We are using ktor 2.1.0 version and have configured multiple JWK providers.
Our application have 3 endpoints, one is health check without authorization.
When one of the JWK providers starts responding very slow, our application endpoints stops responding (event that without authorization health check) and waits while first request for the slow JWK provider will be finished.
It's look like what all Ktor stops responding during bearer token validation.
Can it be some configuration issue? Or it is a bug in Ktor?
We upgraded jwks-rsa to the 0.21.2 version. This one gives us ability to set the timeouts, but with these timeouts we cover the problem, but not solving.
Related
I have a few WCF Services with wsHttpBinding with TransportWithMessageCredential security. Windows credentials must be provided on each request and therefore are used for authentication (by design by AD), authorization (with AD by AZman) and to identity the user who performed the action (auditory purposes).
The thing is now I need to perform some load tests on these services, using Jmeter, and I'm strugling how can I authenticate the user for each request, I was wondering if anyone had ever mede this?
I really need to test with this security concern because the authentication and authorization processes are part of the load tests itself. I could remove them but then the load tests wouldn't be accurate.
The solutions I have in my mind are:
Ensure this is possible to achieve via JMeter
Create a WCF Routing Service on top of these services, exposed as basicHttpsBinding which then routes the requests to appropriate destination service, performing impersonation (seems to be a choise but it is not the original test case as well)
Remove security for load test purposes, but then a part of the tests would be removed as well (along with security)
Out of box JMeter doesn't support any SOAP security implementations so you might want to use i.e. WS Security for SOAP plugin
You should be able to provide your Windows credentials via SOAP Message UsernameToken
and the plugin will generate the relevant wsse:Username token
More information: Running SOAP WS-Security Load Tests in JMeter
I have a couple of projects:
Chat - SignalR backend (ChatHub)
Web - MVC project that hosts clientside scripts, including those that make calls to the Chat project
I'm in the process of migrating from .NET Framework to .NET Core and am moving to SignalR for Core as part of this work. Cookie authentication is working correctly on the old version, but upon migrating to SignalR for Core, I appear to be having problems.
Cookie authentication is enabled in both projects. The Web project works fine and the Auth cookie is correctly recognised and used for authentication. The Chat project, however, is not correctly authenticated against the cookie, despite the cookie being included at least in the negotiate request:
When I make a call to the ChatHub, Context.User.Identity.Name is empty. The same call returns a populated name when run on the Web project. If I decorate the ChatHub with [Authorize], the call fails with a 401.
Here's a minimalistic repro project showing the issue.
I assume the problem is related to the Authentication I have configured, or perhaps the cross-domain nature of the call?
This documentation is pretty unhelpful, and only says the following:
In a browser-based app, cookie authentication allows your existing user credentials to automatically flow to SignalR connections. When using the browser client, no additional configuration is needed. If the user is logged in to your app, the SignalR connection automatically inherits this authentication.
This appears under some very basic configuration, which basically only calls app.UseAuthentication(). Alas, that configuration does not work for me.
How do I set Cookies authentication in SignalR for Core so it works across two projects?
The issue is that by default, the Data Protection system that ASP.NET Core uses to encrypt the auth ticket isolates apps from one another.
You need to configure data protection on each project you wish to share protected payloads to use the same key ring and app identifier:
services.AddDataProtection()
.SetApplicationName("<appName>")
// as well as the following calls if your projects are to be deployed on different machines
.PersistKeysToAzureBlobStorage(new Uri("<blobUriWithSasToken>"))
.ProtectKeysWithAzureKeyVault(new Uri("<keyIdentifier>"), new DefaultAzureCredential());
We are making a cloud native enterprise business application on dotnet core mvc platform. The dotnet core default api gateway between frontend application and backend microservices is Ocelot used in Async mode.
We have been suggested to use RabbitMQ message broker instead of Ocelot. The reasoning given for this shift is asynchronous request - response exchange between frontend and microservices. Here, we would like to declare that our application would have few hundred cshtml pages spanning over several frontend modules. We are expecting over thousand users concurrently using the application.
Our concern is that, is it the right suggestion or not. Our development team feels that we should continue using Ocelot api gateway for general request - response exchange between frontend and microservices and use RabbitMQ only for events which are going to trigger backgroup processing and respond after a delay when the job gets completed.
In case you guys feel that yes we can replace Ocelot, then our further concerns about reliable session based request and response. We should not have to programmaticaly corelate response to session requests. Here it may please be noted that with RabbitMQ we are testing with dotnet core MassTransit library. The Ocelot API Gateway is designed to handle session based request-response commnunication.
In RabbitMQ should we make reply queue for each request or should the client maintain a single reply queue for all requests. Should the reply queue be exclusive or durable.
Can single reply queue per client be able to serve to all request or will it be correct to make multiple receive endpoint based on application modules/cshtml pages to serve all our concurrent users with efficient way.
Thanking you all, we eagerly wait for your replies.
I recommend to implement RabbitMQ. You might need to change ocelot to rabbit mq.
I am using Cometd 3.0.1 with jetty 9.2.3 using JSR 356 based websocket implementation (and not jetty's own websocket implementation).
I have added some auth filters which basically ask for authentication headers from request. But as websocket upgrade happen as a part of websocketupgrade filter, is there a way to make authentication work here?
Authenticating via a Filter is the wrong way to accomplish authentication.
Correct Solution:
The servlet spec expects you to setup and configure the the authentication and authorization layers of your application using the servlet techniques of both the container and the application metadata (WEB-INF/web.xml)
This means you setup a the container side security, either using the Jetty container specific LoginService, or using a JAAS spec configuration. Then you reference your security realms in your WEB-INF/web.xml and use them. If you have something custom, then you can hook into the LoginService of your choice (even a custom one) and manage it accordingly.
JAAS and LoginService Authentication and Authorization is applied before all filters and servlets.
In this scenario, you'll have access to the authentication information during the upgrade process, in particular during the ServerEndpointConfig.Configurator.modifyHandshake()
Ugly Hack Solution:
Add the org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter to your WEB-INF/web.xml manually.
This then leaves it up to you to attempt to get your authentication filter to exist before this WebSocketUpgradeFilter in 100% of use cases.
Caution: filter execution ordering is not part of the servlet spec. Be careful with this, as it might seem to be working on your dev machine and then suddenly not work in QA or production. Simply because the Set of filters in the metadata will have a different order in it.
Notes:
Path Spec must be /*
Async Supported must be true
Dispatcher Types must be REQUEST only.
Do not set the contextAttributeKey for that filter
All other WebSocketUpgradeFilter init-params are invalid for JSR-356 use (they are overridden by the various JSR-356 endpoint configurations)
We are planning to have multiple client views/UIs (E.g. Customer facing UI and Internal UI) on one (same) set of web services which perform end-to-end operation needed for both views/UIs including login. I am assuming this is possible with minor modifications to the out of the box code generated by Jhipster. Mainly around ..
- enabling CSRF
- changing WebConfigurator, ???
- decoupling web services from UI into separate wars/apps
- pointing to the new web services url in the client side
- ???
I would like to know experts opinion on achieving the same, and kind of changes and effort involved.
CSRF will work with JHipster 2, be careful as currently Spring Security and AngularJS don't use the same CSRF cookie (and thus, don't work!)
I would limit the URL access, maybe by IP adress, either in the Spring Security configuration or per endpoint (by adding security annotations per endpoint)