OpenSSO (OpenAM) : Turn off URL enforcement - policy

We're using OpenAM to manage sessions on our application.
The problem is that every time we try to pass parameters with the GET method, the resource is blocked (error 403 - forbidden). If no parameter is set, everything is working.
EX:
http://mysite.com/logo.jpg ----> Works.
http://mysite.com/logo.jpg?foo=bar ----> ERROR!
For images or CSS it's normal not to have parameters, but none of the links using the GET method are working.
How could we solve our problem? Actually, disabling this policy would be a good solution.
We've looked at section 7.4.2 of the OpenAM documentation (http://openam.forgerock.org/doc/admin-guide/OpenAM-Admin-Guide.html) but nothing is working.
Any clue?
Thanks for your time.

So all you need to do is create 2 policies, one to cover
*.mysite.com/* (I could not post the http://)
*.mysite.com/*?*
since the policy engine actually looks at arguments and can restrict access based on whether args are present or not.
Creating a second policy to allow args will solve your problems.

You have to create the appropriate policies to accept parameters in your URL.
In your OpenAM console:
- go to the Access Control tab
- click on the realm you want to modify
- click on the Agents tab
- click the agent name you want to modify
- go to the Application tab
In the Not Enforced URL Processing section:
- look for the NotEnforced URLs parameter
- enter the new policies in New Value
- click Add and then Save.
You can use * or -*- depending on what you want:
* includes all subdivisions (Ex: mysite.com/* would permit mysite.com/Foo/Bar)
-*- excludes subdivisions (Ex: mysite.com/-*- would permit mysite.com/page1.aspx but not mysite.com/Foo/page1.aspx)
So for your parameters you can use something like mysite.com?-*- or, more specifically, mysite.com?myparam=-*-
And be aware: despite the fact that it says "Hot Swap: yes", that doesn't mean your changes are effective immediately.
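Both answers above turn on how the wildcards in a not-enforced URL or policy resource pattern match a request. The script below is an added example, not OpenAM code and not from either poster: it translates patterns into anchored regular expressions so you can check which entry exempts a given URL before widening a pattern such as *?*. It assumes the semantics the answers describe (* matches anything except ?, -*- matches anything except /) and a constructed host name; verify both against your own agent version.

```python
import re

# Assumed wildcard semantics (verify against your OpenAM/agent version):
#   *    matches any run of characters except '?', so a query string is only
#        covered when the pattern itself contains '?*'
#   -*-  matches any run of characters except '/', so it cannot cross a path segment
# Everything else is literal, and the whole URL must match the pattern.
def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one not-enforced or policy resource pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("-*-", i):
            parts.append(r"[^/]*")
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^?]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def url_matches(pattern: str, url: str) -> bool:
    return pattern_to_regex(pattern).match(url) is not None

def covering_pattern(patterns, url):
    """Return the first pattern that exempts url from enforcement, or None if it stays protected."""
    for p in patterns:
        if url_matches(p, url):
            return p
    return None

# Constructed not-enforced list with a hypothetical host (not from the question):
NOT_ENFORCED = ["http://www.mysite.com/images/*", "http://www.mysite.com/images/*?*"]

if __name__ == "__main__":
    for url in ["http://www.mysite.com/images/logo.jpg",
                "http://www.mysite.com/images/logo.jpg?foo=bar",
                "http://www.mysite.com/admin/index.jsp?foo=bar"]:
        print(f"{url} -> exempted by {covering_pattern(NOT_ENFORCED, url)}")
```

Keeping the ?* entry scoped to the same path as its sibling (images/ here) is what stops a query-string exemption from silently uncovering the rest of the site.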

Related

How can I capture dynamic value in Load Runner that appears in the Request header section?

A dynamic value that appears in the subsequent web requests appears in the Request Header throughout the script. I am unable to correlate this value as it is not available in response header / body section. How can I now correlate this value?
I have tried recording using VUGEN - HTML & URL Mode. I have also used Fiddler as well as HAR files exported via Chrome Developer Tools. None of them have any additional request/responses that could have been potentially missed while recording with VUGen or other tools.
The dynamic value appears in the Request Header like this:
Reference:
https://*****/suite/sites/ecase-case-worker/page/home/start-process/iUBVQU4qoHEAl9UkPVyXKjTxMt3bz-olj7yCJ6dulSOHbmIIDal?parameters=**855b2a7b-a175-49e6-9ee0-7b7f37667197**
The "855b2a...." value appears throughout the script in different places, like this:
web_custom_request("iUBVQU4qoHEAl9UkPVyXKjTxMt3bz-olj7yCJ6dulSOHbmIIDal",
"URL=https://****/suite/rest/a/sites/latest/ecase-case-worker/page/home/startProcess/iUBVQU4qoHEAl9UkPVyXKjTxMt3bz-olj7yCJ6dulSOHbmIIDal?cacheKey=**855b2a7b-a175-49e6-9ee0-7b7f37667197**",
I have manually verified in the application that this value keeps changing every single time the "Create application" link is clicked. Is there a way to capture this dynamically changing value?
If this is not sent to you from the server, as a correlated value, then what remains is that the value is generated on the client, likely as a part of a JavaScript function output.
Speak with the developer of your application about the location of the generation of this value. If it is locally generated then simply execute the JavaScript inside of your HTTP script or reproduce the algorithm in C for native inclusion in a C HTTP virtual user. You have some alternate paths as well, which includes the newer JavaScript based virtual user, Truclient (which runs a full browser), Citrix, RDP or GUI virtual users.
With Truclient, Citrix, RDP or GUI you are simply going to run a full browser and inherit the JavaScript execution and inclusion of the key value as a part of full stack execution.
The Fiddler recording helped in identifying the correlation value, as it was hidden in one of the EXTRARES references, which wasn't captured anywhere by VUGen. The request had to be subsequently added manually into the script to pick up the dynamic value in its response.

JMeter : How do I Remove local HTTP Header Manager from each Requests in the Thread Group?

Here is a link to image: https://i.stack.imgur.com/fIg3R.png
I have a local Header Manager for each request. I also have a global one. [Please look at the image] I want to remove the local Header Manager for all requests.
I tried it by creating a preprocessor and writing "sampler.getHeaderManager().removeHeaderNamed("HTTP Header manager");" inside it. But it's not working. Because of this, it cannot authenticate credentials.
I also tried "sampler.getHeaderManager().remove(0)". This didn't work either. remove(1) ignores the global header manager.
Here is my suggestion. Care must be taken while following the steps below. I follow this trick to replace dynamic values.
Take a backup of your JMeter script.
Open the script in Notepad++.
Find the Header Manager tags. They look something like this:
<hashTree><HeaderManager guiclass="HeaderPanel" testclass="HeaderManager" testname="HTTP Header Manager" enabled="true"><collectionProp name="HeaderManager.headers"/></HeaderManager><hashTree/>
If you have many Header Managers and each name is unique, you can use a regular expression in Notepad++.
Regex syntax in Notepad++:
<hashTree><HeaderManager guiclass="HeaderPanel" testclass="HeaderManager" testname="(.+)" enabled="true"><collectionProp name="HeaderManager.headers"/>
</HeaderManager><hashTree/>
Replace it with an empty value using Find and Replace.
While replacing, please take care of the <hashTree></hashTree> tags; any conflicts will result in corruption of the script. Use the Test Plan Check Tool plugin to validate your test plan. Please visit this link to know more: https://jmeter-plugins.org/wiki/TestPlanCheckTool/
Save it and open it in JMeter.
Before
After
Give your "global" header manager a different name
Run your test via Taurus tool. Taurus naturally supports JMeter tests execution and adds some extra features on top, for instance Modifications for Existing Scripts. Assuming your test is called test.jmx the relevant Taurus config file will be as simple as:
---
execution:
  scenario:
    script: test.jmx
    modifications:
      disable: HTTP Header Manager
If you save it as, e.g., test.yml and execute Taurus as:
bzt test.yml -gui
a JMeter instance will launch and open your script with Header Manager elements disabled.
See Navigating your First Steps Using Taurus article for more information on the approach.
Currently it is not possible to fully remove test elements programmatically; you can only remove individual headers. Going forward you might want to untick the Capture HTTP Headers box under HTTP(S) Test Script Recorder in order to avoid this situation.
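The Notepad++ regex approach above works but, as that answer warns, one slip in the hashTree pairing corrupts the .jmx. As an added example (not JMeter's, Taurus's or any poster's code), the script below does the same removal by walking the XML: it drops only the HeaderManager elements that hang off an HTTPSamplerProxy, together with their paired hashTree, and leaves the Thread Group level ("global") one in place. The embedded .jmx fragment is constructed for the demonstration and is not the poster's script.

```python
import xml.etree.ElementTree as ET

# Constructed minimal .jmx (not the poster's script): a Thread Group with one
# "global" Header Manager and one HTTP sampler carrying its own "local" one.
SAMPLE_JMX = """<jmeterTestPlan version="1.2">
  <hashTree>
    <TestPlan testname="Test Plan"/>
    <hashTree>
      <ThreadGroup testname="Thread Group"/>
      <hashTree>
        <HeaderManager testname="Global Headers"><collectionProp name="HeaderManager.headers"/></HeaderManager>
        <hashTree/>
        <HTTPSamplerProxy testname="Login"/>
        <hashTree>
          <HeaderManager testname="HTTP Header Manager"><collectionProp name="HeaderManager.headers"/></HeaderManager>
          <hashTree/>
        </hashTree>
      </hashTree>
    </hashTree>
  </hashTree>
</jmeterTestPlan>"""

def strip_local_header_managers(root: ET.Element) -> int:
    """Remove every HeaderManager (plus its paired hashTree) that sits inside an
    HTTPSamplerProxy's hashTree. Thread Group level managers are kept. Returns count removed."""
    removed = 0
    for parent in list(root.iter()):            # snapshot: the tree is mutated while walking
        kids = list(parent)
        for idx, kid in enumerate(kids[:-1]):
            sampler_tree = kids[idx + 1]          # JMX convention: element, then its hashTree
            if kid.tag != "HTTPSamplerProxy" or sampler_tree.tag != "hashTree":
                continue
            subs = list(sampler_tree)
            for k, sub in enumerate(subs):
                if sub.tag != "HeaderManager":
                    continue
                sampler_tree.remove(sub)
                if k + 1 < len(subs) and subs[k + 1].tag == "hashTree":
                    sampler_tree.remove(subs[k + 1])   # keep element/hashTree pairs balanced
                removed += 1
    return removed

def header_manager_names(root: ET.Element) -> list:
    return [hm.get("testname") for hm in root.iter("HeaderManager")]

def clean_jmx_text(xml_text: str):
    """Returns (removed_count, remaining HeaderManager names, cleaned XML as a string)."""
    root = ET.fromstring(xml_text)
    removed = strip_local_header_managers(root)
    return removed, header_manager_names(root), ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    removed, names, _ = clean_jmx_text(SAMPLE_JMX)
    print(f"removed {removed} local Header Manager(s); remaining: {names}")
```

For a real script, read the backup with open() and pass its text to clean_jmx_text, then write the returned XML to a new file and open that in JMeter (or run the Test Plan Check Tool on it) before discarding the backup.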

Laravel 4: when using Config::set to change auth.model, Auth::user() does not work

My Laravel project has two login systems.
1) Using user_name and password
2) Using a secret code
My 1st login system works properly, because auth.model has the 'User' model.
So I use 'Config::set' in the 'tempSing' method to obtain the 2nd login, as below.
Config::set('auth.model', 'TempUser');
Config::set('auth.table', 'temp_user');
After that code I use the code below:
$user = TempUser::where('secret_code', '=', Input::get('code'))->first();
Auth::login($user, true);
if (Auth::check())
    return Redirect::route('getTemp');
Then that code works properly and redirects to 'getTemp', and after routing it renders 'temp.php'. But that includes
if (Auth::check())
So my problem is that the above logic does not become true. That problem occurs when using 'Config::set', but when I configured 'auth.model' and 'auth.table' manually in 'auth.php' no error happened. Please help me.
I would assume Laravel initializes the Auth service once when the application is started, so later edits to configuration don't affect it anymore. A solution would be to initialize an instance yourself, and use that.

Worklight - Updatable static content

I have this requirement: my WL application has a set of static pages that might be updated at any time. Originally the source of all static content is a desktop page that is transformed by XSL into mobile-friendly content. The problem is that I don't want to do that on each request (HA requirement).
I want to get some inspiration on how to architect that without using the Direct Update mechanism (I don't want the end user to get notified of these updates).
I should note that pages will change rarely, maybe every few months.
I'm thinking about 2 ways of doing that:
1- Making the transformation on the adapter side and relying on WL caching so that the transformation is not made each time (does that exist?). But how will the adapter get notified of a page change and flush the cache? Should I program some advanced Java-based adapter? (Storing in the cache and having a kind of job that scans every day for content changes?)
2- Doing it on the mobile side, but I don't know how to get notified of changes!
Is your only problem with Worklight's Direct Update that the user is being notified and is required to explicitly approve the transfer?
In this case why not use the option of Silent Direct Update?
The property you're looking for is updateSilently set to true in initOptions.js.
For this to work it is required, obviously, that connectOnStartup be set to true as well.
Perhaps what is doable is to use an adapter to fetch the HTML (or whatever it is) and save it to the device's local storage, and then have the app display this content. This way you do not alter the app's web resources and do not trigger Direct Update.

SQL Network Interfaces, error: 26 only on solution rebuild

I have a site built using MVC4 which is getting content out of a database and it all works fine.
If I then rebuild the solution and try to refresh the page to check my changes, I will always get the SQL Network Interfaces, error: 26 saying that I cannot connect to the server.
However, if I then browse to my homepage and then back to the page I was looking at it will work fine.
Does anyone know what could cause this problem? It is really annoying.
EDIT
Further to this, I have found that it is when the AuthorizationContext filterContext is being loaded after the rebuild that it cannot connect to the DB.
EDIT 2
As with Neil below, I have found that I only get the problem if I try to access a page that has had a role assigned to it.
I'm seeing the exact same problem and can trace it to the .ASPXAUTH session cookie in the browser. Delete that cookie and the database error goes away until the next rebuild.
The error occurs regularly if you are authenticated and then rebuild the project and try to browse any page that either:
Requires authentication
Makes a call to the User object (e.g. #if (User.IsInRole("Administrators")))
If you have the AuthorizeAttribute filter set in App_Start/FilterConfig.cs you'll get this on every page.
This seems to be new behavior following the most recent Patch Tuesday updates. Previously, I was seeing weird behavior where I would remain logged in but I would lose my role membership. After the most recent patches, it seems Simple Membership chokes when it gets a bad .ASPXAUTH cookie (invalid because of the rebuild).
I've got the correct connection string in InitializeSimpleMembershipAttribute.cs but it's like Simple Membership is defaulting to something else in this one instance.
Note that I've moved the Simple Membership databases from the original (localDb) to a full-fledged (local) SQL Server instance. Don't know why that would matter, and it works fine in all other cases.
Update:
I've also tried making the connection string name the same as the EF context name (e.g. "ProjectContext") on the theory that it is defaulting to the standard convention, but that made no difference. I am explicitly identifying the connection string name in all my context class constructors (using the : base("connectionString") syntax) and Simple Membership is able to find the right connection string all other times.
Update 2:
The problem only occurs after rebuild when accessing a page protected by role. A simple [Authorize] won't trigger it. You need something like [Authorize(Role="Admin")]. I've replicated this on a new MVC 4 project with no other modifications, using the default (localDb) database. Clear the cookie and that same user can access the protected content w/o any problems. I believe this is a core .NET or MVC bug and needs to be reported as such.
This happened to me while rebuilding the application when I was logged in the browser.
Deleting cookies fixed the problem for me.
When using SimpleMembership, this bug occurs with any use of Roles, not just in the controller but also when I use:
if (Roles.IsUserInRole(rolename)) { ...
I am late to the game with this answer, but I added [InitializeSimpleMembership] to my home controller and I think that fixed it.