how to disable http_auth on a single zend controller - apache

Project which I am currently working is developed using ZF and dojo.
For our Development and Production server we have basic user authentication which is handled using apache's virtual host config file (by having users and password files).
When we type the server URL, it will pop-up the authentication window. It is working well.
We have following controllers in our project.
Index
profile
Error
Signoff
But now our client has come up with a new requirement that only for "Signoff Controller", they would like to allow access to everyone in the network without any authentication.
But if they try to access other controllers it should ask for user authentication.
Kindly let me know your thoughts about solving this issue either by using .htaccess( apache URL rewrite ) or ZF classes if any.

You should probably try to set this up in Zend as it will give you a more flexible setup.
// just a simple example to get you started
$config = array(
'accept_schemes' => 'basic digest',
'realm' => 'My Web Site',
'digest_domains' => '/members_only /my_account',
'nonce_timeout' => 3600,
);
$adapter = new Zend_Auth_Adapter_Http($config);
Check out more on the Zend Manual on different types of auth.

Related

Attempting Authentication via Azure AD B2C and Authorization via groups from AAD

So I followed the below examples:
Hosted Blazor Web Assembly AAD B2C: here
Azure Active Directory groups and roles : here
I first implemented Hosted Blazor Web Assembly and got that working fine. Went to implement the Group and Roles parts and began to have issues.
Everything is word for word as in the examples but not sure I merged or setup the Program.cs right in the client. When attempting the call I get a "Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed."
Unfortunately none of my breakpoints work so I figured I would reach out and see if any one has any advice.
This is built from the scaffolding for Blazor.
Here is my program.cs in my client app setup.
builder.Services.AddHttpClient("<Server Project Name>", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
.AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
// Supply HttpClient instances that include access tokens when making requests to the server project
builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("KeeperLife.UI.ServerAPI"));
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Full path to >/API.Access ");
});
builder.Services.AddScoped<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddHttpClient("GraphAPI",
client => client.BaseAddress = new Uri("https://graph.microsoft.com"))
.AddHttpMessageHandler<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
CustomUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd",
options.ProviderOptions.Authentication);
//Originally this was "..." but it seemed to break base config so i added the same as above and that worked but then tested with it commented out and it still worked so left it commented out.
//options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Url to full API PAth>/API.Access");
options.ProviderOptions.AdditionalScopesToConsent.Add(
"https://graph.microsoft.com/Directory.Read.All");
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount,
CustomUserFactory>();
builder.Services.AddAuthorizationCore(options =>
{
options.AddPolicy("SiteAdmin", policy =>
policy.RequireClaim("group", "<The Object ID of the group>"));
});
Not sure why your breakpoints don't work. But as far as I know, AAD B2C does not provide an Out-of-the-box RBAC functionality.
In Azure AD we can implement it by modifying the "groupMembershipClaims" field in application manifest: "groupMembershipClaims": "SecurityGroup". But it's not available in Azure AD B2C.
There is a workaround. Add a new claim type 'groups' into the custom policy and call the Microsoft Graph to get user's groups. Here is an example for your reference.
Vote this user voice post will be helpful.

Use Saml2 or Ws Federation to authenticate on IDM SAP and ADFS

Recently I've got a new demand in which I need to let the user authenticate in my application IDM SAP. Previously I had to integrate my application with ADFS.
In order to do that I used Ws Federation, and the application runs on Asp Net Core.
The authentication with ADFS works just fine, on StartUp I make my application retrieve the metadata XML file from the Idp server. Then I redirect the user to the Idp login page, it validates if the the authentication worked, returns the response, and then open my application.
Now, I've done some research to understand how I would do the same with IDM SAP. I've got a bit confused when I saw articles comparing SAML to WS Federation. What makes it even more confusing to me is that the client already provided his xml metadata file, and it looks very similar to the other one that uses ADFS.
Here's how I implemented Ws Federation:
services
.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(options =>
{
options.Wtrealm = appSettings.Adfs.Wtrealm;
options.MetadataAddress = appSettings.Adfs.MetadataAddress;
options.RequireHttpsMetadata = false;
})
.AddCookie();
The Idp URL is located in my appSettings file.
It came to my mind I should try to read this new XML file provided from a local folder, but this property "MetadataAddress" seems to always expect only URLs. The IDM Sap user already said they won't expose their XML file, so I'll have to always read from a local xml file.
It didn't work, so now I'm trying to figure if my option will be to implement more than one protocol in my application.
So far I found this library that seems to be the solution
https://github.com/Sustainsys/Saml2/blob/master/Samples/SampleAspNetCore2ApplicationNETFramework/Startup.cs
I've got stuck when trying to set the XML file on StartUp method, This is what I'm trying:
.AddSaml2(options =>
{
options.SPOptions.EntityId = new EntityId("mine.metadata.xml");
options.IdentityProviders.Add(
new IdentityProvider(
new EntityId("mine.metadata.xml"), options.SPOptions)
{
LoadMetadata = true
});
options.SPOptions.ServiceCertificates.Add(new X509Certificate2(#"mine.metadata.xml"));
})
It returns me an error when trying to set the service certificate saying that it couldn't find the file specified.
Also, let's pretend I set the configuration. How should I redirect the user to IDM Sap login page?
Could anyone give some advice or guidance so I can create a better solution that works for both cases?

yii2-httpclient with Basic Auth and proxy settings

in my Yii2 application, I try to read data from an REST api, which is protected by an HTTP-Basic - Auth. Additional, a proxy is needed to connet the REST api.
So I chose the Yii httpclient-module to handle this call:
$client = new Client(['baseUrl' => 'http://my.example.com']);
$response = $client->createRequest()
->setMethod('get')
->setUrl('api/session')
->addHeaders(['Authorization' => 'Basic '.base64_encode("user:password")])
->setOptions([
'proxy' => 'proxy.server:8000',
'timeout' => 5,
]);
Running this code, I get an Bad URL in proxy request error-message form the Server.
But if I copy the URL from code to the browser (which also connected to the proxy), everything works fine: the Basic-Auth window comes up.
Is there an error in setting the Authorization tag for the header?
After working a day on this problem, in found the answer. Just a minute after asking my question, but I like to keep that question in the case, that someone has the same problem.
Answer:
The yii2 httpclient uses 2 different transport libraries: Streams (which wokrs without an additional PHP extension and is set as default) and cURL.
Switching to cURL as "transport-type", the code above works fine!
$this->client = new Client([
'baseUrl' => 'http://my.example.com',
'transport' => 'yii\httpclient\CurlTransport'])

Problems working with Google Calendar Api V3 and PHP

I'm just trying to make a little, simple application (that i already made two years ago in Objective-C with api V1) that presents a screen with time of event and description and a button : "insert event in your calendar".
Every user has, obviously, to configure the application with his google username and password.
The app simplifies some process using the first calendar available.
I had infinite problem trying to do it with javascript (this app will be made in html5), so, looking at docs, I ended up trying to make a back-end on my server in php5 (thought it could be easier...ohohoho).
So, i read docs from here : https://developers.google.com/google-apps/calendar/
What i did :
1)
Get to the Google Developers Console.
Created a project.
I now have this (not real keys):
OAuth 2.0
Client ID 352xxxyy9.apps.googleusercontent.com
Email address 3527xxxy#developer.gserviceaccount.com
Service Account
Client ID 3523xxxyy419-vpfgdfg9u77s0.apps.googleusercontent.com
Email address 35ssss9-zzzzsnhavna78ea0b9gvn6a9u77s0#developer.gserviceaccount.com
Public key fingerprints :ac15ddfxdffrtg5565fgfg545r
2)
I installed Google APIs Client Library for PHP (beta) in my server.
doc says:
Using the Google APIs Client Library for PHP requires that you download the PHP source. In the future, packages will be provided. Refer to the project page for more details.
Run the following commands to download and install the source: svn blaj blah blah.
I copied the entire source in my server. Easy :)
Then..
3) You can now import the classes you will need using the following statements:
require_once "../src/apiClient.php";
require_once "../src/contrib/apiCalendarService.php";
Ok, i'll insert them in my php script !
4)" Configure your app"
You must instantiate a client to make requests to the API. All requests to the Google Calendar API require authorization.
The following code demonstrates how to configure an authorized service object using OAuth 2.0 for native applications. For more information, see Authorize Requests.
To find your project's client ID and client secret, do the following:
Go to the Google Developers Console.
Select a project.
In the sidebar on the left, select APIs & auth. In the displayed list of APIs, make sure the Google Calendar API status is set to ON.
In the sidebar on the left, select Credentials.
Find the lines labeled Client ID and Client secret. Note that there may be a client ID without a client secret, for use with Compute Engine and App Engine; in that case, create a new client ID and client secret by selecting Create New Client ID.
Edit the src/config.php file to put in your developer API information.
global $apiConfig;
$apiConfig = array(
// Site name to show in Google's OAuth authentication screen
'site_name' => 'www.example.org',
// OAuth2 Setting, you can get these keys in Google Developers Console
'oauth2_client_id' => 'YOUR_CLIENT_ID',
'oauth2_client_secret' => 'YOUR_CLIENT_SECRET',
'oauth2_redirect_uri' => 'YOUR_REDIRECT_URL',
// The developer key; you get this from Google Developers Console
'developer_key' => 'YOUR_DEVELOPER_KEY',
...
// Which Authentication, Storage and HTTP IO classes to use.
'authClass' => 'apiOAuth2',
....
// Definition of service specific values like scopes, OAuth token URLs, etc
'services' => array(
'calendar' => array('scope' => 'https://www.googleapis.com/auth/calendar'),
)
);
But they are DIFFERENT from the key i have, what's wrong ????
What are client secrets ? redirect_url??
Please help.
I think you need to setup a service account access as described here:
https://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
I had difficulties to get it work as I made many trial and errors and my cache got filled with non-working token.
If ever you find yourself not able to access the calendar even after following all the steps, try to change this line of code:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key));
to this:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key, 'notasecret','http://oauth.net/grant_type/jwt/1.0/bearer',false,false));
The last false tells AssertionCredential class to not use any cache. I did it once and then it worked with it set to true afterward.
First go here https://console.developers.google.com/project that is where you configure your app...
Click on your project, then on the left side you will see APIs & Auth, click on Credentials. You will need to create your OAuth, and Public API Access keys.
Once you have done that you will then enter those into the appropriate client_id, secret, redirect etc.
The redirect uri is the same page your app is on, its the page the user gets sent back to after authorizing.
I had the same problem.
On this page, when you click on the Create new Client Id, choose Web application and it shoudl give you the client secret key as well.
https://console.developers.google.com/project
Add a project etc.
Hope it helps

Devise-managed session not propagating to subdomains

I am using Devise to manage authentication in a Rails 3.1 application. It works just fine in my production server. But I just set up a new test server, and if I log in to the main site, accessing a subdomain is not recognizing the session. It's asking me to log in again.
I can't recall where I would troubleshoot this information. It seems as if it is some cookie setting.
I have domains pointed to each site, production and test. The production one ends in .net, the test version ends in .co.
Can anyone point me in the right direction?
I think this is not a devise setting but a session and cookie setting.
You can work on this by setting the variable YourApp::Application.config.session
You can do this in your environment.rb file or your config/initializers/session_store.rb. Example for session_store.rb is
YourApp::Application.config.session = {
:session_domain => '.yourdomain.com',
:session_key => '_yourapp',
:expire_after => 14*24*3600,
#:secure => true, #for secure/ssl sessions and such
:secret => 'somesecretgobledygook'
}
Please note the session_domain setting it to .yourdomain.com makes your cookies work across subdomains.
This applies to sessions. There are similiar settings for cookies.