I'm new to Apache Isis, after I implemented Security Module, I try to login using isis-module-security-admin and pass. When I login I received this exception
11:38:48,577 [Native qtp1881129850-19 DEBUG] SELECT 'org.isisaddons.module.security.dom.user.ApplicationUser' AS "NUCLEUS_TYPE","A0"."accountType","A0"."atPath","A0"."emailAddress","A0"."encryptedPassword","A0"."familyName","A0"."faxNumber","A0"."givenName","A0"."knownAs","A0"."phoneNumber","A0"."status","A0"."username","A0"."id","A0"."version" FROM "isissecurity"."ApplicationUser" "A0" WHERE "A0"."username" = <'isis-module-security-admin'>
11:38:48,590 [Native qtp1881129850-19 DEBUG] SELECT 'org.isisaddons.module.security.dom.role.ApplicationRole' AS "NUCLEUS_TYPE","A1"."description","A1"."name","A1"."id" FROM "isissecurity"."ApplicationUserRoles" "A0" INNER JOIN "isissecurity"."ApplicationRole" "A1" ON "A0"."roleId" = "A1"."id" WHERE "A0"."userId" = <0>
11:38:48,599 [Native qtp1881129850-19 DEBUG] SELECT DISTINCT 'org.isisaddons.module.security.dom.permission.ApplicationPermission' AS "NUCLEUS_TYPE","A0"."featureFqn","A0"."featureType","A0"."mode","A0"."rule","A0"."id","A0"."version" FROM "isissecurity"."ApplicationPermission" "A0" CROSS JOIN "isissecurity"."ApplicationUser" "VAR_u" INNER JOIN "isissecurity"."ApplicationUserRoles" "C0" ON "VAR_u"."id" = "C0"."userId" INNER JOIN "isissecurity"."ApplicationRole" "D0" ON "C0"."roleId" = "D0"."id" WHERE "D0"."id" = "A0"."roleId" AND "VAR_u"."username" = <'isis-module-security-admin'>
11:38:48,614 [ShiroAuthenticatorOrAuthorizor qtp1881129850-19 ERROR] Unable to authenticate
org.apache.shiro.authc.AuthenticationException: No password encryption service is installed
It look like I did not install Password encryption service. but I already add it into my pom.xml. What else should I do?
I try to override getAdditionalServices, but it's error Can't override, method is final.
Which version of Apache Isis?
If 1.15.x, then the incode platform's quickstart archetype shows the configuration in the AppManifest, see here
Related
[Env: RStudio Version 1.4.1106, R version 4.0.2]
Since github disallowed authentication via userid/password, I've had problems pushing project updates from RStudio.
I setup a github PAT and installed this in .renviron
GITHUB_PAT=ghp.....
Checking, using usethis::sitrep(), it all looks OK, AFAICS: says 'Personal access token "discovered"'
> usethis::git_sitrep()
Git config (global)
* Name: 'Michael Friendly'
* Email: 'friendly#yorku.ca'
* Vaccinated: TRUE
i Defaulting to 'https' Git protocol
* Default Git protocol: 'https'
GitHub
* Default GitHub host: 'https://github.com'
* Personal access token for 'https://github.com': '<discovered>'
* GitHub user: 'friendly'
* Token scopes: 'gist, repo, user, workflow'
* Email(s): 'friendly#yorku.ca (primary)', 'michael.friendly#gmail.com'
Git repo for current project
* Active usethis project: 'C:/R/Projects/HistDataVis'
* Default branch: 'main'
* Current local branch -> remote tracking branch:
'main' -> 'origin/main'
GitHub remote configuration
* Type = 'ours'
* Host = 'https://github.com'
* Config supports a pull request = TRUE
* origin = 'friendly/HistDataVis' (can push)
* upstream = <not configured>
* Desc = 'origin' is both the source and primary repo.
Read more about the GitHub remote configurations that usethis supports at:
'https://happygitwithr.com/common-remote-setups.html'
>
Yet, when I try to push to github, I'm prompted with a userid/password dialog, which fails because github rejects password authentication.
Further checking: GITHUB_PAT seems to be OK,
> Sys.getenv("GITHUB_PAT")
[1] "ghp_T..."
>
What could be wrong? How can I test this otherwise? What can I do to fix this?
I haven't got around to doing this globally, yet, but this works on a repo-by-repo basis
git remote set-url origin git#github.com:username/repo.git
in the project's .git directory. (Not at all obvious.)
I'm try to integrate Zabbix UI with Keycloak SSO, using keycloak-proxy.
My setup is the following:
Nginx is the entry point: it handles the "virtual host", forwarding the requests to keycloak-proxy.
Keyclock-proxy is configured with client_id, client_secret, etc. to authenticate the users to Keycloak;
Zabbix dashboard on Apache, default setup: I enable the HTTP authentication.
I've created a test user both in Keycloak and Zabbix.
The authentication flow is ok: I'm redirected to KeyCloak, I do the authentication, but I always get "Login name or password is incorrect." from Zabbix UI.
What am I doing wrong?
Has anyone tried to use OIDC authentication with Zabbix?
I'm using Zabbix 4.0, KeyCloak 4.4, Keycloak-proxy 2.3.0.
keycloak-proxy configuration:
client-id: zabbix-client
client-secret: <secret>
discovery-url: http://keycloak.my.domain:8080/auth/realms/myrealm
enable-default-deny: true
enable-logout-redirect: true
enable-logging: true
encryption_key: <secret>
listen: 127.0.0.1:10080
redirection-url: http://testbed-zabbix.my.domain
upstream-url: http://a.b.c.d:80/zabbix
secure-cookie: false
enable-authorization-header: true
resources:
- uri: /*
roles:
- zabbix
Zabbix expects PHP_AUTH_USER (or REMOTE_USER or AUTH_USER) header with the username, but keycloak-proxy doesn't provide it. Let's use email as a username (you can use any claim from the access token in theory). Add email to the request header in the keycloak-proxy config:
add-claims:
- email
And create PHP_AUTH_USER variable from email header in the Zabbix Apache config:
SetEnvIfNoCase X-Auth-Email "(.*)" PHP_AUTH_USER=$1
Note: Conf syntax can be incorrect because it is off the top of my head - it may need some tweaks.
BTW: there is a (hackish) user patch available - https://support.zabbix.com/browse/ZBXNEXT-4640, but keycloak-gatekeeper is a better solution
For the record: keycloak-proxy = keycloak-gatekeeper (the project was renamed and migrated to keycloak org recently)
I want to implementation centralize auth using AWS Simple AD (samba). The client machine is linux based (ubuntu and amazon linux). Ony my ldap, i just creat one user (cn=test) under dc=ldap,dc=test,dc=io.
I am using sssd as the auth client from my linux machine. And here my /etc/sssd/sssd.conf :
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.test.io
ldap_default_bind_dn = dc=ldap,dc=test,dc=io
ldap_default_authtok = password01
ldap_default_authtok_type = password
ldap_search_base = dc=ldap,dc=test,dc=io
ldap_user_search_base = dc=ldap,dc=test,dc=io
ldap_group_search_base = odc=ldap,dc=test,dc=io
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
override_shell = /bin/bash
cache_credentials = true
enumerate = true
But, it looks like not working from the client, i didn't get the ldap user from my client (i execute this getent passwd).
And i got this error:
nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
nss_ldap: could not search LDAP server - Server is unavailable
No passwd entry for user 'test'
Here is my reference to configure the sssd client enter link description here
Any suggestion for this case ?
Thanks
The error message you are getting is from nss_ldap, not from nss_sss. So I assume in /etc/nsswitch.conf, you configured the ldap module either on its own or before sss. If the user information is to be returned by sssd then use the sss nsswich module.
I would also recommend to not use enumerate=true unless your directory is quite small.
In /etc/nsswitch.conf be sure to have:
passwd: files sss
shadow: files sss
groups: files sss
And of course in the stack of the /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac you have to use the pam_sss.so library.
I linked wirecloud and Idm recently. When i login into wirecloud and i land into my wirecloud i got the following error:
Sorry, but the requested page is unavailable due to a server hiccup.
Our engineers have been notified, so check back later.
My idm configuration is:
URL
http://151.80.41.166:50002
Callback URL
http://151.80.41.166:50002/complete/fiware/
I cant get more error info
Exception Type: AuthStateMissing
Exception Value: Session value state missing.
Exception Location: /usr/local/lib/python2.7/site-packages/social_core/backends/oauth.py in validate_state, line 90
Python Executable: /usr/local/bin/python
Python Version: 2.7.14
Python Path:
['/opt/wirecloud_instance',
'/usr/local/lib/python27.zip',
'/usr/local/lib/python2.7',
'/usr/local/lib/python2.7/plat-linux2',
'/usr/local/lib/python2.7/lib-tk',
'/usr/local/lib/python2.7/lib-old',
'/usr/local/lib/python2.7/lib-dynload',
'/usr/local/lib/python2.7/site-packages']
The problem was i got in the same machine idm and Wirecloud and they use the same cookie.
I add the follow lines on settings.py
SESSION_COOKIE_NAME = "wcsessionid"
CSRF_COOKIE_NAME = "wccsrftoken"
When I try to login from WL hybird application in the emulator I get the below exceptions.
Environment:
1) Worklight Server (505 version) installed using the default Liberty profile and Derby database.
2) Userregistry is configured to LDAP. LDAP is up and running.
3) I have followed "Module 20.1 Form-based Authentication"
Server.xml is correctly configured :
ldapRegistry id="IBMDirectoryServerLDAP" realm="defaultWIMFileBasedRealm"
host="testserver.com" port="4389" ignoreCase="true"
baseDN="dc=ibm,dc=com"
bindDN="cn=xyz"
bindPassword="xyz123"
ldapType="IBM Tivoli Directory Server" reuseConnection="true"
idsFilters
userFilter="(&(uid=%v)(objectclass=ePerson))"
groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
userIdMap="*:uid"
groupIdMap="*:cn"
groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"
ldapRegistry
Login module is : com.worklight.core.auth.ext.WebSphereLoginModule
Authenticator is : com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator
Exception:
[RandomNumberGenerationServlet]: Initialization successful.
[2/13/13 15:37:21:349 IST] 00000049 com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator I FWLSE0055I: Not recognized.
[2/13/13 15:38:27:288 IST] 0000004b ication.internal.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID wpsbind. An invalid user ID or password was specified.
[2/13/13 15:38:27:742 IST] 0000004f com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator I FWLSE0055I: Not recognized.
[2/13/13 15:38:27:746 IST] 0000004f com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator I FWLSE0055I: Not recognized.
[2/13/13 15:38:27:747 IST] 0000004f com.worklight.core.auth.impl.AuthenticationFilter E FWLSE0048E: Unhandled exception caught: realm WASLTPARealm is not allowed to ignore request to a protected resouce in a non-success state
java.lang.IllegalStateException: realm WASLTPARealm is not allowed to ignore request to a protected resouce in a non-success state
at com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication(AuthenticationContext.java:515)
at com.worklight.core.auth.impl.AuthenticationContext.processRealms(AuthenticationContext.java:396)
at com.worklight.core.auth.impl.AuthenticationContext.pushCurrentResource(AuthenticationContext.java:373)
at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:63)
at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:162)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:85)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:940)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1037)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:81)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:930)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:274)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:529)
at com.ibm.ws.threading.internal.Worker.executeWork(Worker.java:398)
at com.ibm.ws.threading.internal.Worker.run(Worker.java:380)
The authentication takes place in Liberty, and in order for Worklight to recognize the logged-in user, it needs to know of it.
Form-based authentication will not help here. What you can and should do is implement a Custom-based Authenticator that will retrieve from the response from Liberty the custom HTTP header containing the user information.
You can read more about Custom-based Authentication in the following Getting Started training module, to first familiarize yourself with the concept:
ftp://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v505/Module_23_-_Custom_Authenticator_and_Login_Module.pdf
For a clearer "image" of the authentication flow, you can see the diagram as depicted here: http://pic.dhe.ibm.com/infocenter/wrklight/v5r0m5/topic/com.ibm.worklight.help.doc/integ/r_authentication_at_the_gateway.html