In the earlier version of the RC2 I was able to format my ACS url to:
/saml/SSO/alias/defaultAlias
This has been taken out in the release version. What do I set the ACS url on my IDP server to hit the only or default provider on the SP side?
The default URL is now simply /saml/SSO.
The alias feature is still available and supported - you can set it on MetadataGeneratorFilter's bean MetadataGenerator - ExtendedMetadata - property alias.
You can find an overview of changes between RC2 and FINAL in the manual chapter 'Important code changes', including guidelines on achieving backwards compatibility.
Everything was fine with Swagger until I added an authorization policy in the StartUp class:
options.AddPolicy("requiredRoleType", policy => policy.RequireRole());
The problem: Swagger is inaccessible because of this policy. I've tried to move services.AddSwaggerGen to a different position in the order but the problem remains.
Any way to make Swagger bypass authorization policies?
(using .NET 5.0 and Swashbuckle.AspNetCore 6.0.7)
I solved the issue by using Authorization Requirements as described in the official documentation:
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-5.0
In this case Swagger is not affected by Authorization Requirements.
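As an added illustration (not the poster's code) of the requirement-based approach the answer points to: a custom requirement and handler are registered, the named policy is applied only to the API endpoints, and the Swagger middleware is wired outside the endpoint pipeline. It assumes .NET 5 with Swashbuckle.AspNetCore; the requirement and handler names and the role names are hypothetical.

```csharp
// Added example, not code from the original question or answer.
// Assumes .NET 5 + Swashbuckle.AspNetCore; RoleTypeRequirement/RoleTypeHandler
// and the role names are hypothetical.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Requirement: the caller must hold at least one of the listed roles.
public class RoleTypeRequirement : IAuthorizationRequirement
{
    public string[] AllowedRoles { get; }
    public RoleTypeRequirement(params string[] allowedRoles) => AllowedRoles = allowedRoles;
}

// Handler: marks the requirement as satisfied only when a role matches;
// not calling Succeed leaves the request forbidden.
public class RoleTypeHandler : AuthorizationHandler<RoleTypeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, RoleTypeRequirement requirement)
    {
        if (requirement.AllowedRoles.Any(context.User.IsInRole))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddSwaggerGen();
        services.AddSingleton<IAuthorizationHandler, RoleTypeHandler>();
        services.AddAuthorization(options =>
        {
            // A named policy is enforced only where it is referenced,
            // not globally and not on Swagger.
            options.AddPolicy("requiredRoleType",
                policy => policy.AddRequirements(new RoleTypeRequirement("Admin", "Auditor")));
        });
        // Authentication scheme registration (e.g. AddJwtBearer) omitted.
    }

    public void Configure(IApplicationBuilder app)
    {
        // Swagger is plain middleware, not a routed endpoint, so endpoint
        // authorization policies never apply to it.
        app.UseSwagger();
        app.UseSwaggerUI();

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            // Only the API controllers get the policy.
            endpoints.MapControllers().RequireAuthorization("requiredRoleType");
        });
    }
}
```

The practical check: if Swagger is still blocked, the policy is being applied globally somewhere else, typically via `options.FallbackPolicy`, `options.DefaultPolicy`, or a global `AuthorizeFilter` in `AddControllers`; a named policy attached with `RequireAuthorization(...)` reaches only the endpoints it is attached to.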
I am upgrading a resource server that accepts access tokens from our oAuth server. In .NET 4.7, I had a startup configuration that looked like this:
appBuilder.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
When I add the NuGet package 'Microsoft.Owin.Security.OAuth', I get a warning that the package is not compatible with the target .NETCoreApp. Makes sense, but I'm not sure what the new package is.
I thought the package I needed was 'Microsoft.AspNetCore.Authentication.OAuth'. That allows me to add to startup:
services
.AddAuthentication(OAuthDefaults.DisplayName)
.AddOAuth("Bearer", options => options.AuthorizationEndpoint = "uhhh" );
Why would I be configuring an endpoint, I just want to look for an authorization token, not actually serve them up. This looks like the setup for an oAuth server, not a recipient. Also, the old 'OAuthBearerAuthenticationOptions' class allowed me to override things like 'AccessTokenFormat' but I'm not seeing that in the new options.
Lastly, I see that there is the option to configure oauth this way:
app.UseOAuthAuthentication
But it complains that it's Obsolete, looks like a Core 1 version of 'AddOAuth', and nothing about AccessTokenFormat.
Any ideas?
Core does not provide a direct replacement for those APIs or their associated token server. The current guidance is that you use a server like IdentityServer4 along with AddJwtBearerAuthentication.
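For concreteness, here is an added example (not code from the question or the answer) of what the bearer-token side of a .NET 5 resource server looks like with the JWT bearer handler, i.e. the replacement for the OWIN `UseOAuthBearerAuthentication` call in the question. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package; the authority URL and audience value are placeholders.

```csharp
// Added example, not code from the original post. Assumes .NET 5 with the
// Microsoft.AspNetCore.Authentication.JwtBearer package installed.
// "https://auth.example.com" and "my-resource-api" are placeholder values.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The handler fetches {Authority}/.well-known/openid-configuration
                // for the issuer and signing keys. No AuthorizationEndpoint is
                // configured: this service only consumes tokens, it never issues them.
                options.Authority = "https://auth.example.com";
                options.Audience = "my-resource-api";
                options.RequireHttpsMetadata = true;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    // Default skew is 5 minutes; tighten it for short-lived tokens.
                    ClockSkew = TimeSpan.FromSeconds(30)
                };
            });

        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        // Every controller endpoint requires a validated bearer token.
        app.UseEndpoints(endpoints => endpoints.MapControllers().RequireAuthorization());
    }
}
```

On the `AccessTokenFormat` question: the JWT bearer handler only understands JWTs. If the existing OAuth server hands out opaque or custom-format tokens, the closest equivalent in .NET 5 is replacing the entries in `options.SecurityTokenValidators` with your own `ISecurityTokenValidator`, or validating the token through the server's introspection endpoint instead of locally.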
I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage).
I have my own list of enum-backed Permissions that I use to populate my list of authorities, which are being correctly loaded for my user object, but they no longer work in my annotations using the hasRole expression as follows:
@Secured(["hasAnyRole('PERM_VIEW_REPORTS')"])
other expressions are working fine, such as the following
@Secured("authentication.name == 'sys_admin'")
@Secured("hasRole('PERM_VIEW_REPORTS')")
I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails. Remember the above has worked perfectly until I upgraded but I don't see anything in the migration path that suggests there might be a problem with this system.
Thanking for any suggestions in advance.
This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had been using a "PERM_" prefix up to now to indicate that I'm using a permission-based instead of a role-based paradigm.
I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.
EDIT:
It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().
I have forked and updated the Spring Security docs for 3.2 and sent a pull request.
Please try with
@Secured('ROLE_USER')
If you're trying to secure with more than one role:
@Secured(['ROLE_USER','ROLE_ADMIN'])
How can I change WSDL2.0 of a service that will be deployed on WSO2 Application Server?
I want to change the WSDL content of a service that I developed and will deploy on WSO2 Application Server. I moved the custom WSDL file to the META-INF directory and set the useOriginalwsdl=true property, but only WSDL 1.1 is affected by this property. I want to use the custom WSDL 2.0 for my service in WSO2 Application Server. How can I do it?
WSO2 Application Server uses Axis2 1.6.x and useOriginalwsdl=true is in fact not supported for WSDL 2.0. See following JIRA.
https://issues.apache.org/jira/browse/AXIS2-5191
According to the JIRA, it is fixed in Axis2 1.7.0, which is not yet released.
If you really want to use that feature, it might be easier to patch the existing version of Axis2. The fix attached to the JIRA is simple, but I'm not really sure how many code changes are required. The patch is provided for Axis2 trunk and therefore I cannot really tell without trying first!
Also, the code for the Axis2 versions used in WSO2 products is in the WSO2 repository. For example, WSO2 Application Server 5.1.0 uses axis2 1.6.1-wso2v9 according to the Carbon Release Matrix.
I hope this helps!
In a Struts application, I have a filter that forces certain pages to be accessed only over HTTPS via redirection. I'm thinking of porting it to Grails, so my question is: in this environment, is there a "Grails" way to implement such a filter, or is it similar to/the same as what I did? Thanks
The Spring Security core plugin has support for this. See section 17 - "Channel security"