I have a flex app using BlazeDS to talk with a web app using Spring Security. During normal use the user has already logged into the web app before running the flex app, so the browser takes care of passing the JSESSIONID session cookie on the outgoing messages so the web app knows who they're coming from.
However, I'd like to be able to run the flex app from my IDE (IntelliJ IDEA) for debugging, which means there's been no previous login and thus no existing session. I put some code in -- just for the purpose of debugging -- to first send a login message. That works, and the JSESSIONID cookie comes with the response, but I don't know how to attach it to the subsequent BlazeDS remoting calls that the app makes.
Is there some sort of channel configuration that does this, or some other method? And if you're going to point me to the BlazeDS/SpringSecurity preauthentication example, I appreciate the thought, but we already have a fairly involved configuration of Spring Security and I don't want to mess with that.
As an aside, I was a bit disconcerted when I tried to follow a suggestion to call login() on the RemoteObject's ChannelSet, only to find that the ChannelSet was null. I don't see how that can be, since the remoting calls work, using -- I can only assume -- the AMF channel defined in the services-config.xml. Anyway, I don't know whether login() works by sending j_username and j_password to /j_spring_security_check anyway, so it might not have been appropriate; and of course I'd still be left with the subject of this query, which is how to use the session once it's been created.
I don't think it'll help to explain anything, but I'll include some code and config snippets...
The login:
<mx:HTTPService id="loginRequest" url="http://fiddler:8080/app/j_spring_security_check" useProxy="false"
method="POST" result="handleLoginResult(event)">
<mx:request xmlns="">
<j_username>username</j_username>
<j_password>password</j_password>
</mx:request>
</mx:HTTPService>
The RemoteObject:
<mx:RemoteObject id="remoteObject" destination="blazebackend">
<mx:method name="getConfigData" result="handleConfigDataResult(event)" fault="handleFault(event)"/>
<mx:method name="addSession" result="handleAddSessionResult(event)" fault="handleFault(event)"/>
</mx:RemoteObject>
A channel:
<channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
<endpoint url="/{context.root}/app/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
</channel-definition>
TIA.
I'd like to be able to run the flex app from my IDE (IntelliJ IDEA) for debugging
Using Eclipse you can debug inside Eclipse IDE when deployed on a localhost or remote server by configuring the "Url or path to use" when starting debugging.
JESSIONID means that you're using Java EE authentication, the login method of the ChannelSet can be used for a custom and or Basic authentication (that can be or not a Java EE authentication), I think the best for you is to deploy on a localhost, or eventually remove security when debugging.
Related
I have inherited this old ASP.Net MVC application and now I have to integrate a new Payment Service Provider. This PSP returns the responses to all payment requests via a POST message. The fields of the response are sent as hidden fields. The URL of the webhook must be provided in the request. After reading different SO posts along the same lines, I kinda know, in principle, what I would have to do. The PSP has a test & integration environment so I can send test request from my development environment. The problem I am facing is how to read the response. The URL for the webhook must be public, so me, running my development environment on my localhost, won't help. I can use webhook.site to get the responses, but I would like to get them in my application, so I check that my code behaves correctly and can handle properly the POST message containing all the hidden fields. Did anyone manage to find a possible solution for this problem?
TIA,
Ed
You mention that you want to test if you code behave correctly, I also see tag asp.net mvc in the post. For this requirement I can suggest you to go with azure. Azure have remote debugging feature which can easily help you test your code.
If you don't want to go with Azure, you can use ngrok software to make your localhost url public. This way you can trigger your code and debug it locally like remote debugging in azure.
There is one more way to test this thing very well. Just log the whole body of webhook (in logs or DB) and later execute it yourself through postman. This might doesn't let your webhook endpoint know the result at same time.
We have a J2EE application (running on -cough- IE only) that uses JSESSIONID to manage session state between client and server. Some of our customers use a third-party web application (https://mdoffice.sentara.com/) in which the client Javascript onload method calls:
document.execCommand("ClearAuthenticationCache");
This smashes our JSESSIONID cookie in the browser and hence causes the the app server to see subsequent requests from our IE client window as an invalid or timed out session and the user gets kicked out. Our server is OAS/OC4J, but I doubt this it matters: The same basic behavior occurs if I hit the above URL while logged into my online banking.
In trying to research this, I found that most folks are interested in duplicating this behavior in non-IE browsers. I'm interested in how to protect against it. We verified that our session cookies are have domain scoping, but the above command doesn't seem to honor that. We have a lame work-around by which we launch IE with a -noframemerging argument. That's ugly, and also ends up messing with our logic that tries to limit the client to a single login.
I can't find much useful on MSDN, but this article (http://blogs.msdn.com/b/ieinternals/archive/2010/04/05/understanding-browser-session-lifetime.aspx) does make it clear that the above command "...clears session cookies ... for ALL sites running in the current session".
Does anyone know of either:
Obviously preferable: A way to protect our precious session cookies from ClearAuthenticationCache?
Vane hope: A less aggressive alternative to ClearAuthenticationCache that we might tell our customers to communicate to the 3rd party? (Of course, they'd have to do this with any 3rd party that causes this problem. Currently there's just the one.)
Thanks for any help!
I've an ASP .NET MVC4 application that uses SimpleMembership and allows users to sign in with their google accounts.
In order to do that I configured the application's AuthConfig class by uncommenting the OAuthWebSecurity.RegisterGoogleClient(); line to add google as an external login method. I didn't really change much inside the external login methods that already come with the ASP .NET MVC4 Internet Application template.
Problem:
Everything works fine when I run it locally (IIS express) or when I deploy it to a 'test' server (IIS 6.1, accessible on the intranet only). When I click my "sign in with google" button, I'm sent to google's authentication page, whose url looks something like this:
https://accounts.google.com/ServiceLogin?service=lso&passive=12096...(long url)
Alas, when I deploy it to the 'production' server (internet facing) and try to access it via internet, Google authentication stops working: when I click my "sign in with google" I'm being sent to an url that looks like this:
http://MY_APPLICATION_NAME.MY_DOMAIN.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid...(long url)
This url is wrong not only because it has my domain in it (I believe it should be accounts.google.com?), but also because the rest of it is completely different from the url I get when the authentication works.
What I know and have tried:
If I use fiddler, I can see that the application is behaving differently when I'm accessing the application via internet or intranet.
If I access it from within the network, I see I'm making a request to http://MY_APPLICATION_NAME.MY_DOMAIN.com/account/ExternalLogin?returnUrl= and then "Tunnel to www.google.com:443, Tunnel to accounts.google.com:443". This works ok.
If I access it from the internet I see I'm making a request to http://MY_APPLICATION_NAME.MY_DOMAIN.com/account/ExternalLogin?returnUrl= and then another one to http://MY_APPLICATION_NAME.MY_DOMAIN.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid...(long url). This obviously gives a 404.
I might be wrong but I assume that this url is generated by the OAuthWebSecurity.RequestAuthentication(provider, returnUrl). What puzzles me is that it looks like it is requesting the authenticaton to my server instead of accounts.google.com.
My research so far has only brought to me posts/questions/etc. showing how easy it is to use SimpleMembership for external authentication and I can see everyone does it pretty much the same way.
Conclusion:
I believe this probably has something to do with something I must configure on web.config or IIS. I do know that the requests to my application arrive at my DNS server which does a url rewrite and forwards the request to my web server, although I don't know if this is related to the problem.
Does anyone have any idea of what might be wrong or ever had a similar issue? Any help would be appreciated.
EDIT:
I've looked into OpenAuthSecurityManager.cs's source code and although I can't debug it I see the problem might be related to an incorrect HttpContext inside the RequestAuthentication method, due to my reverse proxy settings on IIS?
I ended up with a request to change the IT infrastructure.
OpenAuthSecurityManager.cs was probably getting a wrong HttpContext instance because of the way the requests were being handled by the previous infrastructure (requests arrived at our DNS server and were forwarded to the web service, on a different server inside our network, with UrlRerwrite rules).
It's working now.
An architectural question.
My site needs to allow the user to record video and upload it to the "site". I've been poking around a fair bit and it seems I have to use some kind of media server to achieve this aim. As I'm introducing this secondary server into the system (I seek to embed the flash app residing on this server into the HTML delivered by the site) it occurs to me that this broadens the scope of security a lot. What scares me is attackers trying to embed the flash app themselves or attempting to impersonate clients (or anything else I haven't thought of yet!).
I was therefore wondering how people secure their applications with such an architecture. Sure I can do what is suggested here, a decent band-aid for now but afaik the domain information can technically be falsified by the client.
I could separate out the auth of the site giving me a WebServer, an AuthServer and a MediaServer enabling the MediaServer to separately auth. Getting the user to log into both sites is obviously onerous and passing around the user's login creds and securing all connections sounds ugly and averse to best practice.
As far as I can see my best bet is some kind of temporary token that the auth server creates. So the website kicks the auth server after logging in to generate the token which the site can then pass to the media server (as part of the flash vars) and the MediaServer itself can use to double check against the auth server.
I'm relatively new to Red5, Flash and web security so I was wondering if the following sounds sane, secure and/or necessary. Also if anyone knows of decent tools to use for such an auth system and whether there is something already kicking about in ASP.NET auth for such a purpose.
the solution provided in your link ... you should read my second comment.
The first about virtual hosts is wrong! My comment does actually tell you (at least one) solution to secure your app.
You could for example pass a SESSION_ID in the connect method to Red5. The user would get the SESSION_ID from another webservice call before he invokes the record or playback method.
The SESSION_ID might be even some kind of temporary token, that is only valid for 15 minutes and only usable a single time for exactly that video. How far you implement that is a matter of how secure your mechanism needs to be.
Sebastian
Using a Java based image uploader and having problems, seems my controller action is not being hit if I upload multiple files. I can't use fiddler or FireBug because they don't pickup the Java apps request to the server. I need to see what is being requested in debug mode so I can fix my Route - I am assuming this is my problem.
How can I hook into this and see what the request is?
You could still use a web debugging proxy (like Fiddler) if your Java based image uploader supports a proxy. Other than that you can use a packet sniffer like Wireshark or break your debug session at a point with a HttpContext, e.g. in Global.asax at BeginRequest.