CAS authentication and limiting access for specified users - authentication

I'm using CAS (Central Authentication Service) from Jasig in a client JSF app running on tomcat 6 server. I would like to limit the access to the app just for the users specified in my database rather than all the users which can be authenticated using that CAS service. When the user attempts to log in, I need to check if his username is also in my database's table user and if it is - allow the access to the app. Otherwise, I would like to redirect user to a page "You don't have permission to access this part of the application". So I need authorization as well. Is there a good way to authorize the users in jsf 2.0? Thanks in advance for any help/suggestions.

Sounds like you need to design a custom Authentication Handler class in CAS. In theory, your handler would extend this [1], perform all the necessary checks and database look ups and will then be able to return a signal that indicates whether or not the user could authN.
You should then reference your custom handler in the deploerConfigContext.xml file.
For displaying the message, you could either throw an exception with the proper messages code, such that the message would appear above the login form, or you could alter the spring webflow and generate a new view-state which the user would be redirected to, if they fail to get access. The first approach is much easier to implement.
Another approach would be to take advantage of the isUserInRole() method [2] using the persondir api.
[1] http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/handler/support/AbstractUsernamePasswordAuthenticationHandler.html
[2] https://wiki.jasig.org/pages/viewpage.action?pageId=47874068

Related

Keycloak uma-grant type tickets for service accounts do not seem to work with policies

I am trying to use the Keycloak AuthzClient to register resources and related permissions in a resource server.
I have a resource server "resourceserver" with authz service enabled.
Using the AuthzClient, initialized with the json file containing the resource server's client id and secret, I'm able to obtain a pat.
...
authzClient.obtainAccessToken().getToken();
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("myresource");
resource.setUris(new HashSet<>(Collections.singletonList("urn:resourceserver:resourcetype1:myresource")));
resource.setOwnerManagedAccess(true);
resource.setType("urn:resourceserver:resourcetype1");
resource.addScope("read", "write");
resource = authzClient.protection(pat).resource().create(resource);
UmaPermissionRepresentation permissionRepresentation = new UmaPermissionRepresentation();
permissionRepresentation.setName("myresourcepermissions");
permissionRepresentation.setDescription("foo");
permissionRepresentation.addRole("somerole");
UmaPermissionRepresentation result = authzClient.protection(pat).policy(resource.getId()).create(permissionRepresentation)
After executing this code, I can see, in the keycloak admin UI, that the resource has been created, and the scopes, however the policy/permission don't seem to show up.
I believe it is probably intended, as this keycloak admin UI only shows policies of types client, role, js, etc., but not "uma" which is what UmaPermissionRepresentation creates.
I can however see that policy exists in Keycloak by querying authz/protection/uma-policy with my pat.
So there is something there. Now testing it. I created a regular user and assigned it the realm role somerole. Using this user and some arbitrary public client, I'm able to get an RPT.
First getting an access token using the password grant:
grant_type=password&username=joe&password=password&client_id=somepublicclient
Then exchanging that for an RPT:
grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=resourceserver
The RPT comes back and if I view its contents, I can see the authorization block giving me access to the myresource resource.
However, when I try a similar flow with a service account (to which I also granted the somerole role)using the client credentials flow to obtain the initial access token:
grant_type=client_credentials&client_id=serviceaccount1&client_secret=77c1ffa8-0ea8-420c-ad45-e1a69a03838d
I am able to obtain an RPT, but that RPT does not contain myresource in the authorization/permission block, only the Default resource.
I have been trying to understand why that is. I have also tried using the .addClient("serviceaccount1") or even .addUser("service-account-serviceaccount1") in the UmaPermissionRepresentation, but still, the policy doesn't seem to kick in and my service account does not have access to the resource.
This is using Keycloak 4.8.0.Final.
Note: using the keycloak admin client, I am able to create policies/permissions that actually make this work; but in my environment this would causes other problems because of the roles I would need to assign to the admin client (like viewing all clients to retrieve an id etc.)
I have the same problem with KeyCloak 11.0.2.
Shared resources do not end up in the permission tickets of service accounts. Service accounts are explicitly excluded in the authorization token service.
Since sharing resources with service accounts is possible, this seems inconsistent.
However, you can work around this by explicitly setting the azp claim to something other than your client_id via a protocol mapper on your client.
.

How to Login LDAP with Jmeter?

I am currently recording a web with Login LDAP that means I need to input username and password in popup authentication (screenshot attached).
After I am done recording, I play back the script, and it always failed.
And I followed tutorial from https://www.blazemeter.com/blog/windows-authentication-apache-jmeter but it still failed.
Here is my Test Plan:
Here is HTTP Authorization Manager setting:
Please help.
Thanks,
Rio
If you really "followed the tutorial" you should know what is your authentication type challenge, the choice is in:
Basic Access
NTLM
Kerberos
Your setup is wrong for any of the types as you should have either base url or domain or domain+realm+appropriate configuration in jaas.conf and krb5.conf files.
I don't think sending one request is sufficient for simulating log in process, real users do the following:
open login page (at least 1 request)
type credentials (you need to mimic the time required to type using Timers)
perform login (another at least 2 request)
You may also need to perform correlation of dynamic parameters (if any), check out How to Handle Correlation in JMeter to learn more about the concept / implementation
Your approach of AJAX requests simulation is wrong, as per the definition AJAX requests are Asynchronous, to wit real browsers execute them at the same time while in your setup they are sequential. So consider placing the AJAX calls under the Parallel Controller

Symfony 3 authentication provider fallback

I have implemented authentication mechanism on some mobile application using JWTBundle with symfony 3. Until now the process requires users to submit both their email and password in order to authenticate. This works great.
Today I would like to grant access/create_account using Facebook authentication.
From the mobile app, users will access the application without submitting any password but instead FB will probably return user's Facebook identifier along with some other info. I will then post those datas to login_check route.
At this point I need a way to check (at the very beginning of request processing flow) whether login_check POST datas are standard username/pwd credentials (which I guess are handled through daoauthenticationprovider by default ? which in turn pass the processing to JWT in order to create a authentication token) and if not, fallback to another custom XXAuthenticationProvider to handle those datas (eg. if a facebook identifier is present then lookup the user account with FB API, do stuff … then create a JWT token).
I read couples of articles dealing with Symfony's Security components but none explained the whole thing clearly neither exposed a way to proceed. I still have difficulties to figure out how I could hook into the security firewall to achieve this.
Is this a way to go and how can I achieve this ?
Thank you.

Laravel 4 [API] how do i check if i already logged in from the consumer?

I've been creating API and consumer by following Simple API Development with Laravel from Aaron Kuzemchak. I got the problem after I success to auth via API from my consumer; I do not know how to check it, if the consummer already success logged in or not at the other pages...
For example, at the first; I show the login page, click the submit button to check the credentials via API. The login attempt is working, success to logged in and redirect to dashboard. But, if I haven't logged in and accessed the dashboard from URL, i got the dashboard :O
The API server and the consumer have separated machine and the database only exists at the API server.
Am I doing this right (with the flow for the API and Consumer) ?
At the consumer, how can I get to know if the user already logged in or not (after success attempt the credential)? (somehow? someidea?)
Thank you before... :)
This question is very confusing, probably because I haven't watched that screencast yet, but shouldn't Auth::check() be what you are looking for? It will return true or false depending on if the user is logged in.
Just to make sure:
You have a back end API built from the tutorial posted here: http://kuzemchak.net/blog/entry/laracon-slides-and-video
You're using HTTP Basic authentication as described in the above tutorial
You're building a (consumer) front end web interface for users on a separate server
Your consumer interface uses forms based authentication (a login form)
The backend API uses HTTP basic authentication (and the consumer sends an API key for the user with each request). As such, the backend won't keep track of a user being logged in. That means your consumer interface will need to do this.
You could use the Laravel Auth class for this normally, but your front end would normally have access to the database and the bundled authentication drivers could just check a username/password.
I'd say your options are:
Store details of the user in a session using the Session class (feels a bit nasty but simple)
Write an authentication driver and then use the Auth class (advanced but cleaner: http://www.karlvalentin.de/1903/write-your-own-auth-driver-for-laravel-4.html)
Just talk straight to the database using the existing Auth class and Eloquent

Auto login after signup in CAS

I am setting up my own CAS. A authentication handler was written and username/password are authenticated against a MySQL db. I also add signup page and related logic.
Now I would like to let user automatically log on when he/she has registered as a user. How to achieve this?
The comment above is incorrect - CAS clients do not have access to the cookie, only the CAS Server does - CAS is not a shared-cookie protocol.
If you only have a single site, you can just create a session on the client, using the standard mechanisms for Java, Ruby, whatever platform you're using.
If you want to create an SSO session for login to multiple applications, basically you need to:
Create a SSO session (via the CAS server)
Redirect to the CAS Server
Have the user redirected back to your application.
To accomplish the first one, you likely will want to modify the CAS LoginFlow to allow you to authenticate the user, either via one-time token or a similar mechanism.
Here is my implementation. The idea is borrowed from class org.jasig.cas.web.flow.AuthenticationViaFormAction.
In my web controller handling unlock request which is often from a registration email of a new user.
String oneTimeAuthToken = this.userManager.generateOneTimeAuthToken(userEmail);
UsernamePasswordCredentials credentials = new UsernamePasswordCredentials();
credentials.setUsername(userEmail);
credentials.setPassword(oneTimeAuthToken);
String tgt = centralAuthenticationService.createTicketGrantingTicket(credentials);
ticketGrantingTicketCookieGenerator.addCookie(request, response, tgt);
log.debug("Current user was unlocked and logged in.");
The fundamentals behind this is to create a temp password-like token to authenticate. Of course, userManager should clear this token automatically once authentication is successful.
Hope this is clear. Let me know if you observe anything wrong.