Assign an openAM user to Activiti Processes - ldap

How can I assign an openAM user to the Activiti processes?
I have an openAM that is running on Apache and, side by side, I have a Spring application with Activiti Processes.
How can I add a user through openAM to my BPMN process?
1. I have integrated my openAM with the Activiti process application.
<?xml version="1.0" encoding="UTF-8"?>
<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL"
xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI"
xmlns:dc="http://www.omg.org/spec/DD/20100524/DC"
xmlns:di="http://www.omg.org/spec/DD/20100524/DI"
xmlns:activiti="http://activiti.org/bpmn"
id="sample-diagram"
targetNamespace="http://bpmn.io/schema/bpmn"
xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd">
<bpmn2:process id="sampleproc-e9b76ff9-6f70-42c9-8dee-f6116c533a6d" name="Sample Process" isExecutable="true">
<bpmn2:documentation />
<bpmn2:startEvent id="StartEvent_1">
<bpmn2:outgoing>SequenceFlow_0qdq7ff</bpmn2:outgoing>
</bpmn2:startEvent>
<bpmn2:userTask id="UserTask_0b6cp1l" name="User Task 1" activiti:assignee="demo">
<bpmn2:incoming>SequenceFlow_0qdq7ff</bpmn2:incoming>
<bpmn2:outgoing>SequenceFlow_1sc9dgy</bpmn2:outgoing>
</bpmn2:userTask>
<bpmn2:sequenceFlow id="SequenceFlow_0qdq7ff" sourceRef="StartEvent_1" targetRef="UserTask_0b6cp1l" />
<bpmn2:serviceTask id="ServiceTask_1wg38me" name="Service Task 1" implementation="serviceTask1Impl">
<bpmn2:incoming>SequenceFlow_1sc9dgy</bpmn2:incoming>
<bpmn2:outgoing>SequenceFlow_0t37jio</bpmn2:outgoing>
</bpmn2:serviceTask>
<bpmn2:sequenceFlow id="SequenceFlow_1sc9dgy" sourceRef="UserTask_0b6cp1l" targetRef="ServiceTask_1wg38me" />
<bpmn2:endEvent id="EndEvent_0irytw8">
<bpmn2:incoming>SequenceFlow_0t37jio</bpmn2:incoming>
</bpmn2:endEvent>
<bpmn2:sequenceFlow id="SequenceFlow_0t37jio" sourceRef="ServiceTask_1wg38me" targetRef="EndEvent_0irytw8" />
</bpmn2:process>
</bpmn2:definitions>

You may have several options, based on your deployment.
If you use 'domain cookies' you could just use a simple servlet filter based on https://backstage.forgerock.com/docs/openam/13.5/apidocs/com/iplanet/sso/SSOTokenManager.html
You could do the same if OpenAM and your web app are accessed via the same FQDN (e.g. using an HTTP reverse proxy).
If OpenAM and the FQDN used to access the Spring app do not share a cookie domain, you could either use an OpenAM Policy Agent that solves this for you, or you could use an internet-standards-based approach by leveraging SAML or OIDC.
Spring Security has modules for both, or you apply a module in an HTTP reverse-proxy server (e.g. Apache HTTP Server with mod_auth_mellon for SAML or mod_auth_openidc for OIDC).
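One way to implement the servlet-filter option from the answer above, as an added example that is not code from the original post, from OpenAM or from Activiti. It assumes the OpenAM client SDK, the Activiti engine and Spring Web are on the classpath, that the filter is registered in the Spring app in front of the Activiti endpoints, and that the `identityService` constructor argument is wired by Spring; the process definition is assumed to carry `activiti:initiator="initiator"` so that `${initiator}` resolves.

```java
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import org.activiti.engine.IdentityService;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Validates the OpenAM session cookie with SSOTokenManager and hands the user id
// to Activiti for the duration of the request (added example, not project code).
public class OpenAmSsoFilter extends OncePerRequestFilter {
    private final IdentityService identityService; // assumption: injected by Spring

    public OpenAmSsoFilter(IdentityService identityService) {
        this.identityService = identityService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String userId;
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            // Builds the token from the OpenAM session cookie (iPlanetDirectoryPro by
            // default); the browser only sends it here when the cookie domain is shared
            SSOToken token = manager.createSSOToken(request);
            if (!manager.isValidToken(token)) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // "UserId" is the login name (e.g. "demo"); getPrincipal() would return the full DN
            userId = token.getProperty("UserId");
        } catch (SSOException e) {
            // No cookie, or a session that OpenAM does not recognise or has expired
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Activiti records this id as the initiator of any process started in this
        // request, so a userTask with activiti:assignee="${initiator}" (instead of the
        // hard-coded "demo") is assigned to the OpenAM user.
        identityService.setAuthenticatedUserId(userId);
        try {
            chain.doFilter(request, response);
        } finally {
            identityService.setAuthenticatedUserId(null); // never leak identity to the next request
        }
    }
}
```

The filter only authenticates; which OpenAM users may start or complete a given task is still decided by the process definition and Activiti's own authorization.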

Related

ASP.NET Core TLS client certificate authentication only for a specific API location

Is it possible in ASP.NET Core (standalone) to activate authentication with client certificates only for a specific location (API or page)?
With IIS it is possible to define a configuration file for a folder.
<configuration>
<system.webServer>
<security>
<access sslFlags="Ssl,SslNegotiateCert,SslRequireCert" />
</security>
</system.webServer>
</configuration>
Can I configure the ASP.NET Core Kestrel server in a similar way?
Steeltoe provides a client certificate auth library that is based on Microsoft's client certificate authentication but allows authorization policies to be applied per endpoint.
It was built with some additional features specific to Cloud Foundry (including pre-built authorization policies based on data inside the certificate), but you can likely ignore those pieces or build your own policies. There are some sample apps in this repo that should help demonstrate how it works.

Apache Camel SAML authentication

Has anyone implemented SAML SSO authentication using Apache Camel? I need sample authentication code for the same in Apache Camel. I checked the Camel site but didn't find any useful information.
Read the section on Spring Security integration: you need to implement the AuthorizationPolicy using the camel-spring-security module. The Spring Security SAML project on GitHub has a sample application.

How to publish an existing API on WSO2 ESB

I can't seem to find a simple article on how to publish an existing REST API through WSO2 ESB as a proxy.
I have an existing API which responds with either JSON or XML output based on the Content-Type header. I would like to publish this API through the WSO2 ESB as a proxy. I don't think WSO2 Application Server is needed in this case, as the REST API is running on its own app server.
API:
http://somehost.com:8001/api/BusinessApi/GetContentTypes
Response:
[{"contentTypeID":1,"name":"Movies","isTop":true,"subLevels":1,"contentTypeIdBase":1},{"contentTypeID":2,"name":"TV Show","isTop":true,"subLevels":3,"contentTypeIdBase":4},{"contentTypeID":3,"name":"TV Season","isTop":false,"subLevels":2,"contentTypeIdBase":4},{"contentTypeID":4,"name":"TV Episode","isTop":false,"subLevels":1,"contentTypeIdBase":4},{"contentTypeID":5,"name":"Music Album","isTop":true,"subLevels":2,"contentTypeIdBase":6},{"contentTypeID":6,"name":"Music Track","isTop":false,"subLevels":1,"contentTypeIdBase":6},{"contentTypeID":7,"name":"Music Video","isTop":false,"subLevels":1,"contentTypeIdBase":7},{"contentTypeID":8,"name":"Book Set","isTop":false,"subLevels":1,"contentTypeIdBase":8},{"contentTypeID":9,"name":"Books","isTop":true,"subLevels":1,"contentTypeIdBase":9}]
The objective is to publish the API via WSO2 ESB and try to achieve the actions below:
Logging the API calls
Messaging/forking calls based on a criterion
Centralizing the authentication model for all API calls
Is it possible to just run the ESB server to achieve this?
Thanks in advance!!
Setting up a proxy API can only be done by
adding an API under Main -> Service Bus -> APIs.
Give the API a custom name, which is its identity on WSO2 ESB.
Give the context, which is your custom resource.
Go to the source view and add the source below.
Begin of snippet
<api xmlns="http://ws.apache.org/ns/synapse" name="GetC" context="/api1">
<resource methods="GET" url-mapping="/">
<inSequence>
<log/>
<send>
<endpoint>
<address uri="http://somehost.com:8001/api/businessApi/GetContentTypes"/>
</endpoint>
</send>
</inSequence>
<outSequence>
<log/>
<send/>
</outSequence>
</resource>
</api>
End of snippet
You should now be able to access the API via the ESB proxy URL.
With your approach, you have created an API in ESB which passes the request to your backend API. During this you expect to log every API call and control authentication too. I didn't understand the forking requirement.
Have you tried WSO2 API Manager? It will allow you to make your API a managed API, i.e. you will be able to control access to your API via OAuth tokens. You can log the API calls too (although it's not a good thing to log every call, for performance reasons).
If you integrate it with WSO2 DAS, you will be able to see some useful stats too. This is the API Manager documentation:
https://docs.wso2.com/display/AM1100/WSO2+API+Manager+Documentation

Consume WCF library in Silverlight 4 application

An error occurred while trying to make a request to URI: 'http://localhost:8732/Design_Time_Addresses/WCF/Service1/'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details.
The error appears when a result is returned from the WCF.
I consumed this WCF via console, website and WinForms, and it works properly.
I use 2 XML files in the WCF library:
clientaccesspolicy.xml
crossdomain.xml
It used to make my brain hurt too.
I figured out for my use I needed this file:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
named clientaccesspolicy.xml
The trick is that it has to be at the root of your web server. That being said, you need to be able to browse the file. In your case it is located at:
http://localhost:8732/clientaccesspolicy.xml
If you cannot see the file, Silverlight will always complain, and boy does it complain whenever it can!
I should point out that my policy file is not restrictive, so use it wisely.
Oh, that problem. Besides the cross-domain issue, you cannot run the debugger from VS2010, which is what I gather from that localhost URL. Try publishing the Silverlight app on the domain or server that your WCF is on. For example, if your web service is on http://10.xx.xx.xx/sites/myWCF, publish your Silverlight app on http://10.xx.xx.xx/sites/MySilverlightApp. Your debugger is going to run as http://localhost:somePort, which is definitely going to give you problems even with a cross-domain policy file. Apart from that, ensure that your config file for your web service is correct. Ensure all the interfaces have endpoint bindings and there is a host on the main service location (sounds obvious, but it is a common error).

How to control what WCF Authentication will deny?

I am learning and designing a WCF service. I have picked Windows credentials as the authentication method, and I have configured it correctly, hopefully, because I can see the authentication audit log in the event log viewer when I am testing my service hosted on the local machine.
But now I come up with this weird question: what users will not be authenticated under such a configuration? Does my service authenticate all Windows users within the same Windows domain, or can I specify which specific users within my domain will/will not get authenticated?
Or does it mean that I can only control which users (in my domain) can perform which operations my service provides through authorization (which I know how to do)?
It sounds simple, but all the material I found only tells you how to perform authentication; it doesn't say how to deny an authentication request.
Update:
After reading #syneptody's answer, I still have two questions:
I must say my confusion between authentication and authorization is still there. Authentication means identifying the user. But if I want to tell a user belonging to the same domain as the service host (it's IIS, by the way), who just makes a request to my service, "you are not authenticated", what I really should say is "I do authenticate you, but you are not authorized (to perform your request)", is that right? Is there no state of "unauthenticated" for a user in my domain? And what if a user not belonging to my domain makes a request? Will my service tell him "You are not authenticated" or "You are not authorized"? As long as this user has an identity, will the service authenticate it and continue to investigate whether it should be authorized?
#syneptody mentioned the "authorization" element. It belongs to ASP.NET, and it specifies which roles can/can't access the resource (whether it is the website or an application hosted in the website, depending on which Web.config file it is in). Is that right? But what if I don't use ASP.NET or don't host the WCF in ASP.NET Compatibility Mode; will it still work like that? Actually, the requirement for us is only to provide the service, so I didn't think of using ASP.NET because in my opinion it is more like a web client consuming my service.
By the way, my usage scenario is that this service will be hosted and consumed within the intranet. So I chose Windows credentials for authentication and Windows groups for role-based authorization because it requires minimum work in my opinion.
Take a look at this article:
http://msdn.microsoft.com/en-us/library/aa702682.aspx
It does a pretty good job explaining the connection between WCF and ASP.NET. If you are able to run your services in ASP.NET compatibility mode you can use the ASP.NET authorization rules. In a domain environment where you can leverage Integrated Authentication there is no easier way to provide authorization to your services.
Your service implementation:
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior]
public class Foo { ... }
Then in your configuration:
<system.web>
<authorization>
<allow users="?" />
<allow roles="DOMAIN_SECURITY_GROUP" />
<deny users="*" />
</authorization>
<authentication mode="Windows" />
<identity impersonate="false" />
</system.web>