I have established a WebService on my weblogic 10.3 BEA server, and have tried accessing it through SOAtest only to find that it gives me the error: Recieved HTTP response Code: 403 Forbidden. I appreciate that weblogic is securing my webservice ;) but in the context of what I'm doing I would like to allow anonymous access to this specific webservice. This means that I would like any client to be able to access the SOAP communications of this webservice
Any help is greatly appreciated :)
R.
Here are a few things you could try:
From the weblogic console
Home -> Domain -> Web Applications -> Turn on "Allow All Roles"
From the weblogic console make sure no roles or policies are set in
Home -> Deployments -> <your deployment> -> Security
In your web.xml deployment descriptor set
role-name="*"
That said, the default behavior of weblogic (if you haven't changed it to a secure port, etc etc) is to allow anonymous access to web apps so maybe your deployment is specifying roles even though you don't think it should be. Check all of the .xml files in your .war/.ear to see if restrictions are in place.
As a last ditch effort you should check this link: How to make weblogic form authentication in wicket
Please look for 'security-constraint' tag inside web.xml to see if there is any CONFIDENTIAL user data constraint. If there is, SSL needs to be enabled on your application server.
Related
I will state up front that this is a well discussed topic however I have been unable to find the answer I need. I have created a winforms app that makes WCF calls to a server. All works fine with no http proxy as well as an http proxy present (non-authenticating). I did no extra coding to achieve this since many problems with proxies were fixed after .NET 1.1. It just works by accepting the Internet Options (from IE). This is my primary goal. I want the proxy config to "just work" including authentication. Right now, proxy with auth fails. I do not want to programmatically specify credentials, server names, port, etc... It was pointed out here
How should I set the default proxy to use default credentials? that the following entry is needed:
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>
I've got this in my app.config but not having success. I'm using squid as my proxy server and I have it setup with Basic authentication. With this setup, I am forced to programmatically provide username/password (don't want this). I know how to do this and I can get it to work but that's not the point. I would like all settings to be discovered including my current credentials I used to authenticate with windows. The following has an interesting answer Web service calls and proxy authentication in the real world. It states that if IE had to prompt for username and password then so would my application. In fact, IE DOES prompt for username and password. I found good info here as well http://blogs.msdn.com/b/stcheng/archive/2008/12/03/wcf-how-to-supply-dedicated-credentials-for-webproxy-authentication.aspx. I'm going wrong somewhere. If Basic Auth is wrong, then what type of authentication would allow everything to "just work".
After more research, you really can't do what I'm trying to do across authentication protocols. The following MSDN page http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx points that out. Understandably, basic auth if very old and not supported for calls to DefaultCredentails according to this page, but I'm deploying to users that might be running XP with older proxy servers. I will have to provide my user base with a manual method to configure user/password for basic auth with a proxy server. I believe what I'm trying to achieve is certainly doable with NTLM and Negotiate type auth methods. The bottom line is you have to manually provide user/password with basic auth with code like this:
WebRequest.DefaultWebProxy.Credentials = new NetworkCredential("user", "password123");
Sitecore security hardening guide instructs to restrict access to /sitecore/admin folder by disabling anonymous access. However, after I do that, I get an IIS error when I try to visit pages like /sitecore/admin/cache.aspx.
HTTP Error 401.2 - Unauthorized. You are not authorized to view this page due to invalid authentication headers.
Should anonymous access only be disabled if I don't want to access admin pages?
My sitecore version is 6.6.0 (rev. 130404).
In addition to disabling anonymous access, you should make sure some sort of other authentication method is enabled. By default, IIS7+ doesn't have any other authentication methods available, so all traffic will get an "unauthorized" error. With another means of authentication enabled, IIS will let you access the /sitecore/admin path (at which point, Sitecore's authentication may kick in).
I've done this in the past by creating a local user on the machine and enabling basic auth. Keep in mind, basic auth is not too secure since credentials are passed over the wire as cleartext, but in this case we forced traffic over SSL.
Though not spelled out in the hardening guide, you could also look at limiting access to that directory by IP address. For example, on a production content delivery server, restrict access to only localhost, meaning you cannot browse that directory without being RDP'd to the server directly.
I think you should remove extranet/anonymous access, but make sure that sitecore/everybody (or other role) has access.
That way you can only access it while logged into Sitecore.
Use the Access Viewer to check that users have access to it.
And I think that those pages, have a Sitecore login now. I know /sitecore/admin/dbbrowser.aspx has one.
I would not disable the anonymous access unless it is the production environment. I am not sure how you have the environments setup but ideally cache clearance should be on your stage/uat environment.
I am setting up Shibboleth on a Rackspace CentOS 6 server and it was working fine with testshib.org, but when I try to test it against the real IdentityProvider, I continue to get this error:
SAML 2 SSO profile is not configured for relying party
or more specifically
ERROR
An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.
This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again.
Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again.
If you think you were sent here in error, please contact technical support
Error Message: SAML 2 SSO profile is not configured for relying party
I would like to rule out SSL as a possible cause -- I was testing my Service Provider without running SSL, and it worked fine with testshib.org, so I don't think it could cause this error but I can't get SSL set up right now so I want to know if anybody has seen this error being caused by a lack of SSL?
The main difference between testshib.org and this setup is that I uploaded my SP metadata file to the testshib.org server, whereas with my current Identity Provider I haven't given them anything. Would that cause this error, does anybody know? I was under the impression that IdPs can manage requests from anonymous Service Providers...
Thanks for your help.
The real Identity Provider generally needs your metadata up front before you can begin accepting SSO sessions. The IdP will need to load your metadata, and optionally configure/release attributes to your Service Provider, which your SP may require to make an authorization decision.
IdPs can accept requests from anonymous Service Providers, given it is configured appropriately. I don't believe the Shibboleth IdP is configured to accept anonymous requests by default.
If the IdP administrator is open to accepting anonymous requests, there is more information on that configuration here: http://shibboleth.1660669.n2.nabble.com/Problem-configuring-and-IdP-to-support-anonymous-relying-parties-td6750775.html
I have implemented OAM SSO Authentication for my web application deployed on weblogic. Now i want use weblogic embedded LDAP to provide app level authorization. I dont want to use the weblogic authentication, just the authorization since i already have authentication handled by OAM. Is that possible? Can someone please point me to any examples, tutorials, or ideas to achieve this?
Depending on your OAM version, you need to add a OAMIdentityAsserter Provider in your WLS domain. I say depending on your OAM verison, because you need to tell it which type of cookies to use.
OAM Admin guide will tell you how to do this.
how can i setup security realm in weblogic 10.3? i wan't to add user roles and let weblogic server to check those users for what resources they can access. Where weblogic stores authentication data? how can authentication data can be accessed and updated by weblogic server automatically?
Thanks in advance.....
Your question is a bit vague since there are a lot of ways to configure security within Weblogic. Oracle's documentation would be a good starting point.
You can setup the security realm under Security Realms in the console. There are some default groups with specific roles that you could assign to user accounts (for example, monitor = readonly).
LDAP data is stored in the internal LDAP folder within the domain directory. However, you can configure it to use an external LDAP.