Struggling with setting up correct redirection on AWS application load balancer (amazon-elb)

Wondering if someone can help me understand this peculiar behaviour I am seeing with the AWS ALB redirects.
We have a web application running on EC2 instance which shows three different types of login pages when the correct context path is used like below which works fine:
https://<internal-ec2-fqdn>/ucmdb-browser (redirects to the default application login page)
https://<internal-ec2-fqdn>/console (redirects to the administration login)
https://<internal-ec2-fqdn>/status (redirects to the application status page)
and
https://<internal-ec2-fqdn>/ (Page not found)
So all working as expected.
This Web application is now fronted with AWS ALB so it can be accessed from outside world.
where if someone types:
https://<externalalb-fqdn>/ (should redirect to /ucmdb-browser and show the login page)
https://<externalalb-fqdn>/ucmdb-browser (should redirect to /ucmdb-browser and show the login page)
https://<externalalb-fqdn>/status (should redirect to /status page)
https://<externalalb-fqdn>/console (should redirect to admin login page)
https://<externalalb-fqdn>/ (should redirect to custom 404 error)
To do this, my settings in AWS listener looks like below:
[screenshot of the ALB listener rules, not reproduced]
Now the issue is, whenever I type any of the URLs, it is being forwarded to the 404 page only, unless I change the last default action rule to the actual UCMDB target group.
But that defeats the purpose because one could type any context path whatsoever and it still transfers the request to the application server.
Not sure what I am doing wrong but I have tried all the various combinations I can think of.
Any help is appreciated.
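One way to express the intended listener layout as infrastructure-as-code, added here as an illustration and not part of the question or its screenshot (Terraform HCL; `aws_lb.ucmdb`, `aws_lb_target_group.ucmdb` and `var.certificate_arn` are assumed names). The default action is the catch-all 404, explicit path rules forward only the three context paths, and a separate rule handles the bare `/`:

```hcl
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.ucmdb.arn        # assumed resource name
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn     # assumed variable

  # Default action has the lowest precedence: a path no rule claims gets a
  # 404 from the ALB itself and never reaches the application server.
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "Not found"
      status_code  = "404"
    }
  }
}

# Bare "/" goes to the default login page; priority 5 is evaluated first.
resource "aws_lb_listener_rule" "root_redirect" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 5
  action {
    type = "redirect"
    redirect {
      path        = "/ucmdb-browser"
      status_code = "HTTP_302"
    }
  }
  condition {
    path_pattern { values = ["/"] }
  }
}
# One forward rule per context path the backend actually serves.
resource "aws_lb_listener_rule" "app_paths" {
  for_each     = { "ucmdb-browser" = 10, "console" = 20, "status" = 30 }
  listener_arn = aws_lb_listener.https.arn
  priority     = each.value
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ucmdb.arn   # assumed resource name
  }
  condition {
    path_pattern {
      # Patterns are case-sensitive and exact: "/console" alone would not
      # match "/console/" or "/console/login", hence the second value.
      values = ["/${each.key}", "/${each.key}/*"]
    }
  }
}
```

With this layout a request that still gets the 404 is one whose path matched none of the rule conditions, which is the intended outcome for unknown paths; if the login page itself loads assets from paths outside these three prefixes, those requests also fall through to the 404 and need their own rule.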

Related

Authenticate user before displaying an iFrame

I am preparing to work on a project where I need to display a dashboard from an online application. Unfortunately, the use of an API is currently not possible. The dashboard can be embedded in an iFrame. However, when it is displayed it will prompt the user viewing the dashboard to login to an account.
I have one paid account to this service. Are there any rails gems to login to the service before the iFrame is processed?
Or would a proxy within my rails app be a better route to go?
Any pointers are appreciated!
Neither a Rails gem nor a proxy within your Rails app will work, and they both have the same limitation.
They are both running on the back-end, server side.
The authentication you need is client side.
Unless you mean proxying the ENTIRE thing, the auth request and all subsequent requests and user interactions with this dashboard. That should work, but (see below).
The way authentication works (pretty much universally) is: once you log in to any system, it stores a cookie on your browser and then the browser sends that cookie for every subsequent request.
If you authenticate on the backend, that cookie will be sent to your Rails code and will die there, and the user's browser will never know about it.
Also - it is not possible to do the auth server side and capture the cookie and then have the user browse the site with their browser directly, for two reasons:
Sometimes auth cookies use information about the browser or HTTP client to encrypt the cookie, so sending the same cookie from a different client won't work.
You can not tell a browser to send a cookie to a domain different than your own.
So your options are, off the top of my head right now:
If there is a login page that accepts form submissions from other domains, you could try to simulate a form submission directly to that site's "after login" page (the page the user gets directed to once they fill in the login form). Any modern web framework has XSRF protection (Cross Site Request Forgery protection) and will disallow this approach for security reasons.
See if the auth this site uses has any kind of OAUTH, Single Sign On (SSO) or similar type of authentication integration that you can do. (Similar to an API, so you may have already explored this option)
Proxy all requests to this site through your server. You will have to rewrite the entire HTML so that all images, CSS, stylesheets, and all other assets are also routed through the proxy, or else the URLs are rewritten in the HTML to not be relative. You might hit various walls if a site wasn't designed for this use case: things like the site using relative URLs for assets that you aren't proxying, the site referencing non-relative URLs causing cross-domain errors, etc. Note it's really hard to rewrite every single last asset reference; it's not only the HTML you're worried about, JavaScript can have URLs in it too, and CSS can as well.
You could write a bookmarklet or a browser extension that logs the user into the site.
Have everyone install Lastpass
Have everyone install the TamperMonkey browser extension (and others like it for other browsers), and write a small User Script to run custom JavaScript automatically to log the user in on that site.
Scrape that site for the info you need and serve it on your own site.
OK I'm out of ideas. :)

401.0 - Unauthorized - MVC App with IIS 7

I've got an MVC app that normally works fine, but on a particular server, it's returning a 401.0 "The authenticated user does not have access to a resource needed to process the request" error.
Normally it works like this:
User logs into a separate application, gets a user ID and token, clicks a link into this application. User ID and token go into the URL.
User gets into my application with Anonymous auth, and then in our LogonAuthorize filter, we get the ID and token from the query string to authenticate the user.
I have logging in the filter, and I can see the user getting authenticated. So, they're making it at least that far. However, instead of the page they're supposed to see, there's a 401.0 Unauthorized error from IIS.
Things I have tried:
Giving IUSR access to the directory
Running migrate.exe (it's an Entity Framework app)
Removing all [Authorize] attributes in the solution... I know that we make it as far as the Initialize() event of my BaseController object. We don't seem to make it into the specific controller actions, such as Home/Index, which inherits BaseController. I don't see any logging after BaseController.Initialize().
Giving Network Service access to the directory
Switching the App Pool from Integrated to Classic (I get a blank screen instead of a 401.0 error, which is odd. Same authentication stuff in the logs.)
Using a local user account instead of Network Service with the app pool, giving that account access to the directory
Setting different accounts to be used by "Anonymous"
Rebuilding and redeploying the app (several times)
Different authentication schemes: Turning on Windows auth gives a 401.1, turning off all of them gives a 401.2
Making sure Global.asax is in the right place
aspnet_regiis -i
Tearing all my hair out (counterproductive)
I set up a tracing rule for this error, and I have a trace, but I have no idea how to read it. I would paste it here, but it's a pretty long XML file.
The error comes from module ManagedPipelineHandler, notification ExecuteRequestHandler, handler System.Web.Mvc.MvcHandler, with error code 0x00000000.
One detail: This server is configured to use port 90 instead of port 80. I'm not sure why that would cause problems, but maybe it would?
One other detail: The app in question is running as an application in a virtual directory underneath the "main" application, which is configured as the root website.
One new detail: This server is Windows Server 2008 R2, and was upgraded from Windows Server 2003. I believe something in the upgrade process may account for the issue, as none of the "usual suspect" solutions to this type of problem have helped.
So you have found the solution but are seeking clarification on why it worked. This can be one of the scenarios.
It seems your website/web application was hosted through specific user credentials that had expired. The next time, when you removed and re-added Windows authentication with new credentials or application pass-through, it worked.
I faced a similar situation in one of our test web applications that is hosted using specific user path credentials. Each time the user password is changed or expires, the web application stops working.
Windows authenticates first with Kerberos. Next it attempts other authentication methods. Your requirement was NTLM. Turning off all but Windows Authentication forced the application to attempt NTLM which succeeded.
It seems that the solution here was to turn on Windows auth and turn off every other form of authentication, which is counterintuitive. But there you go... that's what made it work.
If someone wants to post an answer explaining WHY that was the answer for me, I'll award them the bounty.

Grails Redirect not working when accessed through remote or other server

I am stuck at one point. We have to implement a feature which will redirect to the login page with a message saying "Your session is expired, please login again!".
For this, I planned to redirect to a URL but redirection is not working! Following is the situation in my environment.
Grails Server:
http://SERVER_ONE/MyApp
Widgets (UI) Server:
http://SERVER_TWO/widgets/myWidget (different from grails server)
Login page:
http://SERVER_TWO/widgets/login
Config.groovy file already contains grails.serverURL = "http://SERVER_TWO/widgets/"
When I access the URL directly from grails server, e.g.
http://SERVER_ONE/MyApp
with invalid session, redirection works fine.
But redirection doesn't work when accessed from Widget page which is running on different server.
Redirect code is as follows:
redirect(uri: "http://SERVER_TWO/widgets/login?sessionExpired=true")
It would be a great help to me; kindly respond, as I am relatively new to Grails development.
Do you have your sessions distributed across the servers? By default sessions are not cross-server.

Prevent site from redirecting to login URL

I've developed a simple set of pages using ASP.NET MVC - then hosted them in IIS 7.5.
These are just visual pages with no data behind them.
The server is online and I didn't want the casual observer to be able to access them so simply set IIS up with basic authentication. I then created a limited demo account so that I could send details to customers so they can take a look at these visual pages.
When going to the url:
www.myserver/mysite/home/index
The browsers username and password box pops up as I would expect.
I then type in the details for my demo account.
However, after a successful authentication, rather than being taken to
www.myserver/mysite/home/index
My browser instead tries to take me to something along the lines of:
www.myserver/mysite/home/index/login.aspx?ReturnURL=.....
If I then return to the original URL it loads correctly.
How can I prevent the redirect following the successful login?

Groovy/GSP redirect around controller

I have a web application that I am trying not to recompile since there is little documentation and the environment is a little sensitive.
With that in mind, all I am trying to do is hijack the authentication mechanism to redirect to one of a couple replacement websites. To that end, there is an authentication service and an authentication controller. The website redirects to /auth/login when the user comes unauthenticated.
In the views folder I have built an alternative /auth/login_new.gsp and from there can authenticate the user and get a redirection back to /auth/redirect.gsp at some frequency but not 100%. That redirect page takes a value from the DB and redirects the user to the correct follow on website. When I run authentication from /auth/login, the site ignores the redirect request to /auth/redirect.gsp.
I had set the show pages for all the different controllers to window.location.href="/auth/redirect.gsp" but I can't get it to go there 100%. I have also reset the layout/domain.gsp file to gut the other functionality of the site and script redirect as well. I was getting errors with duplicate redirect attempts, but now I just go to a dead/gutted homepage...
Any suggestions on how I can dodge the recompile?
Thanks
Leif
