I followed this guide and cloned the authserver. The project has an authserver and a client (as a test). The example works fine, but if I remove the context-path property (I just want my app to work on /), it fails after the redirect back to the client. Example:
Go to the client (localhost:9999);
Redirected to the authserver (localhost:8080);
Login through GitHub;
Redirected to the authserver and immediately to the client with the following URL:
http://localhost:9999/login?code=dqoxz4&state=79qtJ5
Whitelabel error page responds:
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain access token
As I mentioned above, it fails only if context-path is / (or removed altogether). Otherwise, all works.
From your link:
The context path has to be explicit if you are running both the client
and the auth server on localhost, otherwise the cookie paths clash and
the two apps cannot agree on a session identifier.
We successfully run an app on / and the AuthServer on /uaa. Try setting context-path on your AuthServer. Look at the cookies from your app and the AuthServer: they should not have the same path.
EDIT:
Different domains should be fine. They don't share cookies. On the same host, like localhost, you must use a context path, because cookies are not port-specific. See: https://stackoverflow.com/a/16328399/926620
Alternatively, you can put domains in /etc/hosts (Linux) or c:\windows\system32\drivers\etc\hosts. Just add a line like:
127.0.0.1 website authserver
And then you can use http://website:9999 and http://authserver:8080 on same machine for development.
Or you can also set different names for the cookies. See http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html:
# authserver application.properties
server.session.cookie.name=auth
# client application.properties
server.session.cookie.name=web
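To make the cookie behaviour in this answer concrete, here is an added Python example (not code from the answer, from Spring Boot or from the Stack Overflow link) that replays the four setups with the standard library's http.cookiejar, which applies the same scoping rules as a browser: both apps on localhost with context path /, the auth server moved to /uaa, distinct cookie names set through server.session.cookie.name, and distinct hostnames taken from the hosts file. Ports, paths and the /oauth endpoints are those mentioned in the thread; the session ids and Set-Cookie headers are constructed for the demo.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Stand-in for an HTTP response: CookieJar only needs .info() returning the headers."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def store(jar, url, set_cookie):
    """Simulate the browser receiving a Set-Cookie header in the response to url."""
    jar.extract_cookies(_FakeResponse(set_cookie), urllib.request.Request(url))


def cookie_header(jar, url):
    """Return the Cookie header the browser would attach to a request for url ('' if none)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") or ""


def clash_same_path():
    """Client on localhost:9999 and auth server on localhost:8080, both with context path /."""
    jar = http.cookiejar.CookieJar()
    store(jar, "http://localhost:9999/login", "JSESSIONID=client111; Path=/")
    store(jar, "http://localhost:8080/oauth/authorize", "JSESSIONID=auth222; Path=/")
    # Same host (the port is ignored), same path, same name: the auth server's cookie
    # replaced the client's, so the client no longer finds its session after the redirect.
    return cookie_header(jar, "http://localhost:9999/login")


def fix_context_path():
    """Auth server moved to context path /uaa, as the answer recommends."""
    jar = http.cookiejar.CookieJar()
    store(jar, "http://localhost:9999/login", "JSESSIONID=client111; Path=/")
    store(jar, "http://localhost:8080/uaa/oauth/authorize", "JSESSIONID=auth222; Path=/uaa")
    # The client keeps its own session. The auth server still receives the client's Path=/
    # cookie as well, but its own, more specific Path=/uaa cookie is listed first.
    return (cookie_header(jar, "http://localhost:9999/login"),
            cookie_header(jar, "http://localhost:8080/uaa/oauth/token"))


def fix_cookie_names():
    """Both on /, but server.session.cookie.name differs per app (auth vs web)."""
    jar = http.cookiejar.CookieJar()
    store(jar, "http://localhost:9999/login", "web=client111; Path=/")
    store(jar, "http://localhost:8080/oauth/authorize", "auth=auth222; Path=/")
    # Both cookies travel to both apps, but each app only reads the name it configured.
    return sorted(cookie_header(jar, "http://localhost:9999/login").split("; "))


def fix_hostnames():
    """Distinct hostnames from the hosts file: cookies are scoped per host, nothing is shared."""
    jar = http.cookiejar.CookieJar()
    store(jar, "http://website:9999/login", "JSESSIONID=client111; Path=/")
    store(jar, "http://authserver:8080/oauth/authorize", "JSESSIONID=auth222; Path=/")
    return cookie_header(jar, "http://website:9999/login")


if __name__ == "__main__":
    for scenario in (clash_same_path, fix_context_path, fix_cookie_names, fix_hostnames):
        print(f"{scenario.__name__:18} -> {scenario()!r}")
```

clash_same_path() returns only the auth server's JSESSIONID for the client's own URL, which is exactly the state the client is in when the browser comes back with ?code=...&state=...: the session that stored the state is gone, so the token exchange fails. fix_context_path() shows why /uaa works even though the client's Path=/ cookie still reaches the auth server: a servlet container takes the first JSESSIONID it sees, and the cookie with the longer path is sent first.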
You can set the redirect URI in your client application:
security:
  oauth2:
    client:
      client-id: acme
      client-secret: acmesecret
      access-token-uri: http://localhost:8080/oauth/token
      user-authorization-uri: http://localhost:8080/oauth/authorize
      pre-established-redirect-uri: http://localhost:9999/client
and you can set it on the OAuth2 server while registering the clients.
But I think it returns to your ROOT context path; something like it not having enough permission on the root path, or another application using this context path...
I have embedded Jetty running on port 7000. Also, I have a keycloak server running on same machine on port 8100.
All my clients' access goes via Jetty, i.e. localhost:7000. So I have put Keycloak behind a reverse proxy on Jetty, i.e. localhost:7000/keycloak/auth will redirect to localhost:8100/auth. It is hitting correctly.
Now there is the KeycloakInstalled client to authenticate the user. I have provided the auth-url as http://localhost:7000/keycloak/auth. When I run this client, it correctly authenticates the user, but when returning the token it throws an exception that the auth-url (localhost:7000/keycloak/auth) given to it does not match the URL from the Keycloak server (localhost:8100/auth).
I tried out doing following also:
https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html
But, I am unable to generate X-Forward headers from Jetty.
Am I doing any basic thing wrong here?
Any pointers here would be very helpful.
Thanks.
I worked around it by mapping http://localhost:7000/auth (not localhost:7000/keycloak/auth) to http://localhost:8100/auth via the Jetty reverse proxy. It worked perfectly.
P.S. I also needed to add proxy-address-forwarding="true" in Keycloak's standalone.xml.
I'm using Apache JMeter for testing my Java application. When I hit the GTM (global traffic manager: this routes the traffic to a specific server depending on the load) URL https:// on port 443, everything works fine.
When I try to hit the specific server on which the application is deployed using the URL http:// on port 8080, I get a 401 unauthorized error because the cookies are coming as null in the request.
How can I fix this?
It's hard to guess what is the problem when you don't provide any code/configuration.
Probably you are running into an issue because of the same-origin policy (browsers and tools send only the cookies which belong to the origin to which you are sending the request).
I guess that you are retrieving cookies from https://someApp.com:443 and trying to reuse them with http://someapp.com:8080. The problem is that they are not the same origin (the port number is treated as part of the origin URL).
Check out these links:
JMeter Issue with SSO and Cookies
https://bz.apache.org/bugzilla/show_bug.cgi?id=56358
You could try disabling JMeter cookies checking:
Temporarily (once only), via -J command-line argument like:
jmeter -JCookieManager.check.cookies=false -n -t test.jmx -l result.jtl
Permanently, by adding the next line to the user.properties file (located in the "bin" folder of your JMeter installation):
CookieManager.check.cookies=false
JMeter restart will be required to pick the property up.
References:
Configuring JMeter
Apache JMeter Properties Customization Guide
HTTP Cookie Manager documentation
Notice that you have only 1 Cookie Manager.
If there is more than one Cookie Manager in the scope of a Sampler,
there is currently no way to specify which one is to be used. Also, a
cookie stored in one cookie manager is not available to any other
manager, so use multiple Cookie Managers with care
I am developing a web application with Kerberos (v1.0.1) authentication.
My aim is to provide a login through Windows authentication against Active Directory (Windows Server 2008 R2).
The problem is that the browser sends an NTLM ticket to the back end instead of a Kerberos ticket.
I used Wireshark to check the communication workflow:
I make a REST call on the back end
the application server responds to me with 401
the browser calls the Kerberos service on the Active Directory and receives the TGS_REP
now I expected the browser to call my REST service with the Kerberos token, but I received the NTLM token instead
My back end service, developed in Java, throws the following exception:
GSSException: Defective token detected
EDIT 1:
The first problem is that we used the IP to generate the SPN and the keytab. So we created the keytab this way:
ktpass /out c:\keytab\myuser.keytab /mapuser myuser@company.com /princ HTTP/myuser.company.com@WELLD.CH /pass mypassword /ptype KRB5_NT_PRINCIPAL /crypto All
Then we added our BE server to the DNS:
<ip_server> myuser.company.com
At the moment we can log in with Kerberos, and the BE (Spring Boot) successfully validates the Kerberos token, but we can't download the user information with KerberosLdapContextSource, so we adopted a workaround and used the DefaultSpringSecurityContextSource bean.
Does anyone have any ideas or references to rely on?
Thanks
I am new to Windows authentication and am facing a weird issue.
I have setup an application with SPNEGO filter library for Java.
All settings as per the documentations have been set.
Now when I open the URL of my application from another machine in the same domain, using any browser, I get a negotiation header such as
TlRMTVNTUAABAAAAl4II...
This means that it is an NTLM negotiation request.
If I start Fiddler and then try to run the same request for testing, I am getting a Kerberos authentication request.
YIIGgwYGKwYBBQUCoIIGdzCCBnOgMDAuBg...
This means that when I am calling through Fiddler, the browser is assuming that the system is on the same network.
I am unable to figure out why this is happening.
I need the Kerberos ticket even in normal execution.
Server: JBoss 4.3.2 GA
Does anybody have any idea?
thanks in advance
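This post and the Spring Boot one above ("GSSException: Defective token detected") come down to the same check: telling an NTLM token apart from a Kerberos/SPNEGO one in the Negotiate header. The following Python is an added example, not code from either post or from the SPNEGO filter library, that decodes the header: a base64 value starting "TlRMTVNTUAAB" decodes to the NTLMSSP\0 signature plus message type 1 (NTLM negotiate), while "YII..." decodes to a DER [APPLICATION 0] GSS-API token whose first OID is SPNEGO (1.3.6.1.5.5.2) or Kerberos (1.2.840.113554.1.2.2); for SPNEGO it also lists the mechanisms offered in negTokenInit. The two header prefixes quoted in the post are decoded as-is (truncated, so the mechanism list comes back empty); the complete SPNEGO token produced by build_spnego_neg_token_init is constructed for the demo and the OID constants are the public ones from RFC 4178, RFC 4121 and MS-SPNG.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos",
             MS_KRB5_OID: "MS Kerberos", NTLMSSP_OID: "NTLMSSP"}


def _b64decode_lenient(s):
    # Tokens quoted in posts and logs are often truncated and end in "...": re-pad them.
    s = s.strip().rstrip(".")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _der_tlv(buf, pos):
    """Read one DER tag+length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _spnego_mech_types(raw, pos):
    """Walk [0] negTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID."""
    oids = []
    try:
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, end = _der_tlv(raw, pos)
            if tag != expected:
                return oids
        end = min(end, len(raw))
        while pos < end:
            tag, start, stop = _der_tlv(raw, pos)
            if tag != 0x06 or stop > end:
                break
            oids.append(_decode_oid(raw[start:stop]))
            pos = stop
    except IndexError:
        pass  # token truncated, as in the abbreviated header quoted in the post
    return oids


def classify_negotiate_token(header_value):
    """Classify the token in an Authorization / WWW-Authenticate 'Negotiate <b64>' value."""
    raw = _b64decode_lenient(header_value.split()[-1])
    if raw.startswith(b"NTLMSSP\x00"):
        # NTLMSSP signature, then the message type (1/2/3) as a little-endian uint32
        msg_type = int.from_bytes(raw[8:12], "little") if len(raw) >= 12 else None
        return {"mech": "NTLM", "ntlm_message_type": msg_type}
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken ([APPLICATION 0]); the mechanism OID comes first
        try:
            _, pos, _ = _der_tlv(raw, 0)
            tag, start, stop = _der_tlv(raw, pos)
        except IndexError:
            return {"mech": "unknown"}
        if tag != 0x06:
            return {"mech": "unknown"}
        oid = _decode_oid(raw[start:stop])
        result = {"mech": OID_NAMES.get(oid, oid), "mech_oid": oid}
        if oid == SPNEGO_OID:
            result["mech_types"] = _spnego_mech_types(raw, stop)
        return result
    return {"mech": "unknown"}


# Minimal DER encoder so the example can build a complete, constructed SPNEGO token.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def build_spnego_neg_token_init(mech_oids):
    """Constructed sample: negTokenInit whose mechTypes offers mech_oids (no mechToken)."""
    mech_list = _der(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_list))
    return _der(0x60, _encode_oid(SPNEGO_OID) + _der(0xA0, neg_token_init))


def encode_negotiate_header(raw_token):
    return "Negotiate " + base64.b64encode(raw_token).decode()


if __name__ == "__main__":
    # The two header prefixes quoted in the post, decoded as quoted
    print(classify_negotiate_token("TlRMTVNTUAABAAAAl4II..."))
    print(classify_negotiate_token("YIIGgwYGKwYBBQUCoIIGdzCCBnOgMDAuBg..."))
```

Running the script on the two quoted prefixes confirms what the post infers by eye: the first is an NTLM type 1 (negotiate) message, the second a SPNEGO negTokenInit. A server-side GSS acceptor that only holds a Kerberos keytab cannot parse the NTLM blob, which is the "Defective token detected" symptom from the earlier post, so logging this classification on the 401/Authorization exchange is the quickest way to see which mechanism the browser actually chose before digging into SPN, DNS or zone settings.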
I'm new to authentication through the Kerberos protocol, so I tried to read a lot of how-tos on it, but it seems I can't find anything specific to my constraints. Here is what I have:
An Active Directory server on which users authenticate to log into their workstations
Each end user uses IE 7 to connect to my intranet application
An Apache server with load balancing
Some Tomcat servers acting as workers for the Apache server.
On each Tomcat I have 2 Jakarta servlets running; users connect to only one servlet (further on I will call it the servlet, as if there were only one)
My Tomcats need to run under JDK 5. Not JDK 6 or JDK 4. It's JDK 5, period.
Now I want users to get logged on to my servlet automatically. Basically I just need my servlet to retrieve the client's principal; then I can manage the rest.
Based on what I understood, my client has a ticket, he asks the KDC for a special ticket for accessing the Apache server, then he tries to connect to the Apache server. Based on its keytab, the Apache server then decodes the auth data and grants/refuses access to the specified resource.
Am I right? Please guide me through this; I've been reading pages for 4 days and still have no clue which solution is the more appropriate. I tried mod_auth_kerb for Apache, but instead of grabbing the user's ticket it asks for it like basic auth. Apparently SPNEGO
Thanks
OK, I got this working:
Install Kerberos 5 + Apache 2 + mod_auth_kerb.
On your AD, generate a keytab with only the principal you will use for Apache; I use HTTP/apache.mydom.com@MYDOM.COM
Put this keytab file on your Apache server and make it readable only by your Apache user.
Then edit your Apache conf with these directives for your secure location:
apache.conf:
[…]
ServerName apache.mydom.com:80
[…]
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[…]
<LocationMatch /secure>
    [… some other stuff …]
    Order allow,deny
    Allow from all
    AuthType Kerberos
    AuthName "Authentification requise"
    KrbAuthRealms MYDOM.COM
    # this allows the user to be saved in the request
    KrbSaveCredentials on
    # this enables the Negotiate AuthType (the Basic-auth fallback is controlled separately by KrbMethodK5Passwd)
    KrbMethodNegotiate on
    # this trims the realm from the username saved in the request (request.getRemoteUser() will give you "user" instead of "user@MYDOM.COM")
    KrbLocalUserMapping on
    KrbAuthoritative on
    KrbVerifyKDC on
    Krb5Keytab /install/binaries/httpd/apache.keytab
    KrbServiceName HTTP
    require valid-user
</LocationMatch>
And the one thing I almost failed to find on the web: you have to modify your Tomcat server config (tomcat/conf/server.xml):
<Connector [... AJP connector configuration ...] tomcatAuthentication="false"/>
This is really important, because without it your Tomcat won't pick up any auth info from Apache.
Don't forget, too, that DNS is really, really important for a Kerberos install. If you have any issue, try checking your DNS for all of your servers.