WSO2IS 5.3.0 XSS Protection - wso2

In WSO2 Identity Server 5.3.0, carbon.xml still contains the XSS prevention config which was introduced with 5.0.0 SP1. It is described in the documentation as well.
<XSSPreventionConfig>
    <Enabled>true</Enabled>
    <Rule>allow</Rule>
    <Patterns>
        <!--Pattern></Pattern-->
    </Patterns>
</XSSPreventionConfig>
The configuration is read by the Tomcat XSSValve. But in the default WSO2IS installation package the Tomcat valve configuration is missing, basically leaving the XSSPreventionConfig useless.
Is the configuration still needed? Can I remove the configuration from carbon.xml or do I need to configure XSSValve in tomcat?
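A check for the gap described in this question, added here as an example and not WSO2's own code: it reads the XSSPreventionConfig block from a carbon.xml document and looks for a Tomcat Valve whose className mentions XSSValve, reporting when the setting is enabled but no valve exists to apply it. The XML fragments are constructed samples, and the valve class name used in the "with valve" sample is a placeholder, since the question does not give the real one.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the carbon.xml fragment quoted in the question.
CARBON_XML = """<Server>
  <XSSPreventionConfig>
    <Enabled>true</Enabled>
    <Rule>allow</Rule>
    <Patterns>
      <!--Pattern></Pattern-->
    </Patterns>
  </XSSPreventionConfig>
</Server>"""

# Constructed Tomcat server configuration with no XSS valve registered,
# which is the situation the question describes.
CATALINA_NO_VALVE = """<Server><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost">
    <Valve className="org.apache.catalina.valves.AccessLogValve"/>
  </Host></Engine></Service></Server>"""

# The same configuration with an XSS valve added; the class name is a
# placeholder, not WSO2's real valve class.
CATALINA_WITH_VALVE = CATALINA_NO_VALVE.replace(
    "</Host>", '<Valve className="PLACEHOLDER.XSSValve"/></Host>')

def xss_prevention_state(carbon_xml):
    """Return the XSSPreventionConfig settings found in a carbon.xml document."""
    cfg = ET.fromstring(carbon_xml).find("XSSPreventionConfig")
    if cfg is None:
        return {"present": False, "enabled": False, "rule": None, "patterns": []}
    enabled = (cfg.findtext("Enabled") or "").strip().lower() == "true"
    patterns = [p.text.strip() for p in cfg.findall("Patterns/Pattern") if p.text]
    return {"present": True, "enabled": enabled,
            "rule": (cfg.findtext("Rule") or "").strip(), "patterns": patterns}

def has_xss_valve(catalina_xml):
    """True when some Tomcat <Valve> element names an XSSValve class."""
    root = ET.fromstring(catalina_xml)
    return any("XSSValve" in v.get("className", "") for v in root.iter("Valve"))

def audit(carbon_xml, catalina_xml):
    """Say whether the carbon.xml setting can actually take effect."""
    state = xss_prevention_state(carbon_xml)
    if not state["enabled"]:
        return "disabled"
    if not has_xss_valve(catalina_xml):
        return "ineffective: XSSPreventionConfig enabled but no XSSValve registered"
    return "active"
```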

Related

Vulnerable JS Library jquery-3.4.1.js reported in Wso2 identity server 5.11.0

I recently installed WSO2 Identity Server 5.11.0 on my Linux server and integrated my application with it.
During a ZAP scan the vulnerability below is reported:
Vulnerable JS Library jquery-3.4.1.js reported in Wso2 identity server 5.11.0
Reported URL:
https://myapplicationurl.com/authenticationendpoint/libs/jquery_3.4.1/jquery-3.4.1.js
Does WSO2 provide any fix for this? It seems the authenticationendpoint application of WSO2 uses this JS and I am not sure of the impact if I just replace it with a higher version of jQuery.
Please refer to the WSO2 Security reporting process at https://wso2.com/security. WSO2 discourages discussing security issues in public forums.
Nevertheless, most of the reported vulnerabilities of jQuery are not a threat to WSO2IS when it comes to their usage, because those vulnerabilities reside in specific functions of jQuery and those functions are either not used at all or not used in a vulnerable way.

WSO2 Publisher/Store not working after installed EEM

After I installed WSO2 EMM (Enterprise Mobility Manager), I could add a device to device management. But I couldn't open the Publisher/Store; every page jumps to https://localhost:9443/publisher/acs or https://localhost:9443/samlsso. Should I install the WSO2 Identity Server or configure SSO for it?
You don't need to install any identity components or configure SSO explicitly. They are already there in vanilla EMM. When you go to https://localhost:9443/publisher, it should be redirected to the login page.
https://localhost:9443/authenticationendpoint/login.do
Then when you enter credentials it should redirect you to the URLs below.
1) https://localhost:9443/publisher/acs
2) https://localhost:9443/publisher
If this doesn't work for you, there should be exceptions in log file. Please check that.
There was a missing part in the EMM documentation in the SSO configuration section [1]. Hope you are trying out this VM. Please follow the steps given there in order to get publisher and store working properly.
The reason you encountered this is that the app-manager.xml file in the /repository/conf directory wasn't properly configured.
<SSOConfiguration>
    <!-- URL of the IDP use for SSO -->
    <IdentityProviderUrl>https://<EMM_HOST>:<EMM_HTTPS_PORT>/samlsso</IdentityProviderUrl>
    <Configurators>
        <Configurator>
            <name>wso2is</name>
            <version>5.0.0</version>
            <providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass>
            <parameters>
                <providerURL>https://<EMM_HOST>:<EMM_HTTPS_PORT></providerURL>
                <username>admin</username>
                <password>admin</password>
            </parameters>
        </Configurator>
    </Configurators>
</SSOConfiguration>
[1] https://docs.wso2.com/display/EMM201/General+Server+Configurations

Error while installing apps from WSO2 app manager

I am trying to install apps using WSO2 App Manager, but they are not actually getting installed on my device. I am attaching the log below.
You can install apps on your device with the App Manager (APPM) and Enterprise Mobility Manager (EMM) combination. Follow the steps below to integrate those two products and install apps on your device through App Manager. These steps were extracted from here.
There are two separate cases for APPM and EMM integration:
1) APPM and EMM on a single JVM, e.g. the EMM standalone pack.
2) APPM and EMM on separate JVMs, e.g. a clustered scenario.
For the first case, the EMM standalone vanilla pack should work without changing any configuration.
For the second case, there are some configurations which should be done. Follow the steps below to configure APPM and EMM on separate JVMs.
If you run APPM and EMM on the same machine, change the port offset of one pack. Let's change the port offset of the APPM pack.
i) Change the port offset in carbon.xml (in the /repository/conf directory) to 10.
ii) Since APPM's default authentication mechanism is SAML SSO, change the port of IdentityProviderUrl in app-manager.xml as well:
<SSOConfiguration>
    <!-- URL of the IDP use for SSO -->
    <IdentityProviderUrl>https://localhost:9453/samlsso</IdentityProviderUrl>
    <Configurators>
        <Configurator>
            <name>wso2is</name>
            <version>5.0.0</version>
            <providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass>
            <parameters>
                <providerURL>https://localhost:9453</providerURL>
                <username>admin</username>
                <password>admin</password>
            </parameters>
        </Configurator>
    </Configurators>
</SSOConfiguration>
iii) Change the port offset to 9453 for all the ports found in sso-idp-config.xml, which is located in the /repository/conf/identity directory.
Now setting the port offset is done.
Now create a mobile app by going to the App Manager publisher. Publish it and it will be available in the APPM store.
Create an OAuth application in EMM by following the article "How to map existing oauth apps in wso2".
Open app-manager.xml in APPM and find the configuration called MobileAppsConfiguration. Change the ActiveMDM property to WSO2MDM.
ex: WSO2MDM
Change the MDM properties named WSO2MDM as follows. Change the port of ServerURL and TokenApiURL to the EMM port. Here the client key and client secret are the ones returned from EMM when the OAuth application is created.
<MDM name="WSO2MDM" bundle="org.wso2.carbon.appmgt.mdm.restconnector">
    <Property name="ImageURL">/store/extensions/assets/mobileapp/resources/models/%s.png</Property>
    <Property name="ServerURL">https://localhost:9453/mdm-admin</Property>
    <Property name="TokenApiURL">https://localhost:9453/oauth2/token</Property>
    <Property name="ClientKey">veQtMV1aH1iX0AFWQckJLiooTxUa</Property>
    <Property name="ClientSecret">cFGPUbV11yf9WgsL18d1Oga6JR0a</Property>
    <Property name="AuthUser">admin</Property>
    <Property name="AuthPass">admin</Property>
</MDM>
Enroll your device in MDM.
Now you can install apps using app manager store to devices enrolled in EMM.
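A consistency check for the port-offset steps above, added here as an example and not the project's own code: it reads the Offset from a carbon.xml document, derives the expected HTTPS port as 9443 plus that offset, and reports every SSO URL in app-manager.xml (IdentityProviderUrl and providerURL) that still points at a different port. The XML fragments are constructed samples; the second one deliberately leaves providerURL at the default port to show what a missed edit looks like.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

BASE_HTTPS_PORT = 9443  # Carbon's default HTTPS port; the Offset is added to it

# Constructed carbon.xml fragment with the offset the steps above set for APPM.
CARBON_XML = """<Server>
  <Ports>
    <Offset>10</Offset>
  </Ports>
</Server>"""

# Constructed app-manager.xml fragment: IdentityProviderUrl was moved to the
# offset port, but providerURL still points at the default port.
APP_MANAGER_XML = """<AppManager>
  <SSOConfiguration>
    <IdentityProviderUrl>https://localhost:9453/samlsso</IdentityProviderUrl>
    <Configurators>
      <Configurator>
        <parameters>
          <providerURL>https://localhost:9443</providerURL>
        </parameters>
      </Configurator>
    </Configurators>
  </SSOConfiguration>
</AppManager>"""

SSO_URL_TAGS = ("IdentityProviderUrl", "providerURL")

def carbon_offset(carbon_xml):
    """Read <Ports><Offset> from carbon.xml (0 when absent)."""
    return int((ET.fromstring(carbon_xml).findtext("Ports/Offset") or "0").strip())

def sso_urls(app_manager_xml):
    """Collect the SSO URLs from app-manager.xml, keyed by element name."""
    root = ET.fromstring(app_manager_xml)
    return {el.tag: el.text.strip() for el in root.iter()
            if el.tag in SSO_URL_TAGS and el.text}

def mismatched_urls(carbon_xml, app_manager_xml):
    """Map each SSO URL whose port disagrees with 9443+Offset to (found, expected)."""
    expected = BASE_HTTPS_PORT + carbon_offset(carbon_xml)
    bad = {}
    for tag, url in sso_urls(app_manager_xml).items():
        port = urlsplit(url).port or 443  # https URLs without an explicit port
        if port != expected:
            bad[tag] = (port, expected)
    return bad
```

The same check can be pointed at the MDM ServerURL and TokenApiURL properties by adding their element names to the tag list.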

WSO2 Identity Server - Log Error: Server is Not Picking up the Client Certificate

When testing the WSO2 Identity Server rel. 5.1 using the Travelocity tool, I see a number of error messages recorded in the log file, saying:
"Server is not picking up the client certificate. Mutual SSL authentication is notdone"
The message repeats every 3 minutes.
Where is the missing certificate stored that needs to be updated to connect Travelocity to the WSO2 IdP without writing error logs? In the travelocity.jks store on the client side, I currently see an alias entry for localhost and another entry for the IDP.
I've raised the debug level in log4j.properties to the values:
log4j.logger.org.wso2.carbon.user=DEBUG
log4j.logger.org.wso2.carbon.identity=DEBUG
log4j.logger.org.wso2.carbon.idp.mgt=DEBUG
This is actually not an error log. This is a debug log. If you remove the following debug-level entry from the log4j.properties file, you will not see this.
log4j.logger.org.wso2.carbon.identity=DEBUG
MutualSSLAuthenticator is a Carbon authenticator which is shipped by default with WSO2 IS 5.1.0. This authenticator is enabled by default in the authenticators.xml file located in the IS_HOME/repository/conf/security/ directory. It is actually not invoked by the SAML authentication flow or the OpenID flow which you might be trying with the Travelocity sample application. But the log gets printed as the framework checks whether the authenticator is capable of handling the authentication.
This authenticator is used with the OOTB supported Workflow Management feature [1], for server-to-server authentication.
You can also disable this authenticator by commenting out the configuration below in the authenticators.xml file, and authentication with the Travelocity sample application will still work successfully.
<Authenticator name="MutualSSLAuthenticator">
    <Priority>5</Priority>
    <Config>
        <Parameter name="UsernameHeader">UserName</Parameter>
        <Parameter name="WhiteListEnabled">false</Parameter>
        <Parameter name="WhiteList"></Parameter>
    </Config>
</Authenticator>
[1] https://docs.wso2.com/display/IS510/Workflow+Management

WSO2 esb + AS feature = ESB can not manage HttpSession

This is my first question on Stack Overflow and I'm new to WSO2 ESB. I installed version 4.9.0 of ESB and also installed the Application Server feature on it. WSO2 ESB cannot manage HttpSession. Can you help me please to solve this problem?
I already tried to change this parameter to true or false:
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <secure>false</secure>
    </cookie-config>
</session-config>
in ESB_HOME\repository\conf\tomcat\web.xml
The Application Server feature installed well, I think. I can start my app and it's working until I try to use HttpSession to manage user sessions and authentication.
Has somebody had the same problem?