How can I protect my website during development with htaccess in Cakephp? While I have only ftp username and password
I used
.htaccess
AuthType Basic
AuthName "MyProjName"
AuthUserFile "/projectname/app/webroot/p.htpasswd"
require valid-user
Server error occure
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.
This is not an CakePHP question, this is a Apache HTTP question.
If you need to control HTTP Auth with users data stored in MySQL database that is managed by some cakephp app, you may need to search for "htaccess mysql user", and check the properly hashing passwords to support that feature.
Related
Sorry that my question might be repetitive but none of the solutions provided in other links have resolved my issue. Below is my situation
We have ASP.NET Core 3.1 Web application to which we are trying to use Azure AD so that users can login with our Enterprise Credentials. We started with ASP.CRORE MVC default template and enabled to Use Organization credentials and Authentication is working in our Local environment. We are now trying to deploy this app to other internal environments. So we have deployed this to two of our internal servers and configured IIS to refer this website with http IP's assigned. I was able to create Azure App registry for this application and was able to add the http IP's through Manifest, added the clientId to the appsettings.json file and the authentication is working if we refer the website using the http IP's. I have also tried by assigning https IP's assigned to the same websites and added them to Azure App Registry and again the authentication is still working if we refer the website with either of the 2 https IP's.
Now we have decided to create URL something like https://ourwebsitename.companyname.com which resolves to either of the http IP's using F5 Load balancer. I was able to add the URL to the azure app registry and using the same clientId in appsettings.json in the same way how the app is working with http or https IPs. But somehow when we refer the website URL
https://ourwebsitename.companyname.com we are getting the error as mentioned in the title of the question and I did observed after I hit the URL, its getting redirected as redirect_uri=httpXXXX instead of https which I thought may be the reason of the issue but unable to resolve. I have googled it and tried with various solutions but none resolved and so I am posing it again hoping for a luck if someone can provide me a solution.
Following are the links which appeared close to my situation but didn't work for me
https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-5.0
https://github.com/AzureAD/microsoft-identity-web/issues/115
Thanks in advance.
I looked at the sample you provided, and it does not provide the redirect_ url key in appsettings.json. So, based on my experience, it should have a built-in redirect_ url. Otherwise, the aadsts50011 error will not be reported.
To deal with this kind of problem, you can try a general solution:
When you visit the application url , you will be redirected to the login page. Decode the authorization request url, you will find redirect_url, copy the value of redirect_url and paste it into the azure portal, and try again.
For the redirect URL, it should start with https, if you need to start with http, you must configure it as http://localhost.
I have made an app with Spring Boot on backend and UI in AngularJS. UI is separate from the backend. UI is deployed in Firebase and my backend in deployed in AWS (via boxfuse). I want to add a trusted https certificate to my backend but Certificate Manager does not let me create a trusted certificate for Amazon owned domain. How can I add a certificate to the backend (with Let's Encrypt)? Does my UI also need a trusted certificate?
First of all, If you are using public domain of EC2 instance, I would advice not to use because whenever you start and stop instance, It will change the domain. If you are doing with let's encrypt than you should do it in the server which having apache configured. Let's encrypt provide you the ACME client, most recommended is certbot. Choose your OS and Web server. It will provide you the script, Run that script in your server and it will ask for required detail which needed to get SSL Certification. Rest of the things script will do it for you. Please read the documentation before you perform this things.
You should consider the domain type as well either you are using single domain or wildcard according to your application.
Below link is useful for me, If you want you can get more detail about this.
https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
I am trying to crawl a website, more specifically a Google Site using ManifoldCF that has SAML authentication and index the crawled data into Apache Solr. But as I crawl the URL, it gives me 302 redirection to login page and then says RESPONSECODENOTINDEXABLE.
I am not sure if have I authenticated correctly or not. In manifoldCF we have options for HTTP basic authentication, NTLM authentication and Session-based access credentials authentication method. I used Session based authentication method which more looks like a form based authentication rather than SAML authentication.
Has anybody crawled a website using manifoldCF which has SAML authentication? And if not manifoldCF, has anyone been able to accomplish this via Apache Nutch, because I am afraid, it also provides only HTTP basic , Digest and NTLM authentication.
Any insight would be helpful. Can provide more information regarding the issue, if anyone here thinks it can easily be accomplished. Basically when I crawl https://sites.google.com/a/my-sub-domain.com, it redirects to SSO login page and crawler refuses to crawl any more giving a 302 error. It's an intranet based website.
There is no support in Nutch forSSO authentication using SAML. You need to handle it by writing your custom plugin. We have extended proptocol selenium plugin to handle SAML flows.
Not sure whether this helps, just try it out.
In nutch, we can provide credentials to login to the page, we have httpclient-auth.xml file in conf directory.
There u can provide your host name along with the credentials.
<auth-configuration>
<credentials username="admin" password="admin123">
<authscope host="hostname" realm="login"/>
<default/>
</credentials>
</auth-configuration>
Similarly you can add any number of credentials to this configuration.
To crawl https site, change plugin.includes property from protocol-http to protocol-httpclient in nutch-conf.xml
We have modified logic in Nutch protocol-selenium plugin to handle SSO flows.
You need to wait for redirect to SSO page. Then using selenium you can handle SSO. Again wait for redirection to original page after SSO.
If 2 factor auth is required, then things become complex. In that case you can configure google authenticator (if allowed by your IdP). You can use that to get get TOTP.
For crawling files behind authentication there is no usual way. You can configure driver to always downlaod files and then use the docwnlaoded file.
You can handle the auth flow using another http clients. If you need dynamic page's content (after all JS and Ajax request completed) then selenium is the best choice and if you are using it, you can move auth part to selenium.
I have a HTML5, AngularJS application in which I authenticate user based on windows authentication. This works fine.
I have a connect option in the application which allows user to connect to some other data source. To connect I prompt user for user name & password which is sent to a service for authentication. I am using AngularJS $http to invoke the service and pass the credentials as post parameters.
The problem is I am able to see the credentials in clear text using fiddler. I switched to HTTPS/SSL but still it is visible in fiddler. Following are my observations & queries
HTTPS/SSL only ensures transport level security, I would like to know whether I should bother about message level security in web application if transport level security is already in place (using HTTPS).
How I would ensure message level security in JavaScript/Angular.
Interestingly I used fiddler with gmail and hotmail as well. When I enter credentials on these sites fiddler does not captures it. Any idea how does it happen on these sites? They must be sending credentials for authentication.
Atul Sureka
I would like to avoid having a plain text password in the .ini file. I guess it should use Kerberos authentication, but I couldn't find how to do that.
I don't believe that Shiro has any capability to support Windows Kerberos authentication nor does it appear to have any "out of the box" capability to support encrypted passwords in the [main] section of the shiro.ini file.
Looking at this message (http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html) on the Shiro mailing list it suggests the best solution is to create your own password factory which will return the password when needed. The mailing list talks about using this for database passwords but the same principle should apply to Active Directory.
This link (https://issues.apache.org/jira/browse/SHIRO-445) contains a patch which should give you some pointers on how to do this.