I'm using WSO2 5.10.0 and I configured it in order to use a JDBC User Store. The RDBMS is PostgreSQL.
I noticed that WSO2 IS is using a case-insensitive username strategy to let the access to the resources. Basically I can user my username all in uppercase or lowercase and I'll always be able in get the access. I need strongly to avoid this. I tried what there is written here https://is.docs.wso2.com/en/latest/setup/configuring-the-authorization-manager/#configuring-the-authorization-manager_1 but I can always get the access by using case-insensitive usernames
Is there any configuration I'm missing? Or is this the only way to get the access?
Angelo
EDIT
As suggested i changed my user store as I show:
#COME PRIMARY STORE USO IL DB POSTGRESQL
[user_store]
type = "database_unique_id"
url = "jdbc:postgresql://XXXX:YYYY/wso2is_primary_user_store"
username = "user"
password = "pwd"
driver = "org.postgresql.Driver"
properties.CaseInsensitiveUsername = false
I tried to access with an user both by using username in lower case and in upper case.
EDIT 2
I changed the deoplyment.toml in this way:
#COME PRIMARY STORE USO IL DB POSTGRESQL
[user_store]
type = "database_unique_id"
properties.CaseInsensitiveUsername=false
[database.user]
url = "jdbc:postgresql://xxx:yyy/wso2is_primary_user_store"
username = "username"
password = "password"
driver = "org.postgresql.Driver"
[realm_manager]
data_source = "WSO2USER_DB"
In this way for new users usernames are case sensitive. For old users usernames seem to remain case insensitive. I need to deeply investigate.
By default in WSO2 Identity Sever the Case Insensitive Username configuration is in active state. You can deactivate that configuration by adding the following configuration to the deployement.toml file located in IS-HOME/repository/conf/deployement.toml location.
[user_store]
properties.CaseInsensitiveUsername = false
Also if you need to change the configurations for a JDBC User Store please refer https://is.docs.wso2.com/en/latest/setup/configuring-a-jdbc-user-store/
Related
Is it possible to change UserName regex validation in WSO2IS. Because when I'm syncing users from my database to WSO2IS, some users failed due to username validation. Some user's username property not match with the validation. Below is my error response. So is it possible to change this validation.
{"schemas":["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],"Operations":[{"bulkId":"qwerty1","method":"POST","response":"{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"scimType":"invalidValue","detail":"31301 - Username sysadmin#gmail.com is not valid. User name must be a non null string with following format, [a-zA-Z0-9._\\-|//]{3,30}$","status":"400"}","status":{"code":400}}]}
You can change the username regex by adding the following config to the deployment.toml and restart the server. (Note: If [user_store] is already defined in the deployment.toml add these configs under the same tag). Add the regex values within the inverted commas as you required.
[user_store]
username_java_regex=""
username_java_script_regex=""
Refer:
https://is.docs.wso2.com/en/latest/setup/working-with-properties-of-user-stores/#working-with-properties-of-user-stores
Yes, you can change the username regex validation in WSO2IS. Since you are trying to validate the email address pattern as the username you can try using the following configuration in the [IS-Home]/repository/conf/deployment.toml file under [user_store] section.
[user_store]
username_java_regex="^[a-zA-Z0–9._-]+#[a-zA-Z0–9.-]+\\.[a-zA-Z]{2,4}$"
username_java_script_regex="^[a-zA-Z0–9._-]+#[a-zA-Z0–9.-]+\\.[a-zA-Z]{2,4}$"
If you want to validate a different regex pattern, you can add that regex pattern in the above configuration.
I am configuring WSO2 fully distributed platform and I have configured two WSO2 ISKM servers using the below database configurations.
[user_store]
type = "database_unique_id"
[database.apim_db]
type = "mysql"
url = "jdbc:mysql://localhost:3306/apim_db"
username = "apimadmin"
password = "apimadmin"
[database.shared_db]
type = "mysql"
url = "jdbc:mysql://localhost:3306/shared_db"
username = "regadmin"
password = "regadmin"
But this configuration returns the following error in the second server.
Caused by: org.wso2.carbon.user.core.UserStoreException: Using sql : INSERT INTO UM_SYSTEM_USER_ROLE (UM_USER_NAME, UM_ROLE_ID, UM_TENANT_ID) VALUES (?,(SELECT UM_ID FROM UM_SYSTEM_ROLE WHERE UM_ROLE_NAME=? AND UM_TENANT_ID=?), ?) Duplicate entry 'wso2.anonymous.user-1--1234' for key 'UM_USER_NAME'
Then I changed the DB configuration as below,
[user_store]
type = "database"
Here both servers started, but cannot log into the management console with admin, admin credentials. It shows as incorrect username password. How to fix this issue?
This worked with the DB configuration
[user_store]
type = "database_unique_id"
after clearing the data in UM_SYSTEM_USER_ROLE table and restart the servers.
Using flask-ldap3-login to query AD for my web app logins. Works for everyone; but, for users who have "()" in their First name in AD. Here's the Debug log.
UN-SUCCESSFULL LOGIN
DEBUG:root:Validating LDAPLoginForm against LDAP
DEBUG:flask_ldap3_login:Opening connection with bind user 'mybinduser#mydomain.com'
DEBUG:flask_ldap3_login:Successfully bound to LDAP as 'mybinduser#mydomain.com' for search_bind method
DEBUG:flask_ldap3_login:Performing an LDAP Search using filter '(&(objectclass=person)(sAMAccountName=ebadu))', base 'DC=mydomain,DC=com', and scope 'SUBTREE'
DEBUG:flask_ldap3_login:Opening connection with bind user 'CN=Badu\, Ericka (EB),OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Directly binding a connection to a server with user:'CN=Badu\, ericka (EB),OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Authentication was successful for user 'ebadu'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(uniqueMember=CN=Badu\, Ericka (EB),OU=HELPDESK,DC=mydomain,DC=com))' , base 'DC=mydomain,DC=com' and scope 'LEVEL'
ERROR:flask_ldap3_login:malformed filter
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8629604c50>
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8628eabf98>
SUCCESFULL LOGIN
DEBUG:root:Validating LDAPLoginForm against LDAP
DEBUG:flask_ldap3_login:Opening connection with bind user 'mybinduser#mydomain.com'
DEBUG:flask_ldap3_login:Successfully bound to LDAP as 'mybinduser#mydomain.com' for search_bind method
DEBUG:flask_ldap3_login:Performing an LDAP Search using filter '(&(objectclass=person)(sAMAccountName=mpeters))', base 'DC=mydomain,DC=com', and scope 'SUBTREE'
DEBUG:flask_ldap3_login:Opening connection with bind user 'CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Directly binding a connection to a server with user:'CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Authentication was successful for user 'mpeters'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(uniqueMember=CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com))' , base 'DC=mydomain,DC=com' and scope 'LEVEL'
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8629683828>
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8628e91048>
The AD logs says "An account was successfully logged on"; however, the user does not log in to the app. The user has no issues login in with the AD credentials anywhere else.
What might be the issue?
This is the flask-ldap3-login code:
LDAP_USER_RDN_ATTR = 'cn'
LDAP_USER_LOGIN_ATTR = 'sAMAccountName'
LDAP_BASE_DN = 'DC=mydomain,DC=com'
LDAP_REQUIRED_GROUP = 'ou=helpdesk,dc=mydomain,dc=com'
LDAP_USER_SEARCH_SCOPE = 'SUBTREE'
But "malformed filter" usually means that the LDAP query sent to AD isn't valid somehow. I asked about odd characters on the account, since if some special characters are not encoded properly, they can be misinterpreted as special characters used in LDAP queries.
It could be a bug in your code, or a bug in flask-ldap3-login. If you show your code, I might be able to give you some pointers.
Also, see if you can enable debug logging. It may tell you what the actual filter is that made it bomb. I'm not familiar with flask-ldap3-login, but, looking at the documentation, this might do it?:
app.config['DEBUG'] = True
SOLVED! Seems to be solved in the latest version of flask-ldap3-login. I did not upgrade but modified existing code:
Replaced this:
`search_filter = '(&{group_filter}({members_attr}={user_dn}))'.format('`
`group_filter=self.config.get('LDAP_GROUP_OBJECT_FILTER'),`
`members_attr=self.config.get('LDAP_GROUP_MEMBERS_ATTR'),`
`user_dn=dn`
with this:
`safe_dn = ldap3.utils.conv.escape_filter_chars(dn)`
`search_filter = '(&{group_filter}({members_attr}={user_dn}))'.format(`
`group_filter=self.config.get('LDAP_GROUP_OBJECT_FILTER'),`
`members_attr=self.config.get('LDAP_GROUP_MEMBERS_ATTR'),`
`user_dn=safe_dn`
I suppose to make a web application where the users can login in this platform with username and password (I want to make a MySQL database to stare username and password).
After when the user is logged, he selects a file from his computer and send this file on server.
I want encrypt this file to a group of users (I want use HybridABE cryptography with Charm Crypto).
Now I have these architectural/programming question.
Suppose that we have this program:
from charm.toolbox.pairinggroup import PairingGroup,GT
from charm.adapters.abenc_adapt_hybrid import HybridABEnc as HybridABEnc
from charm.schemes.abenc.abenc_waters09 import CPabe09
group = PairingGroup('SS512')
cpabe = CPabe09(group)
hyb_abe = HybridABEnc(cpabe, group)
policy = '((ONE or THREE) and (TWO or FOUR))'
msg = "hello world this is an important message."
(master_secret_key, master_public_key) = hyb_abe.setup()
attr_list = ['THREE', 'ONE', 'TWO']
secret_key = hyb_abe.keygen(master_public_key, master_secret_key, attr_list)
cipher_text = hyb_abe.encrypt(master_public_key, msg, policy)
decrypted_msg = hyb_abe.decrypt(master_public_key, secret_key, cipher_text)
Where can I save the Master Private Key and the Master Public Key ? On a directory server like file ? On database ?
Where can I save the secret key of user ?
An Attribute-based Encryption system is usually created once and has only one master secret key and public key pair.
The master secret key is stored on the server that generates the user secret keys. Since there is usually only one master secret key, you can even generate it and put it into the source code of your server code. Of course, you can include it in the server database.
User secret keys have to be given to users. Remember to give your users some kind of (public) identifier along with the user secret key so that you can manage the list of attributes that a certain user has at the server-side. Otherwise, you will have a headache when you try to update attributes, because you will need to contact users with their new user secret key.
The master public key (usually called "public parameters" or simply "public key") is public. It's a good idea to include it in the package that you give to your users. You can also create an API endpoint so that interested "users" can ask your server for the public key.
For one of our FBA enabled SharePoint site, we need to access various web services. I know that we need to invoke Authentication.asmx before we make any other SP web service call.
How do I get the currently logged in user's username & password to pass to the Authentication.asmx service?
Thanks.
Update: I tried Marek's solution with a known username and password and got a 401 for Authentication.asmx. So probably some settings are off. The admin is looking into it.
MembershipUser user = Membership.GetUser();
string username = user.UserName;
string password = user.GetPassword();
Authentication auth = new Authentication();
auth.CookieContainer = new CookieContainer();
LoginResult result = auth.Login(username, password);
if (result.ErrorCode == LoginErrorCode.NoError)
{
CookieCollection cookies = auth.CookieContainer.GetCookies(new Uri(auth.Url));
Cookie authCookie = cookies[result.CookieName];
Lists lists = new Lists();
lists.CookieContainer = new CookieContainer();
lists.CookieContainer.Add(authCookie);
lists.GetListCollection();
}
However, depending on the settings of the membership provider (is password stored in plain text, encrypted or hashed? is it required to pass the security answer to get the password?) retrieving the password may be more difficult or even impossible and you will need to ask the user for it.