I have deployed two WSO2IS servers in cluster, the deployment seems to be working fine as the answer to the requests made are consitents and all the policy stuff is working.
But I get the same error for every request I make, which Im unable to find out the real meaning, if this is a normal behaviour or on the contrary, there is something wrong Im missing.
As you can see, first I get the "WARNING: Illegal acces attempt.." followed by a successful login with the default user (ADmin)...
[2014-04-14 12:57:36,293] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2014-04-14 12:57:36,0292]
from IP address 10.6.10.11 while trying to authenticate access to service EntitlementService
[2014-04-14 12:57:36,423] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2014-04-14 12:5
7:36,423+0200]
I would appreciate your help,
Thanks in advance,
Jorge.
You are accessing the "EntitlementService" which is an admin service. Therefore you need to authenticate to access this service. Basically you need to send user/password in basic authentication header, In basic authentication, client normally sends the basic headers, when server gives an unauthorized responses. This is why, you would see above Illegal access attempt log in every time and after client sends the header, user would be authenticated. But you can avoid it by using Preemptive Authentication mode with basic authentication. If you are using a Httpclient library to send the request, you can enable it. Please refer this
Related
I'm trying to hit a web service using RestAssured. I'm struggling with authentication which is actually performed by a third party system. Details are given below:
My web service requires session ID & Cookie in the request header. Otherwise the service call will be failed.
For that I need to fetch Session Id & Cookie after the authentication.
Authentication is done by third party service and it takes the windows credentials for authentication.
When I launch my app URL on browser, say: 'XYZ.com/dim' it will be redirected to authentication service using a URL like:
http://hantweb.DOMAIN.com/authenticate/encdefault.asp?location=XYZ.com/dim
After the authentication it will again be redirected to actual application back.
I tried below code but it says: "401 - Unauthorized: Access is denied due to invalid credentials." even though my credentials are correct.
RestAssured.given().auth().basic("userID", "password").get("http://hantweb.DOMAIN.com/authenticate/encdefault.asp?location=XYZ.com/dim")
I'm confused no idea what I've missed here..
I did some trial and error and finally understood that I need to use .auth().ntlm(userId, password,"","") as the authentication. Here I'm using windows credentials as basic or any other auth type won't work in this case.
This answer can help someone in need.
We are using WSo2 IS 5.0.0 server and have enabled IWA which used windows user object and automatically logs into our application suite. We are seeing a problem where specific set of users are not automatically authenticated using the IWA mechanism. An HTTP 400 response is received for these users. We enabled trace logs on the WSo2 end and were able to track the request to a point after which the request gets terminated for some reason and are unable to see any exception or error in the trace logs.
Below is the link which has the trace for a successful user
http://pastebin.com/Gx3HW6xr
Link for Failed User
http://pastebin.com/3FJ8APkH
We need some pointers which will help us understand what is stopping these users from getting logged in.
According the symptoms you may reach the tomcat's header size limit. The NTLM Negotiation HTTP headers can be pretty large (mainly for users having many groups/roles). In the catalina-server.xml check the maximal header size (maxHttpHeaderSize) on the connector (by default it is 4kB or 8kB). Try to increase it to something more (54kB was ok for us).
I have configured the sample travelocity.com webapp to work with saml2 SSO following link configure SSO web app
But when i try to login using account i get following error message on browser
Here is what i get in logs:
TID: [0] [IS] [2015-03-10 21:06:26,835] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed. {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
After again i tried without restart of server i got this error:
TID: [0] [IS] [2015-03-10 20:30:51,261] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
I am not sure what is wrong. I have also installed latest service pack . I am using wso2is-5.0.0
Please help.
This same web application is working fine with WSO2IS. I have already tried out it..Details can be found from here as well
According to the error, it says Signature validation for Authentication Request failed it means that SAML2 Auth request that is sent by Web application has been signed and WSO2IS tries to validate the signature of it. WSO2IS does not validate the signature by default, you may have probably tick on following configuration in the SAML2 SSO configuration.
Enable Signature Validation in Authentication Requests and Logout Requests
Please verify it and un-tick it and see.
If you want to really validate the signature of SAML2 Auth requests, you need to tick it. Then you must chose the proper Certificate Alias value from the combo box. Please note proper value is NOT the wso2carbon.cert. Proper value is wso2carbon. Then it would work for you.
Second error may be related to browser cache, just clear the browser cache and try out.. (or open new browser)
Most probably this is a mismatch in the keystores.
Just copy
$WSO2IS/repository/resources/security/keystore.jks
To
$TOMCAT/saml2-web-app-pickup-dispatch.com/WEB-INF/classes
This way, both keystores are the same. Restart Tomcat and it should work fine.
Hey there code warriors and stack exchangers.
I have been trying in vain to set credentials for a web service. I wrote the webservice in Websphere (java ee) and it requires a username and password in the header for any of the services to be called. I can run it fine in SOAP UI, but I need to be able to hit it from a .net web client.
So far I have tried setting the credentials like so...
dlc.ClientCredentials.UserName.UserName = "idiotCreds";
dlc.ClientCredentials.UserName.Password = "someWhackyPWD";
And so far I have just recieved this exception
security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6500E: There is no caller identity candidate that can be used to login. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1#42304230
Which I am guessing is telling me that there are no credentials being set...
Even though I set the client credentials. Do I need to create and add a soap header manually here? I thought that was supposed to be handled by that client object? Any ideas fellas? Thanks
The question and answer in this SO thread will provide those who seek answers with the solutions they need.
https://stackoverflow.com/a/12159837/729820
So, we just got word today that one of our clients firewall is blocking our HTTP requests because "The [software] is sending anonymous packets to our firewall (a Microsoft TMG firewall) so the firewall is dropping the packets as anonymous access is [not] allowed."
For our connection code we are using c++ with curl and we fallback to IEDownloadToFile if needed. I didn't write the original code nor am I really a network programmer so I came here for help. So, my questions are: What are anonymous packets? What am I doing in curl that could cause anonymous packets? Where can I find more information about solving this problem? Thanks!
What they mean is your app has to authenticate with the firewall. That link provides a wealth of information concerning the TMG product. Your client probably has this configuration:
Require users to authenticate whenever
they request Web access. Every Web
session requires authentication.
When using this method, note the
following:
Anonymous Web access is disabled.
Forefront TMG requests user
credentials and validates them before
it checks the request against the
Firewall policy. If users fail to
authenticate, their access request is
denied.
This method is defined per network.
Most non-interactive clients, such as,
the Windows Update client, cannot
authenticate, and are therefore denied
access.
So when the user opens their web browser and tries to access a web page, they'll get a pop-up window asking for credentials because the firewall has intercepted their web request and sent its own authentication page. When the user authenticates, the firewall passes web traffic.
Your automated app does not authenticate with the firewall, so the firewall drops packets and your traffic is classified as anonymous.
Sorry, I don't know the solution on how to make your application authenticate with the firewall. If your app goes to specific URLs, the site operators could whitelist them.
According to this page, you should be getting error 407: proxy authentication required from curl. Try adding these options to the curl initialization, but you still have the problem of asking the user for their network credentials interactively:
CURLOPT_HTTPAUTH: add CURLAUTH_NTLM
CURLOPT_PROXYAUTH: add CURLAUTH_NTLM
set CURLOPT_FOLLOWLOCATION
There is no such thing as an 'anonymous packet' in standard networking parlance. Your client's firewall is making up terms, or there was a miscommunication somewhere along the line before the message got to you. Either way, you're going to need to get clarification from your client or the firewall's vendor or documentation.
I agree with bdonlan. In the context of http requests, "anonymous packets" is vague and ambiguous at best. Maybe they mean there is no referrer code? Or they require http-authentication? Or you need to establish a session key before being able to access the specific url you are requesting? You need actual technical details from your client.