I am developing a soap web service using https channel. The user credentials and roles are defined in a property file.
<security:http authentication-manager-ref="basicauthenticationManager" pattern="/webservice" entry-point-ref="basicAuthEntryPoint" access-denied-page="/WEB-INF/views/ws404.html" use-expressions="true">
<security:intercept-url pattern="/webservice/*" access="hasAnyRole('ROLE_USER')" requires-channel="https"/>
<security:intercept-url pattern="/webservice" access="hasAnyRole('ROLE_USER')" requires-channel="https"/>
<security:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER" />
</security:http>
<security:authentication-manager id="basicauthenticationManager">
<security:authentication-provider >
<security:user-service properties="classpath:users.properties">
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
When I call the web service only once I dont get any DEBUG error message but when called in a loop get the following error
ERROR
11:53:13,721 DEBUG [FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authenti
cation.AnonymousAuthenticationToken#90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticate
d: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#1de6: RemoteIpAddre
ss: 10.11.160.39; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
11:53:13,722 DEBUG [AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionV
oter#19c0b5c, returned: -1
11:53:13,723 DEBUG [ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentic
ation entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(Abstract
SecurityInterceptor.java:205)
The server processes the request successfully, how can I suppress or avoid this DEBUG message.
As explained in the Spring Security FAQ, this isn't an error, it's logged at debug level.
If you want to suppress it just disable debug-level logging for the Spring Security package. For example, if you are using logback for logging (as used in the Spring Security sample applications, change DEBUG to INFO on this line.
Related
I am having a recurring issue with shinyproxy (currently 2.5.0 - based on Springboot) hosted within a kubernetes cluster (currenty a single node). I'm using Auth0 with SAML. Traffic goes through a Nginx ingress controller that does TLS termination and has a fairly basic configuration. What I don't understand is that I will get the following error, but only once in a while. If I try to login, I will get the error, but then after that, if I go back to the login page and try to log in again, everything works fine.
o.s.security.saml.log.SAMLDefaultLogger : AuthNResponse;FAILURE;[Auth0 URN];;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a12g399012cidi7i2i3ha3ha4h6e6jc
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:175)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:219)
...
This made me think of a cookies problem, however adjusting the shinyproxy server/proxy configuration for cookies did not change anything. Shinyproxy configuration has:
server:
secure-cookies: true
proxy:
same-site-cookie: None
In the browser when I try to log in I get the following error message:
Error
Status code: 200
Message: Error validating SAML message
Stack Trace:
org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
...
Anyone has an idea of what I am missing? I would really appreciate it! Thank you!
We are not able to call the ChallengeQuestionManagementAdminService from Angular code. Getting an error stating Invalid remote address
Included the user credential in Authorization. Able to consume the service using SOAP UI but not from Angular.
Admin service : ChallengeQuestionManagementAdminService
Error:
[2019-03-26 03:33:54,314] WARN {org.wso2.carbon.core.services.authentication.AuthenticationUtil} - Could not find IP address for domain name : 10.44.1.25:51954
[2019-03-26 03:33:54,315] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected.
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 10.44.1.25:51954
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.validateRemoteAddress(AuthenticationUtil.java:178)
at org.wso2.carbon.core.services.authentication.AuthenticationUtil.getRemoteAddress(AuthenticationUtil.java:156)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.getRemoteAddress(AbstractAuthenticator.java:304)
at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:136)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:180)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:105)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.invoke(AuthenticationHandler.java:66)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
[1] is the nearly corresponding code. You can check the logic. What is the version of Identity Server you are using ? If you are familiar with remote debugging, you can debug the code to find root cause [2].
[1] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.core.services/src/main/java/org/wso2/carbon/core/services/authentication/AuthenticationUtil.java#L167
[2] https://medium.com/#gayanmadusanka_80721/how-to-debug-component-in-wso2-identity-server-ce15a366e9bf
Post the request you are sending from Angular through postman and check if its successful. if yes, make sure you are sending all the required headers from Angular, else you might be missing some headers in place or your request schema might miss some params.
Headers to be included
headers.set( 'Accept', '*/*');
headers.set( 'Content-Type', 'text/xml;charset=UTF-8');
headers.set( 'Authorization', `Basic ${authToken}`); <!--should send base64encode(username:password) specific to account. -->
headers.set( 'SOAPAction', 'urn:setUserChallengeAnswers');
I am trying to log into my WSO2 management console. It is containerized and hosted in an AWS EC2 instance. I can navigate to the console login page, but when I try to login I get a 403 Forbidden message.
Navigation to login page is okay
Forbidden error
I know that the cause of this issue is that my login page is not posting the X-CSRF-Token.
Example of the form data posted in my "bad" request:
The console of my WSO2 instance prints an error like this:
WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:IP_ADDRESS, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)
Example of the form data posted in a "good" request in a local WSO2 instance:
What I have tried:
I have tried turning compression "off" as suggested by this post: wso2 api manger carbon page gives 403 Forbidden
I am not using JDK 1.8.0_151 which is labeled as a version with a bug.
I am able to circumvent the issue if I disable the csrfguard in Owasp.CsrfGuard.Carbon.properties but this is a security risk.
I have sticky sessions enabled
Any ideas on why the posting to the login_action.jsp page would return a 403?
EDIT
I failed to mention in the post that I am using TLS termination with an AWS load balancer. I am almost certain that my issue has something to do with that. This line from my console output details what my error is:
Referer domain https:LOAD_BALANCER_URL/carbon/admin/login.jsp does not match request domain: http://LOAD_BALANCER_URL/carbon/admin/js/csrfPrevention.js
You can see that the referer is using https but the request is using http. I believe that I want the request domain to be https, but I'm not sure how to do that. I think that the first page is making a call to login.jsp with https and the login.jsp page is making a call to the csrfPrevention.js page but changing the protocol to http.
Please refer the OS and JDK incompatibilities matrix and make sure you are not using one of these OS JDK pairs.
Do you have a load balancer fronting your Identity Server? If so, please verify that you have enabled sticky sessions in your LB. You can find sample NGINX the configurations in the guide - docs.wso2.com/display/CLUSTER44x/Configuring+NGINX
Lower the version of java JDK to 1.8.0_144.If it's not worked go to this location
wso2Servers/wso2is-5.5.0/repository/conf/security .
There is a file name Owasp.CsrfGuard.Carbon.properties.
In that file, there is a line
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
set this to
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false
This worked for me.
I'm trying out the WSO2 Identity Server.
I downloaded the version 5.4.0, and started the server on my Windows machine with wso2server.bat --run.
If I try to login to the console with the default credentials (admin / admin), I get an error 403 - Forbidden, and the console shows this message:
WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:0:0:0:0:0:0:0:1, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)
Is there something else I need to configure before I can try out the console?
This is a known issue with JDK 8u151. You can use JDK 8u144.
Ref: https://docs.wso2.com/display/AM210/Installation+Prerequisites
Simple fix ... go to directory "wso2ei-6.2.0\conf\security"
and open the "Owasp.CsrfGuard.Carbon.properties" file with any text editor (line number 49)
# If csrfguard filter is enabled
org.owasp.csrfguard.Enabled = true
change it to false
# If csrfguard filter is enabled
org.owasp.csrfguard.Enabled = false
I am trying to send and receive messages from a local workgroup machine (Windows 7), call it the 'client', to Service Bus 1.0 set up on a workgroup server (hosted on AWS EC2). After many trials and research I'm unable to send messages from the client machine to the server. I've followed a number of articles that appear to indicate that it is possible to do, but I cannot resolve the authentication issue I'm seeing.
Connecting to Windows Server Service Bus on AWS
Microsoft Service Bus on a Windows Workgroup
I note the Microsoft system requirements appears to indicate that it is "not supported" and "not possible". My question is can this be done, and has anyone had success? Any help would be greatly appreciated.
msdn.microsoft.com/en-us/library/windowsazure/jj193011(v=azure.10).aspx
My attempts include using either the WindowsTokenProvider and OAuthTokenProvider. I get the same result:
System.UnauthorizedAccessException: The token provider was unable to provide a security token while accessing 'https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace/$STS/Windows/'. Token provider returned message: ''. ---> System.IdentityModel.Tokens.SecurityTokenException: The token provider was unable to provide a security token while accessing 'https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace/$STS/Windows/'. Token provider returned message: ''. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
The Service Bus namespace is set up with AddressingScheme "Path" for a workgroup install. And the client side connection string includes the IP to reach the server, and I've set a RemoteCertificateValidationCallback before creating the queues.
Endpoint=sb://xx.xx.xx.xx/ServiceBusDefaultNamespace;StsEndpoint=https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace;RuntimePort=9354;ManagementPort=9355;WindowsUsername=SBUser;WindowsDomain=[NotUsed];WindowsPassword=[Password]
Code to attach to the remote queue and send a message is as follows:
ServiceBusConnectionStringBuilder connBuilder = new ServiceBusConnectionStringBuilder(ConfigurationManager.AppSettings["Microsoft.ServiceBus.ConnectionString"]); // Gets the connection string above
TokenProvider tokenProvider = WindowsTokenProvider.CreateWindowsTokenProvider(connBuilder.StsEndpoints, new NetworkCredential(connBuilder.WindowsCredentialUsername, connBuilder.WindowsCredentialPassword));
MessagingFactorySettings messagingFactorySettings = new MessagingFactorySettings();
messagingFactorySettings.TokenProvider = tokenProvider;
MessagingFactory messagingFactory = MessagingFactory.Create(connBuilder.GetAbsoluteRuntimeEndpoints(), messagingFactorySettings);
requestQueue = messagingFactory.CreateQueueClient("RequestQueue");
...
requestQueue.Send(sendMessage); // Fails here
The server account is SBUser with a password and I have left the domain/host specified blank on the token provider. I note that the Event Viewer on the server shows the authentication being attempted is the client's user account not the one from the token provider. Why is this? I'm obviously missing something in order to authenticate on the server.
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [ClientLogin]
Account Domain: [ClientMahcine]
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Appreciate any help. Thanks.
Try with the OAuthTokenProvider and make sure that connBuilder is passing the right values.
TokenProvider tokenProvider = TokenProvider.CreateOAuthTokenProvider (connBuilder.StsEndpoints, new NetworkCredential(connBuilder.WindowsCredentialUsername, connBuilder.WindowsCredentialPassword));
Once you try this, please, reply with the exception you get in your client. Also, in the server, search for a event in the Service Bus section that would give more details about the exception.
With that information we should continue to the next step.
Did you get to the bottom of this?
I have managed to get around the exact same issue by setting the Fully Qualified domain name of the server that the certificate is bound to in the client machine hosts file.
So where you have entered the IP address in the connection string, you should instead enter 'AMAZONA-PQxxxxx'. And in your hosts file, have the 'AMAZONA-PQxxxxx' resolve to the IP address.
we had the same issues. Server W2k12R2, standalone, Workgroup; Client Windows 7, same Workgroup.
It's necessary to have the same user accounts on both systems. Looks like this is some kind of "authentication proxy stuff" running.
Take a look at the compatibility matrix mentioned above:
http://msdn.microsoft.com/en-us/library/windowsazure/jj193011(v=azure.10).aspx
Thank you,
Holger