XPages Social Business Toolkit - oauth-2.0

I am trying to implement XPagesSBT on localhost.
I have followed this article http://heidloff.net/home.nsf/dx/12152011034545AMNHECAP.htm and the SBT document by Niklas and was trying to implement dropbox oAuth.
I have also placed http://localhost/XPagesSBT.nsf/ and http://localhost/WebSecurityStore.nsf in root folder
but still i get this error
Error while executing JavaScript action expression
Script interpreter error, line=1, col=26: Error calling method 'isAuthenticated()' on java class 'com.ibm.xsp.extlib.sbt.services.client.endpoints.DropboxEndpoint'
No application is registered with id XPagesSBT and provider Dropbox
if(!#Endpoint("dropbox").isAuthenticated()) {#Endpoint("dropbox").authenticate(true);}
do i need to make any other configuration /setup to XPagesSBT db? or it wont work with Localhost?

I don't remember exactly anymore but reading my blog entry you linked it says you shouldn't use Anonymous:
"Additionally there are a couple of security related settings which are important to understand. First of all you need to assign access to the document with the application keys to the ID with which you signed the two NSFs. In the screenshot above I've entered both OpenNTF servers and my own user ID. When you use the web UI to do this these names are added to the document in an authors field and a readers field.
In the last step you need to configure the ACL of the security store. Anonymous must not have access to this database. All users who you want to be able to use the Social Enabler OAuth functionality need to have author access. This is so that their user keys can be stored in this database so that they only have to do the OAuth dance once. "

It should work on localhost. It looks like a configuration issue with SBT not being able to read the security tokens from the websecuritystore.nsf . Did you create the Dropbox Application Key with an admin id and sign the websecuritystore with the correct id?
Padraic

Related

Shiro and client certs

For my JSF/TomEE application, I have a NoSQL database with users and roles that specifies how users can access resources (basically, IDs in a url parameter) either read-only or write.
I want to implement security and this post gave me some ideas but I am keen to try a 3rd party library - probably Shiro or PicketLink. The rule is that users will authenticate themselves with a client certificate, and if that is not provided, they will be authenticated as a default guest user.
Surprisingly, I am having a bit of trouble finding some information on how to do this in Shiro, it doesn't look straight forward. It is a bit of a surprise to me that there is nothing "out of the box" in Shiro to implement client certificate authentication.
So I think I have to create a Realm to "connect" Shiro with my database. Then I read I might need to extend org.apache.shiro.authc.UsernamePasswordToken to read the certificate and pass it to Shiro. Then I suppose I have to restrict access to content in JSF xhtml pages (using the rendered attribute for example) and I suppose that even in all methods of the Named Managed beans I will need to check the permissions.
Also, It is not clear to me how I can assign the guest user when a certificate is not provided, since apparently it is TomEE the one who validates the client, so if no certificate is provided, my code will not get executed to assign the guest user. I could open two different ports in TomEE, but then the access will not be unified, since I want to treat the guest user uniformely, as any other user in the system. How can this be done?
Is this implemented in a easier way in PicketLink? (which is also better prepared for JSF)
OK, it took me a while and a lot of research, so I will summarise my findings dramatically. I documented everything but do not want to create a book chapter.
So I decided to go with Shiro, and everything I describe works and can be done. This X509certificate project for Shiro was quite useful. Basically, you need to implement a Realm overriding two methods (one for authentication and another for authorisation) - there is a class to extend in the code I mentioned before.
The distiction of a user not providing a cert can be done in the Shiro Filter, so when no token (certificate) is provided, one can be created on the fly or read from a keystore.
For restricting access in JSF there are some shiro tags that can help, no need to use rendered. I have checked permissions also in the beans or other classes accessing the database. This works once the permissions have been established in the authorisation method.
The issue with Tomcat can be solved by using <Connector port="..." ClientAuth="want" ... which will ask for a certificate but will not stop the user if no certificate is provided.

Implementing windows authentication in MVC using Active Directory (AD)

I have following requirement for my application :
Application Security will be controlled with Windows integrated
security. The Active Directory (AD) Domain must be stored in the application XML
configuration file.
Users will be able to View the Master File and Transaction
assignments with no security.
There will be one AD group for Adding / Changing / Deleting Master
File data.
There will be one AD group for assigning Master File data to
Transaction data.
A user could be in one, both or neither of the groups. The AD groups
will be stored in the application XML configuration file.
I understood the requirement but not sure how to implement it.
Specially the part 'A user could be in one, both or neither of the groups.'
Any thoughts or directions would be of great help.
i don't know all solutions, but hope this will try to help you
For Point1 :- for windows security use windows authentication and check the identity of the user, and make your database related to users stored in separate XML file and read the data(user information) from XML file.
For point2 :- Add the user AD which are going to access the system(on IIS machine)and create group for View/edit/assign permission set appropriate role as per your need, and use this group in while doing login
For point3-4: create separate login to access the file data and transcation data.

How do I disable user account in apacheDs

I am using ApacheDS 2.0.0.v20130628,I use Spring security ldap to authenticate users.
For a new user,once user registers an account with the web application an email will be sent to make the account active so that his email will also be verified.Until User clicks on the link sent to his email,User should not be able to Login to the application.So how can I disable the user account till then?
I came across with an attribute on web nsAccountLock,But I am unable to find this attribute in ApacheDS.
I want to know is there anything in ldap-user-service like "active" which is used in a SQL query for JDBC User service in spring security?
Any suggestions as how to go about on this?
nsAccountLock is used to lock accounts in Oracle Directory Server. But not in apache Directory server. even i'm facing the same issue for finding attribute for disabling user in Apache DS. its looks like they havent created any attribute for it.
I have used 'pager' as a option to know if the user is enabled or disabled.
Use the 'pwdAccountLockedTime' operationsl attribute, that's the standard way in Apache DS.
For more details refer

How do I get a list of Google Docs for the current logged in user with Apps Script?

I am working with Apps Script on a Google Site and I am trying to use Oauth to authenticate the gadget as the active user to show the active users documents list. I have found several Google group discussions asking about this with no answers, was hoping I could get an answer on here. Here is my code:
var oauthConfig = UrlFetchApp.addOAuthService("gDocs");
oauthConfig.setAccessTokenUrl("https://www.google.com/accounts/OAuthGetAccessToken");
oauthConfig.setRequestTokenUrl("https://www.google.com/accounts/OAuthGetRequestToken?scope=https://docs.google.com/feeds/");
oauthConfig.setAuthorizationUrl("https://www.google.com/accounts/OAuthAuthorizeToken");
oauthConfig.setConsumerKey("myDomainName");
oauthConfig.setConsumerSecret("myCosumerSeceret");
var options =
{
"method": "GET",
"headers": { "GData-Version": "3.0" },
"oAuthServiceName" : "gDocs",
"oAuthUseToken" : "always"
};
var results = UrlFetchApp.fetch("https://docs.google.com/feeds/default", options);
At this point the code does not run and the page with the gadget displays:
Authorization is required to perform that action.
Any assistance would be greatly appreciated.
Thank you,
James Krimm
In order to perform authorization using 3-legged OAuth, you have to use 'anonymous' as ConsumerKey and ConsumerSecret:
oauthConfig.setConsumerKey("anonymous");
oauthConfig.setConsumerSecret("anonymous");
Also, please note that the correct feed url is https://docs.google.com/feeds/default/private/full.
However, if your goal is to get the list of documents for the active user, why don't you just use the DocsList Services provided by Apps Script? They will also take care of parsing the results for you.
https://developers.google.com/apps-script/service_docslist
It's not possible to access the active user data. A published Apps Script, as on a site, runs under the account of the script owner, called effective user. And, as a security concern, the script owner does not have permission to access any data of the active user.
So, what #claudio suggests (of using builtin DocsList) is not possible.
Unless we're talking about a Google Apps domain (and not regular consumer accounts) and the script owner is the domain administrator. In which case he can use the Google Docs List Data API to impersonate any user on his domain.
Either way, the consumer key and secret should always be "anonymous", regardless this scenario.
I have a Google Script OAuth library https://sites.google.com/site/scriptsexamples/custom-methods/google-oauth that will make the OAuth part less painful.
And some source code for a currently being developed DriveSrevice Library that will hit the points that are missing in Google Script.
https://sites.google.com/site/scriptsexamples/custom-methods/driveservice
This particular error is probably not related to OAuth but related to adding DocsList to the app.
See: https://developers.google.com/apps-script/troubleshooting#common_errors
Authorization is required to perform that action.
This error indicates that the script is lacking the authorization
needed to run. When a script is run in the Script Editor or from a
custom menu item an authorization dialog is presented to the user.
However, when a script is run as a service, embedded with a Google
Sites page, or run from a trigger the dialog cannot be presented and
this error is shown. To authorize the script, open the Script Editor
and run any function. To avoid this error, remember to run the script
once in the Script Editor after adding new services or capabilities to your script.
The answers here are not correct. You CAN do what you need, but not using Oauth directly. Instead, publish the Apps Script with the option to "run as the current user" instead of the script owner. Then use DocsList of DriveApp to get at the users files. The key here is to publish the service to "run as the user accessing the app".

Setting up a private beta for a website

I'm trying to setup a "private beta" for a site that I'm working on. The site uses open id. I don't want anyone to even browse the pages if they aren't part of the beta. What's the best way to implement this? Any suggestions?
For example:
When the site goes live, users will go to http://www.mydomain.com which will not require them to log in.
For the beta I want to restrict access. Users that go to http://www.mydomain.com will be redirected to a login page. Anyone attempting to access ANY PART OF THE SITE who is not authenticated will be redirected back to the login page.
I could stick [Authorize] attributes all over my controller actions, but that seems stupid.
If you're using ASP.NET MVC, it comes with authentication/authorization out of the box. You should be able to use that to setup authentication on your site.
Alternatively you could setup app server settings - IIS lets you setup username/password on a specific site it's serving, regardless of what the actual application may do. If you have access to the app server this might be the best solution.
If you're using IIS6, you can setup authorization easily. Right-click on your site > Properties > Directory Security Tab > Authentication and Access Control > Edit, and enter a username/pwd of your choice. Done.
The real question is how are they being invited to the private beta?
You could setup a password which drops a cookie much like serverfault.com does.
OR
If you know who you are inviting: you could add them to the system before hand using the email/login information that you already know about them (assuming you are inviting them via email)
I have implemented a function in a web application a while ago where we go the possibility to block access to the full website unless the user was an administrator (which in our case meant that the user account was a member of a specific group in Active Directory).
It was based on two things. First, all pages in the web application inherited not directly from the Page class, but from a custom page class in our web application. Second, we had a value like this in the appSettings section of web.config file:
<add key="adminaccessonly" value="0" />
The custom page class would check that value when loading. If it was not 0 it would redirect to a page (that did not inherit the same custom page class, though) informing the user that "the site is not available right now". If the value was 0 the page would load as usual.
In that application we used this to be able to take the site "offline" when we deployed a new version, giving us some time to verify that all was good before we let in the users again.
Best way are invitation system (based on invitation code) or manually confirmation access after create profile in your system. imho
Or you could host the site on a private server, and set up a VPN to use it. Depending on your resources and needs this may be the easiest and most secure way to do what you want without modifying your codebase.
OR alternatively you could use Apache or IIS to force authentication on access to the website directory. Keeping the authentication info in .htaccess for a while.
Even though you use open id authentication, you may still need some form of authorization mechanism. The simplest form would be a user-roles system in your database that assigns different roles to users
In your case, just assign the private_beta role to your private beta invitees and ensure you your authorization mechanism that all users have private_beta privilege before they may continue.
If you don't want to provide authorization for the public site (where everyone can do everything, once authenticated), then, you may only need to do a quick-and-dirty post-processing (for private beta only) on your open_id authenticated users to check them off a short list (which you can store on a text file.

Resources