I'm setting up a Jabber server for my website. I've already got some user accounts in place in the openfire database, and working IMs between them.
I'm now looking to add (some) of the users from my main database (members table, with login, password[plain text]) and allowed_to_IM[0 or 1] fields) to allow them to communicate between themselves. The Hybrid authentication is a new feature in v3.6.0a however, and there's little documentation in what configuration is required in the openfire.xml file for the database connectivity (to a second database), and what else may go in the properties (which have also taken much of the config's info away of the XML file).
My question is: Does anyone have a complete example that checks multiple databases? All the examples I'm seen seem to be just fragments.
I have it using ldap and mysql and if it helps you my setting from openfire.xml are:
<connectionProvider>
<className>org.jivesoftware.database.DefaultConnectionProvider</className>
</connectionProvider>
<database>
<defaultProvider>
<driver>com.mysql.jdbc.Driver</driver>
<serverURL>jdbc:mysql://127.0.0.1:3306/openfire</serverURL>
<username>username</username>
<password>pass</password>
<minConnections>5</minConnections>
<maxConnections>15</maxConnections>
<connectionTimeout>1.0</connectionTimeout>
</defaultProvider>
</database>
<ldap>
ldapsetting removed
</ldap>
<hybridAuthProvider>
<primaryProvider>
<className>org.jivesoftware.openfire.auth.DefaultAuthProvider</className>
</primaryProvider>
<secondaryProvider>
<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
</secondaryProvider>
</hybridAuthProvider>
<provider>
<auth>
<className>org.jivesoftware.openfire.auth.HybridAuthProvider</className>
</auth>
<vcard>
<className>org.jivesoftware.openfire.auth.DefaultAuthProvider</className>
</vcard>
<user>
<className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
</user>
<auth>
<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
</auth>
<group>
<className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
</group>
</provider>
Related
I am trying to connect a MySQL user table as a realm to my Tomcat 9. The user and roles are managed in 2 tables, as you can see in the realm configuration below. The passwords are MD5-hashed and Base64-encoded.
Unfortunately, I do not get it running properly.
REALM CONFIGURATION:
<!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack -->
<!--<Realm className="org.apache.catalina.realm.LockOutRealm"> -->
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<!--<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>-->
<!-- Custom realm for user database -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
debug="99"
driverName="com.mysql.cj.jdbc.Driver"
connectionURL="jdbc:mysql://mysqlserver.example.com:3306/database?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC&verifyServerCertificate=false&useSSL=true&requireSSL=true&autoReconnect=true"
connectionName="MYSQLDB"
connectionPassword="MYSQL_PASSWORD"
userTable="myuser" userNameCol="username" userCredCol="password"
userRoleTable="myuser_roles" roleNameCol="role"/>
<CredentialHandler
className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="{MD5}encodedCredential"
iterations="1"
saltLength="0"/>
<!-- </Realm> -->
WORKS:
When I save a password as plain text in the database and remove the CrendetialHandler from the configuration, it works. So, the database connection/configuration seems to be correct.
DOES NOT WORK:
As soon as the the password is saved hashed and encoded, it does not work anymore. I tried several CredentialHandler settings, but always getting an error, for example the latest:
WARNING [main] org.apache.tomcat.util.digester.Digester.endElement No rules found matching [Server/Service/Engine/CredentialHandler]
or
WARNING [main] org.apache.catalina.realm.CombinedRealm.setCredentialHandler A CredentialHandler was set on an instance of the CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm doesn't use a configured CredentialHandler. Is this a configuration error?
As you can see, I also tried to comment out the existing logout realm or put the CrendentialHandler into it. Nevertheless, it does not work yet.
What can I do?
Thanks in advance!
Your "CredentialHandler" is sitting outside of your "Realm" That may be one of your issues (you close the Realm at the end of the "roleNameCol"). I also list the algorithm in my code as simply "MD5" vs what you show. That may also be a problem.
I would fix it such as below (I explicitly close the "CredentialHandler" and the "Realm" to be more clear):
<Realm className="org.apache.catalina.realm.JDBCRealm"
debug="99"
driverName="com.mysql.cj.jdbc.Driver"
connectionURL="jdbc:mysql://mysqlserver.example.com:3306/database?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC&verifyServerCertificate=false&useSSL=true&requireSSL=true&autoReconnect=true"
connectionName="MYSQLDB"
connectionPassword="MYSQL_PASSWORD"
userTable="myuser" userNameCol="username" userCredCol="password"
userRoleTable="myuser_roles" roleNameCol="role">
<CredentialHandler
className="org.apache.catalina.realm.MessageDigestCredentialHandler"
algorithm="{MD5}encodedCredential"
iterations="1"
saltLength="0">
</CredentialHandler>
</Realm>
We have just gone live with https://ecotaksen.be. The queries and updates on Exact were running fine, but after installing the production license an error itgenobr001: Client not found. occurs.
My data container specification is:
<database order="1"
creationDate="2016-04-13T09:11:03.3584276+02:00"
provider="ExactOnlineAll"
connectionString="apiUrl=https://start.exactonline.be"
/>
The connection to Exact Online using Query Tool with the same credentials and connection string is working fine.
How can I solve the itgenobr001 error?
In fact it was quite simple to solve: the "Client" referred to is the application. I needed to add the client ID of Exact Online app to my connection string, since Data Access Point requires a client ID when using a production license.
Resulting data container specification:
<database order="1" creationDate="2016-04-13T09:11:03.3584276+02:00" provider="ExactOnlineAll"
connectionString="apiUrl=https://start.exactonline.be;api-client-id=MYID" />
After that, I got a itgenobr001: Invalid authorization request., and that one required addition of the redirect url as specified in the My Apps page in Exact Online:
<database order="1" creationDate="2016-04-13T09:11:03.3584276+02:00" provider="ExactOnlineAll"
connectionString="apiUrl=https://start.exactonline.be;api-client-id=MYID;apiredirecturl=https://ecotaksen.be" />
► Problem: Anyone can access a webpage, but I only want logged in users to be authorized to access it.
Background:
Web Server = IIS 8
Server OS = Windows Server 2012
Framework = .NET 4.5
Environment = .\WebFolder\logon.aspx, .\WebFolder\inside.html
Website = Simple logon page ("logon.aspx") that guards an html page ("inside.html").
Users = External people (ie, non-intranet)
Sample URLs:
A. "www.webpage.com/logon.aspx"
B. "www.webpage.com/inside.html"
Desired Outcome:
Everyone can access the "logon.aspx" page
Only logged on users can access the "inside.html" page
Any direct attempts to access "B" will trigger a redirect to "A"
No additional use of program code
Prior Attempts:
I've been fiddling with the web.config file (authentication & authorization), but to no avail (501 Server Error, 401 Authorization Error, Runtime Application Error).
Web.Config File:
<system.web>
<authentication>
<forms name=".ASPXFORMSAUTH" loginUrl="logon.aspx" protection="All" timeout="1" path="/" slidingExpiration="true" requireSSL="false" />
</authentication>
<authorization></authorization>
</system.web>
Bottom line: I'm sure this is a very basic/easy thing to configure, it's just that I haven't been able to do it so far. Plus, I do not want to write any additional code in order to accomplish a seemingly fundamental task.
Thanks in advance!
Okay, I figured it out (after 7 hours). It requires four things (based on the example file structure):
1. Using the FormsAuthentication module
VS2012 → Project → Your credentials/authentication code → Use FormsAuthentication.RedirectFromLogin(_var1_, _var2_) instead of Response.Redirect(inside.html)
2. Adding a new node in the web.config file
<system.webServer><handlers><add name="HTMLHandler" type="System.Web.StaticFileHandler" path="*.html" verb="GET" /></handlers>
3. Including the 'defaultUrl' attribute in the Forms tag
<forms name=".ASPXFORMSAUTH" loginUrl="logon.aspx" defaultUrl="inside.html" protection="All" timeout="1" path="/" slidingExpiration="false" requireSSL="false" />
4. Adding a location tag authorization restriction to the 'web.config' file
<location path="inside.html"><system.web><authorization><deny users="?" /></authorization></system.web></location>
See my comments (below) for an explanation of each of these four pieces.
I want to provide security one way or another for Sending and Getting JSON Data,but I don't know how to do this.
Our System has roles of users (System admin, General Members, etc.)
We decided send data as JSON using the Spring MVC URL pattern. I don't want everybody that outside from system to use this URL, only users can use the URL.
Example
www.example.com/services/"hereUserPass"/"hereUserName"/category/3
Each request time for different URLs, Should I control the username and password whether registered before? or What should I do for Security?
You want to implement security into your Spring Web application. You can do this at two ways:
Url Based Security
Method Based Security
Try to make another xml file as like applicationContext-security.xml Here is an example:
<http use-expressions="true">
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/static/**" filters="none" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
<logout />
</http>
Here we see that permitAll means permit everybody who wants to reach that URL. filters = none has the same effect but it means that user will not go over Spring Security(Previous one goes over Spring Security but has access, filtering doesn't applied). isAuthenticated means that user can reach there if authenticated. You can also apply role based acces to urls.
Other security implementation base on middle tier security. You should add this line at your application context security file:
<global-method-security pre-post-annotations="enabled" />
so you can use method based security as like:
#PreAuthorize("hasRole('ROLE_SUPERVISOR')")
void storeVisit(Visit visit) throws DataAccessException;
You can start to reading with Spring Security implementation of Spring's Pet Clinic example: http://static.springsource.org/spring-security/site/petclinic-tutorial.html
Also I recommend you read here: http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/
First Project: Spring3, Security3, Hibernate, MYSQL - How to install user tracking into database
I am working on my first project with Spring3, Security3, Hibernate, MYSQL.
I have the system working great I use Spring3 and Security3 goign to MySQL for the login and
using Spring3 MVC, Hibernate and MYSQL for system data.
I have a number of questions. Once I login does Spring Security save the user object somewhere that I can have
Hibrernate access it. I want Hibernate to put the user name or role into each insert to the database so as
I do my searches the system knows to only show data for that user and only that user?
this somes like it should be easy. Spring should be saving the user somewhere the hibernate can access.
please help me out
Once the user is authenticated, you can access the user's authentication session details:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
SecurityContext will allow you to grab the Authentication object, and from that you can retrieve the principal (an object representing the authenticated user), roles, etc. You could inspect this information and determine what data should be stored/displayed for each user.
If you can add a request filter or interceptor (the vocabulary may vary between frameworks), you could probably make these security checks abstract/generic enough to be applied across your entire web app (instead of adding a few lines of code to every resource method you're attempting to secure). Either way, SecurityContext should get you closer to what you want.