Symfony 2.6 restrict url by host but allow a specific IP to access it - access-control

I am trying to allow a specific IP to access a restricted path defined in security.yml with no success.
I have these 2 lines in my security.yml:
access_control:
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY, ip: "127.0.0.1" }
- { path: ^/.*, role: IS_AUTHENTICATED_FULLY, host: "test.loc" }
However, I am redirected to the login page when I try to access the project on my local.
How can I achieve it?

My guess is that you're running afoul of Chrome's aggressive 301 redirect caching. See a discussion here. Try in another browser such as Firefox.
The problem should go away if you clear Chrome's browsing data. You can also pop in to incognito mode to test.

Related

Apache : mod_rewrite : Redirect URL from abc.com to abc.com/xyz without changing the URL in browser

I have tried different things like the ones below but no luck:
Redirect "/" "REPLACE WITH YOUR COMPLETE URL" in virtual host.
Redirect permanent "/one" "Replace with your complete URL" in virtual host.
Outside Virtual Host:
<Location "/">
Redirect permanent "REPLACE WITH YOUR COMPLETE URL"
</Location>
But in all the cases, URL in the browser changes to the replaced URL, which we don't want.
Actual values:
/ to be redirected to /olyweb
How would I use URL masking or something which can redirect internally but doesn't reflect in the browser?
The browser will always display the URL it is talking to. It cannot be fooled.
You can only do what you want by letting your Apache httpd act as a reverse proxy. You cannot do it with things like mod_rewrite.
In a reverse proxy the httpd will sit in front of your target web server. All communication to and from your target web server will travel through the httpd. Therefore you can effectively access your target web server via an alternative URL. Unlike with HTTP Redirect solutions your browser will in the reverse proxy scenario never actually know that all content comes from the target web server. Your browser never communicates with the target web server, it communicates with your httpd process.
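As an added example, not part of the answer above, here is the reverse-proxy approach applied to the question's values, with the externally visible Redirect kept alongside it (commented out) for contrast. The backend address http://127.0.0.1:8080 and the ServerName are assumptions.

```apache
# Added example (not from the original answer). Backend address is assumed.
# Variant A: what the question tried. The client receives a 301 and its
# address bar changes to /olyweb/. Anchored on ^/$ so it matches only the root.
# RedirectMatch permanent "^/$" "/olyweb/"

# Variant B: reverse proxy. The browser talks only to this vhost; httpd
# fetches /olyweb/ from the backend and relays the response unchanged.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName abc.com

    # Keep forward proxying off: "ProxyRequests On" would turn this host
    # into an open proxy usable by anyone who can reach it.
    ProxyRequests Off

    # Map the public root onto the backend application path (assumed backend).
    ProxyPass        "/" "http://127.0.0.1:8080/olyweb/"
    # Rewrite Location/Content-Location headers in backend redirects so the
    # internal host and path never show up in the browser's address bar.
    ProxyPassReverse "/" "http://127.0.0.1:8080/olyweb/"
    # Rewrite the Path of Set-Cookie headers too, otherwise cookies scoped to
    # /olyweb/ are never sent back by the browser for requests to /.
    ProxyPassReverseCookiePath "/olyweb/" "/"
</VirtualHost>
```

Without ProxyPassReverse, any redirect issued by the backend would expose http://127.0.0.1:8080/olyweb/ to the client, which is exactly the URL change the question wants to avoid.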

Vanity url is not working with dispatcher in AEM 6.4

I am trying to setup vanity url in AEM 6.4. Followed and verified the below steps
Installed the VanityURLS-Components
Allowed ‘Read’ permission to /libs/granite/dispatcher/content/vanityUrls for the ‘everyone’ group on the publish servers
Added a filter rule in the dispatcher to allow the vanity URL
/0100 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html" }
Added a caching rule to prevent caching of this URL
/0001 { /type "deny" /glob "/libs/granite/dispatcher/content/vanityUrls.html" }
Added the vanity_urls configuration to the farm:
/vanity_urls {
/url "/libs/granite/dispatcher/content/vanityUrls.html"
/file "/xxx/vanity_urls"
/delay 300
}
Restarted webserver
Created a file inside the file location and provided the required write permission. -rwxr-xr-x 1 apache apache 0 May 14 14:26 vanity_urls
Verified /libs/granite/dispatcher/content/vanityUrls.html page is accessible from pub as anonymous request
Verified /libs/granite/dispatcher/content/vanityUrls.html page is accessible from dispatcher
Verified all required modules are enabled in Apache
Verified that dispatcher is calling pub server upon hitting the /libs/granite/dispatcher/content/vanityUrls.html, seeing logs in request.log
Finally restarted the Apache Sling Resource Resolver bundle, simply saved its configuration and restarted the AEM server
The vanity URL is working only on the publisher server and not on the dispatcher side. I have tried all the possible options but could not find out why it is not working. Has anyone faced a similar issue? Please help me to investigate further on this issue.
Try configuring the default redirect status to vanity URL in the Apache Sling Resource Resolver Factory of the publisher. Configure it to be 302.

How to fix Joomla (version > 3.6) administrator redirecting back to login page?

When logging into Joomla! administrator, the user is redirected back to the login page. If the username/password are valid, no error messages. If the username/password are invalid, error messages to the effect.
The following is found in the Apache access log:
::1 - - [timestamp] "POST /localhost/administrator/index.php HTTP/1.1" 303 -
::1 - - [timestamp] "GET /localhost/administrator/index.php HTTP/1.1" 200 6969
This is on the local copy of the site. It has not been touched since August 2018. The problem also occurs on the live site. Other Joomla! sites on localhost do work.
Have checked the #__extensions table and all necessary extensions are enabled. com_login, com_users, plg_authentication_joomla, plg_authentication_cookie, plg_user_joomla, etc.
Excerpts from config.php:
public $live_site = '';
public $cookie_domain = '';
public $cookie_path = '';
PHP session.save_path is server writable.
Try disabling Search Engine Friendly URLs and URL Rewriting in Global Configuration / configuration.php i.e.:
public $sef = '1';
public $sef_rewrite = '1';
Try temporarily renaming .htaccess to .htaccess.old to see if this makes any difference.
Try clearing the Joomla cache, any server side cache (e.g. LiteSpeed Cache) and clearing your web browser cache.
You may also need to update the tmp and logs files paths in Global Configuration / configuration.php although this probably isn't causing the problem you are experiencing.
Another thing to try is a different PHP version.
The reason for that happening could be upgrading to higher PHP version.
In my case it was happening when I upgraded PHP from 5.6 to 7.2. So the only solution I found was downgrading back to PHP 5.6

keycloak + spring adapter +spring security reverse proxy redirecting to root

We've been using an Apache 2.2 reverse proxy to have multiple apps running on the same VM. Everything worked fine till the moment we added Keycloak adapter 3.4.0.Final + spring security 1.5.9.RELEASE.
So this is how it works:
VM1
app1
app2
VM2
Keycloak
laptop on the same network
Browser
app1 - for dev purposes
Scenarios:
1) Everything worked fine between laptop - VM2 with the app.
2) Everything worked fine between browser laptop - VM1 - VM2 When no reverse proxy was in place (so directly accessing the app port).
3) Problems when reverse proxy in place. Browser laptop - VM1 (Apache with mod_proxy) - VM2
I followed all the advice in the documentation:
http://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html
http://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
Those were my rules before:
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPassMatch ^/MyAPP/(.+) http://localhost:8585/MyAPP/$1
ProxyPassReverse ^/MyAPP/(.+) http://localhost:8585/MyAPP/$1
ProxyPreserveHost On
Observed:
GET VM1/MyAPP/index.html -> redirected to VM2 keycloak with the right redirect url
GET VM1/MyAPP/index.html?State=xxxx -> redirected to /
GET / -> there's nothing on root so it would end here
First change:
I've seen that the cause of this was a keycloak success handler that was redirecting me to root.
So I changed it to redirect it to the same page with this:
@Bean
public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
        KeycloakAuthenticationProcessingFilter filter) {
    FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
    // AuthenticationSuccessHandler is only an interface; a concrete handler that
    // offers setDefaultTargetUrl() is needed, e.g. SimpleUrlAuthenticationSuccessHandler.
    SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler();
    // Send the user back to the app page instead of the root after a successful login.
    successHandler.setDefaultTargetUrl("/MyAPP/index.html");
    filter.setAuthenticationSuccessHandler(successHandler);
    return registrationBean;
}
Observed:
GET VM1/MyAPP/index.html -> redirected to VM2 keycloak with the right redirect url
GET VM1/MyAPP/index.html?State=xxxx -> redirected to /MyAPP/index.html
GET VM1/MyAPP/index.html?State=xxxx -> redirected to /MyAPP/index.html
GET VM1/MyAPP/index.html?State=xxxx -> redirected to /MyAPP/index.html
GET VM1/MyAPP/index.html?State=xxxx -> redirected to /MyAPP/index.html
GET VM1/MyAPP/index.html?State=xxxx -> redirected to /MyAPP/index.html
GET VM1/MyAPP/index.html?State=xxxx -> redirected to /MyAPP/index.html
....
Infinite loop. I've also noticed that the application was doing the authentication every time.
Suspicious.
So I started suspecting it was apache that was causing problems and decided to give a shot to a different proxy:
haproxy.
It failed with the same problem.
But I was being redirected to /sso/login instead
So next step was to debug the different requests: Proxied vs non Proxied
VM1/MyAPP vs VM1:8585/MyAPP
So I discovered that it would authenticate the request every time the request had the authorization header. This was only happening with the proxy version.
So with Apache 2.2 you cannot remove headers. That was only added in 2.4.
So again haproxy, and tried it in the same way forcing the removal of authorization header. And it almost worked. I was getting some problem with the request method being 1 instead of GET. Odd...
So, long story short, it was obvious now that basic auth was the problem.
How to solve this problem?
Update:
My question now is:
How can I change KeycloakAuthenticationEntryPoint loginUri to contain the subcontext of my reverse proxy in the configuration?
- Having a reverse proxy "sso/login" on root doesn't let me have more than 1 keycloak app in the same server.
How did I solve the problem:
1) So the first step was to disable basic auth on the apache that was interfering with keycloak authorization process or at least with spring security.
What I started to notice after this was that I was always being redirected to /sso/login on root.
2) To solve this problem I added a new proxy pass rule to redirect sso/login request to my server.
ProxyPassMatch ^/sso/login(.*) http://localhost:8585/sso/login$1
ProxyPassReverse ^/sso/login(.*) http://localhost:8585/sso/login$1
After this I was still being redirected to /sso/login or just to the root.
After trying with incognito mode I found it actually worked.
Tried different browser and it worked as well.
3) Some old session status was still on my browser so cleared all the cookies closed all the browser tabs and restarted chrome and it started working.
4) Bullet point 2 has a big flaw. It won't allow you to have multiple keycloak adapter apps in the same server. To change the behavior on the spring side I solved it with two processes.
- The first one is to re-set the login uri on keycloakAuthenticationEntryPoint
@Autowired
AdapterDeploymentContext adapterDeploymentContext;
private static final String OAUTH_LOGIN_URL = "/sso/login";

@Override
protected void configure(HttpSecurity http) throws Exception {
    KeycloakAuthenticationEntryPoint keycloakAuthenticationEntryPoint =
            new KeycloakAuthenticationEntryPoint(adapterDeploymentContext);
    // realSubContext holds the reverse-proxy sub-context (e.g. "/MYSUBCONTEXT"),
    // so the login URI the entry point redirects to stays behind the proxy path.
    keycloakAuthenticationEntryPoint.setLoginUri(realSubContext + OAUTH_LOGIN_URL);
    ...
}
The second one was to add a redirect rewrite rule for sso login
keycloak:
redirect-rewrite-rules:
"^/sso/login(.*)$": "/MYSUBCONTEXT/sso/login$1"

Joomla disable SSL for administrator login

I have a Joomla 3.3.0 installation running on a webserver without any SSL configuration or a cert. When I try to log in in the administrator area under /administrator, I get an ERR_CONNECTION_TIMED_OUT after some seconds of loading because I get redirect to https://.
The config file contains the following statement:
public $force_ssl = '0';
Is there any other setting I have to turn off to fully disable SSL?
Edit: The form of the login page is pointing at a HTTPS url:
<form action="https://www.domain.com/administrator/index.php" method="post" id="form-login" class="form-inline">
Following extensions are installed:
There are 4 places you will need to check:
Check your .htaccess file - an entry forcing SSL might be there
If you have any security extensions, try disabling them from phpMyAdmin
Check with your host if they are forcing SSL on the "administrator" folder at the server level (this is a remote possibility, but it could happen).
Go to "Extensions" -> "Modules" and then, on the left, filter as "Administrator" (change from "Site" to "Administrator"), and then search for "Login", and then click on the "Login" module, and then change "Encrypt Login Form" to "No", and then click on "Save".