Spring websocket set handshake handler/interceptor - spring-websocket

I try to set handshake handler through xml config:
<bean id="customHandler" class="app.wsock.CustomHandler"/>
<websocket:message-broker>
<websocket:stomp-endpoint path="/foo">
<websocket:handshake-handler ref="customHandler"/>
<websocket:sockjs/>
</websocket:stomp-endpoint>
<websocket:stomp-broker-relay prefix="/topic,/queue" />
</websocket:message-broker>
but on connect also using DefaultHandshakeHandler. What I'm doing wrong?

This is a bug (see SPR-11568).
You'll need to update your app to Spring Framework 4.0.3.

Related

log4j2 Socket Appender with SSL enabled

Here is my log4j2 SocketAppender configured with SSL
<Configuration status="warn">
<Socket name="transSocketAppender" host="lxddv002.test.intranet"
port="9400" protocol="TCP" reconnectionDelayMillis="30000"
immediateFail="false">
<PatternLayout pattern="%m%n" charset="UTF-8" />
<SSL>
<Truststore location="C:\Users\AC26252\Desktop\certs\keystore.jks"
password="123456" />
</SSL>
</Socket>
<Async name="transSocketAsyncAppender" bufferSize="204800">
<AppenderRef ref="transSocketAppender" />
</Async>
I get this error on my server restart and the first few(2 or 3) request logs are lost and not being transported.
2018-11-22 19:04:05,243 AsyncAppender-socketAsyncAppender ERROR Unable to write to stream TLS:lxddv002.test.intranet:9400 for appender socketAppender: org.apache.logging.log4j.core.appender.AppenderLoggingException: Error writing to TLS:lxddv002.test.intranet:9400
2018-11-22 19:04:05,259 AsyncAppender-socketAsyncAppender ERROR An exception occurred processing Appender socketAppender
org.apache.logging.log4j.core.appender.AppenderLoggingException: Error writing to TLS:lxddv002.test.intranet:9400
at org.apache.logging.log4j.core.net.TcpSocketManager.write(TcpSocketManager.java:229)`at org.apache.logging.log4j.core.appender.OutputStreamManager.write(OutputStreamManager.java:201)`
Is there anything wrong with my configuration? Any help is appreciated. thanks
The issue was with my log4j2 version. I have upgraded to the latest version and its working fine now.

Configuration Error Azure Key Vault as a Visual Studio Connected Service ConfigurationBuilder

I am trying to wire up Azure Key Vault in my ASP.NET (.Net Framework) MVC Web App using Visual Studio 2017 Community 15.7.5 Connected Service targeting .Net 4.7.2.
It adds a configBuilder with the name AzureKeyVault with an attribute called vaultName that throws a "The 'vaultName' attribute is not allowed." warning.
When I run the application I get an error that the configBuilders attribute on the appsetting tag is not good like so:
I am using the following package versions which are all current:
<package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
There is an update to Microsoft.Azure.Services.AppAuthentication but it is a preview and it caused dependency issues with other packages.
tldr; - you probably don't have the appropriate permissions to access the key vault.
In currently released versions of the .Net framework, detailed errors about config builders are not always easily discoverable in the ASP.NET yellow screen. We have changes in vNext to address this issue, but it is currently a problem for 4.7.1/2. For the time being, if you create a simple console app to read appSettings with the same config builder configuration, you should see more exception information in the stack that gets spit out.
Based on the yellow screen you posted though I would guess (and its really just an educated guess based on past reports and nothing specific in your case) you are running into an authentication issue in the Microsoft.Azure.Services.AppAuthentication library. When running in Visual Studio, that library can use your personal credentials to access the key vault. If deployed in Azure, they use a different magic technology to authenticate the application to the key vault. If you want to eliminate the "magic" and take more control over this, you can specify more detailed connection information with the 'connectionString' attribute. There is more information as well as a link to connection string details on our GitHub page (MicrosoftConfigurationBuilders).
As for the "The 'vaultName' attribute is not allowed." warning... it's just a warning. The .xsd that VS uses to validate configuration was not correctly updated to allow random attributes on configBuilder definitions. We hope to address this in a future VS release around the time that the next framework ships.
Steve Molloy was correct in that the Configuration Error was a red herring. I created a console app and the error messages were much better but they still required some investigation. Here's my Console App Code and packages:
static void Main(string[] args)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider
(azureAdInstance:"https://InsertAADSubscriptionName.onmicrosoft.com/");
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = keyVaultClient.GetSecretAsync(
"https://InsertKeyVaultName.vault.azure.net", "InsertSecretYouWantBack").GetAwaiter().GetResult();
}
<packages>
<package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net472" />
<package id="Microsoft.Rest.ClientRuntime" version="2.3.13" targetFramework="net472" />
<package id="Microsoft.Rest.ClientRuntime.Azure" version="3.3.15" targetFramework="net472" />
<package id="Newtonsoft.Json" version="11.0.2" targetFramework="net472" />
</packages>
I put a breakpoint on the last bracket and kept looking for my secret value in the variable secret. I kept getting the following error indicating that Azure AD wasn't able to authenticate my local environment and return an access token.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried the following 4 methods to get an access token,
but none of them worked.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Managed Service Identity.
Unable to connect to the Managed Service Identity (MSI) endpoint.
Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Visual Studio.
Access token could not be acquired.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Azure CLI. Access token could
not be acquired. ERROR: Please run 'az login' to setup account.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Active Directory Integrated
Authentication. Access token could not be acquired. get_user_name_failed:
Failed to get user nameInner Exception : No mapping between account names
and security IDs was done
The problem was that since I was running the app locally I needed to be logged in to Azure CLI locally. To do this: first install Azure CLI on your machine, then go to a CMD or a PowerShell prompt and type az login and follow the instructions returned.
This did the trick; the console app was able to get an access token.
I tried it on my web app in the original question above and it worked as expected.

TSung HTTP not working with header

We are performing load testing using tsung.
We were able to load test a HTTP end point without any headers.
But when add HTTP header, tsung is failing and not able to make the request.
I am unable to decipher from the tsung logs the issue. The format of the configuration tsung.xml is exactly as per the tsung help docs.
please find the below tsung.xml configuration we used and also error from logs,
tsung.xml
<sessions>
<session name="http-example" probability="100" type="ts_http">
<request>
<http url="http://172.17.0.1/api/test" version="1.1" method="GET">
<http_header name="Authorization" value="Bearer a3b84dd8-d8a3-4e37-9468-5244333df0e0"/>
</http>
</request>
</session>
</sessions>
tsungcontroller.log
** Reason for termination =
** {{case_clause,false},
[{ts_http_common,'-headers/1-fun-0-',2,
[{file,"src/tsung/ts_http_common.erl"},{line,224}]},
{lists,foldl,3,[{file,"lists.erl"},{line,1248}]},
{ts_http_common,http_no_body,2,
[{file,"src/tsung/ts_http_common.erl"},{line,75}]},
{ts_http,get_message,2,[{file,"src/tsung/ts_http.erl"},{line,130}]},
{ts_client,handle_next_request,2,
[{file,"src/tsung/ts_client.erl"},{line,798}]},
{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,505}]},
{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}
Please let me know what I am missing
I was using tsung 1.5.1 earlier. But the issue is resolved in 1.6 :) :)
I am able to add http headers.

Consuming Web Service using 2 Way SSL using Orbeon client code

We are trying to consume web service from orbeon client code. Everything works fine with one way SSL however we now wish to call the web service using 2 way SSL. We are able to call the web service using 2 way SSL successfully using the Apache CXF framework using Java code.
I followed the steps outlined in the Orbeon Wiki.
Changes made in properties-local.xml
<property as="xs:anyURI"
name="oxf.http.ssl.keystore.uri"
value="/apps/property/ClientStore.jks"/>
<property as="xs:string"
name="oxf.http.ssl.keystore.password"
value="password"/>
<property as="xs:anyURI"
name="oxf.url-rewriting.service.base-uri"
value="http://localhost:8085/Orbeon"/>
<property as="xs:anyURI"
name="oxf.fr.persistence.exist.uri"
value="http://localhost:8085/fr/service/exist"/>
<property as="xs:anyURI"
name="oxf.fr.persistence.exist.exist-uri"
value="http://localhost:8085/exist/rest/db/orbeon/fr"/>
After implementing the changes outlined above we are getting the exception below:
ERROR XFormsServer - xforms-submit-error - setting throwable {throwable:
"javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:488)
at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148
Java start up options are:
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.keyStore=/apps/property/DMClientStore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/apps/property/trustkeystore.jks
Questions:
Are these properties sufficient for enabling 2 way SSL?
For Apache CXF we need to provide two keystores, one with the client certificate and a truststore. Where do we configure both of these keystores for Orbeon?

Spring Security SAML - Failed to verify signature

I'm using the Spring Security SAML 2.0 sample webapp on Tomcat 7 and have modified it to try to get it to authenticate against a Ping Identity service. The webapp is talking to the service and it's sending back an assertion, but it's failing when trying to verify the signature, as shown by the debug output below:
- Attempting to verify signature and establish trust using KeyInfo-derived credentials
- Signature contained no KeyInfo element, could not resolve verification credentials
- Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
- Attempting to verify signature using trusted credentials
- Failed to verify signature using either KeyInfo-derived or directly trusted credentials
- Validation of received assertion failed, assertion will be skipped
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
I understand that it's not able to verify the signature, and I have been given a certificate by the Ping Identity admins to use, but I'm unsure of how to include it in the application. I've tried adding it to the JKS (keystore) that comes with the sample application using the JDK's keytool program, but it can't seem to find it in there. I've also tried adding it to the service provider's metadata xml file like this:
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
[Certificate is here...]
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
However it still returns the same error.
Is there a specific place I should put the certificate in order to validate the signature? I'm relatively new to SAML and application security in general, so I apologise if I'm using the wrong terminology.
Finally got this to work. Turns out I'd missed out a line of configuration in the security context file, and that (it appears as though) no X509 certificate definition was needed in the service provider's metadata XML file.
Basically I'd already imported the public key I'd been provided with into the existing JKS (using keytool), but I hadn't told the application to specifically use this. In order to do this, I had to go into the security context file (in my case "securityContext.xml") and add the following line to the ExtendedMetadata bean definition for the SP's metadata xml file:
<property name="signingKey" value="[alias of the provided key in the JKS goes here]"/>
Hence after this modification, the ExtendedMetadataDelegate bean definition looked like this:
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:security/[Path to SP metadata xml file].xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool" />
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="alias" value="[SP alias goes here]" />
<property name="signingKey" value="[alias of the provided key in the JKS goes here]"/>
</bean>
</constructor-arg>
</bean>
Hope this helps anyone who might be in a similar situation.
In spring boot it can be configured in the assertingparty configuration
spring:
security:
saml2:
relyingparty:
registration:
yourrequestissuerid:
assertingparty:
verification:
credentials:
- certificate-location: "classpath:idp.crt"

Resources