I am trying to use "gem saml_idp" in my app but I am failling.
I am following this tutorial https://spin.atomicobject.com/2017/05/31/rails-saml-identity-provider/ but I keep receiving the messages below from server everytime I make a GET request at http://localhost:3000/saml/auth.
Processing by SamlIdpController#new as HTML
Unable to find service provider for issuer
Breadcrumb Controller halted via callback meta_data filter:Symbol has been dropped for having an invalid data type
Filter chain halted as :validate_saml_request rendered or redirected
Completed 403 Forbidden in 144ms (ActiveRecord: 0.0ms)
Started GET "/__meta_request/92c4c9d5-244f-4094-92e7-c7fed56de976.json" for ::1 at 2019-12-04 15:08:33 -0200
Does anybody know what is going on here ? Routes are:
get '/saml/auth' => 'saml_idp#new'
post '/saml/auth' => 'saml_idp#create'
That tutorial describes the configuration necessary for an SP-initiated SSO flow. It won't be entirely applicable to you, since you are creating an idP-initiated flow. You may be seeing that "Unable to find service provider for issuer" error because the route you're visiting expects an AuthnRequest present (which would normally be generated and sent by the SP, to request a login for users on the idP... which would then respond to the SP with a SAMLResponse containing an Assertion). This happens because you're extending the idPController present in the gem. You won't need to do this unless you expect to respond to AuthnRequests from SPs.
This gem may still be useful to you. You should still be able to call SamlIdp::SamlResponse.new to build a SAMLResponse from an idP-initiated flow. The exact configuration depends on how you must communicate with your SP, so it is difficult to provide guidance here.
Related
I work on a number of Rails sites with forms and take advantage of Rails built-in authenticity token support. Works like a charm. Happy Happy Joy Joy.
It varies, but I would say I average about a SQL injection attack once a month that is successfully caught as having a failed authenticity token check. Wonderful.
The problem is the failed authenticity token check generates an ActionController::InvalidAuthenticityToken exception which returns an HTTP 5xx error because it is an unhandled exception. Good: the bad request is not allowed. Bad: The hacker is functionally informed that my server crashed which is hacker-code for KEEP ATTACKING THIS INTERFACE AT ALL COSTS because they aren't catching this error.
So what is the best way to handle this? If I simply try to wrap my controller method in a try/except, it doesn't even get to my method. It seems that if I want to respond with an access denied or some similar "bad user input" error (HTTP 4xx) then I would have to plug into the pipeline which seems like overkill for something the entire world has to deal with.
Also, what is the proper HTTP response? 400 (Bad Request)? Seems correct, but the other common scenario that generates this error is when a user pulls up your form from cache after the access token has timed out. In this case, the best user experience would be to simply refresh the form with a message saying it took too long for them to fill out the form or something like that. I suppose that could be in the body of an HTTP 400 response.
So how do I build this? Maybe something in the ApplicationController? Why isn't this the default? Maybe it is being handled properly and my "Unhandled Exception" reports are earlier in the pipeline?
I am new to ASP.NET MVC. I am using http POST for custom validation. Recently I learned that both http POST and http GET are used to send data to the server. HTTP POST is more secure while http GET is less secure as it sends the data in the query string.
I want to know then, is it possible to get completely rid of HTTP GET in my project as its function is similar to http POST? I tried that but it immediately gave error as soon as I started debugging the project. It said "The resource cannot be found.". I am confused. Please help.
I would recommend to review Http Methods - MDN
Since you just started the right course of action would be to use GET to obtain the data (e.g. load the form) and POST to update the data (submit the form to the server).
If the application you are working on is written in plain ASP.NET MVC it will be impossible to completely avoid GET (as it is used by the browser to load application pages/views).
Once you are ready to move to REST APIs you might want to deeper explore PUT, DELETE and other methods
Web requests made to my 2 Rails instances sometimes produce the following error (silently)
...
W, [2019-09-04T10:53:53.880137 #13871] WARN -- : Can't verify CSRF token authenticity
I, [2019-09-04T10:53:53.880465 #13871] INFO -- : Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
...
I believe this is because of the CSRF token generated from 1 instance and the above request was made to another instance.
How can I resolve this without disabling CSRF tokens?
The current setup is 2 virtual machines (on separate machines) running a copy of the same Rails app, sitting behind a load balancer. I have looked at the logs and this occurs at least 10 times a day.
Any help would be much appriciated
I've never use BinaryLane, and I've tried to check their document about setting load balancer where I can show you, but cannot find one.
Here is the load balancer config I used in GCP:
Look for Session affinity option or something similar (see their explanation for each option), for me I choose Generated cookie. Hope this give you idea of the problem.
I have a web application which i need to be load tested using LoadRunner. When I record the website using vugen it works good and there is no any application bug. But when I tried to replay the script, script failed after login and while navigating to next page, say, Transaction. At the end of log, I receive error:
Action.c(252): Error -26612: HTTP Status-Code=500 (Internal Server Error)
for "http://rob.com/common/transaction
Please help me to resolve this error.
LoadRunner generates HTTP request just as your browser does, this error is the same error you would get if you would go to that URL using your browser. Error code 500 is a generic server error that is returned when there is no better (more specific error to return).
Most likely the login process requires some form of authentication which is protected against a replay attack by using some form of token. It is up to you to capture this token using Correlations in LoadRunner and replay it as the server expects. The Correlation Studio in VuGen should detect and identify the token for you but since authentication methods vary it is sometimes impossible to do this automatically and you will have to create manual correlation. Please consult the product documentation for more details on how to do it. If your website is publicly available online then post its URL and I will try to record the script on my machine.
Thanks,
Boris.
Most common reasons
You are not checking each request for a valid result being returned and using a 200 HTTP status as an assumed correct step without examining the content of what is being returned. As a result when data being returned is incorrect you are not branching the code to handle the exception. Go one to two steps beyond where your business process has come off the rails with an assumptive success and you will have a 500 status message for an out of context action occurring 100% of the time.
Missed dynamic element. Record three times. Compare the code. Address the changing components.
i get this exception
ActionController::MethodNotAllowed: Only get requests are allowed.
please can any one give solution for this
This error means you are trying to post/put/delete to a path that only accepts GET requests. You need to confirm that your route and the path and/or form method you are using match up.
This error occurs when you have defined a standard route and a client is trying to connect to the route using a HTTP method different than GET or POST.
Usually, this is caused by clients using the Microsoft Office Protocol Discovery. These clients send an OPTION request which is not supported by Rails.
You can fix the problem in multiple ways:
ignore the error in your production environment
prevent the error using a before_filter and head 406 in your controller
rescue the error using rescue_from in your controller
prevent the error filtering the request via Rack Middleware
prevent the error blocking non GET/POST/HEAD requests using your webserver
I personally prefer the last option, but it requires you to have administration privileges on the server. Otherwise, the Rack Middleware option is the most efficient way to filter unexpected requests.
How are you trying to get to this page? It looks like you are trying to do some other kind of RESTful call (put, post, delete) and that method. A code snipped of that controller would be really helpful to diagnose the problem.