I have installed the below plugins
compile 'org.grails.plugins:spring-security-core:3.1.1'
compile "org.grails.plugins:spring-security-oauth2:1.1.0"
compile "org.grails.plugins:spring-security-oauth2-google:1.1.0"
Spring security core is working properly.
But I am having issues in implementing the oauth-google authentication.
The plugin documentation says we need to pass the api_key and api_secret. I have created a project in console.developers.google.com and have created the API Key and Oauth Keys, I am confused on which values to use in the application.yml.
Because as per console.developers.google.com the API key and Oauth Key are separate credentials.
Any suggestion on from where to get and how to set the below values would be helpful.
api_key: 'AIzaSyBjfn345tg6j0ol1e89kHMOY'
api_secret: 'xseettDDNtjjuutrfuAFTe4d'
successUri: "/oauth2/google/success"
failureUri: "/oauth2/google/failure"
callback: "/oauth2/google/callback"
scopes: "some_scope"
api_key and api_secret
I took those keys from console.cloud.google.com/
API Manager > Credentials > Create / Edit the entry
then Client ID and Client Secret are the needed values. Other parameters are paths within the Grails app itself, I believe you can change those if you want to override the default behaviour of the plugin.
But there's more ...
Remember about whitelisting your callback address (done on the very same panel). For local connection I set it (on Google API Manager) as
http://localhost:8080/oauth2/google/callback
Remember that apart of calling grails s2-quickstart com.yourapp User Role you need to call also grails init-oauth2 ... (described here - https://github.com/MatrixCrawler/grails-spring-security-oauth2).
Next thing I had to was to override the default login page to be able to display the link mentioned here https://github.com/MatrixCrawler/grails-spring-security-oauth2-google <oauth2:connect provider="google" id="google-connect-link">Google</oauth2:connect>. The default ones are here https://github.com/grails-plugins/grails-spring-security-core/tree/master/grails-app/views/login you just have to copy them to grails-app/views/login/ and modify them.
Next problem was that script from point 2 didn't add static hasMany = [oAuthIDs: OAuthID] field to User domain, which caused the ask view submit to crash.
After that, the Google Oauth2 authentication worked for me.
Related
I am working on SSO authentification system using SAML2 protocol. Since i do not have the real IDP informations yet, i needed test environment so i used this docker image which worked like a charm. I am able to access it through localhost:8080 without any problem and also to log in with test account.
But then, when i try to log into my SP (the website i am working on), though i am well redirected to the idp at localhost:8080/simplesaml/saml2/idp/SSOService.php, i got an error telling me metadata not found. here is the stack trace :
SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'\'')
Backtrace:
3 lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:300 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
2 lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:320 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
1 modules/saml/lib/IdP/SAML2.php:330 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 www/saml2/idp/SSOService.php:19 (N/A)
Did anybody ever faced the same one ? Because i don't really understand where SimpleSAMLphp try to get those metadata.
NOTE :
I am manually able to find metadata at localhost:8080/simplesaml/saml2/idp/metadata.php
It is an old project i am working for and it is a fork of symfony 1 so i can't use more recent plugins. So for SSO i use this plugin on service provider side.
Finally solved. The Authn Request i sent contained empty "issuer" field and this one was needed on idp side since simpleSAMLphp seemes to store SP Metadata in an array like Metdata['spName']. So of course their was no entry for the empty string as key.
I have a Spring Cloud Config app with the Spring Cloud Security dependencies. I'm trying to hit the /encrypt endpoint to encrypt a password.
According to the docs at http://cloud.spring.io/spring-cloud-config/spring-cloud-config.html#_key_management I believe I need to set a symmetric key using "encrypt.key". But I can't figure out where to put this; all combinations I've tried result in {"description":"No key was installed for encryption service","status":"NO_KEY"} when I attempt to POST to /encrypt.
If I POST a key to /key, the /encrypt works perfectly, so I'm pretty sure that everything else is setup correctly. It also works fine using the environment variable ENCRYPT_KEY, or by using a system property encrypt.key. I just can't figure out where to place the encrypt.key within a configuration file. Is there a sample on this?
Thanks #pVilaca, this is indeed what the documentation says, but setting the key in application.properties or application.yml won't work.
Through experimentation I've found that the only place you can set the encrypt.key property is an ENCRYPT_KEY environment variable, a system property, bootstrap.properties, bootstrap.yml, or calling the /key endpoint.
Not sure why application.properties or application.yml don't work in this case. Setting this key must have more of an impact on the startup process than it would appear.
Setting Spring Cloud Version to 'Brixton.SR5' worked for me. For some reason, setting 'encrypt.key' in either application.properties/yml or bootstrap.properties/yml in later Spring Cloud Version does not work anymore.
check properties tag of pom.xml file. If you are using version 2 or 3 of Dalston, change it to:
<spring-cloud.version>Dalston.SR1</spring-cloud.version>
and it should be working fine. In my case i was using version 3 and changing it to version 1 resolved the issue for me.
Reference:
https://github.com/spring-cloud/spring-cloud-config/issues/767
If you're using spring cloud with spring boot, that is the method that is described on the documentation that you mentioned, you've two 'main' properties files.
bootstrap.[properties,yml]
To modify the startup behaviour you can change the location of the config server using bootstrap.properties (like application.properties but for the bootstrap phase of an application context)
application.[properties,yml]
where the "application" is injected as the "spring.config.name" in the SpringApplication (i.e. what is normally "application" in a regular Spring Boot app)
source: Spring Cloud Config Documentation
So, it should be enough to set the encrypt.keyin your application.[properties,yml] file (or the alternative name if specified)
I am developing test application for displaying claims of authenticated identity in MVC-ASP.net (Visual studio 2013)
I have given authentication from active directory in following way.
1.Add new mvc project in solution .
2.click on Change authentication.
3.select organization account
4.select on premises.
5.given federation url
6.App Id url
After running the application i am getting following error.
WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'http://websso.avanade.com/adfs/services/trust'
This error is coming only for this federation for other federation i am able to see claims.
After searching on internet i am thinking that it is certificate(thumbprint) issue.
But I am not clear with solutions.
Can anybody explain me why this error throwing and solution for the same.
Thanks in Advance !!!
There could be 2 causes for this error.
Missing thumbprint in web.config: Get the actual thumbprint from ADFS and put in web.config under the thumbprint tag
Mismatch in port number between the site and ADFS configuration: Update ADFS configuration with the url containing the correct port number
The second solution fixed it for me...
I ran into this while trying to update a legacy MVC application to use AAD.
I based the changes on a newly created project with organizational authentication and noticed I did not have a connection string named DefaultConnection, which the DatabaseIssuerNameRegistry assumes you will, nor did I have either of the required tables in the database.
Using Vittorio Bertocci's great post with all the details, I refactored the code to integrate the new database tables, created and applied a migration, and inserted the appropriate key and tenant in the new IssuingAuthorityKey and Tenant tables, respectively. I also had to make sure to change the DatabaseIssueNameRegistry to use the existing DbContext.
For solutions created in VS2013 and later, the solution should contain the logic to roll over keys automatically. No need to put the value in the web.config file.
You might run into this issue when migrating your solution from local to another environment. In that case you will probably try to point your solution to a new application in Azure Active Directory. Check the following:
Make sure all urls in the web.config are pointing to the correct url not the one automatically generated when you set it up locally
Remove all enteries from IssuingAuthorityKeys table. The keys will autopopulate when you re-build the solution and run it. On the server you might need to replace the dlls manually for it to refresh
Last and most important, delete all rows from the Tenants table. On the first run on the new environment, an Admin from the owning Active Directory has to sign up and authorize the application.
If the values in both tables are still not populated automatically after these steps, check this article for steps on how to manually get the values.
Thumbprints and server names are case sensitive in web.config. make sure they are typed correctly and restart IIS.
It fixed my issue.
So I have an application that works perfectly on my desktop, and also works perfectly when deployed to tomcat on a windows machine. However, when I attempt to use this application while deployed on the same version of tomcat, but on AIX, it fails to retrieve data out of LDAP.
A user is able to successfully authenticate, but the context is null. DirContextOperations is passed into my ContextMapper as null. Does anyone know what ports that need to be open to get this data or what other configuration may need to be done? Based on what I am seeing it has to be a server configuration issue somewhere.
If you are using Spring Security LDAP plugin then it will be easy to co-relate the below mentioned configuration in AIX with the app. I prepared few snapshots for the configuration so that I do not clutter the answer space here. Have a look at LDAP config in AIX and try to setup the same in AIX Server.
Now coming to the LDAP plugin, there is nothing much other than setting up a bunch of properties is required. Values for these properties will be available once the LDAP configuration is done in AIX (as mentioned in the above mentioned slide).
Note:-
After creating a standalone LDAP, you might need to add realm if the user is associated to a group. I have not mentioned the same in the slides since I do not have an active LDAP host available now.
UPDATE
Instead of using BindAuthenticator can you try switching to PasswordComparisonAuthenticator for authentication.
Using the below setting in Config forces to use PasswordComparisonAuthenticator to authenticate and return back the DirContextOperations. Can this setting be tried?
grails.plugins.springsecurity.ldap.authenticator.useBind = false
#Refer LdapAuthentication Implementations.
I am not sure if this will be the answer in your case. I was also getting null in DirContextOperations object when trying to obtain values from Active Directory.
I was trying to get ldap attributes like this as the Grails LDAP plugin Documentation states:
String mail = ctx.originalAttrs.attrs['mail'].values[0]
and all those were null. So I have changed the line above for this one instead and it works for me:
String mail = ctx.attributes.getAt('mail').values[0].toString()
I have just started using grails and installed the spring-security and spring-security-ui plugins. I am following the tutorial given here. The application starts with one bootstrapped user me with ROLE_ADMIN permission.
With the UI override scripts I was able to get the register functionality up and running and it works all right. Now, I have installed the User Management scripts (grails s2ui-override user) to try adding, editing, removing users.
A new user gets created fine, I have checked this against the HSQLDB instance. However, if I now log-out from the application and try to login with the newly created user the application tells me that it is unable to find a user with the provided username and password.
I haven't modified the default logout handling so am using /j_spring_security_logout which as the documentation says invalidates the session.
Is this a know issue? If so how can I get around this or if not how can I debug this issue?
EDIT:
This issue is also persisting without the UI addition. Register as a new user. Once you finish e-mail verification you are auto-logged in to the site. Now logout and try to login in back again. It gives the same error.
FINAL EDIT:
The UI plugin comes with the RegisterController that still encodes the password. However, the newer domain classes that come with the core are also doing this and the recommended practice is that controllers shouldn't. I commented out a line that does the encoding and the login/logout works now at least for the basic scenario.
There is a warning on that tutorial
Earlier versions of the plugin didn't include password encryption logic in the domain class, but it makes the code a lot cleaner.
I am guessing security-ui plugin does not know about that change, and comparing unencrypted password with the encrypted one on the database.
l managed to fix my problem. The problem was double encryption. Under the spring security ui in the user controller on line 41 the password was being encrypted and then again by the domain class so on login it was comparing a double encrypted password and a single encrypted password. To solve the problem l just commented out line 41 in the user controller which was encrypting the password
EDIT: If you have trouble figuring out where one would go to edit the controller, you can find the source code of the downloaded plugins in your user home's
/.grails/version/projects/projectname/plugins
directory for editing (at least on Mac / Linux, dunno where you'd find it in windows).