I use WSO2is 5.7.0 with my angular 6 app, i tried make api call from my app but i have a cors error: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at
I already activated the cors enabled in oauth and authenticationendpoint, i edited de WEB-INF/web.xml of both webapps with this lines:
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
In authenticationendpoint i copy the cors libraries from oauth to authenticationendpoint webapps in lib folder and edited the pom.xml file with this lines:
<dependency>
<groupId>com.thetransactioncompany.wso2</groupId>
<artifactId>cors-filter</artifactId>
<version>1.7.0.wso2v1</version>
</dependency>
After this, restart the service, i and have the same problem Cross-Origin Request Blocked
in my angular app service i make the request as follow:
const httpHeaders = {
headers: new HttpHeaders()
.set('Content-Type', 'application/x-www-form-urlencoded')
.set('Access-Control-Allow-Origin', '*')
};
this.http.post<any>(`http://localhost:9443/commonauth`, payload, httpHeaders)
i think is neccesary enable cors support from tomcat but i don't know how do that, What other alternatives do I have besides enabling cors?
My sources:
https://docs.wso2.com/display/IS570/Invoking+an+Endpoint+from+a+Different+Domain
https://hasanthipurnima.blogspot.com/2016/05/applying-cors-filter-to-wso2-identity.html
The endpoint you are trying to invoke is registered as a servlet inside the Identity Server and you need to configure the web.xml file in repository/conf/tomcat/carbon/WEB-INF/ to apply the headers to your endpoint.
You can add the org.apache.catalina.filters.CorsFilter to the above-mentioned file to allow the required domains. More info can be found from tomcat documentation. Sample config would look like below.
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>https://www.somedomain.com</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/commonauth</url-pattern>
</filter-mapping>
Related
I am trying to fetch the WSO2-IS response when user enters wrong credentials from frontend. If I hit the same end point via postman then it returns a proper response shown as follows:
{
"error_description": "Client Authentication failed.",
"error": "invalid_client"
}
But when request is fired from the browser it throws CORS error saying:
request header field access-control-allow-credentials is not allowed by Access-Control-Allow-Headers in preflight response.
Although it works fine with correct user credentials.
Now since the request for authentication goes directly from client to WSO2 server I believe that no fixes are required in the backend. But I couldn't find a way to handle the same in frontend. Any kind of help will be appreciated. Thanks :)
The CORS error is occurring probably because you are running your frontend application on a separate host. If you are running WSO2 Identity Server 5.9.0 or later please try adding the following filter in your repository/resources/conf/templates/repository/conf/tomcat/web.xml.j2 file to allow CORS. If you are using an older version you can add the following filter in repository/conf/tomcat/web.xml file.
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>{ origin of your application }</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET, HEAD, POST, DELETE, OPTIONS, PATCH, PUT</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
I am using oidc JS cilent library OIDC JS
I have client code that connects to WSO2 IDP sever using openID connect endpoints.The flow is implicit configured on WSO2 server
WSO2 version :wso2is-5.3.0
The normal login works fine. When it comes to silent refresh for access-token it fails.
I am using "signinSilent" method of oidc to do silent login via iframe and get latest access token.
This works fine with Gluu server.
Here is the screenshot of error we are getting,
Error:
Refused to display '<idp authz url>' in a frame because it set 'X-Frmae-Options' to 'deny'
You can go to {carbonhome}/repository/deployment/server/webapps/oauth2/WEB-INF and add this to HttpHeaderSecurityFilter:
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>false</param-value>
</init-param>
This will disable the X-Frame-Options header and thus allow all domains. However, be careful when doing this. You can also set the antiClickJackingOptions and define the domains for which it is allowed.
In order to avoid this problem, the domain that will call the Identity Server, has to be added to the oauth2 web application shipped on WSO2 IS in its filter for CORS. To do it, just modify this file:
<wso2is_home>/repository/deployment/server/webapps/oauth2/WEB-INF/web.xml
And add the base URL you are going to allow in param-name cors.allowed.origins:
[...]
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param> <param-name>cors.allowed.origins</param-name>
<param-value>https://whatever.com, https://whatever2.com</param-value>
</init-param>
[...]
After modify this and restart WSO2 IS, the browser will not block it again
Has anyone successfully secured a web service using Active Directory credentials instead of an application specific username/password?
I have an application that talks to web services written with Axis2 1.5.1 and deployed on Tomcat 6.0.24, deployed on Linux, FWIW.
I have changed Tomcat from a JDBCRealm, authenticating against a database, to a JAASRealm, configured to access AD with Centrify (the client's preferred solution).
This works with web applications but for web services I get a 403 response.
I have tested using a simple Axis2 service (written with Axis2 1.5.1) and deployed against Tomcat 6.0.24 and 7.0.63. I've also tried with a web service written using Axis2 1.6.2. I get the same result in each case. I'm testing using a browser, BTW. When the service works I get xml; when it doesn't I get the error.
I'm wondering whether I need to change something in axis2.xml since even https://tomcat:8443/HelloWorld (my service is called HelloWorld) generates a 403.
Some configuration details...
I've changed the realm in server.xml to the following
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="CENTRIFYDC"
roleClassName="com.centrify.dc.tomcat.RolesPrincipal"
userClassName="com.centrify.dc.tomcat.LoginPrincipal" />
<Valve className="com.centrify.dc.tomcat.ContextValve" />
In web.xml I have added
<security-constraint>
<display-name>Security Web Service</display-name>
<web-resource-collection>
<web-resource-name>Secured Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>CENTRIFYDC</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>USER</role-name>
</security-role>
I've mapped the USER role to one of my AD groups
Any suggestions or guidance or setups that have worked for someone would be very useful, thanks.
The 403 error is indicating the permission problem after authentication. It is because after SSO, the server will check for group membership to see if the user got proper permission. The 403 error is coming from the configuration part of role mapping. SSO to the server is actually working fine.
We would suggest you to try the following(the following example is using 5.5 version tomcat but it will be the same for later version):
Configure tomcat for Centrify
a. Configure tomcat for Centrify by using configure.pl:
cd /usr/share/centrifydc/java
./configure.pl
Enter /opt/apache-tomcat-5.5.25 when prompted for the tomcat directory.
Enter /usr/jdk1.5.0_15 when prompted for the java directory.
Enter y when prompted if you want to configure Tomcat for SSL
Enter n when prompted if you want to configure Tomcat for SSL communication with ADFS server
Take default for everything else.
Configure webdav for Centrify and use kerberos(SPNEGO) for authentication
a. Set the logon realm to CENTRIFYDC:
cd /opt/apache-tomcat-5.5.25/webapps/
mkdir webdav/META-INF
create webdav/META-INF/context.xml as:
<Context path="/webdav">
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="CENTRIFYDC"
roleClassNames="com.centrify.dc.tomcat.RolesPrincipal"
userClassNames="com.centrify.dc.tomcat.LoginPrincipal"/>
<Valve className="com.centrify.dc.tomcat.ContextValve"/> </Context>
b. Configure mapping of AD groups to roles for the jspwiki app.
cp /usr/share/centrifydc/java/templates/centrifydc.xml webdev/WEB-INF/centrifydc.xml
modify RoleMapping section in webdev/WEB-INF/centrifydc.xml as follow:
<RoleMapping separator=";">
<Role name="user" group="*" user="*"/>
<Role name="#ROLE2#" group="#GROUP2#"/>
<Role name="#ROLE3#" user="#USER3#"/>
</RoleMapping>
c. Configure web.xml to use kerberos(SPNEGO) for authentication:
Edit web.xml and add
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>Default</realm-name>
</login-config>
<!--
OPTIONAL: Add CentrifyFilter to set the authenticated user's attributes
such as group membership in HTTP headers. You must also configure the
<SetHeaders> element in centrifydc.xml to set user attributes in HTTP
headers.
This filter is not needed if you do not want the authenticated
user's attributes set in HTTP headers.
-->
<filter>
<filter-name>CentrifyFilter</filter-name>
<filter-class>com.centrify.dc.wbase.DCFilter</filter-class>
</filter>
<!--
OPTIONAL: Apply (map) CentrifyFilter to the url patterns in the
<security-constraint> section of this application to set the
authenticated user's attributes in HTTP headers.
This <filter-mapping> is not needed if you do not want the
authenticated user's attributes set in HTTP headers.
-->
<filter-mapping>
<filter-name>CentrifyFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>ProtectedResource</web-resource-name>
<url-pattern>/index.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>
An test role
</description>
<role-name>user</role-name>
</security-role>
You could also refer to the Centrify Java Guide p.135 for the example for role mapping configured as follow:
Extensible Markup Language (XML) files, like the centrifydc.xml file, are structured documents that contain a set of supported elements enclosed in opening and closing angle (< >) brackets. The elements can be required or optional depending on the requirements of the application. The following is an example of how the key elements defined in the centrifydc.xml file:
<Centrifydc>
<enableAuthSchemes>Negotiate,NTLM,Basic</enableAuthSchemes>
<adclientSocket>/var/centrifydc/daemon</adclientSocket>
<RoleMapping>
<Role name=”role1” group=”arcade.com/Users/Sales”/>
</RoleMapping>
</Centrifydc>
Although the template centrifydc.xml file contains some default settings, these default settings should be modified in the copy of the centrifydc.xml file you place in an application’s WEB-INF directory. The following table describes the elements you can set in the centrifydc.xml file.
If you need any further assistance, please feel free to contact Centrify Technical Support directly.
There were a couple of problems. The first was an error was in the server.xml file. JAASRealms can accept several classes for role and user so the properties are roleClassNames and userClassNames as follows
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="CENTRIFYDC"
roleClassNames="com.centrify.dc.tomcat.RolesPrincipal"
userClassNames="com.centrify.dc.tomcat.LoginPrincipal" />
The second issue is around using several applications which use different authorization. The centrifydc.xml file maps roles when the app is first authenticated. However, if org.apache.catalina.authenticator.SingleSignOn is enabled then the roles are set only for the application that performs the authentication. Thereafter, only the roles set in the authenticating application's centrifydc.xml file are set. Other applications will see that the user is already authenticated but does not have the necessary authorization and fail with a 403 error.
In different applications use the roles user, USER and manager then the logging-in application must set up all three roles when it authenticates.
I am using PrimeFaces 5.0 and tomcat 7 and my application is in AWS.
I am trying to use PrimeFaces push. I have implemented a sample application and it is working with my local system. If i deploy the code to AWS it fails.
Xhtml code
<p:socket onMessage="jsFunctionToCall" channel="/service/push"/>
Web.xml
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.AtmosphereInterceptor</param-name>
<param-value>org.atmosphere.interceptor.ShiroInterceptor</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Push Servlet</servlet-name>
<servlet-class>org.primefaces.push.PushServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<async-supported>true</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>Push Servlet</servlet-name>
<url-pattern>/primepush/*</url-pattern>
</servlet-mapping>
Java code
#PushEndpoint("/service/push")
public class ServicePushResource {
#OnMessage(encoders = {JSONEncoder.class})
public String onMessage(String count) {
return count;
}
}
Pushing message:
EventBus eventBus = EventBusFactory.getDefault().eventBus();
eventBus.publish("/service/push", String.valueOf("msg"));
I am getting the error message that
WebSocket connection to 'ws://example.com/primepush/service/push?X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.2.4-javascript&X-Atmosphere-Transport=websocket&X-Atmosphere-TrackMessageSize=true&X-atmo-protocol=true' failed: Error during WebSocket handshake: Unexpected response code: 501
After this error there is another error message that
Websocket failed. Downgrading to Comet and resending push.js.xhtml?ln=primefaces&v=5.1:1
Failed to load resource: the server responded with a status of 501 (Not Implemented) http://example.com/primepush/service/push?X-Atmos…ng&X-Atmosphere-TrackMessageSize=true&X-atmo-protocol=true&_=1422008343786
On inspecting both the error message, I found that the p:socket component is failing with transport as 'WebSocket' and it is trying with 'long-polling' which is not implemented. So my question is whether AWS support 'WebSocket' if not what is the workaround for that?
Currently WebSocket is not supported with AWS. The work aroud is to use AWS EB loadbalancer with TCP/SSL. I did this by changing the protocol from HTTP to TCP in loadbalancer configuration. But this won't work alone, need to tell beanstalk to communicate directly to tomcat in case of websocket. This can be done using a configuration file which can be added as specified in this post.
Documentation of Primefaces 5.0 says to use Atmosphere 2.1.3. I had had similar problem as you when I tried to use 2.2.x version. The current version I use is 2.1.4 and it works for me fine. Maybe you could try this also.
The other case is that firefox browser throws wss connection error (but primepush works anyway).
Please refer also to:
https://bugzilla.mozilla.org/show_bug.cgi?id=594502
Im working on the developpment of webservices in JAVA implemented with CXF 2.5.2.
Im using apache Tomcat as web server.
I need to add HTTPS Security in some webservice method, i would like to know the best to implement HTTPS Security.
I heard that I can configure HTTPS in web.xml by specifing security constraint...or I can configure HTTPS in Apache tomcat for any method.
My ideas about advantage and disadvantage about each solution,
I think the advantage to configure https in web.xml is to localize in the same webapp of webservice.
The advantage in apache tomcat configuration let to not be coupled to any webapp.
Iam sure there is more way to implement HTTPS.
Thank you !
Configuring security in web.xml ( for example )
<security-constraint>
<web-resource-collection>
<web-resource-name>REST Service </web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test</realm-name>
</login-config>
<security-role>
<role-name>User</role-name>
</security-role>