Sorry for this naive question.
I generated a project using start.camunda.com, with spring security.
I do see spring security pwd in console. When I try to use admin/, I get a message password is invalid. Should I use some other userid/pwd?
The starter
The app config:
The cmd line spring security pwd
Login fail
a) On the form-based login page provided by Spring Boot you can use the generated credentials as you tried above and as described here:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#servlet-hello-boot-dependencies
In you example above this would be:
user: user
password: the generated password you highlighted on the console
b) This gets you past the spring security login, but the project would still be missing the SSO config for Camunda. To make this work quickly you can copy the packages
config
filter
from
https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso/src/main/java/com/camunda/demo
c) if you copy those folders into the generated starter project then the package name will differ, so you need to adjust
com.example.workflow.config.WebAppSecurityConfig line 33
to reflect the changed package name:
filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider", "com.example.workflow.filter.webapp.SpringSecurityAuthenticationProvider"));
d) as a result of the new security configuration the credentials from a) will not exist anymore. Instead you can now use the credentials defined in
com.example.workflow.config.SecurityConfig
For instance access http://localhost:8080/ using the credentials john/john or demo/demo
Also see: https://camunda.com/best-practices/securing-camunda/
Related
I am currently working on dockerizing Jenkins FROM jenkins/jenkins:lts image. I am not so familiar with Groovy nor Jenkins, but I managed to run few scripts by adding this line to my Dockerfile
COPY /jenkins/script.groovy /usr/share/jenkins/ref/init.groovy.d/
The problem is that I couldn't find a way to automatically setup the email notification settings such as SMTP server, check the checkbox of Use SMTP Authentication. Is there a way to configure those using a Groovy script? If it's not possible then is there any other way to do so?
I'd recommend using Jenkins Configuration as Code -JCasC for as much of the Global Settings and plugin settings that are supported. A very %ge can be be done that way, including anyone. Easiest approach is manually configure an Instance (local is fine), export settings via JCasC, backup actual configure, wipe configure, load JCasC and compare to backup.
eg: mailer plugin
It does not handle the installation of the plugins,so you must do that first, maybe via plugin manager installation tool or Docker file
Update (Jenkins configuration as code)
I managed to set up the email config using JCasC plugin thanks to Ian W on the recent answer, it wasn't the answer for my question but helped me follow through.
So to set up a config in this example you will need to set up just mailing config or even more, so all you need to do is create a new file with a YAML configuration like this:
unclassified:
mailer:
authentication:
password: "AES-128-Encrypted password"
username: "example#gmail.com"
charset: "UTF-8"
smtpHost: "smtp.gmail.com"
smtpPort: "465"
useSsl: true
useTls: false
type the email and other configs like SMTP settings in plain text but for the password, you will need an encrypted password (AES-128), to do so you can simply go to:
http://<jenkins-ip>:<jenkins-port>/script
You will have a text box to type the following groovy script to encrypt that password (update your password to match your email's pass)
import hudson.util.Secret
def secret = Secret.fromString("Your Password")
println(secret.getEncryptedValue())
Once you run the script you will get a new encrypted password, simply copy then paste it in the Config file password field.
Now we are going to simply use that file to apply the new mail configuration by visiting (again make sure that you have configuration-as-code plugin installed):
http://<jenkins-ip>:<jenkins-port>/configuration-as-code/
Then copy the configuration file path inside the config path field (you can also use a URL of a config)
/path/to/conf.yaml
and finally, apply a new configuration!
You can use the JCasC for your desire find more here also see the GitHub repo
Following pipelines readme to set up a deployment pipeline, I ran
$ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap \
--cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \
aws://[ACCOUNT_ID]/us-west-2
to create the necessary roles. I would assume the roles would automatically add sts assume role permissions from my account principle. However, when I run cdk deploy I get the following warning
current credentials could not be used to assume
'arn:aws:iam::[ACCOUNT_ID]:role/cdk-hnb659fds-file-publishing-role-[ACCOUNT_ID]-us-west-2',
but are for the right account. Proceeding anyway.
I have root credentials in ~/.aws/credentials.
Looking at the deploy role policy, I don't see any sts permissions. What am I missing?
You will need to add permission to assume the role to the credentials from which you are trying to execute cdk deploy
{
"Sid": "assumerole",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"iam:PassRole"
],
"Resource": [
"arn:aws-cn:iam::*:role/cdk-readOnlyRole",
"arn:aws-cn:iam::*:role/cdk-hnb659fds-deploy-role-*",
"arn:aws-cn:iam::*:role/cdk-hnb659fds-file-publishing-*"
]
}
First thing you need to do is enabling the verbose mode to see what is actually happenning.
cdk deploy --verbose
If you see similar message below. Continue with step 2. Otherwise, you need to address the problem by understanding the error message.
Could not assume role in target account using current credentials User: arn:aws:iam::XXX068599XXX:user/cdk-access is not authorized to perform: sts
:AssumeRole on resource: arn:aws:iam::XXX068599XXX:role/cdk-hnb659fds-deploy-role-XXX068599XXX-us-east-2 . Please make sure that this role exists i
n the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Check S3 buckets related to CDK and CloudFormation stacks from AWS Console. Delete them manually.
Enable the new style bootstrapping by one of the method mentioned here
Bootstrap the stack using below command. Then it should create all required roles automatically.
cdk bootstrap --trust=ACCOUNT_ID --cloudformation-execution-policies=arn:aws:iam::aws:policy/AdministratorAccess --verbose
NOTE: If you are working with docker image assets, make sure you have setup your repository before you deploy. New style bootstrapping does not create the repos automatically for you as mentioned in this comment.
This may be of use to somebody... The issue could be a mismatch of regions. I spotted it in verbose mode - the roles were created for us-east-1 but I had specified eu-west-2 in the bootstrap. For some reason it had not worked. The solution was to set the region (by adding AWS_REGION=eu-west-2 before the cdk deploy command).
I ran into a similar error. The critical part of my error was
failed: Error: SSM parameter /cdk-bootstrap/<>/version not found.
I had to re-run using the new bootstrap method that creates the SSM parameter. To run the new bootstrap method first set CDK_NEW_BOOTSTRAP via export CDK_NEW_BOOTSTRAP=1
Don't forget to run cdk bootstrap with those credentials against your account [ACCOUNT_ID].
For me, the problem was that I was using expired credentials. I was trying to use temporary credentials from AWS SSO, which were expired. The problem was that the error message is misleading: it says
current credentials could not be used to assume 'arn:aws:iam::123456789012:role/cdk-xxx999xxx-deploy-role-123456789012-us-east-1', but are for the right account. Proceeding anyway.
(To get rid of this warning, please upgrade to bootstrap version >= 8)
However, applying the --verbose flag as suggested above showed the real problem:
Assuming role 'arn:aws:iam::123456789012:role/cdk-xxx999xxx-deploy-role-123456789012-us-east-1'.
Assuming role failed: The security token included in the request is expired
Could not assume role in target account using current credentials The security token included in the request is expired . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Getting the latest SSO credentials fixed the problem.
After deploying with --verbose I could see it was a clock issue in my case:
Assuming role failed: Signature expired: 20220428T191847Z is now earlier than 20220428T192528Z (20220428T194028Z - 15 min.)
I resolve the clock issue on ubuntu using:
sudo ntpdate ntp.ubuntu.com
which then resolves the cdk issue.
I need help with using keycloak in an Errai app. I am getting an error about "unknown authentication method" for "KEYCLOAK" ? I have the keycloak-appliance running (on a different port though), and the Errai app has a with KEYCLOAK in the web.xml file inside WEB-INF
When I run the Errai app with mvn gwt:run, I get : RuntimeException caused by "Unknown authentication mechanism KEYCLOAK". I have no idea how to go around this issue .
Just wanted to add a little more detail to #cfsnyder's answer. In order for your application server to recognize a definition in the web.xml that looks like this:
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>internal</realm-name>
</login-config>
you'll need to tell jboss (in this instance) how to interpret that particular auth method. At the time of my answer, this is in section 8.2 of the Keycloak docs.
First, download the keycloak adapter (remember, this is not the same as the Keycloak Server). Next, unzip the download in the wildfly home directory. With your application server running, just use the following command to install the Keycloak configuration into the appropriate files:
jboss-cli.sh -c --file=adapter-install.cli
When this script completes, your configuration file will have the new entry added to accommodate the KEYCLOAK entry in your web.xml. The script will add something like this to either a domain.xml or standalone.xml:
<security-domain name="keycloak">
<authentication>
<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
</authentication>
</security-domain>
Once you have the Keycloak module files provided by the adapter + the security domain configuration to link the KEYCLOAK method to the appropriate LoginModule, you should be all set.
You will need to install and configure the Wildfly adapter in order for your Errai app to recognize the "KEYCLOAK" authentication method. See section 7.2 of the Keycloak documentation.
To add to #josh-cain's answer, you might also need following additions in your domain.xml or standalone.xml:
To <extensions></extensions>, add:
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
To <profile></profile>, add:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
The adapter installation cli scripts can fail for various reasons so you might need to add these entries manually.
I'm using java and have deployed some applications on Google App Engine and trying to download the source code for one of the deployed applications using the command line tool appcfg however with no luck. It's not able to authenticate and I'm not able to figure out why ?
Here's the command that I'm using :
appcfg -A mailboxsigma download_app c:\users\rkumar2\desktop\destination
After issuing the command here's the output :
Oct 27, 2014 10:04:32 PM java.util.prefs.WindowsPreferences <init>
WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs at root 0
x80000002. Windows RegCreateKeyEx(...) returned error code 5.
0% Fetching file list...
Oct 27, 2014 10:04:35 PM com.google.appengine.tools.admin.AbstractServerConnecti
on send1
WARNING: Error posting to URL: https://appengine.google.com/api/files/list?app_i
d=mailboxsigma&
401 Unauthorized
Must authenticate first.
This is try #0
Email: raghvendra1669#gmail.com
Password for raghvendra1669#gmail.com:
Email:
As you can see in the output that after I enter my gmail credentials i.e email and password it starts asking again for the email so I do it again and upon repetitively entering the credentials it fails.
I checked my App Engine Console for correctness of the deployed application's identifier and found it to be correct. What am I missing here ?
Email: raghvendra1669#gmail.com
Password for raghvendra1669#gmail.com:
Email: raghvendra1669#gmail.com
Password for raghvendra1669#gmail.com:
Error Details:
Email "raghvendra1669#gmail.com" and password do not match.
Unable to fetch file list
.
Google disables login via apps deemed "less secure". This includes the appcfg in the SDK. What you can do is enable less secure apps.
Alternatively, you can use OAuth2.
As command line authentication has been disabled due to security reasons we can use OAuth2 for authentication. To use the same from the command line we need to indicate that we are going to use OAuth2 for authentication by passing an argument in the command--auth2.
So command would look something like this :
appcfg -A mailboxsigma --oauth2 download_app c:\users\rkumar2\desktop\destination
After issuing this command it opens up a authentication window in the browser and when you accept the authentication it will generate a key which you need to enter in the command prompt and your download starts.
Note : Downloading an app will downloads all .class files and not really the source files so you need to decompile using a suitable decompiler.
My institution requires me to periodically change my LDAP password.
In the past, I was able to perform the following steps to change my password:-
Create a Base64 encoded password at http://www.base64encode.org/
Edit /var/lib/jenkins/config.xml and change <managerPassword/>.
However, the recent version of Jenkins no longer use <managerPassword/>. Instead, I'm seeing <managerPasswordSecret/>.
I'm not sure how to generate the new secret password, so I did the following:-
Backup /var/lib/jenkins/config.xml first.
Edit /var/lib/jenkins/config.xml and change <useSecurity/> to false.
Restart Jenkins service.
Go to Jenkins.
Enable LDAP Security.
Enter new LDAP password.
Save it.
Open up /var/lib/jenkins/config.xml and copy <managerPasswordSecret/>.
Restore backup config file.
Replace <managerPasswordSecret/> with the new value.
This is incredibly convoluted.
Is there a more straightforward way for me to maintain my LDAP password change in the future?
Thanks much!
None of the above solutions worked for me with a newer version of Jenkins (2.78). What did work was putting the managerPasswordSecret in without any encryption. Once I ran Jenkins, the password got encrypted for me.
You can still use <managerPassword>.
Generate the new encoded password with
perl -e 'use MIME::Base64; print encode_base64("yourNewPassword");'
In your config.xml, find <hudson>/<securityRealm>/<managerPasswordSecret>. Change <managerPasswordSecret> to <managerPassword> (both before and after) and put the encoding from #1 between them. Save the file.
Restart jenkins
Login and using the UI, reset the LDAP Manager password to the same yourNewPassword. config.xml should now be back to <managerPasswordSecret>.
If you are paranoid (like me), restart jenkins again to use the newly modified config.xml.
I was trying to do same thing and this is simple solution (use from Jenkins console):
import com.trilead.ssh2.crypto.Base64;
import javax.crypto.Cipher;
import jenkins.security.CryptoConfidentialKey;
import hudson.util.Secret;
CryptoConfidentialKey KEY = new CryptoConfidentialKey(Secret.class.getName());
Cipher cipher = KEY.encrypt();
String MAGIC = "::::MAGIC::::";
String VALUE_TO_ENCRYPT = "";
println(new String(Base64.encode(cipher.doFinal((VALUE_TO_ENCRYPT + MAGIC).getBytes("UTF-8")))));
Decoding is simpler:
println(hudson.util.Secret.decrypt(HashFromConfigXmlHere));
Edit your config.xml file by hand.
If your Jenkins uses a <managerPasswordSecret> set of tags, put the new plain text password in there and Jenkins will read it. Once Jenkins starts up, go to the Configure System > Configure Global Security page and click Save. That will update that field with the encrypted version.
The current easiest and fastest solution (just worked for me) is from Cloudbees: simply enter the new password into the password field in the config.xml as plain text (not encrypted) then Jenkins will read that correctly. Once you start Jenkins and just re-save the Manage Jenkins -> Configure Global Security page
https://support.cloudbees.com/hc/en-us/articles/221230028-Changing-LDAP-Password
I tried solution provided by #alkuzad and its working fine. Just to clarify that you can't use Jenkins web Console when LDAP user password is expired. So what I did is as follow (I have groovy script plugin in Jenkins. I also provided run script access to anonymous user - not a good idea but it's the way I initially found to resolve this recurring issue).
Downloaded jenkins-cli.jar
put above code in GroovyPasswordClass.txt (not to forget using new password in place of VALUE_TO_ENCRYPT in code)
start jenkins server (its requirement to have jenkins running)
run below command from command prompt
java -jar jenkins-cli.jar -s groovy GroovyPasswordClass.txt
This will print encrypted password.
Better Option
Well, later I found better way to do authentication if directory service provider is MS Active Directory. In that case instead of LDAP plugin, I used Active Directory plugin for authentication. This I found better because
1) Response is faster when use Active directory plugin instead of generic LDAP protocol based plugin
2) Active Directory plugin uses user data with which Jenkins service was started and no need to configure any user account in Jenkins. So you will never have situation that your Jenkins login not working because user configured for ldap has expired password.
Hope this will help others trying to resolve this issue.