I am using IdentityServer3(build 2.3.0.0) and Enterprise library for logging.
Currently, I have log options set as following
var options = new IdentityServerOptions
{
LoggingOptions = new LoggingOptions()
{
EnableHttpLogging = false,
EnableKatanaLogging = false,
EnableWebApiDiagnostics = false,
WebApiDiagnosticsIsVerbose = false
},
EventsOptions = new EventsOptions()
{
RaiseErrorEvents = true,
RaiseFailureEvents = true,
RaiseInformationEvents = false,
RaiseSuccessEvents = false
}
}
Above configuration does not disable logging of following entries
Returning token response.
End token request
Creating JWT access token
Setting a sliding lifetime: 29100
Creating refresh token
Creating access token
Processing token request
Creating token response
Start password token request validation
Start token request validation
Client validation success
Secret validator success: HashedSharedSecretValidator
Secret id found: JSApp
Parser found secret: PostBodySecretParser
Start parsing for secret in post body
X.509 certificate not found.
Start parsing for X.509 certificate
Start client validation
Start token request
CorsPolicyService allowed origin
How to disable above logging and just allow error logs entries only?
This is just a matter of configuring your logging framework to not display INFO logging. Instead log ERROR and FATAL only.
If you want to disable logging altogether you can configure the NoopLogger for LibLog like:
LogProvider.SetCurrent(new NoopLogProvider());
https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Logging/NoopLogProvider.cs
I have figured out how to configure EntLib configuration to avoid informational logging.
If CategoryFilter is used as a logFilter then you can disable Information logging by setting switchValue to Warning(or any other value per your need).
<add switchValue="Warning" name="Information">
<listeners>
<add name="Database Trace Listener" />
</listeners>
</add>
If PriorityFilter is being used as logFilter, then one thing to note is that LibLog doesn't set priority parameter for LogEntry.
So, EntLib defaults priority to "-1".
But, EntLib does not filter LogEntries with priority with -1(even if minimumPriority is set to "-1").
https://msdn.microsoft.com/en-us/library/dn440731(v=pandp.60).aspx
So, in this case logEntires endup at special category source
<specialSources>
<allEvents switchValue="All" name="All Events" />
<notProcessed switchValue="Warning" name="Unprocessed Category">
<listeners>
<add name="Database Trace Listener" />
</listeners>
</notProcessed>
<errors switchValue="All" name="Logging Errors & Warnings"/>
</specialSources>
Here, set notProcessed category's switchValue to Warning to avoid informational logging.
Related
I have a subflow that ensures an OAuth access token is current. The token value is saved in an object store that expires the entry shortly before it times out. When expired, a new token value is retrieved and placed in the object store.
I didn't find any straightforward examples of a Mule v3 methodology to refresh a token that utilizes an object store, so here's the code, if anyone's interested.
<sub-flow name="get_token">
<objectstore:retrieve config-ref="TokenStore" key="StatusToken" defaultValue-ref="#['expired']" targetProperty="StatusToken" doc:name="Get token from Object Store"/>
<choice doc:name="Expired?">
<when expression="#[flowVars.StatusToken == 'expired']">
<set-payload value="#[{'grant_type':'refresh_token', 'refresh_token':'${RefreshToken}'}]" doc:name="Set payload for token refresh"/>
<http:request config-ref="HTTP-Token" path="${tokenPath}" method="POST" doc:name="Get new token">
<http:request-builder>
<http:header headerName="Content-Type" value="application/x-www-form-urlencoded"/>
</http:request-builder>
</http:request>
<dw:transform-message doc:name="Write token to flowVar">
<dw:set-variable variableName="StatusToken">
<![CDATA[
%dw 1.0
%output application/java
---
payload.access_token
]]>
</dw:set-variable>
</dw:transform-message>
<objectstore:store config-ref="TokenStore" key="StatusToken" value-ref="#[flowVars.StatusToken]" doc:name="Put token to Object Store"/>
</when>
<otherwise>
<set-variable variableName="Useless" value="#['']" doc:name="Useless placeholder"/>
</otherwise>
</choice>
</sub-flow>
The flow works well as designed, but here's my question. A choice router checks to see if the token has expired. There is no action required otherwise, and the flow errors out if the default path is empty. What's the simplest element to minimize processing and any resource utilization on the default path?
Following Ryan Carter's comment, this could be marked as a duplicate, but not really.
Here's the link:
How do I implement IF in mulesoft
Summary
Mule 4:
The <otherwise> tag is not needed
Mule 3:
A component is needed. I tend to use Logger with the level of TRACE, since log4j2 is smart and won't substitute parameters if the level is set to DEBUG and higher. However, if you really need to debug a flow, it would be good to see that it got routed correctly.
I've an issue on this feature.
SignIn action works well with ADFS and return to AuthServices/Acs
But Logout action don't call ADFS and redirect directly to returnUrl parameters (checked it with fiddler).
I'm calling this link : /AuthServices/Logout?ReturnUrl=~/&Status=LoggedOut
web.config is set up as this :
<kentor.authServices entityId="https://localhost:2181/AuthServices" returnUrl="https://localhost:2181/">
<identityProviders>
<add
entityId="https://ADFS DOMAIN/adfs/services/trust"
signOnUrl="https://ADFS DOMAIN/adfs/ls"
logoutUrl="https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0"
binding="HttpPost"
allowUnsolicitedAuthnResponse="true"
metadataLocation="https://ADFS DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml"
wantAuthnRequestsSigned="true">
<signingCertificate fileName="~/App_Data/*****.cer" />
</add>
</identityProviders>
</kentor.authServices>
If I launch https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0 on another tabs, it is working, I return on signin page from my website.
So it seems to be an internal issue to retrieve logouturl and send it ?
Thanks for helps.
There are a number of requirements that need to be met before logout request will be issued:
You need to have a http://kentor.se/AuthServices/LogoutNameIdentifier claim and its issuer has to match the IDP that you're trying to logout from.
You need to have http://kentor.se/AuthServices/SessionIndex claim.
Your AuthServices IDP configuration needs a logoutUrl (I see you've specified this but probably it's easier to let AuthServices read it from the metadata)
You have specified a ServiceCertificate with either Signing or Both usage (i.e. not just Encryption)
Your AuthServices IDP configuration has DisableOutboundLogoutRequests =
false (this is the default)
Missing claims (first two points) is the most likely issue if you have some claims transformation happening during login or you are not retaining the original ClaimsIdentity. See also the documentation regarding ClaimsAuthenticationManager, e.g. https://github.com/KentorIT/authservices/blob/master/doc/ClaimsAuthenticationManager.md
You can turn on logging and see which of these points are failing:
https://github.com/KentorIT/authservices/blob/v0.21.2/Kentor.AuthServices/WebSSO/LogOutCommand.cs#L155-L170
We have a Google Gadget that connects to Fusion Tables through the Fusion Table API with the user’s Google Account. It performs SELECT and INSERT.
We built the gadget using OAuth1 (shindig library for opensocial). It worked fine for the deprecated version of the Fusion Table API. When we migrated it to the new PAPI, the select qworks fine because authentication with OAuth2 is not necessary. For the INSERT however, it is necessary. The documentation for opensocial has not been completely updated:http://docs.opensocial.org/display/OSREF/OpenSocial+Specification+Considerations
I cannot figure out how to successfully use OAuth2 to perform an Insert. We have the API privileges to read/write at the domain level and the user has owner privileges to the Fusion table.
The error I am getting is saying “Invalid Credentials” Pretty vague and I cannot tell why.
Here is our gadget header:
<OAuth>
<Service name="google">
<Access url="https://www.google.com/accounts/OAuthGetAccessToken" method="GET" />
<Request url="https://www.google.com/accounts/OAuthGetRequestToken?scope=https://www.googleapis.com/auth/fusiontables%20https://docs.google.com/feeds/default/private"
method="GET" />
<Authorization url="https://www.google.com/accounts/OAuthAuthorizeToken?oauth_callback=http://oauth.gmodules.com/gadgets/oauthcallback" />
</Service>
</OAuth>
I am not sure exactly how to update, so I added another header:
<OAuth2>
<Service name="google">
<Authorization url="https://www.google.com/accounts/OAuthAuthorizeToken?oauth_callback=http://oauth.gmodules.com/gadgets/oauth2callback" />
</Service>
</OAuth2>
When we make the call, we do the following:
options = {};
options[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.TEXT;
options[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
options[gadgets.io.RequestParameters.POST_DATA] = postData;
options[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.OAUTH2;
options[gadgets.io.RequestParameters.HEADERS] = {'Authorization':'{encrypted fusiontable key}'}; //not sure if this helps but its extra
options[gadgets.io.RequestParameters.OAUTH_SERVICE_NAME] = "google";
options[gadgets.io.RequestParameters.OAUTH_USE_TOKEN] = "always";
URL = https://www.googleapis.com/fusiontables/v1/query?key={encrypted fusiontable key} &client_id={id number}”;
postData=”sql=INSERT…”;
gadgets.io.makeRequest(URL, handlerWrapper, options);
Thanks!
If you're doing a write request, you will need to supply the oauth token that encodes the user's permission to access the table. It looks like this might be in gadgets.io.RequestParameters.OAUTH_REQUEST_TOKEN. The key is used for read access from public tables. Also, you may need to set the OAUTH_SERVICE_NAME to "fusiontables".
What I am doing is I set both alfresco and share to session time out time 60 minutes in their web.xml file.
My scenario is
When I want to start a workflow in Start Workflow page, I fill all
necessary data but do not click "Start Workflow" button.
After session time out, I click this "Start Workflow" button.
At the first time, authentication box opens and request for username
and password.
I filled user name and password of another user.
It starts a workflow with the authenticated another user.
Other times for session timeout, it does not request authentication
box, but acts for previously requested authenticated user.
So I think Why does it happen??? Is it because of cookie??
Currently there are four cookies used, namely alfLogin, alfUsername2, JSSESSIONID, _alfTest. Only when user is logged out, alfUsername2 cookie is deleted and others are remained.alfLogin and alfUsername2 cookies' expire time is 7 days and other cookie are depends on session.
Can alfresco web script still be used after session timeout? If so, how can I avoid this condition?
Although I have to answer my own question, I just want to share my result. I have to trace much. But answer is so simple.
Firstly, it is not because of cookie.
This answer is not only just for clicking "Start Workflow" button but also calling alfresco webscript after session time out in share.
All calling to alfresco webscript is done by EndPointProxyController specifically org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController in spring-webscripts-1.0.0-sources.jar.
In handleRequestInternal method if there is no session and basicHttpAuthChallenge is true, basic authentication box is shown as below.
else if (this.basicHttpAuthChallenge || descriptor.getBasicAuth())
{
// check for HTTP authorisation request (i.e. RSS feeds, direct links etc.)
String authorization = req.getHeader("Authorization");
if (authorization == null || authorization.length() == 0)
{
res.setStatus(HttpServletResponse.SC_UNAUTHORIZED,
"No USER_ID found in session and requested endpoint requires authentication.");
res.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco\"");
// no further processing as authentication is required but not provided
// the browser will now prompt the user for appropriate credentials
return null;
}
else
{
// other coding
}
We can avoid this condition as
in endpointController of slingshot-application-context.xml, change
basicHttpAuthChallenge to false.
Like
<!-- Override EndPointProxyController to enable Basic HTTP auth challenge on 401 response -->
<bean id="endpointController" class="org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController">
<property name="cacheSeconds" value="-1" />
<property name="useExpiresHeader"><value>true</value></property>
<property name="useCacheControlHeader"><value>true</value></property>
<property name="configService" ref="web.config" />
<property name="connectorService" ref="connector.service" />
<property name="supportedMethods"><null/></property>
<property name="basicHttpAuthChallenge"><value>false</value></property>
</bean>
I'm using Spring Security 3 and my ApplicationContext-Security.xml specifies
<form-login login-page="/genesis" default-target-url="/diagnostics/start-diagnostics"
authentication-failure-url="/genesis?authfailed=true"
authentication-success-handler-ref="customTargetUrlResolver"/>
<access-denied-handler error-page="/genesis?notauthorized=true"/>
<logout logout-success-url="/genesis"/>
<session-management session-authentication-error-url="/genesis">
<concurrency-control max-sessions="1"/>
</session-management>
However when I log into my app in a second browser, then return to my first browser as soon as I try to do anything I get a plain white screen with the message "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user"
How do I configure Spring Security 3 to display my own "you've been disconnected" URL?
You can either:
force concurrency filter to throw authentication exception (and it'll be handled by <form-login>),
provide your own session-expired page.
These situations are described here in Spring Security manual:
<concurrency-control> Attributes
error-if-maximum-exceeded
If set to "true" a SessionAuthenticationException will be raised when
a user attempts to exceed the maximum allowed number of sessions. The
default behaviour is to expire the original session.
expired-url
The URL a user will be redirected to if they attempt to use a session
which has been "expired" by the concurrent session controller because
the user has exceeded the number of allowed sessions and has logged in
again elsewhere. Should be set unless exception-if-maximum-exceeded is
set. If no value is supplied, an expiry message will just be written
directly back to the response.
Also check ConcurrentSessionFilter and ConcurrentSessionControlStrategy for more details.
Answering your question: in your config you should have something like this:
<session-management session-authentication-error-url="/genesis">
<concurrency-control max-sessions="1" expired-url="/sessionExpired.jsp" />
</session-management>
Note that expired-url is not the same as session-authentication-error-url.