I want to implement an IQHandler, but I want to make sure that only authenticated users can send IQ Packets to it. I want to make sure that the JID I get from Packet.getFrom() is the authenticated user that sent it.
I need this so that no one can just create an IQ Packet and set the "from" attribute to a user id other than their own. Can someone help me with this?
Try this:
ClientSession session = sessionManager.getSession(sender);
if(session.getStatus() == Session.STATUS_AUTHENTICATED) {
//YOUR STUFF HERE
}
UPDATE:
Looking closer at the source. It appears that the IQRouter already does this for you. If you are not authenticated the server response with an error stating just that.
public void route(IQ packet) {
if (packet == null) {
throw new NullPointerException();
}
JID sender = packet.getFrom();
ClientSession session = sessionManager.getSession(sender);
try {
// Invoke the interceptors before we process the read packet
InterceptorManager.getInstance().invokeInterceptors(packet, session, true, false);
JID to = packet.getTo();
if (session != null && to != null && session.getStatus() == Session.STATUS_CONNECTED &&
!serverName.equals(to.toString())) {
// User is requesting this server to authenticate for another server. Return
// a bad-request error
IQ reply = IQ.createResultIQ(packet);
reply.setChildElement(packet.getChildElement().createCopy());
reply.setError(PacketError.Condition.bad_request);
session.process(reply);
Log.warn("User tried to authenticate with this server using an unknown receipient: " +
packet.toXML());
}
else if (session == null || session.getStatus() == Session.STATUS_AUTHENTICATED || (
isLocalServer(to) && (
"jabber:iq:auth".equals(packet.getChildElement().getNamespaceURI()) ||
"jabber:iq:register"
.equals(packet.getChildElement().getNamespaceURI()) ||
"urn:ietf:params:xml:ns:xmpp-bind"
.equals(packet.getChildElement().getNamespaceURI())))) {
handle(packet);
}
else {
IQ reply = IQ.createResultIQ(packet);
reply.setChildElement(packet.getChildElement().createCopy());
reply.setError(PacketError.Condition.not_authorized);
session.process(reply);
}
// Invoke the interceptors after we have processed the read packet
InterceptorManager.getInstance().invokeInterceptors(packet, session, true, true);
}
Related
I would like to check if mobile data is available (the app has access, it's switched on in settings, aeroplane mode isn't on and there is a valid connection).
I want to know this even when an active wifi connection is established. So I can't use any get the current connection as it won't be the current one, WiFi would be.
I have tried looking into NWPath and NWPathMonitor but got a bit confused by it all.
Thanks, if I need to add any more information just drop a comment and I will update this or reply to you.
Since you have a Tag with Xamarin, just use the API from Essentials. For the connectivity-checker see the docs.
Here is a pretty perfekt blogpost from "James Montemagno"
A sneak preview of the Post:
var current = Connectivity.NetworkAccess;
switch(current)
{
case NetworkAccess.Internet:
// Connected to internet
break;
case NetworkAccess.Local:
// Only local network access
break;
case NetworkAccess.ConstrainedInternet:
// Connected, but limited internet access such as behind a network login page
break;
case NetworkAccess.None:
// No internet available
break;
case NetworkAccess.Unknown:
// Internet access is unknown
break;
}
Edit due to the comment from #Samuel James:
Maybe this helps?
Check what type of activ connection (according docs from Mircosoft):
var profiles = Connectivity.ConnectionProfiles;
if (profiles.Contains(ConnectionProfile.Cellular))
{
// Active mobile/cellular data connection.
}
public enum ConnectionProfile
{
/// <summary>Other unknown type of connection.</summary>
Unknown,
/// <summary>The bluetooth data connection.</summary>
Bluetooth,
/// <summary>The mobile/cellular data connection.</summary>
Cellular,
/// <summary>The ethernet data connection.</summary>
Ethernet,
/// <summary>The WiFi data connection.</summary>
WiFi
}
See my answer here ,we can use CoreTelephony framework to get what the specific type of cellular is .
Try the following code
public ConnectivityTest()
{
// Register for connectivity changes, be sure to unsubscribe when finished
Connectivity.ConnectivityChanged += Connectivity_ConnectivityChanged;
}
string result;
void Connectivity_ConnectivityChanged(object sender, ConnectivityChangedEventArgs e)
{
var access = e.NetworkAccess;
var profiles = e.ConnectionProfiles;
if (Connectivity.NetworkAccess != NetworkAccess.Internet)
{
result = "NoNetworkAccess";
}
else if (profiles.Contains(ConnectionProfile.Cellular))
{
CTTelephonyNetworkInfo networkInfo = new CTTelephonyNetworkInfo();
string carrierTypeName = networkInfo.ServiceCurrentRadioAccessTechnology.Values[0];
if (carrierTypeName == null) result = "unknown";
else if (carrierTypeName == CTRadioAccessTechnology.GPRS ||
carrierTypeName == CTRadioAccessTechnology.Edge ||
carrierTypeName == CTRadioAccessTechnology.CDMA1x)
result = "2G";
else if (carrierTypeName == CTRadioAccessTechnology.WCDMA ||
carrierTypeName == CTRadioAccessTechnology.HSDPA ||
carrierTypeName == CTRadioAccessTechnology.HSUPA ||
carrierTypeName == CTRadioAccessTechnology.CDMAEVDORev0 ||
carrierTypeName == CTRadioAccessTechnology.CDMAEVDORevA ||
carrierTypeName == CTRadioAccessTechnology.CDMAEVDORevB ||
carrierTypeName == CTRadioAccessTechnology.EHRPD)
result = "3G";
else if (carrierTypeName == CTRadioAccessTechnology.LTE)
result = "4G";
else result = "5G";
}
}
Refer to
https://stackoverflow.com/a/61327753/8187800
I was wondering if I can force apache to send HTTP 401 instead of HTTP 403 in case any condition inside RequireAll fails.
Surprisingly I found AuthzSendForbiddenOnFailure, which forces 403 instead of 401. But what about opposite?
How I can force apache reask for the login and password in case authorization fails?
Edit:
I looked at the debug log right now.
The thing is that if I will put just Require valid user in the RequireAll section, in the log I would see "denied (no authentocated user yet)". Yet if I will put Require env SMTH additionally, apache will check Require valid user but then, after it will fail with "denied (no authentocated user yet)", it will also check my second Require and will fail just with "denied" and throw HTTP 403. I think this is a bug. Why apache checks for a second Require in RequireAll if the first one failed already?
Edit2:
It seems that it wasn't implemented yet:
https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authz_core.c#766
if (child_result != AUTHZ_NEUTRAL) {
/*
* Handling of AUTHZ_DENIED/AUTHZ_DENIED_NO_USER: Return
* AUTHZ_DENIED_NO_USER if providing a user may change the
* result, AUTHZ_DENIED otherwise.
*/
if (section->op == AUTHZ_LOGIC_AND) {
if (child_result == AUTHZ_DENIED) {
auth_result = child_result;
break;
}
if ((child_result == AUTHZ_DENIED_NO_USER
&& auth_result != AUTHZ_DENIED)
|| (auth_result == AUTHZ_NEUTRAL)) {
auth_result = child_result;
}
}
else {
/* AUTHZ_LOGIC_OR */
if (child_result == AUTHZ_GRANTED) {
auth_result = child_result;
break;
}
if ((child_result == AUTHZ_DENIED_NO_USER
&& auth_result == AUTHZ_DENIED)
|| (auth_result == AUTHZ_NEUTRAL)) {
auth_result = child_result;
}
}
}
I am creating an application that is mentioned to connect to an instance of on owncloud server but i can't find why it doesn't connect to the server .Instead of that the reply i get to the login screen and i get the html code for it
this is the code responsible for the connection
//the network request and reply
QNetworkAccessManager * manager = new QNetworkAccessManager();
QUrl url (url1);
manager->get(QNetworkRequest(url));
connect(manager, SIGNAL(authenticationRequired(QNetworkReply*,QAuthenticator*)),
SLOT(provideAuthenication(QNetworkReply*,QAuthenticator*)));
connect(manager, SIGNAL(finished(QNetworkReply *)),
this, SLOT(result(QNetworkReply *)));
the reply code
void Login::result(QNetworkReply *reply)
{
reply->deleteLater();
if(reply->error() == QNetworkReply::NoError) {
// Get the http status code
int v = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
if (v >= 200 && v < 300) // Success
{
qDebug()<<"Here we got the final reply";
QString replyText = reply->readAll();
qDebug()<<replyText;
}
else if (v >= 300 && v < 400) // Redirection
{
qDebug()<<"Get the redirection url";
QUrl newUrl = reply->attribute(QNetworkRequest::RedirectionTargetAttribute).toUrl();
// Because the redirection url can be relative,
// we have to use the previous one to resolve it
newUrl = reply->url().resolved(newUrl);
QNetworkAccessManager *manager = reply->manager();
QNetworkRequest redirection(newUrl);
QNetworkReply *newReply = manager->get(redirection);
QString replyText = newReply->readAll();
qDebug()<<replyText;
return; // to keep the manager for the next request
}
}
else
{
// Error
qDebug()<<reply->errorString();
}
reply->manager()->deleteLater();
}
could you help me figure out why i get the login screen instead of authentication ?
Try to call connect() before calling manager->get() otherwise when the authentication required signal is triggered, there might not be any slots present to call to handle that signal.
Try this instead:
QNetworkAccessManager * manager = new QNetworkAccessManager();
QUrl url (url1);
connect(manager, SIGNAL(authenticationRequired(QNetworkReply*,QAuthenticator*)),
SLOT(provideAuthenication(QNetworkReply*,QAuthenticator*)));
connect(manager, SIGNAL(finished(QNetworkReply *)),
this, SLOT(result(QNetworkReply *)));
manager->get(QNetworkRequest(url));
I have a good start on a technique similar to this in Express 3
http://notjustburritos.tumblr.com/post/22682186189/socket-io-and-express-3
the idea being to let me grab the session object from within a socket.io connection callback, storing sessions via connect-redis in this case.
So, in app.configure we have
var db = require('connect-redis')(express)
....
app.configure(function(){
....
app.use(express.cookieParser(SITE_SECRET));
app.use(express.session({ store: new db }));
And in the app code there is
var redis_client = require('redis').createClient()
io.set('authorization', function(data, accept) {
if (!data.headers.cookie) {
return accept('Sesssion cookie required.', false)
}
data.cookie = require('cookie').parse(data.headers.cookie);
/* verify the signature of the session cookie. */
//data.cookie = require('cookie').parse(data.cookie, SITE_SECRET);
data.sessionID = data.cookie['connect.sid']
redis_client.get(data.sessionID, function(err, session) {
if (err) {
return accept('Error in session store.', false)
} else if (!session) {
return accept('Session not found.', false)
}
// success! we're authenticated with a known session.
data.session = session
return accept(null, true)
})
})
The sessions are being saved to redis, the keys look like this:
redis 127.0.0.1:6379> KEYS *
1) "sess:lpeNPnHmQ2f442rE87Y6X28C"
2) "sess:qsWvzubzparNHNoPyNN/CdVw"
and the values are unencrypted JSON. So far so good.
The cookie header, however, contains something like
{ 'connect.sid': 's:lpeNPnHmQ2f442rE87Y6X28C.obCv2x2NT05ieqkmzHnE0VZKDNnqGkcxeQAEVoeoeiU' }
So now the SessionStore and the connect.sid don't match, because the signature part (after the .) is stripped from the SessionStore version.
Question is, is is safe to just truncate out the SID part of the cookie (lpeNPnHmQ2f442rE87Y6X28C) and match based on that, or should the signature part be verified? If so, how?
rather than hacking around with private methods and internals of Connect, that were NOT meant to be used this way, this NPM does a good job of wrapping socket.on in a method that pulls in the session, and parses and verifies
https://github.com/functioncallback/session.socket.io
Just use cookie-signature module, as recommended by the comment lines in Connect's utils.js.
var cookie = require('cookie-signature');
//assuming you already put the session id from the client in a var called "sid"
var sid = cookies['connect.sid'];
sid = cookie.unsign(sid.slice(2),yourSecret);
if (sid == "false") {
//cookie validation failure
//uh oh. Handle this error
} else {
sid = "sess:" + sid;
//proceed to retrieve from store
}
I want to call a Security Token Service which was created and deployed using Metro 2.2 framework from an Axis 2 STS Client. I'm trying to do the same but getting issues like the one below: -
java.lang.RuntimeException:Incorrect inclusion value: -1
I went deep into the source code and saw that in SecureConversationTokenBuilder class code is wriiten something like this:-
String inclusionValue = attribute.getAttributeValue().trim();
conversationToken.setInclusion(SP11Constants.getInclusionFromAttributeValue(inclusionValue));
then I went into the SP11Constants.getInclusionFromAttributeValue(inclusionValue) and saw the following piece of code:-
public static int getInclusionFromAttributeValue(String value ) {
if (INCLUDE_ALWAYS.equals(value)) {
return SPConstants.INCLUDE_TOEKN_ALWAYS;
} else if (INCLUDE_ALWAYS_TO_RECIPIENT.equals(value)) {
return SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT;
} else if (INCLUDE_NEVER.equals(value)) {
return SPConstants.INCLUDE_TOKEN_NEVER;
} else if (INCLUDE_ONCE.equals(value)) {
return SPConstants.INCLUDE_TOKEN_ONCE;
} else {
return -1;
}
}
as INCLUDE_ALWAYS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always" which is not equal to what is defined by metro in policy.xml like
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always
Therefore the above code always return -1 and in turn throws a runtime exception as below:-
public void setInclusion(int inclusion) {
if(SPConstants.INCLUDE_TOEKN_ALWAYS == inclusion ||
SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == inclusion ||
SPConstants.INCLUDE_TOEKN_ALWAYS_TO_INITIATOR == inclusion ||
SPConstants.INCLUDE_TOKEN_NEVER == inclusion ||
SPConstants.INCLUDE_TOKEN_ONCE == inclusion ) {
this.inclusion = inclusion;
} else {
//TODO replace this with a proper (WSSPolicyException) exception
throw new RuntimeException("Incorrect inclusion value: " + inclusion);
}
}
Just wanted to know whether it is possible to get token from Security Token Service (STS) created in Metro Framework invoked from an Axis2 based STS Client.Please advise as I'm stuck in between.
Thanks in advance.