I've set up two Tomcat servers as described in the README's and the http://cxf.apache.org/ site. The tests for the IDP server work; I can see the WSDL for the web service. But when I go to https://localhost:8443/fedizhelloworld/secure/fedservlet, I just get a blank page.
The log output of the IDP server says:
16:56:45.379 [http-nio-9080-exec-7] DEBUG o.a.c.a.AuthenticatorBase - Security checking request GET /fediz-idp-sts/REALMA/STSServiceTransport
16:56:45.380 [http-nio-9080-exec-7] DEBUG org.apache.catalina.realm.RealmBase - No applicable constraints defined
16:56:45.381 [http-nio-9080-exec-7] DEBUG o.a.c.a.AuthenticatorBase - Not subject to any constraint
On the RP server, I see:
16:58:04.941 [http-bio-8443-exec-3] DEBUG o.a.c.a.FormAuthenticator - WsFedAuthenticator:invoke()
16:58:04.941 [http-bio-8443-exec-3] DEBUG o.a.c.a.AuthenticatorBase - Security checking request GET /fedizhelloworld/secure/fedservlet
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.a.FormAuthenticator - authenticate invoked
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.a.FormAuthenticator - reading configuration for context path: /fedizhelloworld
16:58:04.942 [http-bio-8443-exec-3] INFO o.a.c.a.FormAuthenticator - No valid principal found in existing session. Redirecting to IDP
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - Issuer url: https://localhost:9443/fediz-idp/federation
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - WAuth: null
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - WReq: null
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - HomeRealm: null
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - Freshness: null
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - SignIn Query: null
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - wreply=https://localhost:8443/fedizhelloworld/secure/fedservlet
16:58:04.942 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld
16:58:04.943 [http-bio-8443-exec-3] DEBUG o.a.c.f.c.p.FederationProcessorImpl - wctx=b6ae9556-5e4f-49ca-a9ee-493403cf1ab3
16:58:04.943 [http-bio-8443-exec-3] DEBUG o.a.c.a.FormAuthenticator - Save request in session '271D4C59304744F60BDF1B84B386896C'
16:58:04.943 [http-bio-8443-exec-3] DEBUG o.a.c.a.AuthenticatorBase - Failed authenticate() test
The README promises:
The browser is redirected to the IDP and prompts for username and password.
but I just get a blank page with the URL https://localhost:9443/fediz-idp/federation?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecure%2Ffedservlet&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld&wct=2015-12-03T15%3A58%3A04.942Z&wctx=b6ae9556-5e4f-49ca-a9ee-493403cf1ab3
My guess is that there is something wrong with the configuration but what?
Make sure you have both WARs (fediz-idp.war and fediz-idp-sts.war) deployed on the IDP server.
When you have, you should see this output right after Not subject to any constraint:
2015-12-04 10:19:25,030 [http-nio-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.STSPortFilter - STSAuthenticationProvider.wsdlLocation set to https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl
2015-12-04 10:19:25,117 [http-nio-9443-exec-8] INFO org.springframework.web.context.support.GenericWebApplicationContext - Refreshing Flow ApplicationContext [federation]: startup date [Fri Dec 04 10:19:25 CET 2015]; parent: WebApplicationContext for namespace 'idp-servlet'
2015-12-04 10:19:25,118 [http-nio-9443-exec-8] INFO org.springframework.beans.factory.support.DefaultListableBeanFactory - Replacing scope 'request' from [org.springframework.web.context.request.RequestScope#447feb96] to [org.springframework.web.context.request.RequestScope#2709bb72]
2015-12-04 10:19:25,129 [http-nio-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.service.jpa.DBInitApplicationListener - Inital DB already loaded
2015-12-04 10:19:25,131 [http-nio-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.service.jpa.DBInitApplicationListener - Inital DB already loaded
Related
I'm trying to only start an xdebug session only when I pass a certain trigger string with the request via a cookie, like so:
GET https://1.2.3.4
cookie: XDEBUG_TRIGGER=mytriggerstring
Although I can get xdebug to start as planned with the trigger, I can also still start the session without the trigger using this generic request:
GET https://1.2.3.4?XDEBUG_SESSION_START=anything
Here's my complete xdebug config file:
xdebug.start_with_request=trigger
xdebug.mode=debug
xdebug.trigger_value=mytriggerstring
xdebug.client_host = 192.168.1.10
The xdebug docs here say
The functionality only gets activated when a specific trigger is
present when the request starts
I'm not seeing anything there that says XDEBUG_SESSION_START has to be disabled, or how to disable it if that was needed.
What am I missing?
This is on CentOS 7 and here's my xdebug/php version:
PHP 7.4.27 (cli) (built: Dec 14 2021 17:17:06) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Xdebug v3.1.2, Copyright (c) 2002-2021, by Derick Rethans
Here are logs from xdebug.log_level=10:
..passing no xdebug params:
[661] Log opened at 2022-02-24 02:40:03.415677
[661] [Config] DEBUG: Checking if trigger 'XDEBUG_TRIGGER' is enabled for mode 'debug'
[661] [Config] INFO: Trigger value for 'XDEBUG_TRIGGER' not found, falling back to 'XDEBUG_SESSION'
[661] [Config] INFO: Trigger value for 'XDEBUG_SESSION' not found, so not activating
[661] Log closed at 2022-02-24 02:40:03.416915
..passing my trigger via the cookie:
[663] Log opened at 2022-02-24 02:40:38.079079
[663] [Config] DEBUG: Checking if trigger 'XDEBUG_TRIGGER' is enabled for mode 'debug'
[663] [Config] DEBUG: The trigger value 'mytriggerstring' matched the shared secret 'mytriggerstring' for mode 'debug'
[663] [Step Debug] INFO: Connecting to configured address/port: 192.168.1.10:9003.
[663] [Step Debug] INFO: Connected to debugging client: 192.168.1.10:9003 (through xdebug.client_host/xdebug.client_port). :-)
..passing the XDEBUG_SESSION_START=anything cgi param
[661] Log opened at 2022-02-24 02:42:39.009885
[661] [Step Debug] DEBUG: Found 'XDEBUG_SESSION_START' HTTP variable, with value 'anything'
[661] [Step Debug] INFO: Connecting to configured address/port: 192.168.1.10:9003.
[661] [Step Debug] INFO: Connected to debugging client: 192.168.1.10:9003 (through xdebug.client_host/xdebug.client_port). :-)
Congratulations! You have found a bug, I think.
Would you please be so kind to report it to the Xdebug development team at https://bugs.xdebug.org ? Just copying and pasting the whole information from this post their issue tracker will likely be enough for them to fix this (if it turns out to be a real bug).
ABP version 4.4 APP with identity server with angular EF core
my angular client send the username and password to identity server that is part of my abp application (mean same URL for api and identity server) that returns me token but after very next request for "api/abp/application-configuration" return with CORs error.
same application work for QA local environment with local config.
same call for "api/abp/application-configuration" work on app start because that time token is not attached in request header
i check my app setting CorsOrigins are matching with IdentityServerClientCorsOrigins
no space issue both angular and front end on https but with different port. you can verify with logs. one thing is strange in log no protocol attach # respond. (domain:1000)
I check and confirm that this is Authentication issue. by comment these two line and Authorize attribute from class
My application works fine. no issue for cors
app.UseAuthentication();
app.UseJwtTokenMiddleware();
system log
2021-09-04 10:42:24.731 -04:00 [INF] Request starting HTTP/2 OPTIONS https://domain:1000/.well-known/openid-configuration - -
2021-09-04 10:42:24.745 -04:00 [INF] CORS policy execution successful.
2021-09-04 10:42:24.751 -04:00 [INF] Request finished HTTP/2 OPTIONS https://domain:1000/.well-known/openid-configuration - - - 204 - - 19.7919ms
2021-09-04 10:42:24.793 -04:00 [INF] Request starting HTTP/2 GET https://domain:1000/.well-known/openid-configuration - -
2021-09-04 10:42:24.794 -04:00 [INF] CORS policy execution successful.
2021-09-04 10:42:46.050 -04:00 [ERR] Exception occurred while processing message.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
System.Net.Http.HttpRequestException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (domain:1000)
System.Net.Sockets.SocketException (10060): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
It is not a CORS issue, instead it is because your API (the UseJwtTokenMiddleware part) can't reach your IdentityServer over HTTP(s). I guess you got some DNS/Certificate/Network issue to resolve.
i am using Gatling 3.0.0 as a plugin in SBT i am configuring the browser as given in the https://gatling.io/docs/current/http/recorder/#recorder under configuration heading after then when i start the recorder using gatling:startRecorder in sbt and try to hit my website https://www.example.com/ Firefox displayed
Did Not Connect: Potential Security Issue
Firefox detected a potential security threat and did not continue to www.mydomain.com because this website requires a secure connection.
www.mydomain.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site
and here are the exception logs
ioEventLoopGroup-2-1] DEBUG io.netty.handler.ssl.util.InsecureTrustManagerFactory - Accepting a server certificate: CN=www.mydomain.com
14:44:55.604 [nioEventLoopGroup-4-2] DEBUG io.gatling.recorder.http.Mitm$ - Open new server channel
14:44:55.607 [nioEventLoopGroup-4-1] WARN io.netty.channel.DefaultChannelPipeline - An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:672)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:627)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:443)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:422)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
... 16 common frames omitted
14:44:55.609 [recorder-akka.actor.default-dispatcher-4] DEBUG io.gatling.recorder.http.flows.SecuredNoProxyMitmActor - Server channel 6acf48e4 was closed while in Connected state, closing
14:44:55.622 [recorder-akka.actor.default-dispatcher-2] DEBUG io.gatling.recorder.http.flows.PlainNoProxyMitmActor - serverChannel=8d7b2171 received init request http://detectportal.firefox.com/success.txt, connecting
14:44:55.622 [recorder-akka.actor.default-dispatcher-2] DEBUG io.gatling.recorder.http.flows.PlainNoProxyMitmActor - Connecting to Remote(detectportal.firefox.com,80)
14:44:55.629 [recorder-akka.actor.default-dispatcher-4] INFO akka.actor.RepointableActorRef - Message [io.gatling.recorder.http.flows.MitmMessage$ClientChannelInactive] without sender to Actor[akka://recorder/user/$a#-1754914561] was not delivered. [1] dead letters encountered. If this is not an expected behavior, then [Actor[akka://recorder/user/$a#-1754914561]] may have terminated unexpectedly, This logging can be turned off or adjusted with configuration settings 'akka.log-dead-letters' and 'akka.log-dead-letters-during-shutdown'.
14:44:55.655 [nioEventLoopGroup-2-2] DEBUG io.gatling.recorder.http.Mitm$ - Open new client channel
How did you configured proxy in your firefox? Do you have proxy only for http or also for https? If you are proxing also https requests then in recorder settings you need to switch "HTTPS mode" to "Certificate Authority". There will be a button to generate new certificate authority file that you need to import to your browser (Preferences / Privacy & Security / Certificates / View certificates / Import). After that your browser will know that it can trust Gatling proxy server and you should be able to proxy also ssl requests.
My camel route picks up files from a sftp endpoint configured with username and password. Before the connection is made, i get a prompt for username and password from Kerberos.
I skip this by pressing enter, and authentication proceeds as expected, the files i picked up. Edit: After going through the versioning logs and the program logs i'm not entirely sure this is what happend, and i cannot reproduce it.
What i see it that my (one) screen-copy with the Kerberos prompt coincides with the one of several logs showing authentication failure because my username is wrong.
Why do i get the prompt? My endpoint looks like this:
sendEmptyMessageWhenIdle: sendEmptyMessageWhenIdle=true
useHostFile: knownHostsFile=known_hosts&strictHostKeyChecking=yes
workDirectory: /omg/myprogram/${env}/WorkDirectory
fromParams: streamDownload=true&maximumReconnectAttempts=2&throwExceptionOnConnectFailed=true&consumer.bridgeErrorHandler=true&disconnectOnBatchComplete=true
mypassword: password=blablabla
fromUri: sftp://myuser#accept.server.nu:22/TST?${mypassword}
from: ${fromUri}&${sendEmptyMessageWhenIdle}&${routeScheduler}&delete=true&${useHostFile}&localWorkDirectory=${workDirectory}&${fromParams}
Actually when i dont use a hosts file the same thing happens:
useUserKnownHostsFile=false
The camel version is 2.22.2.
What can i do to disable Kerberos in Apache camel?
Could you please set preferredAuthentications attribute on the SFTP component and see if makes a difference? This is an example preferredAuthentications=publickey,keyboard-interactive,password. Documentation for FTP component here. The docs say if you don't set this, the component will use default list of mechanisms in JSCH.
Edit:
I see a similar question here but in JSCH perspective.
It appears that the Kerberos prompt appears when authentication with the provided user-name and password fails.
That is, i have not been able to reproduce the problem i described above but i have found that the Kerberos prompt appeared when the username was incorrect.
Log:
2019-01-31 12:42:30,767 DEBUG [main] myprogram.StartUpVerneProphet - - - Running with Spring Boot v2.0.8.RELEASE, Spring v5.0.12.RELEASE
2019-01-31 12:42:30,769 INFO [main] myprogram.StartUpVerneProphet - - - No active profile set, falling back to default profiles: default
2019-01-31 12:42:36,003 WARN [main] org.apache.camel.component.file.remote.SftpOperations - - - JSCH -> Permanently added 'accept.server.nu' (DSA) to the list of known hosts.
2019-01-31 12:43:01,537 WARN [main] org.apache.camel.component.file.remote.SftpOperations - - - JSCH -> Permanently added 'accept.server.nu' (DSA) to the list of known hosts.
2019-01-31 12:44:13,940 WARN [main] org.apache.camel.component.file.remote.SftpOperations - - - JSCH -> Permanently added 'accept.server.nu' (DSA) to the list of known hosts.
2019-01-31 12:44:24,963 WARN [main] org.apache.camel.component.file.remote.SftpConsumer - - - Error auto creating directory: TST due Cannot connect to sftp://faulty-username#accept.server.nu:22. This exception is ignored. org.apache.camel.component.file.GenericFileOperationFailedException: Cannot connect to sftp://faulty-username#accept.server.nu:22
at org.apache.camel.component.file.remote.SftpOperations.connect(SftpOperations.java:144)
at org.apache.camel.component.file.remote.RemoteFileConsumer.connectIfNecessary(RemoteFileConsumer.java:197)
Screen-copy:
12:42:30,761 |-INFO in c.q.l.core.rolling.helper.TimeBasedArchiveRemover - first clean up after appender initialization
12:42:30,763 |-INFO in c.q.l.core.rolling.helper.TimeBasedArchiveRemover - Multiple periods, i.e. 32 periods, seem to have elapsed. This is expected a t application start.
2019-01-31 12:42:30 DEBUG myprogram.StartUp - - - Running with Spring Boot v2.0.8.RELEASE, Spr ing v5.0.12.RELEASE
2019-01-31 12:42:30 INFO myprogram.StartUp - - - No active profile set, falling back to defau lt profiles: default
2019-01-31 12:42:36 WARN org.apache.camel.component.file.remote.SftpOperations - - - JSCH -> Permanently added 'accept.server.nu' (DSA) to the list of known hosts.
Kerberos username [root]:
Kerberos password for root:
2019-01-31 12:43:01 WARN org.apache.camel.component.file.remote.SftpOperations - - - JSCH -> Permanently added 'accept.server.nu' (DSA) to the list of known hosts.
Kerberos username [root]:
Kerberos password for root:
Unfortunately, i made only one screencopy, so i am unsure if there was any occasion where the Kerberos prompt appeared after i used the correct user-name.
It hasn't appeared totday.
I'm getting this error from a request called from the task queue. It suggests I need to change the app.yaml handler but I think I have the correct handler
Here is the error log entry:
2011-11-17 13:30:35.849 /tasks/kacher 302 209ms 0kb
0.1.0.1 - - [17/Nov/2011:13:30:35 -0800] "GET /tasks/kacher HTTP/1.1" 302 0 - - "rawload.XXX.appspot.com" ms=209 cpu_ms=0 api_cpu_ms=0 cpm_usd=0.000032 queue_name=default task_name=cf2e2f1d39d108b3972a1da8c6532fea
W2011-11-17 13:30:35.842
Request failed because URL requires user login. For requests invoked within App Engine (offline requests like Task Queue, or webhooks like XMPP and Incoming Mail), the URL must require admin login (or no login).
This is the code to call the task:
taskqueue.add(url='/tasks/kacher',target='rawload',method='GET')
Here is my app.yaml, with the task urls as login:admin which seems correct (to me):
- url: /tasks.*
script: main.py
login: admin
- url: .*
script: main.py
login: required
secure: always
There's a known bug in the dev_appserver with tasks that require admin login sometimes failing like this. Try logging your browser session in as an admin before accessing the URL that enqueues the task, or try uploading your app to production to see if you experience the issue there.