Is it any difference between certificates for development and production servers?
If I have my_certificate.p12 and for ApnService provide that information
<bean id="apnsServiceFactory" class="org.apache.camel.component.apns.factory.ApnsServiceFactory">
<property name="feedbackHost" value="feedback.sandbox.push.apple.com" />
<property name="feedbackPort" value="2196" />
<property name="gatewayHost" value="gateway.sandbox.push.apple.com" />
<property name="gatewayPort" value="2195" />
<property name="certificatePath" value="file:etc/my_certificate.p12" />
<property name="certificatePassword" value="111" />
</bean>
would it be equal with that?
<bean id="apnsServiceFactory" class="org.apache.camel.component.apns.factory.ApnsServiceFactory">
<property name="feedbackHost" value="feedback.push.apple.com" />
<property name="feedbackPort" value="2196" />
<property name="gatewayHost" value="gateway.push.apple.com" />
<property name="gatewayPort" value="2195" />
<property name="certificatePath" value="file:etc/my_certificate.p12" />
<property name="certificatePassword" value="111" />
</bean>
I mean, will I be able to get some pushes and feedback with only 1 certificate, or I must have both?
And for test in development, should I use gateway.sandbox.push.apple.com or I can use feedback.push.apple.com ?
While you are in development mode, i mean for the builds installed in device via Xcode or OTA, the notifications must use development certificates and need to use gateway.sandbox.push.apple.com for sending notifications.
But while in production mode, i mean once you have tested everything looks good, and uploaded build to AppStore/TestFlight. So, for those builds, you required to use production/distribution certificates and required to sent via feedback.push.apple.com.
UPDATE:
If you required common way for both development and distribution. Then stop using certificates, instead start using token based APNs keys for the same. You can refer more detail about token based APNs keys over here: https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_token-based_connection_to_apns
Related
I am implementing a multitenant application with the spring security saml extention.
I have a Service Provider (SP) for each tenant.
All SPs runs on the same server exposed with SP-specific 2nd level domain:
sp1.myapp.com/myapi/1/
sp1.myapp.com/myapi/2/
In each SP metadata file I have configured the tenant-specific AssertionConsumerService.
When I test the SSO Login, I get a KO on SP side when it gets the response of the Identity Provider (IDP).
On Log side i see only:
ERROR [BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://sp1.myapp.com/myapi/saml/SSO' did not match the recipient endpoint 'https://default.myapp.com/myapi/saml/SSO'
Where the 'https://default.myapp.com/myapi/saml/SSO' is the URL set as serverName of the load balancer context provider:
<bean id="lbContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB" init-method="afterPropertiesSet">
<property name="metadata" ref="metadata" />
<property name="keyManager" ref="keyManager" />
<property name="scheme" value="https" />
<property name="serverName" value="default.myapp.com" />
<property name="contextPath" value="/myapi" />
<property name="serverPort" value="443" />
<property name="includeServerPortInRequestURL" value="true" />
</bean>
Question
In the docs.spring.io/spring-security-saml I see that
Service provider can now define multiple assertion consumer endpoints with same binding
How can I configure it?
Does it conflict with load balancer context provider?
Can I provide multiple AssertionConsumerService with different 2nd level domains without reproduction this conflict?
I already tested:
This question seems to be fixed with the LB, but anyone knows if I can provide multiple serverName to load balancer context provider (maybe with a dynamic pick)?
Disable the checking of the InResponseToField as suggested at ch.13 docs.spring.io/spring-security-saml and for this and this question.
Configure the defaultTargetUrl of the successRedirectHandler (where I am using a custom superclass of org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler) as suggested for this question. In addition this solution is not multitenant.
<bean id="successRedirectHandler" class="org.MySamlAuthenticationSuccessHandler"
init-method="afterPropertiesSet">
<property name="contextPath" value="/myapi" />
<property name="defaultTargetUrl" value="https://default.myapp.com/myapi/saml/SSO"/>
<property name="requireProxyWrapping" value="false"/>
</bean>
Customize SAMLContextProviderLB by extending SamlContextProviderLB.
In custom class, add constructor and initialize with default values.
Override getLocalAndPeerEntity/getLocalEntity/populateLocalEntityId. In each of this method set lbDomain based on domain in requestURL.
above approach worked for me.
I'm new to Spring security and cas.
In my project I have a cas(CenteralAuthenticationServer) server and a service server.
I want to implement Switch user filter for some users in my application.
Where I should put these lines?
<bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<property name="userDetailsService" ref="userDetailsService" />
<property name="switchUserUrl" value="/j_spring_security_switch_user" />
<property name="exitUserUrl" value="/j_spring_security_exit_user" />
<property name="targetUrl" value="/index.jsp" />
</bean>
In my cas project or in my web application?
Should I tell tomcat to use this filter in web.xml?
Is there any implementation example?
Should I create java class to implement this fitler?
Add it in your web application (dispatcher-servlet.xml). Check this example if you need.
switch user link
We have many CXF web services running under Tomcat. For each of the services, there is a beans config file, with each one having an entry like the one below. The variable ${JMX.PORT} is replaced with the assigned port at runtime. Each service has a separate port. I have looked everywhere but cannot confirm that this is correct. I do know, however, that having the same port for two or more services causes startup issues. So, I am looking for confirmation that each service should have its own port. Note - When I look at a service remotely using JConsole, with a connection string such as service:jmx:rmi:///jndi/rmi:/192.168.29.35:9912/jmxrmi, I can also see the other services, even though they have different port assignments. That makes no sense, unless there are some kind of shared resources. Can anyone help me to understand this? Thanks!
<bean id="org.apache.cxf.management.InstrumentationManager" class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
<property name="bus" ref="cxf" />
<property name="enabled" value="true" />
<property name="threaded" value="false" />
<property name="daemon" value="false" />
<property name="usePlatformMBeanServer" value="true"/>
<property name="JMXServiceURL" value="service:jmx:rmi:///jndi/rmi://localhost:${JMX.PORT}/jmxrmi" />
</bean>
I nedd to localize application and now files are loaded from text files. Is it possible to change source to database?
This is how localized messages are now loaded:
<!-- Application Message Bundle -->
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="/WEB-INF/messages/messages" />
<property name="cacheSeconds" value="0" />
</bean>
You can implement your own by extending AbstractMessageSource
Apparently this was asked in Spring some time ago but there were not enough people who wanted it I think.
https://jira.springsource.org/browse/SPR-364 is the JIRA and there is a JAVA file attached which is a good starting point (you need to set the SQL statement though)
Some relevant discussions are
http://forum.springsource.org/showthread.php?t=18194
http://forum.springsource.org/showthread.php?t=14610
<bean id="ntlmFilter" class="org.springframework.security.ui.ntlm.NtlmProcessingFilter">
<security:custom-filter position="NTLM_FILTER" />
<property name="stripDomain" value="true" />
<property name="defaultDomain" value="company" />
<property name="domainController" value="192.168.1.1" />
<property name="authenticationManager" ref="_authenticationManager" />
</bean>
may i know how to set failover second controller?
Unfortunately, NTLM isn't supported by Spring 3.
If using a secondary domain controller is a critical requirement for your application, I think you'll need to look into the jcifs source. Even jcifs doesn't want to support NTLM anymore either. But the old libraries are out there. I've hacked around so that my app will invisibly authenticate users whether they're from domainA or domainB. So it's possible, although possibly a bit daunting.
If I understood your question properly, you are looking for a fallback authentication provider, You can setup a list of authentication managers, so that if first one fails, it will automatically check with second one.
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ntlmServiceAuthenticationProvider"/>
<security:authentication-provider ref="ldapAuthProvider"/>
</security:authentication-manager>