IIB SOAP user password Authentication at provider end - web-services

I am following the link https://www.ibm.com/developerworks/websphere/library/techarticles/1505_kumar/1505_kumar.html for a SOAP web-service consumer. I am applying the same method for a SOAP web-service provider.
I want to access the username and password in ESQL to authenticate both consumer and provider. Is there any way to access the user name and password of the provider from the SecurityProfiles configurable service in ESQL so it can be validated against the consumer credentials?
The user name and password are plain text.
I have done the following things:
1. Created Policy
2. Created Bindings
3. Created user ID and security profile:
mqsisetdbparms SBBROK -n SecurityID -u sbuser -p sb.123456
mqsicreateconfigurableservice SBBROK -c SecurityProfiles -o WSSecurityProfile -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,SecurityID"
Configured the BAR file and set the Policy, Binding and Security Profile on the SOAPInput node.
Deployed my flow.
After that, I assumed that with these provider policies, bindings and profile the provider could authenticate the consumer user name and password.
I am using iib version 10.0.0.15.

I'm not sure I fully understood the question.
All I can tell you is the following: the credentials provided by the one calling your service will be stored at this location: Properties/IdentitySourcePassword and Properties/IdentitySourceToken, right after your input node.
If not set to static, the SOAP request you are doing will use the credentials at this location as well. Otherwise, it will use the user/password defined in the mqsisetdbparms command.
So you can access the input credentials in your ESQL code like this:
DECLARE callerUser CHARACTER;
DECLARE callerPassword CHARACTER;
SET callerUser = InputRoot.Properties.IdentitySourceToken;
SET callerPassword = InputRoot.Properties.IdentitySourcePassword;
For the credentials stored via mqsisetdbparms, I don't know of any way to access them and, to be honest, I don't see the point.
A solution, if you really need this, is to change your static user/password to a dynamic one, and set it directly in your ESQL at these locations with something like this:
DECLARE myUser CHARACTER;
DECLARE myPassword CHARACTER;
DECLARE callerUser CHARACTER;
DECLARE callerPassword CHARACTER;
SET myUser = 'Username';
SET myPassword = 'Password123';
SET callerUser = InputRoot.Properties.IdentitySourceToken;
SET callerPassword = InputRoot.Properties.IdentitySourcePassword;
-- The comparison you want to do here
-- (assumes OutputRoot.Properties has already been copied from InputRoot, e.g. via CopyMessageHeaders())
SET OutputRoot.Properties.IdentitySourcePassword = myPassword;
SET OutputRoot.Properties.IdentitySourceToken = myUser;
Of course, hardcoding the user/password is not the right solution, it is just an example, but you can easily store it in a database and retrieve it from the ESQL.

How to change the default admin password in ActiveMQ Artemis

I've checked the docs, but so far haven't found how to change the default admin password in ActiveMQ Artemis 2.27.1 that was created when using the artemis create command.
Here are the contents of the etc/login.config:
activemq {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
debug=false
reload=true
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
These are the contents of artemis-users.properties:
admin = ENC(1024:EE12ADBFA02C8DB4AF73E22F44C9BD2C12861A2CD01186CA07A874FAA824A757:BA04C1C3F55B0F68EFB2804BB001EAC2C5105EC1662DCBF96E158F9DA3E0C1BB9D8ECA2FF77BBD391938BCB1E69D865322981AB134BF81B1378AFBBE9C040350)
#admin = ENC(1024:389da8e6db1d6dc50b300ec99ea5604a)
I tried masking the password as described here (this is the commented-out admin line), but got invalid credentials when I tried to log in after restarting the server.
I generated it like this:
./artemis mask <plaintextPassword>
By default, credentials are stored in etc/artemis-users.properties. Each line represents a user and its password in the format:
<user> = <password>
Passwords are hashed by default and stored using the ENC() syntax, but you can use a plain-text password if you want. Also, by default any changes to artemis-users.properties and artemis-roles.properties are reloaded automatically (since reload=true in login.config), so there's no need to restart the broker.
More details are available in the documentation for the PropertiesLoginModule.
If you want to update the file manually with a hashed password, you need to use the following command in the bin directory:
$ ./artemis mask --hash <password>
This is documented in the "Masking Passwords" chapter.
Additionally, if you have at least one valid, working user account with the manage permission, or if you have anonymous login enabled, then you can use the user commands to list, add, remove, and reset users. As before, more details can be found in the documentation.
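The answer above draws the line between a masked value (plain `artemis mask`) and a hashed one (`artemis mask --hash`). The following is an added example, not Artemis project code, that parses an artemis-users.properties file and checks a password against either kind of entry. It assumes the hashed entries use the DefaultSensitiveStringCodec defaults of the 2.27 line: PBKDF2-HMAC-SHA1, 1024 iterations, a 32-byte salt and a 512-bit key, stored as ENC(iterations:salt:hash) in hex. The sample file is constructed here (not the asker's); the "bob" entry reuses the question's masked value to show that a masked value can never verify as a hash.

```python
"""Check credentials against an artemis-users.properties style file.

Added example (not Artemis code). Assumption: ENC(<iterations>:<salt>:<hash>)
entries are PBKDF2-HMAC-SHA1 with a 32-byte salt and a 512-bit derived key,
the DefaultSensitiveStringCodec defaults in Artemis 2.27.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

ITERATIONS = 1024
SALT_BYTES = 32
KEY_BYTES = 64  # 512-bit derived key
# Three colon-separated hex fields inside ENC(...): iterations, salt, hash.
HASHED_RE = re.compile(r"^ENC\((\d+):([0-9A-Fa-f]+):([0-9A-Fa-f]+)\)$")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Produce an entry in the same shape as `artemis mask --hash <password>`."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return f"ENC({iterations}:{salt.hex().upper()}:{dk.hex().upper()})"


def parse_users(text: str) -> Dict[str, str]:
    """Parse `<user> = <password>` lines; blank lines and '#' comments are skipped."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, secret = line.partition("=")
        if not sep or not user.strip():
            raise ValueError(f"malformed line: {raw!r}")
        users[user.strip()] = secret.strip()
    return users


def verify(stored: str, candidate: str) -> bool:
    """True if `candidate` matches the stored value, hashed or plain text."""
    m = HASHED_RE.match(stored)
    if m is not None:
        iterations, salt_hex, hash_hex = m.groups()
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha1", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), len(expected))
        return hmac.compare_digest(dk, expected)
    if stored.startswith("ENC("):
        # A two-field ENC(...) value, as written by plain `artemis mask`, is a
        # reversible masked secret, not a hash. It cannot match a typed password,
        # so reject it outright rather than comparing it as text.
        return False
    # Plain-text entry: compare in constant time.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


# Computed once so that a lookup of an unknown user still pays for one PBKDF2 run.
_DUMMY = hash_password("", bytes(SALT_BYTES))


def authenticate(users: Dict[str, str], user: str, candidate: str) -> bool:
    stored = users.get(user)
    if stored is None:
        verify(_DUMMY, candidate)
        return False
    return verify(stored, candidate)


# Constructed sample file (not the asker's). The admin hash is generated above with a
# fixed salt so the block is reproducible; "bob" carries the question's masked value.
SAMPLE_USERS = f"""
admin = {hash_password('changeme', bytes(range(SALT_BYTES)))}
guest = guest
bob = ENC(1024:389da8e6db1d6dc50b300ec99ea5604a)
"""

if __name__ == "__main__":
    table = parse_users(SAMPLE_USERS)
    for name, pw in [("admin", "changeme"), ("admin", "wrong"),
                     ("guest", "guest"), ("bob", "anything"), ("nobody", "x")]:
        print(f"{name}/{pw}: {authenticate(table, name, pw)}")
```

The parser deliberately covers only the `<user> = <password>` shape the answer describes; the real PropertiesLoginModule loads the file through java.util.Properties, which accepts a few more spellings. To check an entry from a real file, paste its ENC(...) value into `verify` with the password you expect.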

Cognito authentication with username or unique email via AWS Amplify

Amplify CLI authentication with Cognito user pools currently has two main modes: sign-in with username or with email. In the former case, email uniqueness as a required user attribute is not enforced.
The Cognito service by itself supports the "Also allow sign in with verified email address" option (AWS Console, User Pool Attributes section), but it can be set only upon user pool creation (i.e. it cannot be modified later; the checkboxes are disabled). Is it possible to enforce no duplicate emails within the user pool while allowing users to authenticate with username or with email?
To summarize, my use case requires:
Verifying/enforcing email attribute uniqueness at the Cognito level when signing up users via Amplify's Auth.SignUp;
Keeping username-based login but allowing users to login with their email as well (that is, Auth.SignIn with email or username supplied as the username-argument).
When you add the user pool with amplify add auth, choose 'Username' as the method with which you want users to sign in when prompted.
If you aren't prompted with this choice, you might need to try amplify add auth again but this time choose Manual configuration when prompted at the beginning.
Once you've completed the entire auth set up via amplify add auth, BEFORE you run amplify push for the first time, run amplify override auth.
This creates a new override.ts file which you can edit with AWS CDK code to customise your Cognito resources beyond the abilities the CLI allows.
You can find the override.ts file at:
amplify\backend\auth\<your_app_name>\override.ts
Inside the override file, add the following line into the empty function that's made for you:
resources.userPool.aliasAttributes = ['email'];
Now you can save the file and run amplify push, and hopefully your new user pool will show in the AWS Console that you've successfully configured it to allow user name and email sign-in together.
You have to make sure you write the override code before amplify push, or your user pool will be created in the cloud, and attempting to override this sign-in functionality after the user pool has been created throws an error, as it's read-only.
If you find yourself in that position, you'll need to create a new user pool, you can't modify the existing one.

AWS Cognito sign up without password to get email confirmation link

I want to make a simple registration flow for an app.
The user signs up with only an email -> a verification/registration link is sent to the email -> the user registers (entering a password) on that link.
I've googled everything but haven't found any way to do it with AWS Cognito.
It looks like Cognito is forcing users to sign up with at least email AND password to get the confirmation link.
You can sign up users with the adminCreateUser API call. They will receive an email with a temporary password. This approach is configurable.
See: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
Use: AdminCreateUser
Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password (it will be your user's password) or allow Amazon Cognito to automatically generate one.
Specify whether provided email addresses and phone numbers are marked as verified for new users.
Specify custom SMS and email invitation messages for new users via the AWS Management Console.
Specify whether invitation messages are sent via SMS, email, or both.
After successful user creation:
1. Authenticate the user using the same user credentials.
Use: SDK calls InitiateAuth(Username, USER_SRP_AUTH)
2. After initiateAuth succeeds, Amazon Cognito returns the PASSWORD_VERIFIER challenge with salt and secret block.
3. Use RespondToAuthChallenge(Username, <SRP variables>, PASSWORD_VERIFIER).
4. Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.
5. The user is prompted and enters a new password and any missing values for required attributes.
6. Call RespondToAuthChallenge(Username, <New password>, <User attributes>).
7. After the successful password change, the user is able to log in using the same credentials you added.
Short answer
- In that case, you can specify the temporary password (or allow Amazon Cognito to automatically generate one).
- All users will be forced to change their password at first login only.
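The seven steps above, driven end to end, as an added example that is not AWS, Amplify or the answerer's code. The flow function calls the three boto3 cognito-idp methods by their real names (admin_create_user, admin_initiate_auth, admin_respond_to_auth_challenge), so a `boto3.client("cognito-idp")` can be passed in; to keep the block runnable offline, a constructed in-memory stand-in with the same method names models the FORCE_CHANGE_PASSWORD state, the one-shot challenge session and the NEW_PASSWORD_REQUIRED response. One deliberate change from the answer: the first login uses the server-side ADMIN_USER_PASSWORD_AUTH flow instead of USER_SRP_AUTH, which avoids SRP arithmetic but requires ALLOW_ADMIN_USER_PASSWORD_AUTH on the app client. Pool and client ids are placeholders.

```python
"""AdminCreateUser -> NEW_PASSWORD_REQUIRED -> RespondToAuthChallenge, run offline.

Added example (not AWS or Amplify code). Assumptions: ADMIN_USER_PASSWORD_AUTH is
enabled on the app client; ids are placeholders; FakeCognito is a constructed stand-in.
"""
import secrets
from typing import Any, Dict

AUTH_FLOW = "ADMIN_USER_PASSWORD_AUTH"


def onboard_user(client, pool_id: str, client_id: str, username: str, email: str,
                 temp_password: str, new_password: str) -> Dict[str, Any]:
    """Create the user, log in once with the temporary password, set the real one."""
    # 1. Create the user; Cognito mails the temporary password (DesiredDeliveryMediums).
    client.admin_create_user(
        UserPoolId=pool_id, Username=username,
        UserAttributes=[{"Name": "email", "Value": email},
                        {"Name": "email_verified", "Value": "true"}],
        TemporaryPassword=temp_password,
        DesiredDeliveryMediums=["EMAIL"],
    )
    # 2. First login with the temporary password.
    resp = client.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow=AUTH_FLOW,
        AuthParameters={"USERNAME": username, "PASSWORD": temp_password},
    )
    # 3. No tokens yet: Cognito insists on a real password first.
    if resp.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise RuntimeError(f"unexpected response: {resp}")
    # 4. Answer the challenge with the password typed on the registration page.
    resp = client.admin_respond_to_auth_challenge(
        UserPoolId=pool_id, ClientId=client_id,
        ChallengeName="NEW_PASSWORD_REQUIRED", Session=resp["Session"],
        ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
    )
    return resp["AuthenticationResult"]


def password_accepted(client, pool_id: str, client_id: str, username: str, password: str) -> bool:
    """True only if Cognito issues tokens outright (correct password, no challenge pending)."""
    try:
        resp = client.admin_initiate_auth(
            UserPoolId=pool_id, ClientId=client_id, AuthFlow=AUTH_FLOW,
            AuthParameters={"USERNAME": username, "PASSWORD": password})
    except Exception:  # NotAuthorizedException from a real client, ValueError below
        return False
    return "AuthenticationResult" in resp


class FakeCognito:
    """Constructed stand-in for the cognito-idp client (not the AWS SDK)."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, Any]] = {}
        self.sessions: Dict[str, str] = {}  # challenge session -> username

    def admin_create_user(self, **kw):
        name = kw["Username"]
        if name in self.users:
            raise ValueError("UsernameExistsException")
        self.users[name] = {"password": kw["TemporaryPassword"],
                            "status": "FORCE_CHANGE_PASSWORD",
                            "attributes": kw.get("UserAttributes", [])}
        return {"User": {"Username": name, "UserStatus": "FORCE_CHANGE_PASSWORD"}}

    def admin_initiate_auth(self, **kw):
        params = kw["AuthParameters"]
        user = self.users.get(params["USERNAME"])
        if user is None or user["password"] != params["PASSWORD"]:
            raise ValueError("NotAuthorizedException")
        if user["status"] == "FORCE_CHANGE_PASSWORD":
            session = secrets.token_urlsafe(16)
            self.sessions[session] = params["USERNAME"]
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": session,
                    "ChallengeParameters": {"USER_ID_FOR_SRP": params["USERNAME"]}}
        return {"AuthenticationResult": self._tokens(params["USERNAME"])}

    def admin_respond_to_auth_challenge(self, **kw):
        name = self.sessions.pop(kw["Session"], None)  # sessions are single-use
        answers = kw["ChallengeResponses"]
        if name is None or name != answers["USERNAME"]:
            raise ValueError("NotAuthorizedException: invalid session")
        user = self.users[name]
        user["password"] = answers["NEW_PASSWORD"]
        user["status"] = "CONFIRMED"
        return {"AuthenticationResult": self._tokens(name)}

    @staticmethod
    def _tokens(name: str) -> Dict[str, str]:
        return {"AccessToken": f"access-{name}", "IdToken": f"id-{name}", "TokenType": "Bearer"}


if __name__ == "__main__":
    fake = FakeCognito()
    print(onboard_user(fake, "pool-id-placeholder", "client-id-placeholder",
                       "alice", "alice@example.com", "Temp#Pass1", "Real#Pass2"))
```

The point the stand-in makes explicit: until the NEW_PASSWORD_REQUIRED challenge is answered, the temporary password only ever yields a challenge, never tokens, and once it is answered the temporary password is dead. The registration link in the asker's flow therefore needs to carry nothing more than the temporary credential, and the page behind it performs steps 2 to 4.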

How to configure WSO2IS with secondary user store so user does not have to enter the domain name when signing in?

I have a WSO2IS install in development configured with the OOTB PRIMARY user store and a secondary Active Directory user store. When signing in to the WSO2IS Mgt Console I can sign in as an Active Directory user, but only if I provide the domain name, like DEVUSERS/devadmin.
I have been experimenting with lots of different settings and I'm pretty sure I had it working at one point so I could sign in with either a PRIMARY user store user (admin) or a DEVUSERS Active Directory user without providing the domain name, but can't reproduce it now.
I should add that I really don't care if DEVUSERS can sign in to mgt console. I just need to authenticate them when they sign in to my web application that uses OIDC to have WSO2IS handle the authentication. I have a Service Provider configured for my web application connection.
I have tried replacing the OOTB PRIMARY user store with my DEVUSERS user store. With that setup users can sign in to my application without providing the domain name, so that part works fine. But the DEVUSERS user I am using to connect the user store (i.e. ConnectionName) doesn't have the 'admin' permission, so it can't perform some mgt console functions.
You can log in to the IS with any user in the primary or secondary user store, either specifying a domain name or not.
Once you try to log in to the system by specifying the domain, IS will look in the specified domain's user store to authenticate the user. Otherwise, it will go through all the defined user stores, starting from the primary user store.
In your case, the devadmin user may exist in the primary user store with another password.

UserProfileMgtService is not able to find user in WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a Load Balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so-called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService I am able to fill an OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as a result I receive the following message:
UserNotFound: User admin#admin.com#carbon.super does not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using the multitenancy of the IS, and there is a case where I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this desired behavior, introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using the "username"+"tenant-domain" (that is retrieved by the OAuth2TokenValidationService as the authorized user when passing a valid access token)?
Is it possible that this is caused by misconfiguration? If so, which file needs to be updated and what exactly should be modified in it?
Is there a place where more information can be found on the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by the authenticated user and it should not be passed with the username.
The username should be a tenant-free username.
So you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, as in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of user testuser#admin.com in tenant domain test.net, your request should look like the image below.
Thanks
Isura.