I run an application on a local jboss server. Now I try to add its api as private base url on 3 scale. But i got the following error message:
Sorry, this domain is protected
Does anyone know how to use a protected domain as private base url in 3scale?
at the moment that's not possible, it is a known limitation based on protecting the gateway itself from possible injection attacks
Related
I'm getting this error when trying to load a javascript file from another server when using microsoft edge. I have a feeling it's related to the server being http instead of https, but I'm not sure. It works in IE (after allowing unsecured content), but I can't find an option in Edge to allow unsecured content.
This is the error I'm receiving:
SEC7117: Network request to http://servername/whatever.js did not succeed. This Internet Explorer instance does not have the following capabilities: privateNetworkClientServer
Thanks in advance for your help!
It may have something to do with mixing the Internet/Intranet Zones rather than the http/https.
See here: Understanding Enhanced Protected Mode
Private Network resources
Because EPM does not declare the privateNetworkClientServer capability, your Intranet resources are protected from many types of cross-zone attacks (usually called “Cross-Site-Request-Forgery (CSRF)” and “Intranet Port Scanning.”) Internet pages are not able to frame Intranet pages, load images or resources from them, send them CORS XHR requests, etc.
I know that this is an old post, but the info still seems to be relevant since Microsoft MSDN site still references it with regards to IE11 (e.g. here: Enhanced Protected Mode on desktop IE). I also know that IE11 is not Edge, but this info might apply to metro-style apps as well.
[UPDATE]
In my setup Edge failed to load my page in an iframe. When I tried loading the page in a separate Edge tab, it loaded just fine.
It turns out Edge fails to load a private/local secured SSL page (iframe) when in-conjunction of loading a public secured page. Both sites are secured using public SSL certificates to prevent mixed content issues. The issue is that Edge security detects that the iframe site is located on the users local network (private/domain network) and prevents the page from loading in an iframe. Edge reports the following security errors in developer console:
SEC7117: Network request to https://my.company.com/default.html did not succeed. This Internet Explorer instance does not have the following capabilities: privateNetworkClientServer
SEC7111: HTTPS security is compromised by ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html
To resolve the issue we moved the internal site to a non-local address space (a private network space using a different subnet from the local network) so that Edge detects the site as public network. Alternatively you could move the resources to a true public address.
Here are two alternatives to restructuring your network:
You may consider adding the externally hosted site to your "Local
intranet" zone.
E.g. If external.somedomain contains reference to internal.mydomain/whatever.js
then add external.somedomain to "Local intranet" zone in "Internet Options".
If possible change the hostname of the externally hosted site to
match your internally hosted site.
E.g. If external.somedomain contains reference to internal.mydomain/whatever.js then change external.somedomain hostname to external.mydomain.
Both of these options will essentially allow scripts on the external site to probe for HTTPS services on your internal network to some extent, which I assume is what this security feature is trying to prevent. The first option being the least secure as the second option is limited to probing matching domain names.
During testing, I noticed that Edge seems to get network details from Active Directory when Windows is domain joined. It's likely to prevent externally hosted sites linking to resources hosted anywhere within your AD domain, and not just the current subnet you are connected to. The one exception is if the externally hosted site shares the same base domain name. All this is apparently undocumented, which is why I'm posting this info here.
I want to know hotname params in javascript webscript.
Informations i need are :
url protocol (http|https)
server port
hostname
Is there a way to find these information in a share or alfresco webscript ?
Thank you.
If you're writing a Java webscript, then your best bet is probably to inject the SysAdminParams bean to the webscript as a spring dependency. It is available as a bean with ID sysAdminParams
If you're writing a JavaScript webscript running on the Repository (Alfresco), then there's the ScriptUrl object available as the urls base script object, which you can use to fetch the details.
If you're writing something on the Share side, often the simplest option is to call the org/alfresco/repository/site/site-share-view-url.get at something like http://localhost:8080/alfresco/service/api/sites/shareUrl?nodeRef={nodeRef}. The will return you the fully-qualified URL to view that node in Share, saving you the trouble of building it yourself!
I have a Webapp that is secured using Spring Security CAS. The CAS Server and the Webapp sit behind a web server for reverse proxy (named url). The webapp uses ServiceAuthenticationDetailsSource to authenticate dynamic service urls. The problem I have is that Service Ticket validations are failing because the url supplied during validation does not match the url provided when the ticket was created. The set up works without the webserver when systems are connected using https://:/.
The issue seems to be that the web server modifies the HttpServletRequest when redirecting to the webapp where in it looses the "named url" information and is substituted with the and . The service ticket is obtained using the named url via "?service=" during login.
Any possible solution? Can apache reroute request without modifying it, especially for applications that are self identifying or for security reasons where CAS is trying to record the client IP address?
I have outlined a few options below:
Setup the Reverse Proxy
According to the Javadoc of ServletRequest: the HttpServletRequest.getServerName() will be:
the value of the part before ':' in the Host header value, if any, or
the resolved server name, or the server IP address.
This means you can configure your proxy to ensure the Host Header is set properly (Note Some containers like WebSphere do not honor the specification though).
Override using the Container Configuration
Many servers have a setup that can override this value in the event you are using a reverse proxy. There is a pretty decent thread on the Spring forums with a bit more information on it that I have summarized below.
If you are using Tomcat, I'd refer to the Reverse Proxy setup page. One method of configuration would be to configure the Http Connector to have the proxyName attribute to override the value returned by HttpServletRequest.getServerName() and proxyPort to override the value returned by HttpServletRequest.getServerPort(). An example configuration might look like:
server.xml
<Connector scheme="https" secure="true"
proxyPort="443" proxyName="example.com"
port="8009" protocol="AJP/1.3"
redirectPort="8443" maxThreads="750"
connectionTimeout="20000" />
Websphere has a few custom properties that do the same thing.
com.ibm.ws.webcontainer.extractHostHeaderPort = true
trusthostheaderport = true
httpsIndicatorHeader = com.ibm.ws.httpsIndicatorHeader
If you are not using either of these containers or need to support multiple domains, you will need to consult your containers documentation.
Custom AuthenticationDetailsSource
Of course Spring Security is pretty flexible, so you can always provide a custom implementation of AuthenticationDetailsSource that returns an instance of ServiceAuthenticationDetails that looks up the service URL in any way you wish.
Does Grails know anything about sub-domains (i.e. subdomain.domain.com) ? I don't see it discussed in the manual. Is this purely an app server/web server issue? Can be tied into grails controllers, either statically or dynamically?
It does not matter which host is accessed for a java web application.
Supposing you have multiple clients separated on one host, e.g. customer1.yourhost.com, customer2.yourhost.com, etc. and all clients will have same functionalities.
In the simplest case I propse, that you just use write a filter, which will always put some request variable, like this:
def filters = {
all(controller:'*', action:'*') {
before = {
if (request.serverName.contains(".")) {
def clientName =
request.serverName.substring(0, request.serverName.indexOf("."))
request.currentClient = Client.findByClientName(clientName) // e.g.
}
}
}
}
Then at any place you can check request.currentClient for the current accessed subdomain.
However if it gets more complicated have a look at some multi-tenant plugins for grails.
If you want to have different functionalities for each subdomain e.g. help.yourhost.com and www.yourhost.com, I would propose that you write independent grails applications. You then setup a NGINX server to redirect those requests to the appropriate application running on your application server.
We run a few Grails apps on a single host using various sub domains. In all cases we use Apache to front the Tomcat server and use mod jk or forward proxy to handle the applications to the different Grails app. Most of it is rather straight forward, what we have not figured out is running the applications at the root level for the various domains, for instance -
http://app1.domain.com instead of http://app1.domain.com/app1
The only place I'm aware of subdomains being considered is for tenant resolution when using the multi-tenant plugin. See http://tinyurl.com/6tuxwvs.
Premise
I'm attempting to make a windows service act as a signalR client to a web server (MVC3 project running on IIS Express). When trying to connect to the server, a 401 Unauthorized is returned.
Now, as far as I understand, the windows service runs under the account NETWORK_SERVICE, and it makes sense that this is not a valid user name to connect to the IIS. However, I've tried configuring SignalR in the following way:
Init
private static Connection WebUIConnection = new Connection("http://localhost:54193/IISWebsite");
Set credentials
WebUIConnection.Credentials = new System.Net.NetworkCredential("?", "?")
The settings of the IIS:
The IIS is almost a standard MVC3 project, and it has windows authentication enabled.
What I've tried
I've tried setting SignalR's credentials as my local windows username + pw, and also tried using the local network AD uname + pw, but I don't see this as being the way to do it.
So what I'm asking is, what should I consider when I try to make my windows service act as a client to the signalR-server, and is there a way to configure IIS to give client access to the Network_Service user? Is it in fact possible to make a windows service act as a client to a web server running in IIS like I'm trying to do?
Thanks,
Lari
I was able to solve what seems to be the problem. With the SignalR.Client the URL you need to give in the connection string looks like this:
private static Connection WebUIConnection = new Connection("http://localhost:54193/IISWebsite/signalr/hubs");
In addition to this I had to provide it with my local admin username and password for it to be able to connect. This is not how it should be done I feel, and I'd appreciate if anyone can enlighten me on how to make the network user have access to IIS from a local machine.
However, I think making a separate administrator account and making my windows service run under that account in the production environment is a solution I'm willing to accept. This way, it will be able to connect to the local IIS without a hitch.
Hope this information is helpful to others :)
Lari
If you're using hubs then that code is incorrect. There's a HubConnection you should be using. More info here:
https://github.com/SignalR/SignalR/wiki/SignalR-Client-Hubs