I am trying to use Spring Security v3.2 for a project. At the moment I always use a coldfusion file that calls other files to build up the view. So all my urls go trough index.cfm?blablah.
Now I am stuck with allowing the anonymous user enter the home view. Following Spring Security request matcher is not working with regex, I made up the this code:
<http use-expressions="true">
<intercept-url pattern="^.*index.cfm\?action=home.*$" access="permitAll" />
<intercept-url pattern="/root/index.cfm" access="isAuthenticated()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
</http>
But whatever I try, I always enter the login field.
After more trying I found a solution:
<http request-matcher="regex" pattern="^.*index.cfm\?action=home.*$" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/root/index.cfm" access="isAuthenticated()" />
<intercept-url pattern="/root/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
</http>
Related
I am creating new proxy for web services in Karaf 4.4.1 with Camel 3.18.1 and cxf 3.5.3.(I've tried it on older versions too 4.4.0, 3.18.0, 3.5.2). And it works fine, but I have a problem with MTOM attachments. For some reason it adds several times number 1000 into the message. And it is not every 1000 bytes. The spaces between them are different (from 377 to 4157 bytes). Here is picture of comparison of my incoming messages. The bad one goes through proxy and the good one don't:
comparsion 1
comparsion 2
Does anyone knows where is the mistake?
Here is my blueprint:
...
<camelcxf:cxfEndpoint id="SrvEndpoint">
<camelcxf:properties>
<entry key="dataFormat" value="CXF_MESSAGE" />
<entry key="ws-security.ut.no-callbacks" value="true"/>
<entry key="ws-security.validate.token" value="false"/>
<entry key="schema-validation-enabled" value="true" />
<entry key="lazyStartProducer" value="true" />
<entry key="mtom-enabled" value="true" />
</camelcxf:properties>
<camelcxf:inInterceptors>
<ref component-id="SrvWsSecInterceptor" />
<ref component-id="SrvAuthenticationInterceptor"/>
<ref component-id="SrvLoggingInInterceptor"/>
</camelcxf:inInterceptors>
<camelcxf:outInterceptors>
<ref component-id="SrvLoggingOutInterceptor"/>
</camelcxf:outInterceptors>
</camelcxf:cxfEndpoint>
<!-- this is the Camel route which proxies the real web service and forwards SOAP requests to it -->
<camelContext id="SrvRoute" trace="false" xmlns="http://camel.apache.org/schema/blueprint">
<route>
<!-- CXF consumer using CXF_MESSAGE format -->
<from uri="cxf:bean:SrvEndpoint"/>
<!-- Need to remove the http headers which could confuse the http endpoint -->
<removeHeaders pattern="CamelHttp*"/>
<!-- Don't know why but if not set returns empty response header and body -->
<setProperty name="CamelCXFDataFormat"><constant>PAYLOAD</constant></setProperty>
<!-- send proxied request to real web service -->
<to uri="{{SrvProxy.target.url}}?throwExceptionOnFailure=false"/>
</route>
</camelContext>
I've tried to change dataFormat to PAYLOAD and clean it from authentication and validation but nothing helped.
I am using cfhttp to try to pull some json from one of our organizations APIs. I have the code working when trying to pull example json from one of our own servers, but when I point it to the API itself I receive a connection failure. This is the code:
<cfhttp method="get" url="http://[url]/api/menu">
<cfhttpparam type="URL" name="id" value="[guid]">
</cfhttp>
<cfset FileWrite("#application.tempDirPath#/temp.json", CFHTTP.FileContent)>
I have replaced the real values with [url] and [guid].
I have tried accessing this url in a browser at https://[url]/api/menu?id=[guid] and it works perfectly fine, indicating that my machine has no problem reaching that url. The url is a server in our network that I can access as long as I'm on the company VPN.
Things that I have tried:
The live code should point to https. I've tried both http and https.
I've tried hitting the home page at that same url and it also results in a connection failure, but works in a browser.
I've tried this same code with http://www.google.com, and that downloads the Google html without issue.
I've tried restarting ColdFusion and my machine.
I've tried disabling compression via headers:
<cfhttp method="get" url="http://[url]/api/menu">
<cfhttpparam type="header" name="Accept-Encoding" value="deflate;q=0" />
<cfhttpparam type="header" name="TE" value="deflate;q=0" />
<cfhttpparam type="URL" name="id" value="[guid]">
</cfhttp>
I do not have access to the target server. I can ask those who do have access for help, but their conclusion at this point is "this is a ColdFusion problem.", so I'm not sure how much help I can get. This makes it impossible for me to check for Firewall rules or user-agent restrictions; suggestions on ways to test for those things locally would be welcome.
Edit
Per comments on this question I determined that http is just redirecting to https at that address. So I followed the instructions provided at ColdFusion https connection failure to import the certificate. After doing so I followed the instructions to verify that the cert was imported successfully. I then restarted CF Server.
After that I ran my code again and dumped the cfhttp struct as a whole into the temp file. This was the result:
<?xml version="1.0" encoding="UTF-8"?>
<STRUCT ID="1">
<ENTRY NAME="Errordetail" TYPE="STRING">I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</ENTRY>
<ENTRY NAME="Mimetype" TYPE="STRING">Unable to determine MIME type of file.</ENTRY>
<ENTRY NAME="Statuscode" TYPE="STRING">Connection Failure. Status code unavailable.</ENTRY>
<ENTRY NAME="Filecontent" TYPE="STRING">Connection Failure</ENTRY>
<ENTRY NAME="Responseheader" TYPE="STRUCT">
<STRUCT ID="2" />
</ENTRY>
<ENTRY NAME="Text" TYPE="BOOLEAN">true</ENTRY>
<ENTRY NAME="Charset" TYPE="STRING" />
<ENTRY NAME="Header" TYPE="STRING" />
</STRUCT>
I recently developed a cordova App that is uploaded to google play store. I tested this app on my mobile and simulators for weeks and everything works fine. However, when i download the same app from the playstore it fails to call any of the web services and such doesn't display any content.
cordova : 9.0.1
npm : 6.10.1
cordova-android : 7.0.0
I have gone through every line of code and i can't seem to find the problem, i replaced every single call to window.localStorage to a global variables just to be able to fix what i thought would be the problem.
<?xml version='1.0' encoding='utf-8'?></code>
<widget defaultlocale="en-US" id="com.test.fr" version="1.0.6" android-versionCode="100050" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0" xmlns:vs="http://schemas.microsoft.com/appx/2014/htmlapps">
<content src="index.html" />
<access origin="*" />
<preference name="SplashScreen" value="screen" />
<preference name="windows-target-version" value="8.1" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<platform name="android">
<allow-intent href="market:*" />
</platform>
<platform name="ios">
<allow-intent href="itms:*" />
<allow-intent href="itms-apps:*" />
</platform>
<platform name="android">
<icon src="www/res/icon/android/fr_mobile_icon.png" density="ldpi" />
<icon src="www/res/icon/android/fr_mobile_icon.png" density="mdpi" />
<icon src="www/res/icon/android/fr_mobile_icon.png" density="hdpi" />
<icon src="www/res/icon/android/fr_mobile_icon.png" density="xhdpi" />
</platform>
<plugin name="cordova-plugin-device" version="2.0.2" />
<plugin name="cordova-plugin-websql" version="0.0.10" />
<plugin name="cordova-plugin-dialogs" version="2.0.1" />
<plugin name="cordova-plugin-file" version="4.3.3" />
<preference name="target-device" value="handset" />
<preference name="BackupWebStorage" value="local" />
<preference name="android-targetSdkVersion" value="28" />
<preference name="android-minSdkVersion" value="17" />
<preference name="android-maxSdkVersion" value="29" />
<preference name="AndroidPersistentFileLocation" value="Compatibility" />
<plugin name="cordova-custom-config" spec="5.1.0" />
</widget>
Worst part.... No error shown on the device, it just doesn't work.
First of all, you need to figure out what is the output of this error. To allow debug on a release build use android:debuggable on application tag at AndroiManifest.xml (https://developer.android.com/guide/topics/manifest/application-element).
Then, plug the device to your computer and in dev settings (on your device) enable usb debugging. Then, navigate to chrome://inspect/#devices - your device should be appearing and will be a link to your webview.
With the inspector openned, do the request and look to the error on console tab.
I think there's a high chance that the error is a CORS error, may your production server has CORS eabled and then you need to use cordova-plugin-whitelist correctly to send a origin to the server, read more about cordova-plugin-whitelisthere: https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/
Try adding android:usesCleartextTraffic="true" to the <application> in the AndroidManifest.xml or as below using config.xml
<platform name="android">
<edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
<application android:usesCleartextTraffic="true" />
</edit-config>
</platform>
android:usesCleartextTraffic Indicates whether the app intends to use cleartext network traffic, such as cleartext HTTP. The default
value for apps that target API level 27 or lower is "true". Apps that
target API level 28 or higher default to "false". More info
Cleartext is any transmitted or stored information that is not
encrypted or meant to be encrypted. When an app communicates with
servers using a cleartext network traffic, such as HTTP, it could
raise a risk of eavesdropping and tampering of content which is why in latest Android devices, it's set to false by default.
Been wasting a full day arround this problem.
This had never happen to me before.
My service is working in an Azure machine.
I'm trying to generate a .svclog file to trace whats causing my ios app not being able to login on https, but the svclog file is not being generated.
I tried to use fiddler to capture the requests but i get nothing when i try to login by the app.
If I try to use the app with http address im able to login but the svclog is also not generated.
If I use tcptrace i can see a request and an answer but it is encrypted.
I have given permissions to "Everyone" on the folder at c:\logs\
any idea what i might be missing here? is there some sort of pre requirement to make the tracer work
This is my system diagnostics in web.Config:
<system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add initializeData="c:\logs\myMessages.svclog" type="System.Diagnostics.XmlWriterTraceListener"
name="messagelistener" traceOutputOptions="DateTime, Timestamp">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="C:\logs\Traces.svclog" type="System.Diagnostics.XmlWriterTraceListener"
name="xmlTraceListener" traceOutputOptions="Timestamp">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
I see there are quite a few questions regarding this particular problem. I have spent a day and a half trying all the different suggestions. None so far have worked for me and I'm at a loss as to what to do next. So I'm appealing to the vast knowledge base found here with the hopes that somebody will see the problem and help me out. At one time, a couple of years ago, I had this all working for me, several PCs ago. But when I had to change to a new PC, I was unable to make it work then or any time since but was able to work around it. Now I need to resolve this for a current assignment.
I have a SOAP WCF WebService running in IIS (not IIS Express) on my local machine.
I created an App Pool. Basic Settings are .NET Framework v4.0.30319 with Integrated pipeline mode. Advanced settings have Identity set to ApplicationPoolIdentity.
I created a website (not using the default website.)
Two bindings defined:
We have a client and a Service self-signed certs that we use for development and QA. I have the Service cert assigned to the https binding. The webservice communicates to another wcf service via net.tcp.
In the basic settings, I have defined the physical path to c:\inetpub\websitename. In order to connect successfully, using Test Settings..., I had to connect as a Specific User, using my network domain userid and password. I haven't yet found a way to get around that.
In Advanced Settings.... Application Pool is set to the app pool I created. Physical path is c:\inetpub\wwwroot\websitename. Enabled Protocols set to http,net.tcp.
I am able to browse successfully to the website.
Here is the web.config for the web service:
<system.serviceModel>
<client>
<endpoint address="net.tcp://10.100.13.28:8102/Acord/201307" behaviorConfiguration="NetTcpCertificatesBehavior" binding="netTcpBinding" bindingConfiguration="NetTcpCertificatesBinding" contract="AcordContract.IAcordService201307" name="AcordEndpoint">
<identity>
<certificateReference findValue="7da522dd75f3fca2687837b7b67e117a8700ec62" isChainIncluded="false" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
<!--<dns value="localhost" />-->
</identity>
</endpoint>
<endpoint address="net.tcp://qaschedapp:8002/IMS/201210" behaviorConfiguration="NetTcpCertificatesBehavior" binding="netTcpBinding" bindingConfiguration="NetTcpCertificatesBinding" contract="IdentityManagementContract.IIdentityManagementService201210" name="IMSEndpoint">
<identity>
<certificateReference findValue="7da522dd75f3fca2687837b7b67e117a8700ec62" isChainIncluded="false" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
</identity>
</endpoint>
</client>
<services>
<service name="AcordWebService.AcordWebService" behaviorConfiguration="Visible">
<endpoint address="" binding="basicHttpsBinding" contract="AcordWebService.IAcordWebService201307" bindingConfiguration="BasicHttpsBinding">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://10.100.13.28:51448/" />
</baseAddresses>
</host>
<!--binding for clients outside the firewall calling from C# with WCF using certs -->
<endpoint address="net.tcp://10.100.13.28:8122/AcordWebService.svc" binding="netTcpBinding" bindingConfiguration="NetTcpCertificatesBinding" name="NetTcpCertificatesEndpoint" contract="AcordWSContract.IAcordWSService201309">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="NetTcpCertificatesBehavior">
<clientCredentials>
<clientCertificate findValue="631f5a67a9a70bc78540bb809e73fd1dbd00bbeb" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
<serviceCertificate>
<authentication certificateValidationMode="None" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="Visible">
<!-- To avoid disclosing metadata information, set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" httpGetUrl=""/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<serviceCertificate findValue="7da522dd75f3fca2687837b7b67e117a8700ec62" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"/>
<clientCertificate>
<certificate findValue="631f5a67a9a70bc78540bb809e73fd1dbd00bbeb" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpsBinding>
<!--binding for clients within the firewall but calling the old style soap service-->
<binding name="BasicHttpsBinding" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpsBinding>
<netTcpBinding>
<binding name="NetTcpCertificatesBinding" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<!--<readerQuotas maxDepth="32" maxStringContentLength="65535" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />-->
<!--<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />-->
<security>
<transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
<protocolMapping>
<add binding="wsHttpBinding" scheme="https" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
Here is the full error I am receiving when trying to add a service to the WCF Test Client:
Error: Cannot obtain Metadata from https://10.100.13.28:51448/AcordWebService.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error URI: https://10.100.13.28:51448/AcordWebService.svc Metadata contains a reference that cannot be resolved: 'https://10.100.13.28:51448/AcordWebService.svc'. Could not establish trust relationship for the SSL/TLS secure channel with authority '10.100.13.28:51448'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.HTTP GET Error URI: https://10.100.13.28:51448/AcordWebService.svc There was an error downloading 'https://10.100.13.28:51448/AcordWebService.svc'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.
Lastly, to fill in a few holes in the information:
Any and all help will be appreciated if I'm able to finally resolve this problem.
Thanks in advance.
Here is how I solved my problem:
First, I had to turn on logging in my web.config:
<system.serviceModel>
<diagnostics>
<messageLogging maxMessagesToLog="30000" logEntireMessage="true"
logMessagesAtServiceLevel="true"
logMalformedMessages="true"
logMessagesAtTransportLevel="true"
maxSizeOfMessageToLog="65535000">
</messageLogging>
</diagnostics>
</system.serviceModel>
<system.diagnostics>
<sources>
<source name="System.ServiceModel"
switchValue="Verbose, ActivityTracing"
propagateActivity="true">
<listeners>
<add name="traceListener" />
</listeners>
</source>
</sources>
<sharedListeners>
<add name="traceListener"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData="c:\logs\Traces.svclog" />
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
Then checking the generated log I finally discovered that my web service's constructor was failing attempting to initialize NLog. Ultimately, I discovered that NLog was attempting to write to EventLog for which it did not have permissions. I followed the instructions found here except that I granted the permissions to the IIS AppPool user. This solved my problem.