I have a API-kit project that incorporates spring security basic authentication. The application builds and runs successfully without MUnit tests. When including MUnit tests, it fails to build giving the following:
WARN 2019-07-09 11:21:18,619 [main] org.springframework.beans.factory.xml.XmlBeanDefinitionReader: Ignored XML validation warning
org.xml.sax.SAXParseException: schema_reference.4: Failed to read schema document 'http://www.mulesoft.org/schema/mule/spring-security/current/mule-spring-security.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
Running the MUnit tests themselves, all pass.
The flows that implement this security use the following:
<mule-ss:http-security-filter
doc:name="API Secutiry filter"
realm="mule-realm"
securityProviders="delegateSecurityProvider" />
where the security manager is defined as:
<mule-ss:security-manager
name="Spring_Security_Provider"
doc:name="Spring Security Provider">
<mule-ss:delegate-security-provider
name="delegateSecurityProvider"
delegate-ref="authenticationManager" />
</mule-ss:security-manager>
and the authentication manager is defined as:
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider>
<ss:user-service id="userService">
<ss:user
name="${gov.mt.dphhs.telcor.authentication.user}"
password="${gov.mt.dphhs.telcor.authentication.password}"
authorities="ROLE_ADMIN" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
The XML namespaces are as follows:
xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:ss="http://www.springframework.org/schema/security"
http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/current/mule-spring-security.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
Additional information:
<mule.version>3.8.0</mule.version>
<mule.tools.version>1.2</mule.tools.version>
<munit.version>1.3.7</munit.version>
Seems you are missing the spring-security module
<dependency>
<groupId>org.mule.modules</groupId>
<artifactId>mule-module-spring-security</artifactId>
<version>${mule.version}</version>
</dependency>
Related
We are performing load testing using tsung.
We were able to load test a HTTP end point without any headers.
But when add HTTP header, tsung is failing and not able to make the request.
I am unable to decipher from the tsung logs the issue. The format of the configuration tsung.xml is exactly as per the tsung help docs.
please find the below tsung.xml configuration we used and also error from logs,
tsung.xml
<sessions>
<session name="http-example" probability="100" type="ts_http">
<request>
<http url="http://172.17.0.1/api/test" version="1.1" method="GET">
<http_header name="Authorization" value="Bearer a3b84dd8-d8a3-4e37-9468-5244333df0e0"/>
</http>
</request>
</session>
</sessions>
tsungcontroller.log
** Reason for termination =
** {{case_clause,false},
[{ts_http_common,'-headers/1-fun-0-',2,
[{file,"src/tsung/ts_http_common.erl"},{line,224}]},
{lists,foldl,3,[{file,"lists.erl"},{line,1248}]},
{ts_http_common,http_no_body,2,
[{file,"src/tsung/ts_http_common.erl"},{line,75}]},
{ts_http,get_message,2,[{file,"src/tsung/ts_http.erl"},{line,130}]},
{ts_client,handle_next_request,2,
[{file,"src/tsung/ts_client.erl"},{line,798}]},
{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,505}]},
{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}
Please let me know what I am missing
I was using tsung 1.5.1 earlier. But the issue is resolved in 1.6 :) :)
I am able to add http headers.
We have our shared Ivy repository on an nginx web server reachable within our intranet.
I configured a url resolver to read from the shared repository and an ssh resolver to write to it, mostly following Jason Grimes' excellent blog post on managing dependencies in non-Java projects.
Now I just successfully published a module to the repository via the ssh resolver.
In my SFTP client I can see the directory structure and files sitting in the directory served by the web server:
com.organization/modulename/ivy-modulename-2.0.1.xml.md5
com.organization/modulename/ivy-modulename-2.0.1.xml.sha1
com.organization/modulename/ivy-modulename-2.0.1.xml
com.organization/modulename/modulename-2.0.1.zip.md5
com.organization/modulename/modulename-2.0.1.zip.sha1
com.organization/modulename/modulename-2.0.1.zip
However, when I execute ivy:listmodule it doesn't seem to find it. Frankly, it doesn't output anything apart from the ivysettings initialization output.
This is the Ant target I am executing:
<!-- ================================
target: check-already-in-repo
Check if the current version of a module already exists in the (shared) repository.
================================ -->
<target name="check-already-in-repo">
<ivy:listmodules resolver="shared" organisation="${ivy.organisation}" module="${ivy.module}" revision="${version}" property="already-in-repo" value="true"/>
<ac:if>
<isset property="already-in-repo"/>
<then>
<echo>${ivy.module} ${version} already exists in the repository.</echo>
<echo>Skipping publishing of ${ivy.module}.</echo>
</then>
</ac:if>
</target>
And this is the only output:
$ ant check-already-in-repo -Dversion=2.0.1 -Divy.organisation=com.organization -Divy.module=modulename
Buildfile: [...]/build.xml
check-already-in-repo:
[ivy:listmodules] :: Apache Ivy 2.4.0-rc1 - 20140315220245 :: http://ant.apache.org/ivy/ ::
[ivy:listmodules] :: loading settings :: file = [...]/build/ivysettings.xml
BUILD SUCCESSFUL
Total time: 0 seconds
I checked the value of ivy.shared.default.root and the corresponding ivy and artifact patterns and they're all matching (I kept them simple).
I tried it with the glob matcher and called ivy:listmodules with organization=*, module=* and revision=*, so it should in every case return something. Which it doesn't.
What do I miss?
Here's the rest of the relevant config:
<ivysettings>
<!-- This file is referenced from multiple projects - DO NOT EDIT! -->
<!-- shared -->
<property name="ivy.shared.default.root" value="http://10.79.1.30/ivy"/>
<property name="ivy.shared.default.ivy.pattern" value="[organisation]/[module]/ivy-[module]-[revision].[ext]"/>
<property name="ivy.shared.default.artifact.pattern" value="[organisation]/[module]/[artifact]-[revision].[ext]"/>
<!-- local -->
<property name="ivy.local.default.root" value="${ivy.default.ivy.user.dir}/local"/>
<property name="ivy.local.default.ivy.pattern" value="${ivy.shared.default.ivy.pattern}"/>
<property name="ivy.local.default.artifact.pattern" value="${ivy.shared.default.artifact.pattern}"/>
<settings defaultResolver="default"/>
<resolvers>
<filesystem name="local">
<ivy pattern="${ivy.local.default.root}/${ivy.local.default.ivy.pattern}" />
<artifact pattern="${ivy.local.default.root}/${ivy.local.default.artifact.pattern}" />
</filesystem>
<!-- read access -->
<url name="shared">
<ivy pattern="${ivy.shared.default.root}/${ivy.shared.default.ivy.pattern}" />
<artifact pattern="${ivy.shared.default.root}/${ivy.shared.default.artifact.pattern}" />
</url>
<!-- write access -->
<ssh name="ssh" host="10.79.1.30" port="22" user="ivy" userPassword="${ivy.ssh.password}" publishPermissions="0664">
<ivy pattern="${ivy.shared.default.ivy.pattern}" />
<artifact pattern="${ivy.shared.default.artifact.pattern}" />
</ssh>
<chain name="default" returnFirst="true">
<resolver ref="local"/>
<resolver ref="shared"/>
</chain>
</resolvers>
</ivysettings>
After executing the Ant target with the -d (debug) option something caught my eye:
$ ant check-already-in-repo -Dversion=2.0.1 -Divy.organisation=com.organization -Divy.module=modulename -d
[...]
[ivy:listmodules] using shared to list all in http://10.79.1.30/ivy/
[ivy:listmodules] HTTP response status: 403 url=http://10.79.1.30/ivy/
[ivy:listmodules] CLIENT ERROR: Forbidden url=http://10.79.1.30/ivy/
[ivy:listmodules] HTTP response status: 403 url=http://10.79.1.30/ivy/
[ivy:listmodules] CLIENT ERROR: Forbidden url=http://10.79.1.30/ivy/
[ivy:listmodules] problem while listing resources in http://10.79.1.30/ivy/ with shared (java.io.IOException: The HTTP response code for http://10.79.1.30/ivy/ did not indicate a success. See log for more detail.)
[ivy:listmodules] java.io.IOException: The HTTP response code for http://10.79.1.30/ivy/ did not indicate a success. See log for more detail.
[...]
It seems for listmodules to work, the web server needs to have directory listings enabled. And indeed, after adding
location /ivy {
autoindex on;
}
to the nginx config and restarting the web server it finally worked as expected!
$ ant check-already-in-repo -Dversion=2.0.1 -Divy.organisation=com.organization -Divy.module=modulename
Buildfile: [...]/build.xml
check-already-in-repo:
[ivy:listmodules] :: Apache Ivy 2.4.0-rc1 - 20140315220245 :: http://ant.apache.org/ivy/ ::
[ivy:listmodules] :: loading settings :: file = [...]/build/ivysettings.xml
[echo] modulename 2.0.1 already exists in the repository.
[echo] Skipping publishing of modulename.
BUILD SUCCESSFUL
Total time: 0 seconds
Hooray! :-)
We are trying to consume web service from orbeon client code. Everything works fine with one way SSL however we now wish to call the web service using 2 way SSL. We are able to call the web service using 2 way SSL successfully using the Apache CXF framework using Java code.
I followed the steps outlined in the Orbeon Wiki.
Changes made in properties-local.xml
<property as="xs:anyURI"
name="oxf.http.ssl.keystore.uri"
value="/apps/property/ClientStore.jks"/>
<property as="xs:string"
name="oxf.http.ssl.keystore.password"
value="password"/>
<property as="xs:anyURI"
name="oxf.url-rewriting.service.base-uri"
value="http://localhost:8085/Orbeon"/>
<property as="xs:anyURI"
name="oxf.fr.persistence.exist.uri"
value="http://localhost:8085/fr/service/exist"/>
<property as="xs:anyURI"
name="oxf.fr.persistence.exist.exist-uri"
value="http://localhost:8085/exist/rest/db/orbeon/fr"/>
After implementing the changes outlined above we are getting the exception below:
ERROR XFormsServer - xforms-submit-error - setting throwable {throwable:
"javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:488)
at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148
Java start up options are:
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.keyStore=/apps/property/DMClientStore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/apps/property/trustkeystore.jks
Questions:
Are these properties sufficient for enabling 2 way SSL?
For Apache CXF we need to provide two keystores, one with the client certificate and a truststore. Where do we configure both of these keystores for Orbeon?
I've been hopelessly trying for two complete days to expose a data source using HSQLDB through JNDI, through Jetty (8.1.8.v20121106). Most of the tutorials out there are out of date: For example http://dinukaroshan.blogspot.com/2012/04/setting-up-jndi-with-jetty-embedded.html uses Jetty 6, which is obvious from the package names that are used (Mortbay instead of eclipse), or they just concentrate on the jetty.xml and jetty-env.xml files, without giving any Java code samples on how did they consume the configuration files like this one:
http://wiki.eclipse.org/Jetty/Feature/JNDI#Example_Webapps
My best attempt at doing it has given me the following result:
java.lang.Exception: javax.naming.NameNotFoundException; remaining name 'env/jdbc/MySqlDS'
at wavemark.dcpcontroller.controllerws.db.DBProxy.getConnection(DBProxy.java:47)
at test.wavemark.dcpcontroller.controllerws.webservice.TestDCPControllerWS.getConnection(TestDCPControllerWS.java:97)
at org.dbunit.DatabaseTestCase.newDatabaseTester(DatabaseTestCase.java:85)
at org.dbunit.DatabaseTestCase.getDatabaseTester(DatabaseTestCase.java:109)
at org.dbunit.DatabaseTestCase.tearDown(DatabaseTestCase.java:164)
at test.wavemark.dcpcontroller.controllerws.webservice.TestDCPControllerWS.setUp(TestDCPControllerWS.java:33)
at junit.framework.TestCase.runBare(TestCase.java:132)
at junit.framework.TestResult$1.protect(TestResult.java:110)
at junit.framework.TestResult.runProtected(TestResult.java:128)
at junit.framework.TestResult.run(TestResult.java:113)
at junit.framework.TestCase.run(TestCase.java:124)
at junit.framework.TestSuite.runTest(TestSuite.java:232)
at junit.framework.TestSuite.run(TestSuite.java:227)
at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:83)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:49)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: javax.naming.NameNotFoundException; remaining name 'env/jdbc/MySqlDS'
at org.eclipse.jetty.jndi.NamingContext.lookup(NamingContext.java:505)
at org.eclipse.jetty.jndi.NamingContext.lookup(NamingContext.java:536)
at org.eclipse.jetty.jndi.NamingContext.lookup(NamingContext.java:551)
at org.eclipse.jetty.jndi.java.javaRootURLContext.lookup(javaRootURLContext.java:117)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
at wavemark.dcpcontroller.controllerws.db.DBProxy.getConnection(DBProxy.java:43)
... 19 more
My jetty.xml file is as follows:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<Configure id='wac' class="org.eclipse.jetty.server.Server">
<!-- ============================================================== -->
<!-- Add the DataSource(s) only valid for this webapp below -->
<!-- ============================================================== -->
<New id="MySqlDS" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg>jdbc/MySqlDS</Arg>
<Arg>
<Set name="driverClass">org.hsqldb.jdbcDriver</Set>
<!--<Set name="url">jdbc:hsqldb:sample</Set>-->
<Set name="user">sa</Set>
<Set name="password"></Set>
</Arg>
</New>
</Configure>
I added the following to my web.xml (This happens to be an axis2 web application):
<resource-ref>
<res-ref-name>jdbc/MySqlDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
And this is the Java code I'm using to consume the Jetty configuration:
public ServerManager(int webServerPort,String jettyConfigurationsFilePath, String webApplicationPath) throws Exception
{
System.out.println("Initializing server");
this.webServerPort = webServerPort;
this.webApplicationPath = webApplicationPath;
server = new Server(webServerPort);
XmlConfiguration configuration = new XmlConfiguration(new File(jettyConfigurationsFilePath).toURI().toURL());
configuration.configure(server);
System.out.println("Finished configuring Jetty Server...");
System.out.println("Server initialized");
System.out.println("Server state is now " + server.getState());
WebAppContext webapp = new WebAppContext();
webapp.setContextPath("/");
webapp.setWar(webApplicationPath);
server.setHandler(webapp);
}
What am I doing wrong? Is there an up-to-date tutorial that would allow me to use HSQLDB as my DBMS, JNDI to expose the data source, and Jetty8?
Thanks a lot for the help.
This is not a complete answer, but something obvious in the second wiki link you provide is the use of a DataSource. An instance of javax.sql.DataSource is created. The settings for HSQLDB are like this, when it is used instead of Derby in the given example:
<Configure id='wac' class="org.eclipse.jetty.webapp.WebAppContext">
...
<New id="myds" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg><Ref id="wac"/></Arg>
<Arg>jdbc/mydatasource</Arg>
<Arg>
<New class="org.hsqldb.jdbc.JDBCDataSource">
<Set name="DatabaseName">file:mytestdb</Set>
<Set name="User">SA</Set>
<Set name="Password"></Set>
</New>
</Arg>
</New>
</Configure>
I'm using the Spring Security SAML 2.0 sample webapp on Tomcat 7 and have modified it to try to get it to authenticate against a Ping Identity service. The webapp is talking to the service and it's sending back an assertion, but it's failing when trying to verify the signature, as shown by the debug output below:
- Attempting to verify signature and establish trust using KeyInfo-derived credentials
- Signature contained no KeyInfo element, could not resolve verification credentials
- Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
- Attempting to verify signature using trusted credentials
- Failed to verify signature using either KeyInfo-derived or directly trusted credentials
- Validation of received assertion failed, assertion will be skipped
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
I understand that it's not able to verify the signature, and I have been given a certificate by the Ping Identity admins to use, but I'm unsure of how to include it in the application. I've tried adding it to the JKS (keystore) that comes with the sample application using the JDK's keytool program, but it can't seem to find it in there. I've also tried adding it to the service provider's metadata xml file like this:
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
[Certificate is here...]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
However it still returns the same error.
Is there a specific place I should put the certificate in order to validate the signature? I'm relatively new to SAML and application security in general, so I apologise if I'm using the wrong terminology.
Finally got this to work. Turns out I'd missed out a line of configuration in the security context file, and that (it appears as though) no X509 certificate definition was needed in the service provider's metadata XML file.
Basically I'd already imported the public key I'd been provided with into the existing JKS (using keytool), but I hadn't told the application to specifically use this. In order to do this, I had to go into the security context file (in my case "securityContext.xml") and add the following line to the ExtendedMetadata bean definition for the SP's metadata xml file:
<property name="signingKey" value="[alias of the provided key in the JKS goes here]"/>
Hence after this modification, the ExtendedMetadataDelegate bean definition looked like this:
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:security/[Path to SP metadata xml file].xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool" />
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="alias" value="[SP alias goes here]" />
<property name="signingKey" value="[alias of the provided key in the JKS goes here]"/>
</bean>
</constructor-arg>
</bean>
Hope this helps anyone who might be in a similar situation.
In spring boot it can be configured in the assertingparty configuration
spring:
security:
saml2:
relyingparty:
registration:
yourrequestissuerid:
assertingparty:
verification:
credentials:
- certificate-location: "classpath:idp.crt"