I am trying to configure a custom user provider in synfony 2 to create a login mechanism using the DB as a storage system. Just as the tutorial says I have added this definition to my security.xml
<provider name="in_db">
<entity class="Nourdine\BusinessBundle\Entity\AuthenticatedUser" property="username" />
</provider>
unfortunately this break everything and I get a nasty:
InvalidConfigurationException: Unrecognized options "entity" under
"security.providers.in_db"
What am I doing wrong?
thanks
Which tutorial are you following?
The official cookbook is recommended: http://symfony.com/doc/current/cookbook/security/custom_provider.html
In your security config, you are giving the User class as a provider. Big difference.
Your UserProvider needs to be a service. You then provide it's service id under providers.
Unless you are trying to use the AuthenticatedUser's repository?
Related
I created a presto custom password authenticator plugin (internal) by making a copy of the LDAP plugin and modifying it. You can see that code here: https://github.com/prestodb/presto/tree/master/presto-password-authenticators/src/main/java/com/facebook/presto/password.
I created copies of the Authenticator, AuthenticatorFactory, and the config, and modified them to basically just take a user/password from the config and to only allow that user in. I also put the new class in the PasswordAuthenticatorPlugin registration code.
I can see the plugin loading when presto is started, but it doesn't appear to do anything despite no errors being present. What am I missing?
Note: I had already found a solution to this, I'm just recording it on SO as I originally came here and found no help.
To make a custom password plugin work, you actually need HTTPS enabled for communication with the coordinator. You can actually see this recommendation at the bottom of their documentation:
https://prestodb.github.io/docs/current/develop/password-authenticator.html
Additionally, the coordinator must be configured to use password authentication and have HTTPS enabled.
So, the steps to make it work are:
Make sure your main config.properties has "http-server.authentication.type=PASSWORD".
Make sure you add a password-authenticator.properties next to config properties with content like the sample in the link above. But make sure you use your string from your authenticator as the name, and that you add your configuration properties instead (user name and password).
Set up a JKS store or a real certificate (some instructions here from Presto for JKS: https://prestodb.github.io/docs/current/security/tls.html).
Add SSL config to your config.properties.
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/presto-keystore/keystore.jks
http-server.https.keystore.key=password123
Set up your JDBC driver to use the same key store.
I wrote up a blog on it with a bit more detail as well if any of that doesn't make sense. But after doing all this, you should find that it does require a password and it does enforce your plugin.
https://coding-stream-of-consciousness.com/2019/06/18/presto-custom-password-authentication-plugin-internal/
I deployed JDG on OpenShift Online with the following
- Image stream "jboss-datagrid71-openshift-rhel7.json" v1.2
- username 'admin' with role 'admin' and '___schema_manager'
- And given the permissions of READ, WRITE, EXEC, ADMIN, ALL for both the roles. Tried with just 'ALL' also.
- Refer images, Config-env-vars.png and Cache-env-vars.png within the Info.zip for the environment configurations done. (Available # https://drive.google.com/file/d/12EWF1AUB4d60mP_gmTkN4Qlh2pzzv6xi/view?usp=sharing)
While deploying client-side Java application (basically Hotrod with security enabled and with Protobuf based query feature), we are getting the following exception. Attached the logs from the DataGrid server and client application pods
Caused by: org.infinispan.client.hotrod.exceptions.HotRodClientException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject with principal(s): [SimpleUserPrincipal [name=admin], InetAddressPrincipal [address=10.131.14.124/10.131.14.124], admin#ApplicationRealm, admin#ApplicationRealm, ___schema_manager#ApplicationRealm, admin, ___schema_manager]' lacks 'WRITE' permission
FYI,
I use the following version of Infinispan from redhat repository
<version.org.infinispan>8.4.2.Final-redhat-1</version.org.infinispan>
In Java, while creating a Configuration Builder, I did in this way. Full code is available # https://github.com/techtantric/JDG-Remote-Hotrod-Secured
ConfigurationBuilder builder = new ConfigurationBuilder();
builder.addServer()
.host(host)
.port(hotrodPort).security().authentication().serverName("jdg-server").saslMechanism("DIGEST-MD5").callbackHandler(new LoginHandler("admin", "password".toCharArray(), "ApplicationRealm")).enable()
.marshaller(new ProtoStreamMarshaller()); // The Protobuf based marshaller is required for query capabilities
cacheManager = new RemoteCacheManager(builder.build());
Please help us resolving this issue. Thanks in advance.
You should not be touching the ___schema_manager role.
I have created a custom federated authenticator in WSO2-APIM/IS and have enable Just-In-Time Provisioning.
Since in API Manager when an application is created a corresponding service provider will be created as well. I want to have all service provider be using my custom authenticator as default which, I think, can be done by editing the file repository\conf\identity\identity-providers\default.xml
However I can not find the information in the documentation on the format of this file which I need to configure my custom federated authenticator and enable JIT Provisioning. Can anyone please guide me to the configuration detail of this file.
Below is the default repository\conf\identity\identity-providers\default.xml
<IdentityProvider>
<IdentityProviderName>default</IdentityProviderName>
<DisplayName>default</DisplayName>
<IdentityProviderDescription></IdentityProviderDescription>
<Alias></Alias>
<IsPrimary></IsPrimary>
<IsFederationHub></IsFederationHub>
<HomeRealmId></HomeRealmId>
<ProvisioningRole></ProvisioningRole>
<FederatedAuthenticatorConfigs></FederatedAuthenticatorConfigs>
<DefaultAuthenticatorConfig>
</DefaultAuthenticatorConfig>
<ProvisioningConnectorConfigs>
<!--<ProvisioningConnectorConfig>
<ProvisioningProperties>
</ProvisioningProperties>
</ProvisioningConnectorConfig>-->
</ProvisioningConnectorConfigs>
<!--<DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>-->
<ClaimConfig></ClaimConfig>
<Certificate></Certificate>
<PermissionAndRoleConfig></PermissionAndRoleConfig>
<JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>
Thank you very much in advanced.
As per the code here, It should be in the following format.
<JustInTimeProvisioningConfig>
<UserStoreClaimUri></UserStoreClaimUri>
<ProvisioningUserStore>PRIMARY</ProvisioningUserStore>
<IsProvisioningEnabled>true</ProvisioningEnabled>
</JustInTimeProvisioningConfig>
Change the ProvisioningUserStore to reflect yours.
I created a key/value map using the platform API defined in this doc. I used the API-scoped url to create a key/value map named countrymap.
https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/keyvaluemaps
and plugged in the sample weather api I made while following the tutorials.
However I could not seem to refer to this map when I added a KeyValueMapOperations policy inside the API proxy. I tried adding a mapIdentifier="countrymap" to the definition (based on the samples) but it still does not see it.
<KeyValueMapOperations async="false" continueOnError="false" enabled="true" mapIdentifier="countrymap" name="keyvaluemapoperations-2">
<DisplayName>KeyValueMapOperations-2</DisplayName>
<FaultRules/>
<Properties/>
<ExclusiveCache>false</ExclusiveCache>
<ExpiryTimeInSecs>-1</ExpiryTimeInSecs>
<Get assignTo="my.country" index="1">
<Key>
<Parameter ref="apigee.countryCode"></Parameter>
</Key>
</Get>
<Scope>organization</Scope>
</KeyValueMapOperations>
The policy works if I add an <InitialEntries> definition to the code above.
According to the Key/Value Maps docs:
Key/ValueMaps provide an API for storing arbitrary name/value pairs
that can be access at runtime by custom policies, or for other custom
runtime requirements such as protocol support.
Do custom policies include the KeyValueMapOperations policy? What am I missing here?
As you mentioned, you put the KeyValueMap in the scope of the api. To access that KVM, you'll need to use:
<Scope>apiproxy</Scope>
See the details for configuring the policy here.
Step 1: Verify if teh keyvalumap is correctly created:
/v1/o/{org_name}/apis/{api_name}/keyvaluemaps" --> this should list the countrymap KVM
Step 2: Populate the KVM before trying to do a GET call on it.You can populate it either by using API Calls (apigee.com/docs/api/api_methods/62-update-keyvaluemap) , or by Using PUT operation of KeyValueMapOperations as shown here (apigee.com/docs/api-services/content/persist-data-using-keyvaluemap)
Step 3: Check the entries of KVM
/v1/o/{org_name}/apis/{api_name}/keyvaluemaps/countrymap
Step 4: You can use the same KeyValueMapOperations Polices as given in example to do a get on the KVM
I was also facing this issue and after making below change in KeyValueMapOperations, it started working for me.
<Scope>apiproxy</Scope>
<Parameter>apigee.countryCode</Parameter>
I have an ACS namespace with a WS-Federation identity provider set up. Since I'm using Visual Studio 2012, I used the Identity and Access Tool to create the relying party. The tool uses the realm and return url values that I give it when it creates the relying party (I use the Azure cloud service url where I'm deploying my project - i.e. http://myapp.cloudapp.net). There is only one rule in the rule group for my relying party after I run the tool - Pass through all claims for [Relying Party]. I tested the ACS for my app with just that one rule, and also after generating all the rules for the WS-Federation identity provider.
Regardless of the rules in the rule group, I get the error in the title of my question. My browser is redirected to ACS, however for some reason it can't find the correct relying party. I have created an ACS namespace, identity provider, and relying party in two different Azure accounts, with exactly the same result.
I've also tried publishing my project to the Azure cloud service with both http and https endpoints, and both endpoints yield the same result.
The WS-Federation identity provider's federation metadata is coming from Windows Azure Active Directory.
UPDATE
FederationConfiguration section from web.config:
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://[MyNamespace].accesscontrol.windows.net/v2/wsfederation" realm="http://[MyApp].cloudapp.net/" requireHttps="false" />
</federationConfiguration>
UPDATE 2:
Still no solution. It looks like the issue stems from the fact that I set up my own ACS identity provider, and downloaded the federation metadata from Windows Azure Active Directory (WAAD) for that identity provider. That essentially chains 2 ACS instances together. When my app redirects to my ACS, it passes my app's url as the realm. Then, my ACS redirects to the identity provider, WAAD, and passes its own url as the realm. That's why the error I get back has the strange characteristic of a relying party identifier = the url of my own ACS admin portal. I'm not sure why it's not passing the realm all the way through from my app to WAAD.
Well, the answer to this was much more obscure than I had expected - I had to run the following powershell script against my CRM Online WAAD:
Connect-MsolService
Import-Module MSOnlineExtended -Force
$replyUrl = New-MsolServicePrincipalAddresses –Address "https://lefederateur.accesscontrol.windows.net/"
New-MsolServicePrincipal –ServicePrincipalNames #(“https://lefederateur.accesscontrol.windows.net/”) -DisplayName “LeFederateur ACS Namespace” -Addresses $replyUrl
This told WAAD to recognize my ACS namespace, so it wouldn't throw the error saying the ACS namespace was not a valid relying party identifier. Read the whole process here:
http://www.cloudidentity.com/blog/2012/11/07/provisioning-a-directory-tenant-as-an-identity-provider-in-an-acs-namespace/
Thanks to Azure support, I'm now past the error.
Go into the Azure ACS Management Portal. Open Relying Party Applications, and select the relying party you have configured for this app. Make sure that the field "Realm" matches exactly what you have for Realm in the web.config under <federationConfiguration><wsFederation realm=""/>.
All you require is to setup access to ACS in Active directory
After installing powershell Azure Commandlets, run the below commands as mentioned by Andrew
Connect-MsolService
Import-Module MSOnlineExtended -Force
$replyUrl = New-MsolServicePrincipalAddresses –Address "https://xxx.accesscontrol.windows.net/"
New-MsolServicePrincipal –ServicePrincipalNames #("https://xxx.accesscontrol.windows.net/") -DisplayName "xxx ACS Namespace" -Addresses $replyUrl
In case anyone else stumbles on this, double check your realm code here:
wsFederation passiveRedirectEnabled="true" issuer="must match endpoint" realm="must match audience URI " requireHttps="true"
AND
<add key="ida:Realm" value="must match audience uri" />
<add key="ida:AudienceUri" value="must match audience uri" />
my issue was a / at the end of my URI that I added instinctively - i.e. https://somuri.com/ - whereas the portal setting was https://someuri.com
Removal of the / worked.