Why is LTPA Cookie missing in my WAS Liberty environment? - cookies

I have configured OIDC authentication (external OP) with WAS Liberty Profile version WebSphere Application Server 21.0.0.7/wlp-1.0.54.cl210720210629-1900.
While testing, the OIDC authentication is successful and I see the following cookies set by WAS on my browser:
JSESSIONID
WASReqURLOidcp1059877004
WASReqURLOidcp825245628
WAS_n1263819336
WAS_n1832376351
WAS_p2129763847
WASOidcStaten765589445
WASOidcCode
I do see these messages in my messages.log during server startup:
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager I CWWKS4103I: Creating the LTPA keys. This may take a few seconds.
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager A CWWKS4104A: LTPA keys created in 0.337 seconds. LTPA key file: jv-ltpa.keys
0000003b com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask I CWWKS4105I: LTPA configuration is ready after 0.341 seconds.
Also, in my server.xml I have NOT explicitly disabled LTPA token or cookie generation.
disableLtpaCookie="false"
Why isn't there an LTPA cookie being set in my browser?
Here is my server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default Server">
<!-- Enable features -->
<featureManager>
<feature>javaee-8.0</feature>
<feature>microProfile-3.0</feature>
<feature>adminCenter-1.0</feature>
<feature>appSecurity-2.0</feature>
<feature>openidConnectClient-1.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<openidConnectClient id="oidcBridge" clientId="removed"
clientSecret="removed"
discoveryEndpointUrl="https://my-op.com/.well-known/openid-configuration" signatureAlgorithm="RS256"
jwkEndpointUrl="https://my-op.com/.well-known/jwks.json" disableLtpaCookie="false"
allowDefaultSsoCookieName="true">
</openidConnectClient>
<basicRegistry id="basic">
<user name="admin" password="admin" />
<user name="user1" password="user1" />
<user name="user2" password="user2" />
<group name="users">
<member name="user1" />
<member name="user2" />
</group>
</basicRegistry>
<administrator-role>
<user>admin</user>
</administrator-role>
<!-- To allow access to this server from a remote client host="*" has been added to the following element -->
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true" />
<keyStore id="defaultKeyStore" password="removed" location="${server.config.dir}/jv-trust.p12" type="PKCS12" />
<ltpa keysFileName="jv-ltpa.keys" keysPassword="removed" expiration="1200" />
<webAppSecurity singleSignonEnabled="true" ssoDomainNames="app1.com" allowFailOverToBasicAuth="true"
ssoRequiresSSL="false" />
<application context-root="snoop" id="DefaultApplication"
location="${server.config.dir}/apps/DefaultApplication.ear" name="DefaultApplication" type="ear">
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
</server>

Related

There was and error downloading 'https://$metadata'. The request failed with http status 403: Forbidden - XAMARIN WEB REFERENCE WITH HTTPS

I managed to create a web service with self signed SSL through IIS. It's settings at first are set to Client Certificate to none and none required SSL. It is accessible by that time threw web browser and mobile web reference.
Web Browser
Xamarin Web Reference
But when I set the SSL settings to required, it is now forbidden in both. What am I missing in settings for SSL Configuration?
SSL Settings Thru IIS
Web Browser Forbidden Access
Xamarin Web Reference Forbidden Access
WebConfig
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<connectionStrings>
<add name="constring" providerName="System.Data.SqlClient" connectionString="Data Source = source;Initial Catalog = dbname; User ID = user; Password = pw" />
</connectionStrings>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation targetFramework="4.5" />
</system.web>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding maxReceivedMessageSize="10485760" name="SecureHttpBinding">
<readerQuotas maxStringContentLength="10485760"></readerQuotas>
<security mode="Transport">
<transport clientCredentialType="None"></transport>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
</configuration>
To access web service via HTTPS in web browser, I followed this link for creating temporary client certificate but I changed the step #5 to this command
makecert -sk MyKeyName -iv RootCaClientTest.pvk -n "CN=tempClientcert" -ic RootCaClientTest.cer -sr localmachine -ss my -sky exchange -pe
I changed the currentuser to localmachine and signature to exchange so that it will be in personal certificate store. When you access the site again, it will ask for client certificate and you can choose it to proceed.
For the main problem to access the service in visual studio xamarin via web reference (which is forbidden somehow).
I found this link to solve the forbidden problem. You can see the second post of (c)MarkoOkram for the solution.
"I am solved problem by saving web browser .wsdl and .xsd files on file system, change reference in those files to matching files. Than i succesfully add reference in visual studio to that file system .wsdl file." -(c) MarkoOkram
I downloaded the file WSDL and XSDs written in WSDL then retarget the filepath to their respective directories and it's done.
update: I also tried to import singleWSDL and it works without editing for xsd's

WSO2 AS - Secure Vault in webapp and jndi

I want to store a password for an api endpoint that will be used for any webapps.
In the file catalina-server.xml I put the following configuration
...
<GlobalNamingResources>
<Environment name="paci/connectionUrl" type="java.lang.String" value="http://10.0.0.1:1234/paci/v1.0"/>
<Environment name="paci/adminUser" type="java.lang.String" value="admin"/>
<Environment name="paci/adminPass" svns:secretAlias="Paci.AdminUser.Password" type="java.lang.String" value="password"/>
</GlobalNamingResources>
I configured secure vault using this doc for using the Cipher Tool.
cipher-tool.properties
Paci.AdminUser.Password=repository/conf/tomcat/catalina-server.xml//Server/GlobalNamingResources/Environment[#name='paci/adminPass'][#value],true
cipher-text.properties
Paci.AdminUser.Password=EnCrYpTeDvAlUe123
In the web-app I had to add link to the global resource in the META-INF/context.xml to make JNDI to resolve.
...
<Context>
<ResourceLink global="paci/connectionUrl" name="paci/connectionUrl" type="java.lang.String" />
<ResourceLink global="paci/adminUser" name="paci/adminUser" type="java.lang.String" />
<ResourceLink global="paci/adminPass" name="paci/adminPass" type="java.lang.String" />
</Context>
Here is my code:
Context initCtx = new InitialContext();
String paciPass = (String) initialContext.lookup("java:comp/env/paci/adminPass");
The value of paciPass is "password" and not the encrypted password. I don't know why the vault is not returning the encrypted pass.
What I have to do to the secure vault in wso2 resolve the alias in the JNDI?

Classic ASP - web.config deny rule not detecting cookie

I have taken on an Internet facing Classic ASP application (hosted on Windows-Server-2012 / IIS8) that is using Anonymous Access and I want to move to Forms Authentication. Although it is not straight forward, as it currently stands (with the Anon.Access set) the unauthenticated user (i.e. a user that has not yet logged on) can view a .pdf, .doc, etc file if they enter the exact URL path to the file (i.e. security thru obscurity).
The Problem
I am expecting when I am not logged on, I should not be able to see the .pdf's when entering the absolute URL (this is OK)
however I am also expecting when I do logon I should be able to see the .pdf's when entering the absolute URL (this does not happen - what does happen is when I enter the absolute URL of a pdf, I am re-directed back to the home page - I am still logged on but the cookie must not be detected within the authorization - i.e. the "deny" rule above responds with a rejection and sends me back to the home page - note the cookie exists and has not expired)
My Setup and What I have Tried
The Cookie is set via the following code
Response.Cookies("MyAuthCookie") = myGuid
Response.Cookies("MyAuthCookie").Expires = DateAdd("h", 6, Now())
Response.Cookies("MyAuthCookie").Path = "/"
I have tried to tie down access to the .pdf, .doc files via web.config authorization allow/deny rules as follows
<location path="myProtectedFolder">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<machineKey decryptionKey="XXXXXXXX99999999XXXXXXXX" validationKey="XXXXXXXX99999999XXXXXXXX" />
<authentication mode="Forms">
<forms name="MyAuthCookie" loginUrl="/index.asp" path="/" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
Modules have been configured as follows
<modules>
<remove name="FormsAuthentication" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
...and handlers as follows (to be processed by ISAPI)
<handlers>
<add name="pdfs64" path="*.pdf" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" resourceType="File" requireAccess="Read" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
<add name="pdfs" path="*.pdf" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="File" requireAccess="Read" preCondition="classicMode,runtimeVersionv4.0,bitness32" />
</handlers>
Other areas of note
I have the website set to Anon.Access and Forms Auth (I tried Forms Auth on its own).
I have given the website folder/sub-folders read/execute to both the AppPool identity user and "Authenticated Users"
I have marked the AppPool as .Net 2 (also tried .Net 4) with Integrated Pipeline (also tried Classic)
Any help would be greatly appreciated
I finished up creating a true FormsAuthentication cookie from the cookie within a HttpModule (config for the module is the modules section). This then accommodated the allow/deny rules.

Messages not being received by ADM client

I'm trying to send SNS messages to a Firephone and while I seem to be sending the messages (to somewhere), nothing appears to be getting through to my firephone.
I was able to use the code in the documentation to create the KindleMobilePushApp, was able to generate a RegistrationID, I created the security profile for the test app, etc. I'm assuming that I must have done something right if I'm getting a registration ID.
Then I tried to send a message to the phone, using the Kindle demo app to receive the message but nothing seems to come through, the "onMessage" method of ADMHandler is never called.
I tried to send message both via the AWS SNS console, and through the java app provided in the documentation (sns.samples.mobilepush), the Java app seems to be publishing something, but once again, its not coming through to my firephone, or at least not being received by my Receiver class.
I've never used SNS before, so I'm ot sure where the problem is coming form, whether I'm not sending to the right endpoint, or the somehow my app isn't getting the messages its supposed to be getting. CloudWatch is reporting same number for "messages published" and "messages failed" but really no clue what's happening to the message.
Any thoughts where I should be looking? Below my manifest, and publish results from the java sender program.
<!-- Copyright 2013 Amazon.com, Inc. or its affiliates. All Rights Reserved. -->
<!-- Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at -->
<!-- http://aws.amazon.com/apache2.0/ -->
<!-- or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:amazon="http://schemas.amazon.com/apk/res/android"
package="com.grapevine.snstest"
android:versionName="1.0" >
<uses-sdk
android:minSdkVersion="11"
android:targetSdkVersion="17" />
<!-- This permission ensures that no other application can intercept your ADM messages. It
should have the form packagename.permission.RECIEVE_ADM_MESSAGE where packagename is the
name defined in the "package" property of the manifest tag. -->
<permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE"
android:protectionLevel="signature"/>
<!-- Required permissions -->
<uses-permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE"/>
<uses-permission android:name="com.amazon.device.messaging.permission.RECEIVE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<application
android:icon="#drawable/ic_launcher"
android:label="#string/app_name"
android:theme="#style/AppTheme" >
<uses-permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE"/>
<activity
android:name="com.grapevine.snstest.KindleMobilePushApp"
android:screenOrientation="portrait"
android:label="#string/title_activity_main"
android:launchMode="singleTop" >
<uses-permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE"/>
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<!-- Your application's API Key -->
<!--<meta-data android:name="AmazonAPIKey" android:value="#string/api_key"/>-->
<!-- Declare your ADMMessageHandlerBase implementation as a service -->
<service android:name="com.grapevine.snstest.ADMMessageHandler"
android:exported="false" />
<!-- You must explicitly enable ADM. You must also declare whether your application will run with or without ADM.
If you specify android:required="false", your app must degrade gracefully when ADM is unavailable. -->
<amazon:enable-feature android:name="com.amazon.device.messaging"
android:required="true" />
<receiver android:name="com.grapevine.snstest.ADMMessageHandler$MessageAlertReceiver"
android:permission="com.amazon.device.messaging.permission.SEND">
<uses-permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE" />
<intent-filter>
<action android:name="com.amazon.device.messaging.intent.REGISTRATION" />
<action android:name="com.amazon.device.messaging.intent.RECEIVE" />
<category android:name="com.grapevine.snstest"/>
</intent-filter>
</receiver>
</application>
</manifest>
Here's the output when I use the MobilePushApp sample program:
===========================================
Getting Started with Amazon SNS
===========================================
{PlatformApplicationArn: arn:aws:sns:us-west-2:308914227153:app/ADM/SNSTest}
{EndpointArn: arn:aws:sns:us-west-2:3089xxx53:endpoint/ADM/SNSTest/66xxxf-1f06-3xx1-b887-fxxxxbe19}
{Message Body: {"ADM":"{\"data\":{\"message\":\"Hello World! \"},\"expiresAfter\":1000,\"consolidationKey\":\"Welcome\"}"}}
{Message Attributes:}
Published!
{MessageId=90f09248-e65b-5713-a6da-debb8e5afcef}
Process finished with exit code 0
Whoops, this didn't work because SNS messaging wasn't enabled on the App in the developer portal.

Server Side Logging with Spring-WS

I have implemented a web services using JaxWS-Spring. I would like to log the XML being received. I have tried various attempts, among which to add the proper categories to my log4j.properties file and using interceptors. However I have always failed for one reason or another (logging seems to be ignored - adding interceptors to my application context gives other issues).
The following snippets from my project :
PS: I am using Spring 2.5.6
web.xml
<servlet>
<servlet-name>jaxws-servlet</servlet-name>
<servlet-class>com.sun.xml.ws.transport.http.servlet.WSSpringServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Mapping to redirect all requests from 'FaxWebService' to jaxws-servlet. -->
<servlet-mapping>
<servlet-name>jaxws-servlet</servlet-name>
<url-pattern>/FaxWebService</url-pattern>
</servlet-mapping>
applicationContext.xml
<!-- Bind the URL FaxWebService to our bean FaxWebService. -->
<wss:binding url="/FaxWebService">
<wss:service>
<ws:service bean="#faxWebService"/>
</wss:service>
</wss:binding>
<!-- Bean responsible of taking care of the webservice. -->
<bean id="faxWebService" class="com.connexo.icubeplus3.dispatcher.webservices.FaxWebService"
scope="singleton">
<property name="dummyMode" value="${fax.dummy.mode}"/>
</bean>
I doubt this has anything to do with Spring WS to be honest.
If you want to log the incoming messages in Spring WS, you want to raise the logging level for org.springframework.ws.client.MessageTracing.sent and org.springframework.ws.client.MessageTracing.received to TRACE. For example, in log4j config:
<logger name="org.springframework.ws.client.MessageTracing.sent">
<level value="TRACE" />
<appender-ref ref="stdout" />
</logger>
<logger name="org.springframework.ws.client.MessageTracing.received">
<level value="TRACE" />
<appender-ref ref="stdout" />
</logger>
You will have to write a handler to log it. There are various examples in the web, like http://docs.oracle.com/cd/E13222_01/wls/docs103/webserv_adv_rpc/handlers.html