I have create my configuration file for the second user store here: /opt/wso2am-1.7.0/repository/deployment/server/userstores i named it with the name of my domain (sub_dom_local.xml my domain is sub.dom.local)
and I set as primary user store a jdbc store.
When I try to login with a domain user name I obtain this error:
[2014-06-25 10:48:39,828] ERROR - System error while Authenticating/Authorizing User : [Ljava.lang.Object; cannot be cast to [Ljava.lang.String; {org.wso2.carbon.core.services.authentication.AuthenticationAdmin}
I am sure than I have insert the correct username and password, I enabled the debug loggr and I see in the log that the Authentication procedure connected to the Active directory and retrieve all the information.
If I insert a wrong password i do not have the error but I have the information for the wrong password.
Could you help me?
Thanks Jack
When the ActiveDirectoryUserStoreManager is enabled it seems we need to enable GetAllRolesOfUserEnabled property in Authorization manager as follows in user manager configuration
`<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">true</Property>
</AuthorizationManager>
`
Otherwise it is throwing the exception you have mentioned.
Try this configuration:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
...
<Property name="MemberOfAttribute"/>
...
</UserStoreManager>
You do not specify the MemberOfAttribute.
Matteo
Related
In order to test this function, I chosed Abnormal Request Count option, which is in Alert Management menu of Api Store, and added a restful api. Then I called this api for many times by Postman.
The carbon.log, which is in <API-M_ANALYTICS_HOME>/wso2/worker/logs, recorded the following error message:
[2020-10-19 11:03:36,094] ERROR {org.wso2.siddhi.core.stream.output.sink.Sink} - Error on 'APIM_ALERT_EMAIL_NOTIFICATION'. Dropping event at Sink 'email' at 'EmailNotificationStream' as its still trying to reconnect!, events dropped '<strong>Message:</strong>A request from a new IP (10.9.16.77) detected by user:admin#carbon.super using application:devMap owned by admin#carbon.super. <br><br> <strong>Type:</strong>UnusualIPAccess <br><br> <strong>AlertTimestamp:</strong>2020-10-19 11:03:35'
[2020-10-19 11:06:10,307] ERROR {org.wso2.siddhi.core.stream.output.sink.Sink} - Error on 'APIM_ALERT_EMAIL_NOTIFICATION'. Dropping event at Sink 'email' at 'EmailNotificationStream' as its still trying to reconnect!, events dropped '<strong>Message:</strong>Abnormal request count detected during last minute using application devMap owned by admin#carbon.super for api :全球风向查询, abnormal request count:9. <br><br> <strong>Type:</strong>AbnormalRequestsPerMin <br><br> <strong>AlertTimestamp:</strong>2020-10-19 11:06:10'
About detailed configuration, I referred the following links:
Configuring Alerts:
https://docs.wso2.com/display/AM260/Configuring+Alerts#ConfiguringAlerts-ConfiguringalertsviatheStore
Enabling Notifications:
https://docs.wso2.com/display/AM260/Enabling+Notifications
According to these documents, I did the following things:
1.Open the <API-M_ANALYTICS_HOME>/conf/worker/deployment.yaml file to configure the sender email address. The sample code is shown below:
siddhi:
extensions:
...
-
extension:
name: email
namespace: sink
properties:
username: abcd#163.com
address: abcd#163.com
password: xxxx
...
2.Go to the <API-M_ANALYTICS_HOME>/resources/apim-analytics/ directory. Copy the APIM_ALERT_EMAIL_NOTIFICATION.siddhi file and paste it in the <API-M_ANALYTICS_HOME>/wso2/worker/deployment/siddhi-files directory.
3.Set the email server configurations in the <API-M_HOME>/repository/conf/output-event-adapters.xml file under the section.
<adapterConfig type="email">
<!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
based authentication rather username/password authentication -->
<property key="mail.smtp.from">abcd#163.com</property>
<property key="mail.smtp.user">abcd</property>
<property key="mail.smtp.password">xxxx</property>
<property key="mail.smtp.host">smtp.163.com</property>
<property key="mail.smtp.port">25</property>
<property key="mail.smtp.starttls.enable">true</property>
<property key="mail.smtp.auth">true</property>
<!-- Thread Pool Related Properties -->
<property key="minThread">8</property>
<property key="maxThread">100</property>
<property key="keepAliveTimeInMillis">20000</property>
<property key="jobQueueSize">10000</property>
</adapterConfig>
4.Log in to the Management Console and click Main > Resource > Browse. Browse to the /_system/config/apimgt/applicationdata/tenant-conf.json file and click Edit as Text.Set the NotificationsEnabled property to true as shown below:
"NotificationsEnabled":"true",
"Notifications":[{
"Type":"new_api_version",
"Notifiers" :[{
"Class":"org.wso2.carbon.apimgt.impl.notification.NewAPIVersionEmailNotifier",
"ClaimsRetrieverImplClass":"org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever",
"Title": "Version $2 of $1 Released",
"Template": " <html> <body> <h3 style=\"color:Black;\">We’re happy to announce the arrival of the next major version $2 of $1 API which is now available in Our API Store.</h3>Click here to Visit WSO2 API Store</body></html>"
}]
}
]
I've also checked APIM_ALERT_EMAIL_NOTIFICATION.siddhi:
#App:name("APIM_ALERT_EMAIL_NOTIFICATION")
#App:description('Send email to all the subscribers of a particular alert')
#source(type="inMemory", topic="APIM_EMAIL_NOTIFICATION", #map(type='passThrough'))
define stream EmailAlertStream (
type string,
message string,
alertTimestamp string,
emails string);
#sink(type='email', content.type="text/html", #map(type ='text', #payload('<strong>Message:</strong>{{message}} <br><br> <strong>Type:</strong>{{type}} <br><br> <strong>AlertTimestamp:</strong>{{alertTimestamp}}')),subject='Alerts from WSO2 APIM Analytics',to='{{emails}}')
define stream EmailNotificationStream (
type string,
message string,
alertTimestamp string,
emails string);
from EmailAlertStream
select *
insert into EmailNotificationStream;
As you can see, there is nothing special.
Have I missed anything to do? I don't know what the problem is, please help me.
As per the exceptions you received. Looks like there are issues with connecting to the SMTP server. Can you please check the configurations and check there are any restrictions to use your email.
ex: in Gmail, you have to enable 'untrusted applications' to access Gmail.
I've found the reason of this problem.
By reading the source code (EmailSink.java), I know the information of SMTP Server should be configured in APIM_ALERT_EMAIL_NOTIFICATION.siddhi, otherwise the analytic server is going to use smtp.gmail.com by default.
I am using local entry to register the parameters and not to leave fixed in the artifacts, I do not know if it is better solution.
Everything works when I create the local entry in ESB Config, but when I create in the project registry resource I can not read correctly.
I am using code below to read local entry and write to a property:
<Property description = "SetPPSUserName" expression = "get-property ('registry', 'conf: /local-entries/PPS_Username.xml')" name = "SetPPSUserName" scope = "default" type = "STRING" />
Problem, is that it loads the entire xml contents of the local entry and not only the content, example as the property:
SetPPSUserName = "<localEntry key="PPS_Username" xmlns="http://ws.apache.org/ns/synapse"><![CDATA [content test blablab]]></ localEntry>"
Correct would be:
SetPPSUserName = "content test blablab"
NOTE: When I upload the CAR to the site, the local entry of the project registry resource does not appear in the local entry list of the management console.
Message translated from Portuguese to English with google translator
Try this:
Set type = OM in property instead of STRING.
<Property description = "SetPPSUserName" expression = "get-property ('registry', 'conf: /local-entries/PPS_Username.xml')" name = "SetPPSUserName" scope = "default" type = "OM" />
<log level="custom">
<property name="call_testProp" expression="$ctx:SetPPSUserName" type="STRING"/>
</log>
UPDATE 1:
My localEntry inside registry:
<localEntry key="PPS_Usernamelocal" xmlns="http://ws.apache.org/ns/synapse">
<a>
<b>TEST</b>
</a>
</localEntry>
My property and log mediator inside an esb proxy:
<property name="PPS_Username"
expression="get-property('registry','conf:/localentries/PPS_Username.xml')"
scope="default"
type="OM"/>
<log level="custom">
<property name="PPS_UsernameB" expression="$ctx:PPS_Username//syn:a/syn:b" xmlns:syn="http://ws.apache.org/ns/synapse"/>
</log>
My ESB response:
[2017-02-22 16:21:42,680] INFO - LogMediator PPS_UsernameB = TEST
Not sure if I got it right.
If you want to access a registry resource within a proxy you have to execute the following steps.
1.) create "Registry Resource Project"
2.) add a "Registry Resource" to that project. Because I faced some problems in the past with creating resources directly in dev studio, I always create a test/XML file with the content on my local disk and select "Import from file system" wen creating the resource
3.) create a CAR for the "Registry Resource Project"
4.) Open the pom.xml from the CAR project and change the "Server role" to "EnterpriseServiceBus" otherwise it won't get deployed to the ESB.
5.) Export the CAR and deploy it to the Server
Then you're able to access it inside the Proxy like this.
<property name="registryValue" expression="get-property('registry','gov:/path/property1.txt')"/>
Hope that helps.
I'm migrating my app from wso2is-5.2.0 to wso2is-5.3.0.
In user-mngt.xml I have from 5.2.0
<Property name="PasswordJavaRegEx">^[\S]{1,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{1,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 1 to 30 characters</Property>
In the wso2is-5.3.0 carbon console, I put the same values from Identity Providers > Resident > Password Policies > Password Pattern
and restart wso2is, but I still cannot create a user from webservice, getting the following error :
Caused by: org.wso2.carbon.user.core.UserStoreException: Password at
least should have 6 characters
at org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener.handleEvent(IdentityMgtEventListener.java:626)
at org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener.handleEvent(IdentityMgtEventListener.java:585)
at org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener.doPreAddUser(IdentityMgtEventListener.java:194)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:1514)
whether I check "Enable Password Policy Feature" or not in the carbon console, my values are not taken into account...
Is there a third way (registry ?) to change password policy ?
Regards
You need to set the matching values for Password Policy Min Length (to 1 in your case) and Password Policy Max Length (to 30 in your case) at Resident IdP -> Password Policies -> Password Patterns.
All of the min length, max lengths, and pattern should be matched by the given password to become a valid one.
While adding a user in WSO2 Identity Server (Eg. sreedhar#xyz.com) following error is thrown.
Could not add user PRIMARY/sreedhar#xyz.com. Error is: Username sreedhar#xyz.com is not valid. User name must be a non null string with following format
I changed the regular expression too as below
^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*#+[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$
It is working in a simple java application.
Help appreciated, please
You can change the user-mgt.xml file as follows to add email usernames,
<Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
You can user complex regular expressions as well.
Thanks
Isura
I am using Spring 4, with Spring Security 4 to secure web-services. A normal web-service worked fine without security. My secured web-services also seemed to work great working locally and with unit testing.
We are using the SiteMinder example, which means we have authentication happenind from a remote authority. This delivers a token to the browser when we login. We pass the authentication token with a request header, and this is pulled from customerUserDetailsService. That class and methods pull the token from the header, authenticates the user against that remote authority, and we get a username. From that username, we make a DAO call to our database to get the User Details and their Roles, which in the Spring Security Context uses the roles to grant authority. This is all working fine, and we get an authenticated user and we have thier roles/grantedAuthorities.
So, as previously stated, we are now just securing web-services with spring-security.xml to secure the web-services based on the role of the user. Again, this all seemed to work fine with unit testing. We had a token for a user who did not have access to web-sites and we correctly got back a 403 error. When we used a token for a user who did have the right role, was able to execute the web-service.
Now I am trying to deploy this into a new environment, and I am not having much luck.
So, I have a spring-security.xml that looks like:
<http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint">
<!-- Additional http configuration omitted -->
<intercept-url pattern="/records/authorizedRecords" access="hasRole('portalUser')" />
<intercept-url pattern="/records/myCode" access="hasRole('portalUser')" />
<intercept-url pattern="/users/email" access="hasRole('appAdmin')" />
<custom-filter position="PRE_AUTH_FILTER" ref="openAmFilter" />
</http>
<beans:bean id="openAmFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<beans:property name="principalRequestHeader" value="openam_token"/>
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="customUserDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="preauthAuthProvider" />
</authentication-manager>
<beans:bean id="customUserDetailsService" class="com.agmednet.server.security.CustomUserDetailsService"></beans:bean>
<beans:bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
When we tried access to:
<intercept-url pattern="/users/email/*" access="hasRole('appAdmin')" />
this did not seem to match:
/rest/users/email/myemail#someemail.com
so I changed it to:
<intercept-url pattern="/rest/users/email/*" access="hasRole('appAdmin')" />
And I get this from the log.
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/rest/trials/integratedtrials'; against '/rest/users/email/*'
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
DEBUG: org.springframework.security.web.FilterChainProxy - /rest/trials/integratedTrials reached end of additional filter chain; proceeding with original chain
DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
At this point, I know we have an authenticated user, the username, and the roles are listed right there in the logs. We seem to find a matching URL in the spring-security.xml, the URL matches, the roles match, and now I feel we should be executing the logic behind the web-service, but I get an error message:
Apache Tomcat/8.0.30 - Error report
/services/rest/users/email/myemail#someemail.com
The requested resource is not available.
I am absolutely floored here .... unsecured web-services work great. I have to be missing something? Is it with the word "rest" in the URL? Web-services have always worked when they were unsecured. I added security and add unit tests to test this all out, and now I am unsure of what happened?
The problem is that I am an idiot!!!!
In the /WEB-INF/web.xml file I had this defined:
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
I suppose that is why when I call any RESTful web-services with:
/rest/users/email/myemail#someemail.com
it doesn't work.
But when I use:
/api/users/email/myemail#someemail.com
now it works.
Conclusion: I am an idiot!!!