My experience with Shibboleth is limited and I have no access to configuration or logs on the IdP or the SP. I am trying to troubleshoot this issue:
Previous Shibboleth session is still active on the client workstation. When attempting to access document protected by the following .htaccess configuration:
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
The client (occasionally) receives the following error message:
Authorization Failed
Based on the information provided to this application about you, you are not authorized to access the resource at "http://myresourcepath"
Please contact the administrator of this service or application if you believe this to be an error
In troubleshooting, I changed .htaccess from
require valid-user
to:
require shib-session
I thought the issue might be the deprecated parameter- but after changing, I was still receiving the authorization failed message. The only way to successfully authorize is to clear the browser cache, revisit the page which then it prompts for authentication, and then authorization passes its check and you hit the page successfully with no error.
What complicates matters even more, is, when .htaccess is set to:
require shib-session
The authorization error message persists even after clearing the cache and re-authenticating. I had to change .htaccess back to
require valid-user
I dont know what could cause the random authorization issue, if the session wasn't valid, the user would get directed to the idp for login, correct? Thats Shibboleth's design. So, the session has to be valid- but why does it not recognize the user as authorized for that resource?
Additionally:
after I received the message and googled quickly, it seems like a stock response from the idp:
https://technical.bestgrid.org/index.php/Vladimir's_general_Shiboleth_notes
says:
This specific example asks for the user variable to be set to any value - and any Shibboleth attribute can be used with the variable name it is assigned to in the Attribute Acceptance policy (AAP.xml). For more syntax on using the require directive, see the examples in the SP htaccess documentation on specific features implemented for the Apache require directive.
Users who do not have the attribute (or do not provide it), get the following error message (with the Shibboleth logo). .... is same message....
This form of control however may not be that user friendly - user would have to know to go either use Autograph to allow the release of the attribute, or talk to their IdP administrator to configure the attributes on the IdP.
Also note that this does not work with lazy sessions - in which case one immediately gets the same error message.
Further, note that care must be taken with overlapping access control blocks. These should be listed from the most-generic ("/") to the most specific (as "/secure" in the above example). Otherwise, the more relaxed settings on the generic one would override the more stringent settings on the specific one.
Related
I have multiple resources, each resource pointing to a page on the application. I am using keycloak (v10.0.2) for authentication of requests. I have two users, Admin, and Client. Admin has access to all the resources while Client has access to only a few resources. After assigning permissions on keycloak, I've evaluated on the console and made sure the permissions to resources are granted as I want them to be.
Now, while accessing the application as an Admin, all the resources are accessible like it should be. But when logged in as Client, the login and couple of pages work fine but the remaining fails the OAuth2AuthenticationProcessingFilter. The following is the message from the logs.
DEBUG o.s.security.web.FilterChainProxy.doFilter - /services/customerAPI/listOfCustomers at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
DEBUG o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter.doFilter - Authentication request failed: error="access_denied", error_description="Invalid token does not contain resource id (ums)"
DEBUG o.s.s.w.h.writers.HstsHeaderWriter.writeHeaders - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#8ff0a24
DEBUG o.s.s.o.p.e.DefaultOAuth2ExceptionRenderer.writeWithMessageConverters - Written [error="access_denied", error_description="Invalid token does not contain resource id (ums)"] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter#5adada73]
DEBUG o.s.s.w.c.SecurityContextPersistenceFilter.doFilter - SecurityContextHolder now cleared, as request processing completed
Can someone please help me in finding what I am doing wrong?
Assigning the default client role uma_protection to the "Client" user resolved the issue.
Note: Similar questions deal with either Auth0 with Angular or are several years out of date and refer to previous versions.
We're using Auth0 to provide authentication for a group of applications run on Apache with mod_auth_openidc.
The only customization is that mod_auth_openidc is configured to check whether a user has access to a specific application or not via:
<location /app1/>
AuthType openid-connect
Require claim valid_app1:true
</Location>
<location /app2/>
AuthType openid-connect
Require claim valid_app2:true
</Location>
User metadata defined in the Auth0 settings (valid_app1 or valid_app2, etc) defines whether a user can access the applications located at website.com/app1 or website.com/app2, etc.
Currently, the user is correctly redirected to the Auth0 login page when the user tries to access any of the applications, and correctly rejects those users who do not have access to that application.
However on a successful login, the user is redirected to the callback page (defined as the first callback in the Auth0 settings and the OIDCRedirectURI in auth_openidc.conf, e.g. website.com/auth) and not back to the application the user attempted to load.
How do I configure Auth0 with Apache so that a user is returned to the URL of the application they initially attempted to load and not the callback URL?
Good
website.com/app1 > AUTH0 login > website.com/app1
website.com/app2 > AUTH0 login > website.com/app2
Bad
website.com/app1 > AUTH0 login > website.com/auth
You can accomplish this with a few different approaches:
You can register more than one callback/redirect URL within the client application configuration in Auth0 and then each application starts the login process by telling Auth0 the redirect URL associated with it.
You can represent your applications as multiple client applications in Auth0 where each one has a specific callback redirect URL and each application starts the process with that redirect URL.
You can continue to use the same callback URL and then do a second redirect to the final destination. This implies knowing where the user started the process which can be achieved by leveraging OAuth state parameter (this parameter should also be used for CSRF protection, see Using the State Parameter.
Options 1. and 2. are very similar, usually if we talking about conceptually different applications you would go with option 2 and if it's a single application that just wants to have two different ways of processing the callback you would go with option 1..
Finally, option 3 allows a similar thing to what's done in the first option, that is, the same application can conditionally redirect users to different places after login, but does it without the need to register additional redirect URL's in the Auth0 side. It's the application itself that decides where the user goes after processing the login at the callback URL.
I have an MVC4 project with simplemembership configured. It's all working etc. but I would like to know how to tell it wich controller/action to redirect to when a user is not authorized to view a given page.
For example, if I use [Authorize(Roles="Admin")] and try to view that page with a logged in user that does not have the "Admin" role it redirects me to the login page, even though I am already logged in.
I would like to change this to something else... maybe a 404 or a nice message to say "You are not authorized to view that content".
I've tried googling for just about everything I can think of to do with this but haven't found an answer so far.
Can this be done with the current setup or do I need something else? A pointer in the right direction would be appreciated :)
Try creating a custom AuthrorizeAttribute and override the OnAuthorization method so that you do a redirect to your custom page if authorization fails and to the logon page if authentication fails. Another approach that some people use is to check if the current user is authenticated on the logon page and if they are you can assume they were redirected to this page because authorization failed. In that case display a special message to the user indicating that they are not authorized to access that page. For some applications this may make sense because a user might have multiple accounts and they want to logon to another account where they are authorized to perform the operation. Some of these concepts are discussed in this QA.
This is, unfortunately, a problem with Asp.net as a whole (although it originates from a problem in the HTTP specification), it does not differentiate between unauthorized users and unauthenticated users, even though they seem to go out of their way to talk about the difference. In order to change this behavior, you would have to write a lot of code, and it's just easier to write a custom handler to check if you are already authenticated.
The HTTP standard never intended for a user to be in an "authenticated state". In fact, it doesn't really even know about the concept of a "user". Each page request is intended to carry information independent of the other page requests. The fact that browsers cache this information (or authentication is done by cookie) is irrelevant to what the standard intended.
The standard basically says that the server should issue a 401 if the requested resource is not authorized, and since each request has it's own authorization, the intention a simple pass/fail scenario. There is no concept of an authorized state for the site. The request either succeeds or fails.
I think frameworks like ASP.NET have gone a long way to creating their own authorization/authentication state, but they really should just go all the way here.
You might find this thread enlightening regarding the disagreement among the web community about the exact interpretations.
403 Forbidden vs 401 Unauthorized HTTP responses
I'm using openDJ LDAP server for authentication process of a Java based project using JNDI.
Most of the other things like password expired, invalid credentials can be handled using exceptions. (using the understandable message in exception, or using the error codes in some occasions)
ds-cfg-force-change-on-add and ds-cfg-force-change-on-reset attributes are set to true in the password policy.
But when a newly created user logs in or, when a user logs in after a password reset by admin no exceptions occur.
Can somebody tell me how to handle this.
One alternative in this case is the password policy request and response controls (example) defined in draft-behera-ldap-password-policy, supported by OpenDJ LDAP SDK and other SDKs. You pass the request control to the directory server, and you get back a response control.
The response control indicates whether the password needs to be changed, why a requested password modification could not complete, how much time remains before expiration, etc.
I'm using CAS (Central Authentication Service) from Jasig in a client JSF app running on tomcat 6 server. I would like to limit the access to the app just for the users specified in my database rather than all the users which can be authenticated using that CAS service. When the user attempts to log in, I need to check if his username is also in my database's table user and if it is - allow the access to the app. Otherwise, I would like to redirect user to a page "You don't have permission to access this part of the application". So I need authorization as well. Is there a good way to authorize the users in jsf 2.0? Thanks in advance for any help/suggestions.
Sounds like you need to design a custom Authentication Handler class in CAS. In theory, your handler would extend this [1], perform all the necessary checks and database look ups and will then be able to return a signal that indicates whether or not the user could authN.
You should then reference your custom handler in the deploerConfigContext.xml file.
For displaying the message, you could either throw an exception with the proper messages code, such that the message would appear above the login form, or you could alter the spring webflow and generate a new view-state which the user would be redirected to, if they fail to get access. The first approach is much easier to implement.
Another approach would be to take advantage of the isUserInRole() method [2] using the persondir api.
[1] http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/handler/support/AbstractUsernamePasswordAuthenticationHandler.html
[2] https://wiki.jasig.org/pages/viewpage.action?pageId=47874068