WSO2 Admin services BAMMediatorConfigAdmin - web-services

I am trying to add BAM server profile (under ESB server) using Admin Web services. I am not seeing any error thrown while executing as standalone program but profile is not getting added. Please advise if below steps are correct -
Get admin cookie by connecting to "AuthenticationAdmin" URL
Create stubs using wsdl2java from "BAMMediatorConfigAdmin" WSDL
String bamcepServerProfileServiceURL = Constant.SERVICE_URL + "BAMMediatorConfigAdmin";
BAMMediatorConfigAdminStub stub = new BAMMediatorConfigAdminStub(bamcepServerProfileServiceURL);
ServiceClient client = stub._getServiceClient();
Options option = client.getOptions();
option.setManageSession(true);
option.setProperty(org.apache.axis2.transport.http.HTTPConstants.COOKIE_STRING, adminCookie);
BAMMediatorConfigAdminStub.BamServerConfig bamConfig = new BAMMediatorConfigAdminStub.BamServerConfig();
bamConfig.setUsername("admin");
bamConfig.setPassword("admin");
bamConfig.setLoadbalanced(false);
bamConfig.setSecurity(true);
bamConfig.setIp("localhost");
bamConfig.setAuthenticationPort("7611");
BAMMediatorConfigAdminStub.SaveBamServerConfig config = new BAMMediatorConfigAdminStub.SaveBamServerConfig();
config.setBamServerConfig(bamConfig);
stub.saveBamServerConfig(config);

Please check #addResource in[1], which creates the profile and calls ,
stub.saveResourceString(resourceString, bamServerProfileLocation);
through #saveResourceString in[2]
[1]https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.1.0/components/mediators/bam/org.wso2.carbon.mediator.bam.config.ui/4.1.0/src/main/java/org/wso2/carbon/mediator/bam/config/ui/BamServerProfileUtils.java
[2]https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.1.0/components/mediators/bam/org.wso2.carbon.mediator.bam.config.ui/4.1.0/src/main/java/org/wso2/carbon/mediator/bam/config/ui/BamServerProfileConfigAdminClient.java

Related

How does jetty.security.ConfigurableSpnegoLogin work?

I'm trying to make a jetty server use kerberos. For this, I found that there is a built-in solution, called org.eclipse.jetty.security.ConfigurableSpnegoLoginService.
Unfortunately, I haven't found any useful documentation for this. There is one closed issue in the github jetty project about this, but those comments did not help either.
Can someone point me to an example on how to use it? I only need this for authentication, but no authorization.
The way I'd use it is something like this:
ConfigurableSpnegoLoginService spnegoLoginService = new ConfigurableSpnegoLoginService(....);
//set up the spnegoLoginService
ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
securityHandler.setLoginService(spnegoLoginService);
The SPNEGOAuthenticationTest has a server side component example.
server = new Server();
server.setSessionIdManager(new DefaultSessionIdManager(server));
HashLoginService authorizationService = new HashLoginService(realm,
realmPropsPath.toString());
ConfigurableSpnegoLoginService loginService =
new ConfigurableSpnegoLoginService(realm,
AuthorizationService.from(authorizationService, ""));
loginService.addBean(authorizationService);
loginService.setKeyTabPath(serviceKeyTabPath);
loginService.setServiceName(serviceName);
loginService.setHostName(serviceHost);
server.addBean(loginService);
ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
Constraint constraint = new Constraint();
constraint.setAuthenticate(true);
constraint.setRoles(new String[]{"**"}); //allow any authenticated user
ConstraintMapping mapping = new ConstraintMapping();
mapping.setPathSpec("/secure");
mapping.setConstraint(constraint);
securityHandler.addConstraintMapping(mapping);
authenticator = new ConfigurableSpnegoAuthenticator();
securityHandler.setAuthenticator(authenticator);
securityHandler.setLoginService(loginService);
securityHandler.setHandler(handler);
SessionHandler sessionHandler = new SessionHandler();
sessionHandler.setHandler(securityHandler);
To use ConfigurableSpnegoLoginService you require (must have / not optional) ...
A Servlet / HTTP Authentication realm
A Servlet Authentication role
A Servlet Constraint + Constraint Mapping
An AuthorizationService (but you don't want a authorization??)
A ConfigurableSpnegoAuthenticator
Not entirely sure how you will satisfy the "no authorization" part with spnego/kerberos + http authentication + servlet constraint / authentication in the mix. Maybe you have to drop the "no authorization" part and define proper authorization / roles, but put everyone in the same role??

Unable to connect two LDAP servers at a time with Apache-Superset application

I am trying to configure Superset with multiple ldap servers, but at this moment, I was able to setup for only one server.
Any work around that can be done in the 'Config.py' to configure multiple servers at a same time??
I have given the following configuration in the ‘config.py’ file.
config.py - LDAP configs
AUTH_TYPE = AUTH_LDAP
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Alpha"
AUTH_LDAP_SERVER = "ldap://ldap_example_server_one:389"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_BIND_USER = "CN=my_user,OU=my_users,DC=my,DC=domain"
AUTH_LDAP_BIND_PASSWORD = "mypassword"
AUTH_LDAP_SEARCH = "DC=my,DC=domain"
AUTH_LDAP_UID_FIELD = "sAMAccountName"
Note – It worked for ‘ldap_example_server_one:389’ server but when tried to add another server it threw an Configuration failure error.
You can't use multiple LDAP servers with default LDAP authenticator from Flask Appbuilder. You have to implement your own custom security manager which will be able to operate as many LDAP servers as you want.
At first, you should create new file, e.g. my_security_manager.py. Put these lines into it:
from superset.security import SupersetSecurityManager
class MySecurityManager(SupersetSecurityManager):
def __init__(self, appbuilder):
super(MySecurityManager, self).__init__(appbuilder)
Secondly, you should let Superset know that you want to use your brand new security manager. To do so, add these lines to your Superset configuration file (superset_config.py):
from my_security_manager import MySecurityManager
CUSTOM_SECURITY_MANAGER = MySecurityManager
Here is additional information on the topic.

Getting HTTP 401 Error calling MS CRM 365 USING SOAP UI

I am trying to call MSCRM 365 web services using SOAPUI, this is what i have done so far
Downloaded Organization WSDL from my cRM instance
Uploaded in SOAPUI
Added three header parameters - Content-Type, SOAPAction and Accept
Added Username and Password in Request Properties
Whenever I send a request to MSCRM, I get "HTTP ERROR 401 - Unauthorized: Access is denied"
Anyone have any ideas?
Thanks,
Nitesh
Since this is Dynamics 365 it does not authenticate using Username / Password. Instead you will need to use OAuth as shown in the link
https://msdn.microsoft.com/en-us/library/gg327838.aspx
// TODO Substitute your correct CRM root service address,
string resource = "https://mydomain.crm.dynamics.com";
// TODO Substitute your app registration values that can be obtained after you
// register the app in Active Directory on the Microsoft Azure portal.
string clientId = "e5cf0024-a66a-4f16-85ce-99ba97a24bb2";
string redirectUrl = "http://localhost/SdkSample";
// Authenticate the registered application with Azure Active Directory.
AuthenticationContext authContext =
new AuthenticationContext("https://login.windows.net/common", false);
AuthenticationResult result = authContext.AcquireToken(resource, clientId, new
Uri(redirectUrl));
Use the access token in message requests:
using (HttpClient httpClient = new HttpClient())
{
httpClient.Timeout = new TimeSpan(0, 2, 0); // 2 minutes
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", result.AccessToken);
Another options would be to shift from Xrm.Client to Xrm.Tools.Connection. See the example in this site.
https://msdn.microsoft.com/en-us/library/jj602970.aspx

Moodle Error - Web Services Client - No access rights in module context

I have got the following setup in Moodle:
I have enabled Web Services
I have enabled the REST protocol
I have added a service called grades and enabled it
I have added the function mod_assign_get_grades to the service
I have assigned the webservice user as an authorized user for the service
I have also created and assigned a role to the user that will allow the user of the rest protocol
I have also created a token for the user and service
I have used the code below to make a request to the API:
/// SETUP - NEED TO BE CHANGED
$token = '068183c4c700bdcfe2b0bfe24a8043e2';
$domainname = 'http://localhost/Project/moodle';
$functionname = 'mod_assign_get_grades';
// REST RETURNED VALUES FORMAT
$restformat = 'xml'; //Also possible in Moodle 2.2 and later: 'json'
//Setting it to 'json' will fail all calls on earlier Moodle version
/// PARAMETERS - NEED TO BE CHANGED IF YOU CALL A DIFFERENT FUNCTION
$params = array('assignmentids' => array(1));
/// REST CALL
header('Content-Type: text/plain');
$serverurl = $domainname . '/webservice/rest/server.php'. '?wstoken=' . $token . '&wsfunction='.$functionname;
require_once('./curl.php');
$curl = new curl;
//if rest format == 'xml', then we do not add the param for backward compatibility with Moodle < 2.2
$restformat = ($restformat == 'json')?'&moodlewsrestformat=' . $restformat:'';
$resp = $curl->post($serverurl . $restformat, $params);
print_r($resp);
Upon execution I get the following error:
No access rights in module context
As far as I can tell I have assigned the appropriate capabilities and permissions and don't know where I'm going wrong?
Looks like the web service user I created did not have the privileges to access student grades. Using the admin account that I created when I used moodle I am able to run the script and return a response.

ASP.NET Identity / OData using CORS and cookie authentication missing Auth cookie

I have an ASP.NET Identity site and a ASP.NET OData site.
Both sites have CORS enabled and both site are using ASP.NET Identity CookieAuthentication.
When I execute both sites locally on my computer using IIS (not express) the AUTH cookie is being passed in the header on each request to the OData site.
But when I deploy the sites to the production IIS server then the header is missing the AUTH cookie when calling the production OData site.
Both production and my local IIS have the same domain name and CORS is setup to allow all.
The WebApiConfig has
cors = new Http.Cors.EnableCorsAttribute("*", "*", "*");
config.Enable(cors);
Before anyone asks, yes the machine key is the same between sites.
UPDATE
This seems to be a CORS issue.
When both sites are on my local machine they use the same host name and domain name but when the site are on the production server they have different host names and the same domain name.
You might need to specify the "Access-Control-Allow-Origin" inside your OAuthAuthorizationServerProvider.
I'm using OWIN but you should be able to do something similarly.
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
try adding the policy in your OWIN startup class as below. Just keep in mind that the Startup class might have some different class files since it's a partial class. Also, check ConfigureAuth method to see if everything is set according to your needs there. For instance, you set the external signin cookie of Identity as copied below in ConfigureAuth method to allow External Signin Cookeies like facebook and google.
public void Configuration(IAppBuilder app)
{
//
app.UseCors(CorsOptions.AllowAll);
ConfigureAuth(app);
}
app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
I finally got this to work.
In the ASP.NET Identity site I have the following:
// configure OAuth for login
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
Provider = new CookieAuthenticationProvider(),
LoginPath = new PathString("/Account/Login.aspx"),
CookieName = ".TESTAUTH",
CookieDomain = ".test.com",
CookieSecure = CookieSecureOption.Always
});
It seems that the important part on the ASP.NET Identity site is that the "CookieName, CookieDomain, and the Machine Key" must match the one on the OData site.
And then on the OData site I have the following:
// configure OAuth for login
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
Provider = new CookieAuthenticationProvider { OnApplyRedirect = ApplyRedirect },
LoginPath = new PathString("/Account/Login.aspx"),
CookieName = ".TESTAUTH",
CookieDomain = ".test.com",
CookieSecure = CookieSecureOption.Always
});
// build the configuration for web api
HttpConfiguration config = new HttpConfiguration();
// Enable CORS (Cross-Origin Resource Sharing) for JavaScript / AJAX calls
// NOTE: USING ALL "*" IS NOT RECOMMENDED
var cors = new Http.Cors.EnableCorsAttribute("*", "*", "*");
config.EnableCors(cors);
// call the web api startup
WebApiConfig.Register(config);
app.UseWebApi(config);
private void ApplyRedirect(CookieApplyRedirectContext context)
{
Uri absoluteUri = null;
if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, absoluteUri))
{
var path = PathString.FromUriComponent(absoluteUri);
if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
{
QueryString returnURI = new QueryString(context.Options.ReturnUrlParameter, context.Request.Uri.AbsoluteUri);
context.RedirectUri = "https://www.test.com/Account/Login.aspx" + returnURI.ToString;
}
}
context.Response.Redirect(context.RedirectUri);
}
The "LoginPath" is required even though it does not exist on the OData site and you can't use a full url to another site for the login path.
I used "OnApplyRedirect" to redirect to the actual Login page.
I'm not sure what the difference is between "config.EnableCors" and "app.UseCors" but the EnableCors seems to be working for now.