I have a reverse proxy that authenticates users using SSL Client Side certificates. I am trying to make Sonar V4 use the credentials that are passed in by the certificate from the reverse proxy. However, I haven't had much luck so far with Sonar.
However, I did get this working with Jenkins and Trac already.
Couldn't find one out there. So I just made my own over a few days.
https://github.com/trajano/reverse-proxy-auth-sonar-plugin
Personally wasn't too thrilled to have to resort to dealing with Ruby on Rails within a Java app and learning the current API on the fly, but it seemed to work since the authentication is managed by Ruby on Rails rather than Java.
Related
I am developing rails 4 project with some API,
And I need to configure two-way SSL authentication for these API requests.
I know that two-way SSL means that:
client and server have certificates
server check client's sertificate
client check server's sertificate
if everything is OK client send a request
if everything is OK server send a response
But how it can be implement in rails?
And how can it be implemented only for rails API (requests with /api/.. prefix etc.)?
Or I am not right and it should be implemented on Nginx layer....?
Does any ruby gems for two-way SSL authentication exists?
with easy to understand documentation :)
This problem should not be solved on application layer.
Please, find example of nginx settings in the answer of this question.
I can't for the life of me find how to configure client certificate validation with Heroku SSL endpoint. Is is supported at all? Is there an alternative add-on that does support it?
I asked their support about this and this was their answer: https://help.heroku.com/tickets/128194
So it would appear that server side verification of client certificates isn't supported by heroku right now if you rely upon their web server. I.e. having a server hosted on heroku check the client certificate provided by the connecting client. This requires a check at the web server level.
However I did come across this for nodejs:
https://www.npmjs.org/package/client-certificate-auth
which would lead me to believe that for nodejs is should be possible, since you have full access to the http(s) server. I haven't tried it though
I would like to know if there is an option to implement secure websockets (wss://) and client certificate based authentication with twisted ?
I followed the instructions on http://twistedmatrix.com/documents/12.3.0/core/howto/ssl.html, in which the setup of a site over https:// and client certificates is described. Using self signed certs, this works fine. However, things get tricky when Websockets come into play.
Running the whole thing in IE 10 works fine. The client authenticates with his certificate and gains access to the site and may open the Websocket. FF and Chrome, however, won't work. Note that webserver and websocket run on the same port.
In my opinion, it seems that IE somehow stores the authentication of the client and uses it as well for the access to the websocket. FF and Chrome somehow treat the websocket as a different ressource for which no authentication has happened before.
Has anybody experienced the same or somewhat similiar issues or maybe implemented a solution for this?
If needed, I can provide my source code so far.
For all interested readers having the same problem, I finally figured it out.
The solution is to set a session id for the ssl context. Then the browser seems to remember the cert authentication even for subresources like websockets.
This should do it:
contextFactory = twisted.internet.ssl.DefaultOpenSSLContextFactory('keys/server.key',
'keys/server.crt')
ctx = contextFactory.getContext()
ctx.set_verify(
OpenSSL.SSL.VERIFY_PEER | OpenSSL.SSL.VERIFY_CLIENT_ONCE,
verifyCallback
)
## Since we have self-signed certs we have to explicitly
## tell the server to trust them.
ctx.load_verify_locations("keys/ca.crt")
ctx.set_session_id("id")
Lines 1-8 are needed anyway. Whats new is line 9. Here you have to set a session id.
As you've described the issue, this is simply a browser bug, and there's not much you can do about it with Twisted.
Websockets are still, sadly, a somewhat immature technology and bugs like the ones you're seeing are still being worked out. File bugs against the browsers and hope that they get fixed.
Perhaps you could consider implementing server-sent events for non-IE browsers, assuming that the client-cert-auth stuff works for that API / protocol?
I have a Ruby on Rails app running on Heroku server. As I'm testing the app with SSL certificate, I added a non-paid one like this tutorial explains, and forced the server app to use SSL with RackSSL gem.
So, I also have an Android client and I have some doubts:
How do I verify if the client request is using the same certificate?
How do I force SSL only on specific Rails routes?
Thanks in advance!
Ad. 1, do as suggested in the guide: Visit the endpoint and look at the certificate that gets served up (it should be the one you added). Note that the certificate is not different depending on the client accessing Heroku, it's something that Heroku serves up to clients accessing the endpoint so you can verify this using either a normal desktop browser or your smartphone.
Ad. 2, check out this answer which suggests rack-ssl-enforcer.
I had an idea for a fitness mobile app and I have been developing applications based on this idea for iPhone (Obj-C based), Android (java based), WebOS (html5 based) and Nokia Qt.
I now need to provide authentication to the users of my application. The server is a typical LAMP system. I would like the users of my mobile application to log in to the server seamlessly and securely.
I am not really a web programmer and hence would appreciate ideas on how I can go about providing authentication. I've heard about OpenID...but I am not sure if it can be used for authenticating mobile clients. Some one mentioned OAuth but I am not sure if a) it would work in this use case and b) What if my client does not have a Facebook/Twitter account?
Any ideas will be appreciated!
I have done something similar and used gnuTLS and a x.509 certificate to authenticate from the client side. Its seamless and easy to integrate.
https://idlebox.net/2009/apidocs/gnutls-2.6.6.zip/gnutls_7.html#SEC65
The important thing about using this method for me was that the https connection was just simple method calls and the handshaking process itself would be handled by the gnuTLS library.
My app was an iOS app and i used xcode to do it which was easy. I think it will be easier on the Java side but I am not sure about the Nokia part. The coding is in C and is thus cross platform.
However if you are looking for a iOS based solution i recommend http://developer.apple.com/library/ios/#samplecode/AdvancedURLConnections/Introduction/Intro.html
But for a cross platform solution that would require the same certificate across all applications and no input or work fro the user, I still suggest gnuTLS and using the x509 certificate.
If you already have a LAMP server somewhere, it should be fairly easy to set implement your own API for password authentication -- the important thing is that you do it via HTTPS! (so the user-ids / passwords can not be sniffed). You will need a digital certificate (CERT) for your web-server.
On your LAMP system you can keep the user data in it's database. Your LAMP server should also allow to create a local user account (of course).
You can use this solution either separate or together with OpenID or OAuth!
That means, if your client doesn't have Facebook or Twitter, they can still create an account on your LAMP server.
http://en.wikipedia.org/wiki/OAuth