Symfony2.8 how to list every URL's permission - list

In Symfony 2.8, I want to list every URL's permissions (e.g. roles) in order to find which URLs are not protected.
The result should have the same format as the access_control option in the security config.
How can I do this?

As far as I know, and after some research, what you are looking for doesn't exist out of the box. You could look into expanding the php bin/console debug:router command to include what security checks exist for each.
Another option would be to manually go through all the routes listed in the debug output and look at the security requirements in the _profiler.
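The check suggested above (take the routes from debug:router and see which access_control entry applies to each), as an added example that is not part of the original answer. The route list and rules are constructed sample data. Assumptions: only the path option is evaluated (not host, methods or ips), {placeholders} are filled with a dummy value, and the PHP path regexes behave the same under Python's re.

```python
import re

# Constructed sample data: route paths as printed by debug:router, and
# access_control entries in the same order as in the security config.
ROUTES = {
    "homepage": "/",
    "login": "/login",
    "admin_dashboard": "/admin/dashboard",
    "api_user_show": "/api/users/{id}",
    "report_export": "/reports/export",
}
ACCESS_CONTROL = [
    {"path": "^/login$", "roles": ["IS_AUTHENTICATED_ANONYMOUSLY"]},
    {"path": "^/admin", "roles": ["ROLE_ADMIN"]},
    {"path": "^/api", "roles": ["ROLE_USER"]},
]
PUBLIC = {"IS_AUTHENTICATED_ANONYMOUSLY"}


def sample_url(route_path):
    """Replace {placeholders} with a dummy segment so the regex can be tested."""
    return re.sub(r"\{[^}]+\}", "1", route_path)


def first_rule(route_path, rules):
    """Symfony applies only the first access_control entry whose path matches."""
    url = sample_url(route_path)
    for rule in rules:
        if re.search(rule["path"], url):
            return rule
    return None


def audit(routes, rules):
    """Return {route name: (roles or None, status)} for every route."""
    report = {}
    for name, path in sorted(routes.items()):
        rule = first_rule(path, rules)
        if rule is None:
            report[name] = (None, "NO RULE")
        elif set(rule["roles"]) <= PUBLIC:
            report[name] = (rule["roles"], "public")
        else:
            report[name] = (rule["roles"], "protected")
    return report

if __name__ == "__main__":
    for name, (roles, status) in audit(ROUTES, ACCESS_CONTROL).items():
        print(f"{name:18} {ROUTES[name]:22} {status:10} {roles}")
```

Routes reported as NO RULE may still be protected elsewhere (for example in the controller), so the output is a list of candidates to review, not a verdict.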

Related

How to configure CouchDB authentication in Docker?

I'm trying to build a Dockerized CouchDB to run in AWS that bootstraps authentication for my app. I've got a Dockerfile that installs CouchDB 1.6.1 and sets up the rest of the environment the way I need it. However, before I put it on AWS and potentially expose it to the wild, I want to put some authentication in place. The docs show this:
http://docs.couchdb.org/en/1.6.1/api/server/authn.html
which hardly explains the configuration properly or what is required for basic security. I've spent the afternoon reading SO questions, docs and blogs, all about how to do it, but there's no consistent story and I can't tell if what worked in 2009 will work now, or which parts are obsolete. I see a bunch of possible settings in the current ini files, but they don't match what I'm seeing in my web searches. I'm about to start trying various random suggestions I've gleaned from various readings, but thought I would ask before doing trial and error work.
Since I want it to run in AWS I need it to be able to start up without manual modifications. I need my Dockerfile to do the configuration, so using Futon isn't going to cut it. If I need to I can add a script to run on start to handle what can't be done there.
I believe that I need to set up an admin user, then define a role for users, provide a validation function that checks for the proper role, then create users that have that role. Then I can use the cookie authentication (over SSL) to restrict access to my app that provides the correct login and handles the session/cookie.
It looks like some of it can be done in the Dockerfile. Do I need to configure authentication_handlers, and an admin user in the ini file? And I'm guessing that the operations that modify the database will need to be done by some runtime script. Has anyone done this, or seen some example of it being done?
UPDATE:
Based on Kxepal's suggestion I now have it working. My Dockerfile is derived from klaemo's docker-couchdb, as mentioned below. The solution is to force the database to require authentication, but a fresh install starts out as Admin-Party. To stop that you have to create an admin user, which secures the system data but leaves other databases open. First, create an admin user in your Dockerfile:
RUN sed -e '/^\[admins\]$/a admin=openpassword\n' -i /usr/local/etc/couchdb/local.ini
(just following klaemo's sed pattern of using -e) and when CouchDB runs it will salt and hash this password and replace it in the local.ini file. I extracted that password and replaced "openpassword" with it so that my Dockerfile didn't have the password in plain text. CouchDB can tell by the form of it not to hash it again.
The normal pattern to now secure the other databases is to create users/roles and use them in a validation function to deny access to the other databases. Since I am only interested in getting a secure system in place for testing I opted to defer this and just use the settings in local.ini to force everyone to be authenticated.
The Dockerfile now needs to set the require_valid_user flag:
RUN sed -e '/^\[couch_httpd_auth\]$/a require_valid_user = true\n' -i /usr/local/etc/couchdb/local.ini
And that requires uncommenting the WWW-Authenticate setting:
RUN sed -e 's/^;WWW-Authenticate/WWW-Authenticate/' -i /usr/local/etc/couchdb/local.ini
Which, since the setting shows Basic realm="administrator" means that the NSURLProtectionSpace in my iOS app needs to use #"administrator" as the realm.
After this I now have a Dockerfile that creates a CouchDB server that does not allow anonymous modification or reading.
This hasn't solved all of my configuration issues since I need to populate a database, but since I use a python script to do that and since I can pass credentials when I run that, I have solved most problems.
To set up auth configuration during image build, you need to check not the API, but the configuration for server admins. TL;DR: just put an [admin] section into the local.ini file with your username and password in plain text; on start, CouchDB will replace the password with its hash and CouchDB won't be in the Admin Party state.
P.S. Did you check docker-couchdb project?
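A check that could run against the image's local.ini after the sed edits described in the question, as an added example that is not part of the original posts. The two ini texts and the hash value are constructed placeholders; the [httpd] location of WWW-Authenticate and the -pbkdf2-/-hashed- prefixes are assumptions about what CouchDB 1.x writes.

```python
import configparser
import re

# Constructed local.ini contents: a fresh install (Admin Party) and the state
# the sed edits in the question aim for. The hash is a made-up placeholder.
FRESH = """
[couch_httpd_auth]
;require_valid_user = false
[httpd]
;WWW-Authenticate = Basic realm="administrator"
[admins]
;admin = mysecretpassword
"""
HARDENED = """
[couch_httpd_auth]
require_valid_user = true
[httpd]
WWW-Authenticate = Basic realm="administrator"
[admins]
admin = -pbkdf2-0123456789abcdef0123456789abcdef01234567,0123456789abcdef,10
"""
# Assumed forms of an already-hashed admin password in CouchDB 1.x.
HASHED = re.compile(r"^-(pbkdf2|hashed)-[0-9a-f]+,")


def audit_local_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    admins = dict(cfg["admins"]) if cfg.has_section("admins") else {}
    if not admins:
        findings.append("no [admins] entry: server starts in Admin Party")
    for name, value in admins.items():
        if not HASHED.match(value):
            findings.append(f"admin '{name}' has a plain-text password")
    rvu = cfg.get("couch_httpd_auth", "require_valid_user", fallback="false")
    if rvu.strip().lower() != "true":
        findings.append("require_valid_user is not true: anonymous access allowed")
    if not cfg.has_option("httpd", "WWW-Authenticate"):
        findings.append("WWW-Authenticate is commented out")
    return findings


if __name__ == "__main__":
    for label, text in (("fresh", FRESH), ("hardened", HARDENED)):
        print(label, audit_local_ini(text) or "OK")
```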

Gigya - Failed - Invalid site domain

I'm trying to create a log-in/register system through Gigya, but can't seem to get it working. I get a couple of errors, with "Failed - Invalid site domain" being the most consistent one.
I've already double-checked my API keys and followed the developer guides on both Gigya and the respective social media.
Anyone know of a solution that I can try?
Try to set the Approved URLs on your Site settings section in https://console.gigya.com/
Include the URLs that you would like to use in this domain (we will validate this as part of our security policy). Please use a wildcard (*) to indicate sub-domains, e.g. *.domain.com, or sub directory paths, e.g. www.domain.com/site/*, that use the same configuration.
Read more here: http://developers.gigya.com/010_Developer_Guide/82_Socialize_Setup#Approved_URLs

Sitecore Alias refuses to work

I've inherited a Sitecore project and added a new alias to a set of existing aliases on an item within the content tree.
However, although I can visit the older aliases any of my new aliases seem not to work and lead to a 404.
I've tried publishing the content items and even System/Aliases however they still refuse to work.
Am I missing something obvious?
Several things could be preventing your aliases from working, some of which depend on the setup of your system:
1. Verify that your aliases were published. To do this, switch over to your Web DB and check to see if the aliases that you configured appear, as expected. If they are not published, be sure to run a publish on the Aliases folder (I suggest a Republish, just to be safe).
   - If after that your aliases are not working and are still not published, try running a full site Republish.
   - If they still won't publish, move on to number 3, below.
   - If your aliases are not working and are published, try rebuilding the Link Database.
   - If your aliases are still not working, move on to numbers 2 and 4, below.
2. Ensure that each alias that you defined is unique. Note that for a multi-site solution, being unique for the context site is not enough - if you have the alias defined for one of the sites and try to define it for the other it will not work - as the alias cannot be used differently for each site.
   - Note that this is the default behavior of Sitecore's AliasResolver.
   - If necessary, you can customize the AliasResolver to allow you to specify a separate alias folder for each site, following this tutorial by Yogesh Patel.
3. (skip this if you completed step 1 and were able to publish your aliases successfully) Special Access Rights/Permissions are required in order to configure Sitecore aliases. I highly doubt that this is the issue, as you were clearly able to create alias items, but I am a fan of covering the base-cases first, so I would verify all the same.
   - If you do find that you are missing the necessary permissions and are trying to figure out how to configure them/if you have trouble finding what permissions you need then you should take a look at this article, by John West.
4. Also unlikely, but possible, is that redirects/rewrites were configured to send you to the 404 page from the URLs you set as aliases (it could be a RegEx that redirects all of the URLs that you tried to provide as aliases). Start by checking out your config files and/or IIS for Rewrites and Redirects. If you do not see anything, then check for redirects.
   - If redirects are your issue, then the Redirect Module is likely to be the culprit. Check if it is installed and configured to redirect your aliases to 404 pages.
   - If the Redirect Module is not configured, check for custom redirection in your code.
Hopefully this helps. Good luck and happy coding! :)
After checking the points raised by Zachary Kniebel I finally figured it was down to the scope of the items and how URLs are generated.
For example we have:
Home/
    Holidays/
        Some Item
Now the alias could be Toads on Some Item. So I assumed the following URL would work:
http://www.example.com/holidays/some-item
http://www.example.com/holidays/toads
However, because aliases are system wide it dawned on me that really the alias was:
http://www.example.com/toads
This means in order to get the structure I wanted I had to create the alias Holidays/Toads instead of just Toads, replicating the tree structure as needed.
When I did this the aliases started working as expected.

Combine subdomain and folder location into one filter with Google Analytics

I want to create a filter for a profile that looks at 2 things, a subdomain (subdom.mycomp.com) and a folder within the regular domain (www.mycomp.com/industrysolutions/).
Included is a screenshot of the current filter however it only reports on pages in the folder. I'm not sure if I'm on the right track?
Any suggestions?
I don't believe you can have two include filters to a profile. Like you said, the data just stops flowing in, so what I would do is create a filter for the hostname (see below), and then create an advanced segment that looks exclusively at the request URI's you're after.
Include Hostname subdomain\.mycomp\.com
Found this in another post but I needed to make some minor edits to make it work:

Can't Open Web forms for marketers Form Designer or Security Manager

I have had WFFM running on a Sitecore instance for a while, but it has recently stopped working. When I go to "Form Designer" on an existing form, I get the standard Sitecore "The requested document was not found" page.
Requested URL: /applications/modules/web
User Name: sitecore\admin
Site Name: shell
If the page you are trying to display exists, please check that an
appropriate prefix has been added to the IgnoreUrlPrefixes setting in
the web.config.
Note that the requested URL is stated as /applications/modules/web instead of /applications/modules/web forms for marketers.
A lot of development has occurred on this site recently, so I'm not sure when exactly this started happening.
Additional info:
Folder and file permissions are correct.
I've tried reinstalling the WFFM package, and made sure that all the files are in place.
Several processors have been added to the HttpBeginRequest pipeline, but I removed them all to test if they were the cause - they weren't.
I haven't upgraded Sitecore since WFFM was working and the version is correct.
No errors are logged
EDIT
This also seems to be affecting the Sitecore Security Editor:
Requested URL: /appl
User Name: sitecore\admin
Site Name: shell
If the page you are trying to display exists, please check that an
appropriate prefix has been added to the IgnoreUrlPrefixes setting in
the web.config.
EDIT 2
Further investigation with this is making me think it is related to the Requested URL. I originally thought the "Not found" page was displaying the requested URL incorrectly. However, if I attempt to go to mysite.com/sitecore/shell/applications/fake folder with spaces/fake page with spaces I get this error message:
Requested URL: /applications/fake folder with spaces/fake page with
spaces
User Name: sitecore\admin
Site Name: shell
If the page you are trying to display exists, please check that an
appropriate prefix has been added to the IgnoreUrlPrefixes setting in
the web.config.
As you can see the Requested Url is correct in the error message. So in relation to my problem, I think maybe Sitecore is requesting the wrong URL in the first place.
Additionally, if I go to the following URL by typing it directly into the browser, then the Security Editor opens as expected:
mysite.com/sitecore/shell/Applications/Security/User-Editor
This is quite old now but I thought I'd provide an update for anyone else who encounters the problem.
Unfortunately, Sitecore support weren't able to help beyond pointing out that setting the addAspxExtension attribute to 'true' in the link provider seemed to solve the problem. This may have been acceptable except that extensionless URLs were important to the customer.
In the end I had to amend my link provider so that addAspxExtension is set to 'true' in the web config, and then I set it to false inside the GetItemUrl method for specified sites only.
So now whenever the context site is 'Shell' or 'Admin' etc, the extensions are added by default, but switched off in my main website.
Of course, this is a workaround. I still don't know how to actually fix the problem.
So the first thing that I am going to tell you is that I suspect that there is something wrong with your site declaration for Sitecore Modules. In your web.config, there's a site declaration for "modules_shell" and "modules_website". Those are where the code files that run the modules are usually located... a shell folder to run the parts that run in the Sitecore shell and a web folder to run the part that is accessed by the externally facing site. Please check your site declarations (and the form.config file) to make sure that you're not in live mode or something like that. I would definitely say that this is where you should start looking.
The next thing is to say that your comments about Sitecore not serving a URL in the /sitecore/shell directory are really not surprising. Sitecore processes all requests unless you specifically tell it to ignore requests (like setting it in the IgnoreUrlPrefixes in web.config), it's going to try processing it. Like going to /sitecore/shell/applications gives me a layout error because it doesn't have anything set to handle that request. Now your error suggests that there is something wrong with Site declarations... however, even if they were all right, it still wouldn't work.