I'm using a ClientAccessPolicy.xml file that I think allows pretty much all access to my WCF service:
<?xml version=""1.0"" encoding=""utf-8""?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers=""*"">
<domain uri=""*""/>
</allow-from>
<grant-to>
<resource path=""/"" include-subpaths=""true""/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>"
So far, I only want to allow my Silverlight application, and my website (MVC2 if that matters) to be able to access the service, but I don't know how I should modify my policy file to do that. I don't really know what type of access each of them needs. Can someone recommend a good resource on how to get caught up with that, as well as a suggestion as to what to specifically do with my clientaccesspolicy.xml file to make my service secure, but still available via BasicHttpBindings and WebHttpBindings?
Check out HTTP Communication and Security with Silverlight
I found it to be very helpful with these kinds of questions.
Related
There is a URL in which a SAML request is hidden. While making request, SAML authentication takes place. I would like to know if I will make the POST request to the hidden SAML URL with the same credentials as provided before. Will this session be the same as the one in which I have made the previous request.
PS: The machine, IPs and all are constant while making the requests.
Just like you open multiple tabs to access Google Docs, you would get multiple independent SAML sessions.
Each one would have different session ID and different Authentication Context.
For example, below are the two SAML responses with the same AWS IdP-init SSO SAML authentication flow.
<?xml
version="1.0"
encoding="UTF-8"
standalone="no"?>
<saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://signin.aws.amazon.com/saml"
ID="_c5b2e49b9abcb559d5784487a2a4b419"
IssueInstant="2019-03-04T00:27:36.738Z"
Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?
idpid=<idp_id>
</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_1ad7cff1e3c1000a8f112a1a43f35457"
IssueInstant="2019-03-04T00:27:36.738Z"
Version="2.0">
<saml2:Issuer>https://accounts.google.com/o/saml2?
idpid=<idp_id>
</saml2:Issuer>
<?xml
version="1.0"
encoding="UTF-8"
standalone="no"?>
<saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://signin.aws.amazon.com/saml"
ID="_1a68f45a31b8abfde9850907cd65c25b"
IssueInstant="2019-03-04T00:28:27.362Z"
Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?
idpid=<idp_id>
</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_f0b42fcf11de6279ffb1f890d50b57b2"
IssueInstant="2019-03-04T00:28:27.362Z"
Version="2.0">
<saml2:Issuer>https://accounts.google.com/o/saml2?
idpid=<idp_id>
</saml2:Issuer>
As you can see the SAML Response ID is different between the two.
I have trouble with the HTTPS setup in Mule. I have tried both at work and at home with fresh Anypoint Installs. I have checked every StackOverflow posts every tutorial every blogposts but nothing is doing it. I have also tried EE and CE runtimes. I am using the lastest edition of Mule and also tried doing the HTTPS inbound endpoint but with the same result. This is a major part in my project and have just lost a day trying to figure this out and it's driving me crazy...
I am trying to use the self signed certificate at first but ultimately I would like to use an SSL certificate we purchased.
I put the JRE in the anypoint directory and also tried from Program Files JRE.
This is my first time doing SSL stuff so maybe I'm missing something but here goes :
I first go into my Jre bin directory using CMD in Admin mode.
I run this command as described in the HTTPS Transport Reference documentation:
keytool -genkey -alias mule -keyalg RSA -keystore keystore.jks
I enter all the informations correctly and keep both passwords the same to simplify everything. The password is changeit.
I have also tried instead of FirstName LastName to enter the IP of my server I'm running my Anypoint on.
After having the keystore.jks, I copy it in my src/main/resources folder.
Here is my simplified flow in Mule. Normally I would then call a SOAP webservice or a REST webservice but I am trying to keep this the simplest possible :
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns:tls="http://www.mulesoft.org/schema/mule/tls" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xmlns:spring="http://www.springframework.org/schema/beans" version="EE-3.6.1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">
<http:listener-config name="HTTP_Listener_Configuration" protocol="HTTPS" host="localhost" port="8080" doc:name="HTTP Listener Configuration">
<tls:context>
<tls:key-store path="keystore.jks" password="changeit" keyPassword="changeit"/>
</tls:context>
</http:listener-config>
<flow name="omgHttpsPlzWorkFlow">
<http:listener config-ref="HTTP_Listener_Configuration" path="/" doc:name="HTTP"/>
<set-payload value="#['Hello']" doc:name="Set Payload"/>
</flow>
</mule>
I then use DHC or Postman (Google Chrome Extensions) or the browser directly to call my listener https://localhost:8080/
I always get 500 or no response. In Chrome I get
Your connection is not private
Attackers might be trying to steal your information from localhost (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
I tried adding loggers but nothing is showing up in the console.
I thought the problem could be with the ports or proxies at work but now I try from home with the same results.
I've tried putting port to 443 putting my ip as host. Adding truststores etc..Nothing is doing it. I think I am simply missing something very small and simple.
I hope someone can help me as this is the final step to my project and if it doesn't work I cannot deploy it as it contains sensible information that I want to be secured.
Thank you for your time
You are doing everything correctly. Just click on the link https://localhost:8080/ from your browser first so that you add the unsigned certificate to your local machine and everything will work fine. You can use Postman or DHC to access your service afterwards.
in Chrome click on Advanced -> Proceed to localhost (unsafe))
in Firefox click on I understand the risks -> Add Exception...
I am new to CXF framework. Recently successfully created webservices using CXF and Spring Endpoint. I am using WSDL first approach. Can you please suggest how to use SSL(https) for web services. I have idea about truststore and keystore. I am using Apache Tomcat server.
below is my ApplicationContext.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:cxf="http://cxf.apache.org/core"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd"
default-autowire="byName">
<!-- Service endpoint -->
<jaxws:endpoint id="CalculatorWebService"
implementorClass="com.web.calculator.service.CalculatorContractImpl"
implementor="#CalculatorImpl"
address="/CalculatorWS">
</jaxws:endpoint>
<bean id="CalculatorImpl" class="com.web.calculator.service.CalculatorContractImpl"/>
I believe I need to make some configuration entries for truststore here and similarly some configuration for keystore in client side in some xml. Also I think I need some Passwordcallback class for using keystores.
Can you please help me with the configurations that has to be made to enable SSL.
Your help is truly appreciated...
Thanks...
Here is great tutorial how to set up everything you need with SSL in your CXF. Please refer to section Configuring SSL Support.
And do not forget to enable https in your tomcat. The full "how to do this" is provided here. I assume that you did not try anything yet. All you need to do just follow these steps because there is everything explained very clear.
I would prefer to avoid getting into a debate about whether HTTP verbs PUT and DELETE are appropriate or obsolete and focus on the question of actually making Silverlight work when "forced" to use these verbs.
I am trying to create a Silverlight 4 client application that calls an existing REST web service that has operations for the PUT and DELETE verbs. This service is not going to change.
I've added the following statement into constructor in my App.xaml.cs:
WebRequest.RegisterPrefix("http://", WebRequestCreator.ClientHttp);
The service has a clientaccesspolicy.xml file that contains:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
I am using the WebClient class to handle GET and POST requests. When I attempt to do the same with PUT or DELETE for the verb/method, I get an ambiguous "security error" which led me to adding the statement above.
I've seen various posts and blog articles talking about using HttpWebRequest to get around this but have not found one that actually SHOWS HOW to make these (asynchronous) calls from a Silverlight client.
If there is something wrong with the code above, please let me know. Otherwise, if you can show me or point me to an example demonstrating how these requests can be implemented, I'd greatly appreciate the help.
In your clientaccesspolicy.xml file, you must allow the PUT and DELETE HTTP verbs.
I usually allow all HTTP verbs, which would look like this given your original configuration:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*" http-methods="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
Notice the added http-methods attribute on the allow-from element.
I've solved my problem but am still not 100% sure why it is fixed.
At the suggestion of a co-worker, I enabled running the application out-of-browser and checked the setting to require elevated trust when running outside the browser. The app ran fine. I disable running out-of-browser and the app still runs fine!
As the setting says, it requires elevated trust WHEN RUNNING OUTSIDE THE BROWSER. So, if this was the problem, then I'm not sure having it checked should be fixing my problem when running IN the browser. But it does...
Add
HttpWebRequest.RegisterPrefix("http://",WebRequestCreator.ClientHttp);
HttpWebRequest.RegisterPrefix("https://", WebRequestCreator.ClientHttp);
https://mattduffield.wordpress.com/2011/12/11/silverlight-specified-method-is-not-supported-on-this-request/
we have devloped a SL4 application with a WCF service. The SL application and the service are hosted in IIS 7 with windows authentication enabled and everything else disabled.
In the wwroot i have this client access policy file:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
and this crossdomain file:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
the service config of the silverlight xap looks like this in the client section:
<binding name="SilverlightEndpoint" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<security mode="TransportCredentialOnly" />
</binding>
....
<client>
<endpoint address="http://app.domain.intern/MyService/MyService.svc"
binding="basicHttpBinding" bindingConfiguration="SilverlightEndpoint"
contract="[interface]" name="SilverlightEndpoint" />
</client>
Now when I open my application in internet explorer it prompts me to enter my windows login credentials, after that everything works fine. In my dev environment integrated authentication works without a hitch, i dont have to enter my credentials before accessing my application. In fact, integrated authentication worked in production as well when I had the following endpoint address in the client config: "http://[servername]/MyService/MyService.svc".
Does anyone know how I can get my integrated authentication back?
Finally, I figured this out.
You really dont have to change anything in the client config. I just kept the endpoint address "http://[servername]/MyService/MyService.svc" and ignored the DNS alias.
The problem was with the browser security settings. In Internet Explorer 8, i had to manually add the dns alias to the trusted sites in the local INTRANET zone (that's important). Then everything worked fine, whether I accessed the app with the server name or the dns alias and the authentication pop up went away.