information which is needed by the OIDC middleware (understand the .UseOpenIdConnectAuthentication method) to be able to verify the token and initialize user session. By sending the sign-in response back to a static page you accomplish couple of things:
You cut out the OIDC middleware from the authentication - it is no longer able to process the response. Because it will not listen on static file requests. Static files are processed outside your OWIN authentication middleware.
Thus not able to verify authenticity of the user.
Thus not able to create secure cookie.
Thus not able to sign-in the user into your application.
Conclusion
Do not change the reply URL for your ASP.NET middleware, unless you explicitly and knowingly want to override the complete handling of sign-in responses.
I'm currently expanding the logging part of my ASP.NET Web API application but I'm having trouble identifying what encryption scheme is being used. As this logging is done through a DelegatingHandler I only have access to the HttpRequestMessage and HttpResponseMessage given to me through the middleware chain.
How do I Identify the https encryption type (SSL 3.0, TLS 1.0, TLS 1.3 etc..) used in a ASP.NET Web API DelegatingHandler?
I'm not sure if you're asking about whether the request is https or just http. If that's what you're looking for you just need httpRequestMessage.RequestUri.Scheme.
However it sounds like you're looking for more information about the certificate itself. Information about the SSL certificate isn't really a property of the individual request and can't be accessed from HttpRequestMessage or HttpResponseMessage as far as I'm aware. It's more a property of the application and machine configuration.
If you wanted to get information about the SSL certificate you could do something like this:
var store = new X509Store(StoreLocation.LocalMachine);
var certificateCollection = store.Certificates.Find(X509FindType.FindByThumbprint, "thumbprint", true);
var certificate = certificateCollection[0];
var version = certificate.Version;
var signatureAlgorithm = certificate.SignatureAlgorithm;
Obviously that's just one way to do it and there's more error handling you would want to do. The general idea is you probably have access to the certificate thumbprint used by the application through the app.config. If you use that you can look up the certificate information from X509Store as I did above. Then you'll have access to all kinds of properties.
Hope that helps!
I have a Spring Boot application, that is using Spring Security with OAuth 2.0. Currently, it is operating against an Authentication Server based on Spring Example code. However, running our own Auth Server has always been a short-term target to facilitate development, not a long-term goal. We have been using the authorization_code grant type and would like to continue using that, irrespective of the Auth Server implementation.
I am attempting to make changes to use OAuth 2.0 Endpoints in Azure Active Directory, to behave as our Authentication Server. So far, I have a successful call to the /authorize endpoint. But the call to get the /token fails with an invalid request error. I can see the requests going out.
It appears that parameters that Azure states as mandatory are not being populated in the POST request. Looking at the Azure doco, it expects the client_id to be defined in the body of the message posted to the endpoint, and that is not added, by default, by Spring.
Can anyone point me in the right direction for how I can add fields to the Form Map that is used when constructing the Access Token request? I can see where the AccessTokenRequest object is being setup in OAuth2ClientConfiguration....
#Bean
#Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)
protected AccessTokenRequest accessTokenRequest(#Value("#{request.parameterMap}")
Map<String, String[]> parameters, #Value("#{request.getAttribute('currentUri')}")
String currentUri) {
DefaultAccessTokenRequest request = new DefaultAccessTokenRequest(parameters);
request.setCurrentUri(currentUri);
return request;
}
Should I be trying to define the map in a request.parameterMap spring property? If so, I'm not too sure how that works.
Or should I be using one of the interfaces defined in the AuthorizationServerConfigurerAdapter class?
I have the information to include when sending the AccessTokenRequest, I just don't know the best way to configure Spring to include it? Thanks for any help.
Actually, I found this out. I needed to change the client authentication scheme. Simply adding the following to my application properties added the client_id to the form....
security.oauth2.client.clientAuthenticationScheme=form
If you're using yaml, then yaml-ize it. Thank you Spring!
I have a strange issue that of course only occurs on our production box. It works on our test server and on my box.
I have an ASP.NET MVC 3 controller that is serving exposing a RESTful API. I have enabled anonymous users to call these service with the code shown below. Calling these methods via GET works just fine (using WebRequest). However, when trying to POST data (using HttpClient) it fails with a 401 error.
This web service is hosted within another IIS site which uses Windows Auth. But I configured this directory to allow Anonymous and disabled windows auth. It lives in /Areas/Services under the main site.
I have configured IIS to allow Anonymous authentication and even enabled it in the web.config. However, when I try to POST data to this controller, I get back "401 - Unauthorized: Access is denied due to invalid credentials". I don't want any credentials! Again, GET on this same controller works fine anonymously.
This seems to be a configuration issue (since it works in QA) but I do not know any other things to configure. I have been configuring IIS websites for anonymous/windows/forms auth for 10 years but have never run into anything like this before.
Here is the code that allows MVC 3 to serve these methods up to anyone:
[AuthorizeAnonymous]
public class LtWebsiteController : Controller
{
...
}
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
public class AuthorizeAnonymousAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (!(filterContext.Controller is LtWebsiteController))
base.OnAuthorization(filterContext);
}
}
This is driving me nuts! Please help.
You are likely missing HTTP headers for NTLM authentication. I would configure HttpClient to send the right credentials as part of the request.
HttpClientHandler handler = new HttpClientHandler()
{
UseDefaultCredentials = true
};
HttpClient client = new HttpClient(handler);
It's confusing since you are enabling anonymous authentication. But, with Windows Authentication the request needs to have proper headers. A 401 tells me the server flat out rejects the HTTP request.
http://www.asp.net/web-api/overview/security/integrated-windows-authentication
SessionTrackingMode allows you to specify that the Servlet Session is tied to an SSL Session. Tomcat supports this Tomcat SSL HOW-TO. Is there any mechanism to achieve this in Jetty?
For example if I do the following in my Servlet init;
#WebServlet(urlPatterns ={ "/session_test" })
public class SessionTestServlet extends HttpServlet {
private static final SessionTrackingMode[] modeArray = { SessionTrackingMode.SSL };
private static final Set<SessionTrackingMode> SESSION_TRACKING_MODES = new HashSet<>(Arrays.asList(modeArray));
#Override
public void init(ServletConfig config) throws ServletException {
super.init(config);
config.getServletContext().setSessionTrackingModes(SESSION_TRACKING_MODES);
}
then no session is created.
There appears to be no support for SessionTrackingMode.SSL in Jetty.
Just opened bug about it (as you are officially the very first person to ever ask about this functionality of the servlet spec)
https://github.com/eclipse/jetty.project/issues/161
Would be curious to know how this will work in the future, with HTTP/2 you don't have new SSL connections with each subsequent request, they'll just be tunneled within the same ALPN layer.
Update: 2014-Oct-2
To address Session ID Hijacking, there is a feature implemented in Jetty 9 that will change the session id after authentication. Bug-392247
This does a nice job in preventing hijacking of authenticated sessions by malicious 3rd parties. (Just start using SSL from your login forward)
Now, some background, in versions of Jetty prior to Jetty 9 (aka Servlet 3.1), we would create a new session object and copy over the old session data. This meant that we would also trigger the registered session listeners of this change.
This is no longer true with Jetty 9, as the new Servlet 3.1 introduced a new method HttpServletRequest.changeSessionId(), which a user can also call to force change the sessionId, and also HttpServletRequest.login(), which a user can call to programmatically log in. This is also accompanied with a requirement that if a session existed before those two calls (session object before == session object after), then there is no listener to be fired. This means we just change the sessionId and not the object.
What does this mean for Session ID Hijacking, nothing really, but its useful to know that these methods exist and what using them represents. :)