Grant Authorization to users with LDAP Authentication - authentication

I've set up an LDAP Directory Authentication Scheme on Oracle Apex (v21.1) like this, and created the ACL on my Database:
If I try to test the LDAP Login, it's working (using my firstname.lastname). I replaced the IP Address and the domain name for confidential purposes.
I can connect to my application, but I cannot access it: I can't land on the home page, because I need an authorization scheme based on the groups the users are in.
In my company, there are multiple departments, each of which has a group in Microsoft Active Directory that gives them access to the application; the groups are named like this: GRP_Inventaire_Dpt1, GRP_Inventaire_Dpt2, GRP_Inventaire_Dpt3, ...
I tried to create an Authorization Scheme based on this tutorial:
https://blog.jonas-hellmann.de/authorization-in-oracle-apex-with-ldap-groups/
I tried to adapt the code of the function as you can see on the chapter 2.3 of the tutorial, here's how I did:
And here's my authorization scheme:
As you can see on the screen, I have to write the exact group name to access my application, but I would like to have the possibility to check whether the user is in a group which starts with "GRP_Inventaire_", no matter what department he is in.
Unfortunately, some things already seem weird. Why does the password need to be statically written down in the function? How can I have it dynamically in the function based on the LDAP Authentication Scheme? However, I know that I can use the p_username parameter for the username.
**Finally, if I try to connect to my application, I get the error message of my Authorization scheme:**
To summarize what I'm looking for:
Authorization scheme based on the user logging in
Check if the user is part of a group which starts with "GRP_Inventaire_"
The function needs to dynamically have the credentials of the user connecting
Do not hesitate to ask questions for more details.

Don't you need to check the user's security group with something like this?
DECLARE
  VAL BOOLEAN;
BEGIN
  VAL := APEX_UTIL.CURRENT_USER_IN_GROUP('xxx');
  RETURN VAL;
END;

Related

Authorization issue in NetSuite using OAuth

I am working on NetSuite and I'm new to it, so I need help. After creating roles and assigning a user to that specific role, I want to assign them to an application created using the integration record. When I wanted to create an access token, after selecting the application in the application name drop-down, I am not finding any users or roles in the user drop-down box and the role drop-down box:
This is where I am facing the problem. So I need a solution to select users in the drop down box.
This link tells you all you need to know about setting up TBA and the correct basic permissions needed:
Token Based Authentication
Your user needs to have a role assigned to it with the following basic permissions:
User Access Token: Full
Access Token Management: Full
Web Services: Full
Once this role has been assigned to your user, the user will be available for selection when creating a token.
Go to the role you have setup for this OAuth and click Permissions tab > Setup and make sure User Access Tokens permission is there.
Here are the docs for setting up TBA roles. Maybe you are missing one of the permissions?
Getting Started with Token-based Authentication

Login using additional parameters in LDAP

We have integrated Websphere commerce with LDAP and the proper login flow is working fine.
We have a requirement that a user can have the option to log in using his phone number and also his membership card.
Currently we are storing the phone number and membership card in the LDAP database as well.
We are unable to use these fields for login. Can someone give some pointers on this?
WAS has Standalone and Federated LDAP authentication.
Standalone LDAP configs in WebSphere allow you to construct your own LDAP search that's used to map a web username to a DN. You can list multiple attributes using LDAP filter syntax (|(phone=%v)(membershipcard=%v)...
https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_ldapfilter.html
Modify the user filter, if necessary. The user filter is used for searching the registry for users and is typically used for the security role-to-user assignment. The filter is also used to authenticate a user with the attribute that is specified in the filter. The filter specifies the property that is used to look up users in the directory service. In the following example, the property that is assigned to %v, which is the short name of the user, must be a unique key. Two LDAP entries with the same object class cannot have the same short name. To look up users based on their user IDs (uid) and to use the inetOrgPerson object class, specify the following syntax: (&(uid=%v)(objectclass=inetOrgPerson))
Federated registries take a semi-colon separated list of LDAP attribute names used for the same purpose.
https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twim_ldap_settings.html :
All login properties are searched during login. If multiple entries or no entries are found, an exception is thrown. For example, if you specify the login properties as uid;mail and the login ID as Bob, the search filter searches for uid=Bob or mail=Bob. When the search returns a single entry, then authentication can proceed. Otherwise, an exception is thrown.
Both are covered in gory detail in the manual.

Restricting Azure Identity Providers

I have set up authentication for my application using the Azure Rest API / OAuth 2 flow, following the steps outlined here:
https://ahmetalpbalkan.com/blog/azure-rest-api-with-oauth2/
I have created an ActiveDirectory application within Azure which is linked to an ActiveDirectory instance.
Inside my own application I have configured it to post to the following Azure OAuth endpoint:
https://login.windows.net/<<MY-AD-TENANT-ID>>/oauth2/authorize?client_id=<<GUID>>&response_type=code
This all works fine. I can authenticate against my ActiveDirectory using emails of the form
someuser@<myDomain>.com
However, I have realised that I can also authenticate using any valid Microsoft email address, which obviously means that anyone with a valid Microsoft email can get an access token for my application, e.g.
randomUser@hotmail.com
Can anyone tell me how I can restrict the authentication to just allow users who are in my Active Directory? Users with emails of the form
someuser@<myDomain>.com
I have looked through the documentation but have had no luck so far.
Mechanics of Token Validation
What does that really mean: to validate a token? It boils down to three things, really:
Verify that it is well-formed
Verify that it is coming from the intended authority
Verify that it is meant for the current application
Your problem is that you are not doing validation number 3.
You are probably missing something like this in your application where you are validating the token:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
    });
Currently I have the same problem and am trying to figure out a solution.
This is what I found out:
After authentication you get back a JSON Web Token (see this page https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx). After decoding this, several pieces of information are available. But I am not sure which of those could possibly make sure to only allow login from the specified Active Directory.
@Aram refers to the values audience (aud) and tenant (tid). Unfortunately audience is always set to the app_id given with the request and tenant is always set to the tenant-id of the Azure tenant, even though you are using a live.com account, for example.
Finally, I came up with the idea of checking for the existence of oid ("Object identifier (ID) of the user object in Azure AD.", https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx). I hope that this one will only be set if the user is part of the Active Directory that is issuing the authorization.
As a result, I set my app up to do the following: if in the decoded version of the id_token of the Access token response there is no oid property set, the login request will be rejected.
Problem is: I can't confirm that my approach works, because I don't have a second Azure AD and can't check whether only live/hotmail/... users will not be given an oid, but also users from different ADs. Maybe @bobbyr you could try that out and report?
Thanks to Thomas Ebert's prompt I've figured out a way to solve my problem. I don't know if it will help anyone else, but...
Basically when my app gets the token from Azure, before passing it on to the client, I can decode the JWT and just look at the email field.
In my case if the email address isn't one that belongs to my domain I can just send a 401 unauthorized back to the client.
It feels weird that Azure doesn't offer some way of doing this via config; maybe it does, but no one has answered this for me, and I've read enough of their docs now to want to pull my own eyes out so I never see the word Azure again...
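The three validation steps above (well-formed, issued by the expected tenant, meant for this application) plus the oid and email-domain heuristics from the later answers, as an added Python example that is not from any of the posters. It constructs its own HS256 tokens with a constructed shared secret so it runs offline; real Azure AD tokens are RS256-signed and must be verified against the tenant's published signing keys, and the tenant id, client id and allowed domain are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: shared secret (stand-in for Azure's RS256 keys),
# the application's tenant id and client id, and the allowed email domain.
SECRET = b"constructed-demo-secret"
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"
EXPECTED_AUDIENCE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ALLOWED_DOMAINS = {"mydomain.com"}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key=SECRET):
    """Build a constructed HS256 JWT so the validator can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token, key=SECRET, now=None):
    """Return (accepted, reason). Order: well-formed -> authority -> audience -> heuristics."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":          # never trust the token's own alg choice
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    if claims.get("tid") != EXPECTED_TENANT:  # check 2: issued by the intended authority
        return False, "wrong tenant"
    if claims.get("aud") != EXPECTED_AUDIENCE:  # check 3: meant for this application
        return False, "wrong audience"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "expired"
    if "oid" not in claims:                   # Thomas Ebert's heuristic
        return False, "no oid"
    domain = str(claims.get("email", "")).rpartition("@")[2].lower()
    if domain not in ALLOWED_DOMAINS:         # bobbyr's email-domain check
        return False, "email domain not allowed"
    return True, "ok"
```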

Oracle Apex user creation

I have an Apex application where you can add data: your name, address, phone number and email address, and I would like to create an Apex user with the email and a password "password" to log in. When you are logged in, you have access to certain pages.
So it would be a dynamic user generation based on the data you provide in the text fields.
Do you have any idea how I could manage to do that?
It should be something like a webshop where you register and then you have access.
I think your problem can be solved by defining an authorization scheme and an authentication scheme for the current page. You can use a Custom Authentication scheme for dynamic user creation.
Giving different access to different users is controlled by the authorization scheme.
Search section "8.2.2.8 Security" or Authentication or authorization into url
http://docs.oracle.com/cd/E37097_01/doc.42/e35125/bldr_pg_edit_att.htm#HTMDB25152

How to get username from openSSO/openAM system?

I'm currently using openAM to protect a small webapp of mine using a Java EE web agent. Someone tries to access the app, they get redirected to the openAM instance, they login, they go to the app. Simple stuff.
What I'd like is for openAM to pass the username that was successfully used to the web app. It's my understanding that "session attributes" should be used for this. When in the admin, I go to my Java EE webagent and open up the "Application" tab to see the "Session Attributes Processing". I see that HTTP_COOKIE is a choice for fetching.
1) is it the case that I should expect to see the username, if properly set up, as plaintext in the cookie?
2) what value do I enter in the session mapping to get the username? How do I find what value in the data store corresponds to this?
Thanks
We are using HTTP_HEADER with our agents. So if you are already using agents (which sounds like you are), then the following should work for you. In OpenAM web console:
Access Control > Top Level Realm > Agents > Web / J2EE / etc. > click on an agent
Application tab > Profile Attributes Processing section > Profile Attribute Fetch Mode:
Click on the "HTTP_HEADER" choice
Profile Attribute Mapping:
Map Key: [uid] ... Corresponding Map Value: uid
Click Add. It should look like [uid]=uid once you've added it. Add any other mapping you need that matches attributes to your backend authentication system. Ours is ldap.
In your web application, retrieve the HTTP Header elements and look for the token. It should look something like this: AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.AAJTSQABMDE.
You can then use the OpenAM REST interface to validate and retrieve attributes associated with the token such as user name, password, cn, etc. To retrieve all attributes, the URL would be like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
You can also specify attributes you want like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*&attributenames=uid&attributenames=userpassword
References:
https://wikis.forgerock.org/confluence/display/openam/Use+OpenAM+RESTful+Services
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index/chap-rest.html
1) Yes, the agent will create plaintext cookies (and if the user sends malicious ones it will recreate them just fine); however, using the HTTP_HEADER method to pass on attributes is considered a better solution (since it's not stored on the client side).
2) Session Attributes Processing only works if you actually stored something in the session. For that you can either use the "User Attribute Mapping to Session Attribute" feature in Authentication All Core Settings or write some custom module to save derivative values. Otherwise, if you just want to get the uid of the user, then use Profile Attributes Processing (uid key, HTTP_UID value, and your app will see a HTTP_UID cookie/header).