I'm facing a problem related to the users' session. I'm using Adapter Based Authentication which I user to authenticate the user to have secret data from the web service.
For example when the user1 login, he gets his own data. Now when the user2 login , he gets his own data. But the user1 , also , get the user2's data. So all the users are getting the data of last login user.
I tried to put this connectAs="endUser" but I'm still facing the same problem.
Any idea to solve this problem.
Practically I have the opposite behaviour of this question:
IBM Worklight 6.0 - Adapter with basic auth doesn't update auth header if client logs out/in
this is the authenticationConfig.xml :
<securityTests>
<customSecurityTest name="AdapterSecurityTest">
<test isInternalUserID="true" realm="AdapterAuthRealm" />
</customSecurityTest>
<mobileSecurityTest name="PushSecurityTest">
<testUser realm="AdapterAuthRealm"/>
<testDeviceId provisioningType="none"/>
</mobileSecurityTest>
</securityTests>
<realms>
<realm name="AdapterAuthRealm" loginModule="AdapterLoginModule">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="MyAdapter.onAuthRequired" />
<parameter name="logout-function" value="MyAdapter.onLogout" />
</realm>
</realms>
<loginModules>
<loginModule name="AdapterLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
</loginModules>
connectas enduser should be set on getsecretdata, not on authenticate.
Related
I've an issue on this feature.
SignIn action works well with ADFS and return to AuthServices/Acs
But Logout action don't call ADFS and redirect directly to returnUrl parameters (checked it with fiddler).
I'm calling this link : /AuthServices/Logout?ReturnUrl=~/&Status=LoggedOut
web.config is set up as this :
<kentor.authServices entityId="https://localhost:2181/AuthServices" returnUrl="https://localhost:2181/">
<identityProviders>
<add
entityId="https://ADFS DOMAIN/adfs/services/trust"
signOnUrl="https://ADFS DOMAIN/adfs/ls"
logoutUrl="https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0"
binding="HttpPost"
allowUnsolicitedAuthnResponse="true"
metadataLocation="https://ADFS DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml"
wantAuthnRequestsSigned="true">
<signingCertificate fileName="~/App_Data/*****.cer" />
</add>
</identityProviders>
</kentor.authServices>
If I launch https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0 on another tabs, it is working, I return on signin page from my website.
So it seems to be an internal issue to retrieve logouturl and send it ?
Thanks for helps.
There are a number of requirements that need to be met before logout request will be issued:
You need to have a http://kentor.se/AuthServices/LogoutNameIdentifier claim and its issuer has to match the IDP that you're trying to logout from.
You need to have http://kentor.se/AuthServices/SessionIndex claim.
Your AuthServices IDP configuration needs a logoutUrl (I see you've specified this but probably it's easier to let AuthServices read it from the metadata)
You have specified a ServiceCertificate with either Signing or Both usage (i.e. not just Encryption)
Your AuthServices IDP configuration has DisableOutboundLogoutRequests =
false (this is the default)
Missing claims (first two points) is the most likely issue if you have some claims transformation happening during login or you are not retaining the original ClaimsIdentity. See also the documentation regarding ClaimsAuthenticationManager, e.g. https://github.com/KentorIT/authservices/blob/master/doc/ClaimsAuthenticationManager.md
You can turn on logging and see which of these points are failing:
https://github.com/KentorIT/authservices/blob/v0.21.2/Kentor.AuthServices/WebSSO/LogOutCommand.cs#L155-L170
I am trying to schedule a new blast to send emails. I am calling the below URL
https://app.streamsend.com/audiences/1/blasts.xml
posting the below xml to the service
<blast>
<from>
<name>Customer Service</name>
<email-address>xxx#example.com</email-address>
</from>
<to>
<audience-id>1</audience-id>
<filter-id></filter-id>
<include-lists>5</include-lists>
<exclude-lists>7</exclude-lists>
</to>
<subject>My First Blast</subject>
<body>
<email-id>9</email-id>
</body>
<options>
<track-views>true</track-views>
<track-clicks>true</track-clicks>
<include-social-bar>false</include-social-bar>
</options>
<scheduled-for>2015-02-17T20:00:00Z</scheduled-for>
</blast>
I am getting WebException showing error 422 unprocessable entity. Please help me in resolving this issue.
Before scheduling a blast we must first verify the email mentioned in the email-address tag(xxx#example.com). This is to ensure compliance with the U.S. Can-Spam Law.
<blast>
<from>
<name>Customer Service</name>
<email-address>xxx#example.com</email-address>
</from>
<to>
<audience-id>1</audience-id>
<filter-id></filter-id>
<include-lists>5</include-lists>
<exclude-lists>7</exclude-lists>
</to>
<subject>My First Blast</subject>
<body>
<email-id>9</email-id>
</body>
<options>
<track-views>true</track-views>
<track-clicks>true</track-clicks>
<include-social-bar>false</include-social-bar>
</options>
<scheduled-for>2015-02-17T20:00:00Z</scheduled-for>
</blast>
To verify the email address, Login to stream send web portal and try to set up a blast. Steps to set up a blast
Step 1: Mention the sender email address information
Step 2: Activation link is sent to the email mentioned in step 1. Once the user activates the link, the sender account is verified successfully.
We will be able to schedule the blasts after verification without any issues.
Note: In stream send one audience Id is created per account, usually the value is 1, sometimes it may have a value other than 1. While scheduling a blast it is better to check for the audience id by calling the API rather than hard coding the value.
We have a Google Gadget that connects to Fusion Tables through the Fusion Table API with the user’s Google Account. It performs SELECT and INSERT.
We built the gadget using OAuth1 (shindig library for opensocial). It worked fine for the deprecated version of the Fusion Table API. When we migrated it to the new PAPI, the select qworks fine because authentication with OAuth2 is not necessary. For the INSERT however, it is necessary. The documentation for opensocial has not been completely updated:http://docs.opensocial.org/display/OSREF/OpenSocial+Specification+Considerations
I cannot figure out how to successfully use OAuth2 to perform an Insert. We have the API privileges to read/write at the domain level and the user has owner privileges to the Fusion table.
The error I am getting is saying “Invalid Credentials” Pretty vague and I cannot tell why.
Here is our gadget header:
<OAuth>
<Service name="google">
<Access url="https://www.google.com/accounts/OAuthGetAccessToken" method="GET" />
<Request url="https://www.google.com/accounts/OAuthGetRequestToken?scope=https://www.googleapis.com/auth/fusiontables%20https://docs.google.com/feeds/default/private"
method="GET" />
<Authorization url="https://www.google.com/accounts/OAuthAuthorizeToken?oauth_callback=http://oauth.gmodules.com/gadgets/oauthcallback" />
</Service>
</OAuth>
I am not sure exactly how to update, so I added another header:
<OAuth2>
<Service name="google">
<Authorization url="https://www.google.com/accounts/OAuthAuthorizeToken?oauth_callback=http://oauth.gmodules.com/gadgets/oauth2callback" />
</Service>
</OAuth2>
When we make the call, we do the following:
options = {};
options[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.TEXT;
options[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
options[gadgets.io.RequestParameters.POST_DATA] = postData;
options[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.OAUTH2;
options[gadgets.io.RequestParameters.HEADERS] = {'Authorization':'{encrypted fusiontable key}'}; //not sure if this helps but its extra
options[gadgets.io.RequestParameters.OAUTH_SERVICE_NAME] = "google";
options[gadgets.io.RequestParameters.OAUTH_USE_TOKEN] = "always";
URL = https://www.googleapis.com/fusiontables/v1/query?key={encrypted fusiontable key} &client_id={id number}”;
postData=”sql=INSERT…”;
gadgets.io.makeRequest(URL, handlerWrapper, options);
Thanks!
If you're doing a write request, you will need to supply the oauth token that encodes the user's permission to access the table. It looks like this might be in gadgets.io.RequestParameters.OAUTH_REQUEST_TOKEN. The key is used for read access from public tables. Also, you may need to set the OAUTH_SERVICE_NAME to "fusiontables".
What I am doing is I set both alfresco and share to session time out time 60 minutes in their web.xml file.
My scenario is
When I want to start a workflow in Start Workflow page, I fill all
necessary data but do not click "Start Workflow" button.
After session time out, I click this "Start Workflow" button.
At the first time, authentication box opens and request for username
and password.
I filled user name and password of another user.
It starts a workflow with the authenticated another user.
Other times for session timeout, it does not request authentication
box, but acts for previously requested authenticated user.
So I think Why does it happen??? Is it because of cookie??
Currently there are four cookies used, namely alfLogin, alfUsername2, JSSESSIONID, _alfTest. Only when user is logged out, alfUsername2 cookie is deleted and others are remained.alfLogin and alfUsername2 cookies' expire time is 7 days and other cookie are depends on session.
Can alfresco web script still be used after session timeout? If so, how can I avoid this condition?
Although I have to answer my own question, I just want to share my result. I have to trace much. But answer is so simple.
Firstly, it is not because of cookie.
This answer is not only just for clicking "Start Workflow" button but also calling alfresco webscript after session time out in share.
All calling to alfresco webscript is done by EndPointProxyController specifically org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController in spring-webscripts-1.0.0-sources.jar.
In handleRequestInternal method if there is no session and basicHttpAuthChallenge is true, basic authentication box is shown as below.
else if (this.basicHttpAuthChallenge || descriptor.getBasicAuth())
{
// check for HTTP authorisation request (i.e. RSS feeds, direct links etc.)
String authorization = req.getHeader("Authorization");
if (authorization == null || authorization.length() == 0)
{
res.setStatus(HttpServletResponse.SC_UNAUTHORIZED,
"No USER_ID found in session and requested endpoint requires authentication.");
res.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco\"");
// no further processing as authentication is required but not provided
// the browser will now prompt the user for appropriate credentials
return null;
}
else
{
// other coding
}
We can avoid this condition as
in endpointController of slingshot-application-context.xml, change
basicHttpAuthChallenge to false.
Like
<!-- Override EndPointProxyController to enable Basic HTTP auth challenge on 401 response -->
<bean id="endpointController" class="org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController">
<property name="cacheSeconds" value="-1" />
<property name="useExpiresHeader"><value>true</value></property>
<property name="useCacheControlHeader"><value>true</value></property>
<property name="configService" ref="web.config" />
<property name="connectorService" ref="connector.service" />
<property name="supportedMethods"><null/></property>
<property name="basicHttpAuthChallenge"><value>false</value></property>
</bean>
I'm using Spring Security 3 and my ApplicationContext-Security.xml specifies
<form-login login-page="/genesis" default-target-url="/diagnostics/start-diagnostics"
authentication-failure-url="/genesis?authfailed=true"
authentication-success-handler-ref="customTargetUrlResolver"/>
<access-denied-handler error-page="/genesis?notauthorized=true"/>
<logout logout-success-url="/genesis"/>
<session-management session-authentication-error-url="/genesis">
<concurrency-control max-sessions="1"/>
</session-management>
However when I log into my app in a second browser, then return to my first browser as soon as I try to do anything I get a plain white screen with the message "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user"
How do I configure Spring Security 3 to display my own "you've been disconnected" URL?
You can either:
force concurrency filter to throw authentication exception (and it'll be handled by <form-login>),
provide your own session-expired page.
These situations are described here in Spring Security manual:
<concurrency-control> Attributes
error-if-maximum-exceeded
If set to "true" a SessionAuthenticationException will be raised when
a user attempts to exceed the maximum allowed number of sessions. The
default behaviour is to expire the original session.
expired-url
The URL a user will be redirected to if they attempt to use a session
which has been "expired" by the concurrent session controller because
the user has exceeded the number of allowed sessions and has logged in
again elsewhere. Should be set unless exception-if-maximum-exceeded is
set. If no value is supplied, an expiry message will just be written
directly back to the response.
Also check ConcurrentSessionFilter and ConcurrentSessionControlStrategy for more details.
Answering your question: in your config you should have something like this:
<session-management session-authentication-error-url="/genesis">
<concurrency-control max-sessions="1" expired-url="/sessionExpired.jsp" />
</session-management>
Note that expired-url is not the same as session-authentication-error-url.