Setting AuthenticatedSubject for all resources - weblogic

I have a web app running on weblogic 10.3.
Is it possible to make sure that AuthenticatedSubject is always in place for all resources? Ideally by setting some default authentication for all apps, so that I don't have to modify every application's security settings.
Can I enforce that the user has to authenticate himself once and keep him as a principal for each request?
I tried to set up an authentication provider in my application's realm, but it is not triggered.
I think I have to tell WebLogic that all resources have to be protected in my realm.
How would I do that?

Everything is explained in this document: https://docs.oracle.com/cd/E13222_01/wls/docs103/pdf/security.pdf
You have to configure your web app with a security constraint to protect your application and force users to be authenticated.
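A minimal per-application setup matching the answer, as an added example that is not taken from the thread or from the Oracle document: the role name "authenticated" and the BASIC method are illustrative choices, while "users" is WebLogic's built-in group that every authenticated user belongs to. Without a security-constraint whose url-pattern covers the request, the container serves the resource anonymously and no AuthenticatedSubject is established, which is why the realm's authentication provider never runs.

```xml
<!-- web.xml: protect every URL and require a login (BASIC shown; FORM works the same way) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- any principal mapped to this role may access the resources above -->
      <role-name>authenticated</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- credentials and the session cookie only travel over TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name> <!-- assumed realm name; WebLogic's default -->
  </login-config>
  <security-role>
    <role-name>authenticated</role-name>
  </security-role>
</web-app>

<!-- weblogic.xml: map the role to WebLogic's built-in "users" group, i.e. every authenticated user -->
<weblogic-web-app>
  <security-role-assignment>
    <role-name>authenticated</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

Deploy both descriptors with the application; a request to any path then receives a 401 challenge until the realm's authentication provider has established a subject.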


Disable authentication for an app cloudflare

I have a server and I make a tunnel with Cloudflare to be able to access it from outside, creating an application in Cloudflare Zero Trust, and I am trying to disable all the policies so that it allows me to access the application without authentication.
But nothing works; whenever I try to enter my linkstream.domain.org application, it asks me for authentication via email.
The reason is that this application allows me to play streams, so I don't want it to have authentication to access.
I've searched and configured everything, but I can't remove this authentication from Cloudflare.
Cloudflare Access is a product that can be used to add authentication to an application. If you want your application to be public (i.e. no authentication), I'd recommend not adding it to Access at all. You can set up a Cloudflare Tunnel without adding any Access application, for example to expose a webserver to the public.
I'd recommend looking also at the Allow policies.

Liferay 7 secondary instance Siteminder SSO

We are hoping to use the multi-tenancy feature of Liferay for a new implementation.
In the past versions of Liferay (prior to 7), we have been able to integrate and protect each instance of Liferay separately using Siteminder (under Control Panel -> Portal Settings -> Authentication -> Siteminder).
It seems that with Liferay 7, this is no longer possible. The Siteminder SSO configuration has been moved to the default instance only(?) by using the token-based SSO and the ability to specify the SSO auth request header. There does not seem to be any way to do the configuration for the secondary instances in the control panel.
Is anyone using Siteminder SSO with Liferay 7? If so, has the token based SSO worked for the default instance (ex. abc.com)? Has anyone used this for the secondary instances (ex. xyz.com)?
Any insight is much appreciated!
Thanks
Try to export the configuration and put the config file into the osgi/config folder, appending the company ID to the name: com.liferay.portal.security.sso.token.configuration.TokenConfiguration-20116.config (or cfg).
If this does not work, the reason is that somebody forgot to add scope = ExtendedObjectClassDefinition.Scope.COMPANY to TokenConfiguration.
An option would be to override this class and add the scope. I'm just afraid that a helper would then be required to pull the company-specific configuration.
In case this helps someone. I heard the below from Liferay. I will be testing and will post an update:
Token Based SSO has been elevated to a system setting in Liferay DXP. This means that when the feature is enabled it is available for every instance. There is no longer an option in Liferay itself to provide instance-level support for Token Based SSO. The SSO is enabled/disabled for every instance because it is set at the system level.

Liferay DXP only cares that a token has been provided. What this means is that whether the token is for the right instance is up to the authentication servers being used. It is conceptually possible for each instance to be able to use its own token. This can be tested by seeing if the authentication servers lead to the right instances when they provide their tokens. If that does not work then modifying the authentication servers to ensure that they are providing the right tokens to be directed to the right instance may be the next best step.

In regards to whether or not each instance can be individually protected, because Token Based SSO is enabled at the system level, if instance-level authentication is also enabled then both authentications would be hit during the log-in process. If Token Based SSO is set as the default security feature and the instance-level authentication as the secondary, then each instance can be individually protected.

Ignore Persistent Cookies in Session

I am looking for a way to set up a session in ASP.NET that will ignore any persistent cookies on a user's computer, and force any cookies created within that session to be session cookies.
Effectively, I wish to be able to replicate the behaviour shown in 'In Private Browsing', where the session is considered an isolated browsing session. The reason for this is to allow my application to be able to leverage OAuth authentication from social providers; however have the app force the provider to request the user's credentials when logging in, regardless if they are currently logged in to that provider.
I acknowledge that OAuth is intended to have this behaviour, of automatically identifying that a user is logged into the provider. However, it is considered necessary for this application that "remember me" functionality is ignored.
I would also prefer to not have to remind users that they should either not use "remember me" on their accounts, or insist that they use private browsing.
The app is built using ASP.NET MVC 4 and is using Identity. I had hoped that there might be something within CookieAuthenticationOptions; however, I have been unsuccessful in finding something that might offer me this behaviour.
OpenID Connect has a special parameter "prompt" to control this: Try adding "prompt=login".
See chapter 3.1.2.1:
http://openid.net/specs/openid-connect-core-1_0.html
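The request the answer describes, as an added example that is not code from the question's ASP.NET app: the relying party builds the authorization request with prompt=login and then validates the provider's callback, including the error a provider returns when it cannot re-authenticate. Endpoint, client id and redirect URI are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders for the example
AUTHORIZE_ENDPOINT = "https://op.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/signin-oidc"

def build_login_request(state=None, nonce=None):
    # prompt=login (OpenID Connect Core 3.1.2.1) asks the provider to re-prompt for
    # credentials even when the browser already carries a provider session or a
    # "remember me" cookie. state and nonce must be stored server-side and checked.
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
    }
    return {"url": AUTHORIZE_ENDPOINT + "?" + urlencode(params), "state": state, "nonce": nonce}

def check_callback(callback_url, expected_state):
    # Validate the redirect back from the provider and return the authorization code.
    # A provider that cannot honour prompt=login returns an error (typically
    # login_required) instead of a code, so the error branch must be handled.
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in query:
        raise ValueError("provider error: " + query["error"][0])
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]
```

The nonce returned by build_login_request is later compared against the nonce claim of the ID token; the code exchange itself is outside this snippet.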

Add Federation (SSO) protocol plugin to my website for Single Sign-On

I have an OpenAM identity management and a website that needs its credentials for logging in. I want to federate my website with Google. My website doesn't support any federation protocol. How can I do this? Is there any module or plugin for each protocol to deploy in my site? Should I change my source code?
You should potentially set up federation between Google and OpenAM, and then use a policy agent or OpenIG to protect your application.
Even though both the agents and OpenIG try to make the integration as transparent as possible, it may be necessary to modify the application (for example to ensure that the app reads the user name out of an HTTP request header/cookie/etc., and possibly some other modifications to interact with the application's authorization framework).

Authentication for a Read only web application without login screen

I have a web-based application which is used to find information about various assets in a facility. This provides only search capability; no CRUD operations are allowed from the application (except for READ). This web application is always kept open in a touchscreen device (i.e. a workstation) and could be used by any of the facility staff. The user does not want to initiate login and logout for each of the search operations.
We are planning on deploying the web application onto the cloud. Although it is not a need to authenticate the user who is accessing the web application, it is still a need to ensure that information about assets in the facility is not accessible by others. How do I build this authentication layer? The various options I can think of are:
1. Include userid/password in the URL as parameters. I could create a userid/password for each of the facilities. Simple, but userid/password are always visible.
2. Certificate-based approach. Certificates are created for each of these workstations and deployed on those workstations. Quite secure, but has the challenge of managing the certs' life-cycle. As well as the challenge of configuring the web servers with certs from different facilities???
Any suggestions?
Thanks,
Prasanna
A simple, but not secure, thing: do an IP check and if the IP is from your facility then grant access.
The second, but secure, method is to do a verification at the start of the application with just a password and store a session, so that you will know that people from your facility are accessing the site.
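An added example, not from the thread, that combines the answer's two suggestions (an IP check per facility and a one-time password that opens a session) and adds the check the cloud deployment in the question needs: the client address is read from X-Forwarded-For only when the connection arrives from the app's own load balancer, because from any other source that header is client-controlled. All networks, the proxy range and the password are constructed placeholders.

```python
import hmac
import secrets
import time
from ipaddress import ip_address, ip_network

# Constructed placeholder values for this example
FACILITY_NETWORKS = {
    "facility-a": [ip_network("203.0.113.0/24")],
    "facility-b": [ip_network("198.51.100.0/25")],
}
FACILITY_PASSWORDS = {"facility-a": "a-long-shared-secret"}
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # the cloud load balancer tier
SESSION_TTL = 12 * 3600
_sessions = {}  # token -> (facility, expires_at); in-memory for the example

def client_ip(remote_addr, x_forwarded_for=None):
    # In the cloud the connecting address is the load balancer, so the real client
    # is the last X-Forwarded-For entry it appended. From any other source the
    # header is client-controlled and ignored, or the IP check is trivially bypassed.
    addr = ip_address(remote_addr)
    if x_forwarded_for and any(addr in net for net in TRUSTED_PROXIES):
        addr = ip_address(x_forwarded_for.split(",")[-1].strip())
    return addr

def facility_for(addr):
    # Map an address to the facility whose allowlisted network contains it.
    for name, nets in FACILITY_NETWORKS.items():
        if any(addr in net for net in nets):
            return name
    return None

def open_session(facility, password, now=None):
    # One-time facility password check at app start (the answer's second option).
    expected = FACILITY_PASSWORDS.get(facility, "")
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = (facility, (now or time.time()) + SESSION_TTL)
    return token

def authorize(remote_addr, x_forwarded_for=None, session_token=None, now=None):
    # Grant search access from the network check first, then from a live session.
    facility = facility_for(client_ip(remote_addr, x_forwarded_for))
    if facility:
        return facility
    entry = _sessions.get(session_token)
    if entry and entry[1] > (now or time.time()):
        return entry[0]
    return None
```

The session token would be issued as a Secure, HttpOnly cookie so that the touchscreen workstation keeps it for the day without staff re-entering the password per search.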