[OTDev] OpenSSO now secure
chung chvng at mail.ntua.gr
Mon Jun 14 18:47:43 CEST 2010
Hello Andreas,

I want to create a policy for protecting the resource
http://opentox.ntua.gr:2000/bibtex with respect to GET and POST calls, so I
created the following policy XML:

<?xml version="1.0" encoding="UTF-8"?>
<Policies>
  <Policy name="s2_policy"
          createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
          lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
          creationdate="1275290803394" lastmodifieddate="1275290803394"
          referralPolicy="false" active="true">
    <Rule name="nr1">
      <ServiceName name="iPlanetAMWebAgentService"/>
      <ResourceName name="http://opentox.ntua.gr:2000/bibtex"/>
      <AttributeValuePair>
        <Attribute name="POST"/>
        <Value>allow</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="GET"/>
        <Value>allow</Value>
      </AttributeValuePair>
    </Rule>
    <Subjects name="s1" description="">
      <Subject name="testUser" type="LDAPUsers" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>cn=partner,ou=people,dc=opentox,dc=org</Value>
        </AttributeValuePair>
      </Subject>
    </Subjects>
  </Policy>
</Policies>

But I get the response:

HTTP/1.1 400 Bad Request
Server: nginx/0.6.32
Date: Mon, 14 Jun 2010 16:35:07 GMT
Content-Type: text/plain
Connection: keep-alive
Content-Length: 37

Error in policy. ssoadm output: null

Is the syntax of the XML above correct?

Best regards,
Pantelis

On Fri, 2010-06-11 at 13:44 +0200, Andreas Maunz wrote:
> Ok, here is the solution:
> Please use
>
> <Value>cn=partner,ou=groups,dc=opentox,dc=org</Value>
>
> instead of
>
> <Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>
>
> It was wrong in the doc and is now updated.
>
> Best
> Andreas
>
>
> Nina Jeliazkova wrote on 06/11/2010 10:53 AM:
> >
> > Andreas Maunz wrote:
> >> I have checked on the server console:
> >>
> >> - the policy has correctly been created
> >> - you are a member of 'partner' group
> >>
> >> So I can see no obvious error here. Could you please make sure to
> >> refresh your token and try again?
> >> If it still fails, I will investigate this more closely.
> > I've verified with
> > http://opensso.in-silico.ch/opensso/identity/isTokenValid the token is
> > still valid; and also obtained a new token, unfortunately
> > authorization still fails.
> >
> > Regards,
> > Nina
> >>
> >> Andreas
> >>
> >> Nina Jeliazkova wrote on 06/11/2010 10:39 AM:
> >>> Andreas,
> >>>
> >>> My fault, but I've just replaced the policy to use partner group and
> >>> still not getting authorized.
> >>>
> >>> nina@ambit:~$ curl -i -X GET
> >>> http://opensso.in-silico.ch/Pol/opensso-pol/nina_top_level_test4 -H
> >>> 'subjectid:..'
> >>> HTTP/1.1 200 OK
> >>> Server: nginx/0.6.32
> >>> Date: Fri, 11 Jun 2010 08:31:35 GMT
> >>> Content-Type: text/xml
> >>> Connection: keep-alive
> >>> Content-Length: 1188
> >>>
> >>> <?xml version="1.0" encoding="UTF-8"?>
> >>> <Policies>
> >>>   <Policy name="nina_top_level_test4"
> >>>           createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >>>           lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >>>           creationdate="1276245073888" lastmodifieddate="1276245073888"
> >>>           referralPolicy="false" active="true">
> >>>     <Rule name="tr1">
> >>>       <ServiceName name="iPlanetAMWebAgentService"/>
> >>>       <ResourceName name="http://nina-vpn.acad.bg:8080/sso_protected"/>
> >>>       <AttributeValuePair>
> >>>         <Attribute name="POST"/>
> >>>         <Value>allow</Value>
> >>>       </AttributeValuePair>
> >>>       <AttributeValuePair>
> >>>         <Attribute name="GET"/>
> >>>         <Value>allow</Value>
> >>>       </AttributeValuePair>
> >>>     </Rule>
> >>>     <Subjects name="s1" description="">
> >>>       <Subject name="test" type="LDAPGroups" includeType="inclusive">
> >>>         <AttributeValuePair>
> >>>           <Attribute name="Values"/>
> >>>           <Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>
> >>>         </AttributeValuePair>
> >>>       </Subject>
> >>>     </Subjects>
> >>>   </Policy>
> >>> </Policies>
> >>>
> >>> 11:31:53 AM: nina@ambit:~$ curl -i -d
> >>> 'uri="http://nina-vpn.acad.bg:8080/sso_protected' -d 'action=POST' -d
> >>> 'subjectid=..' 'http://opensso.in-silico.ch/opensso/identity/authorize'
> >>> HTTP/1.1 200 OK
> >>> Server: nginx/0.6.32
> >>> Date: Fri, 11 Jun 2010 08:31:48 GMT
> >>> Content-Type: text/plain;charset=UTF-8
> >>> Connection: keep-alive
> >>> Content-Length: 14
> >>>
> >>> boolean=false
> >>>
> >>> Regards,
> >>> Nina
> >>>
> >>> Andreas Maunz wrote:
> >>>> Nina,
> >>>>
> >>>> actually, there is no group called 'opentox'. The groups that
> >>>> currently exist are 'partner' and 'development'.
> >>>> Please check:
> >>>>
> >>>> am@z21:~/aa$ curl -i -d "attributes_names=objecttype" -d
> >>>> "attributes_values_objecttype=group" -d
> >>>> "admin=AQIC5wM2LY4Sfcx8QFIIIagJH2prVX8o5YXh7EtJa024ps8=@AAJTSQACMDE=#"
> >>>> http://opensso.in-silico.ch/opensso/identity/search
> >>>> HTTP/1.1 200 OK
> >>>> Server: nginx/0.6.32
> >>>> Date: Tue, 08 Jun 2010 07:50:30 GMT
> >>>> Content-Type: text/plain;charset=UTF-8
> >>>> Connection: keep-alive
> >>>> Content-Length: 34
> >>>>
> >>>> string=development
> >>>> string=partner
> >>>>
> >>>> Regards
> >>>> Andreas
> >>>>
> >>>>
> >>>> Nina Jeliazkova wrote on 06/11/2010 10:26 AM:
> >>>>> Andreas,
> >>>>>
> >>>>> Thanks, I've created the policy to allow all members of opentox group
> >>>>> to do POST and GET
> >>>>>
> >>>>> curl -i -X GET
> >>>>> http://opensso.in-silico.ch/Pol/opensso-pol/nina_top_level_test4 -H
> >>>>> 'subjectid: ...'
> >>>>> HTTP/1.1 200 OK
> >>>>> Server: nginx/0.6.32
> >>>>> Date: Fri, 11 Jun 2010 08:22:15 GMT
> >>>>> Content-Type: text/xml
> >>>>> Connection: keep-alive
> >>>>> Content-Length: 1188
> >>>>>
> >>>>> <?xml version="1.0" encoding="UTF-8"?>
> >>>>> <Policies>
> >>>>>   <Policy name="nina_top_level_test4"
> >>>>>           createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >>>>>           lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >>>>>           creationdate="1276244370369" lastmodifieddate="1276244370369"
> >>>>>           referralPolicy="false" active="true">
> >>>>>     <Rule name="tr1">
> >>>>>       <ServiceName name="iPlanetAMWebAgentService"/>
> >>>>>       <ResourceName name="http://nina-vpn.acad.bg:8080/sso_protected"/>
> >>>>>       <AttributeValuePair>
> >>>>>         <Attribute name="POST"/>
> >>>>>         <Value>allow</Value>
> >>>>>       </AttributeValuePair>
> >>>>>       <AttributeValuePair>
> >>>>>         <Attribute name="GET"/>
> >>>>>         <Value>allow</Value>
> >>>>>       </AttributeValuePair>
> >>>>>     </Rule>
> >>>>>     <Subjects name="s1" description="">
> >>>>>       <Subject name="test" type="LDAPGroups" includeType="inclusive">
> >>>>>         <AttributeValuePair>
> >>>>>           <Attribute name="Values"/>
> >>>>>           <Value>uid=opentox,ou=groups,dc=opentox,dc=org</Value>
> >>>>>         </AttributeValuePair>
> >>>>>       </Subject>
> >>>>>     </Subjects>
> >>>>>   </Policy>
> >>>>> </Policies>
> >>>>>
> >>>>> However, I am not getting authorized (same token used in both curls,
> >>>>> removed here). And I assume my user is a member of opentox group :)
> >>>>>
> >>>>>
> >>>>> curl -i -d 'uri="http://nina-vpn.acad.bg:8080/sso_protected' -d
> >>>>> 'action=POST' -d 'subjectid=...'
> >>>>> 'http://opensso.in-silico.ch/opensso/identity/authorize'
> >>>>> HTTP/1.1 200 OK
> >>>>> Server: nginx/0.6.32
> >>>>> Date: Fri, 11 Jun 2010 08:21:43 GMT
> >>>>> Content-Type: text/plain;charset=UTF-8
> >>>>> Connection: keep-alive
> >>>>> Content-Length: 14
> >>>>>
> >>>>> boolean=false
> >>>>>
> >>>>> Could you help?
> >>>>>
> >>>>> Best regards,
> >>>>> Nina
> >>>>>
> >>>>> Andreas Maunz wrote:
> >>>>>> Sorry, it should read:
> >>>>>>
> >>>>>> <Subject name="mygroupname" type="LDAPGroups"
> >>>>>>          includeType="inclusive">
> >>>>>>   <AttributeValuePair>
> >>>>>>     <Attribute name="Values"/>
> >>>>>>     <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
> >>>>>>   </AttributeValuePair>
> >>>>>> </Subject>
> >>>>>>
> >>>>>> instead.
> >>>>>>
> >>>>>> A.M.
> >>>>>>
> >>>>>> Andreas Maunz wrote on 06/11/2010 10:09 AM:
> >>>>>>> Hi Nina,
> >>>>>>>
> >>>>>>> you would create a policy that contains:
> >>>>>>>
> >>>>>>> <Subject name="mygroupname" type="LDAPUsers"
> >>>>>>>          includeType="inclusive">
> >>>>>>>   <AttributeValuePair>
> >>>>>>>     <Attribute name="Values"/>
> >>>>>>>     <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
> >>>>>>>   </AttributeValuePair>
> >>>>>>>
> >>>>>>> Mind the "ou=groups" instead of "ou=people". Then, create the group
> >>>>>>> "mygroup" and assign users to it (contact Micha for that).
> >>>>>>>
> >>>>>>> Best regards
> >>>>>>> Andreas
> >>>>>>>
> >>>>>>>
> >>>>>>> Nina Jeliazkova wrote on 06/11/2010 08:53 AM:
> >>>>>>>> Hi Andreas,
> >>>>>>>>
> >>>>>>>> Could you tell how to create a policy that allows a group of
> >>>>>>>> users to POST or GET? This would be applicable to almost all top level
> >>>>>>>> resources like /algorithm/{id}, etc.
> >>>>>>>>
> >>>>>>>> Following the example at p.12 of the deliverable D3.3, one could
> >>>>>>>> create a policy which is per user only.
> >>>>>>>>
> >>>>>>>> Best regards,
> >>>>>>>> Nina
> >>>>>>>>
> >>>>>>>> Andreas Maunz wrote:
> >>>>>>>>> Hi all,
> >>>>>>>>>
> >>>>>>>>> connections to the OpenSSO service at opensso.in-silico.ch can now be
> >>>>>>>>> made secure by using SSL.
> >>>>>>>>> Submit your user credentials safely and obtain a token:
> >>>>>>>>>
> >>>>>>>>> ****************************************************************
> >>>>>>>>> am@z21:~/aa$ curl -v -k -i -d "username=amaunz&password=secret"
> >>>>>>>>> https://opensso.in-silico.ch/opensso/identity/authenticate?uri=service=openldap
> >>>>>>>>> * About to connect() to opensso.in-silico.ch port 443 (#0)
> >>>>>>>>> *   Trying 178.63.18.76... connected
> >>>>>>>>> * Connected to opensso.in-silico.ch (178.63.18.76) port 443 (#0)
> >>>>>>>>> * successfully set certificate verify locations:
> >>>>>>>>> *   CAfile: none
> >>>>>>>>>   CApath: /etc/ssl/certs
> >>>>>>>>> * SSLv3, TLS handshake, Client hello (1):
> >>>>>>>>> * SSLv3, TLS handshake, Server hello (2):
> >>>>>>>>> * SSLv3, TLS handshake, CERT (11):
> >>>>>>>>> * SSLv3, TLS handshake, Server finished (14):
> >>>>>>>>> * SSLv3, TLS handshake, Client key exchange (16):
> >>>>>>>>> * SSLv3, TLS change cipher, Client hello (1):
> >>>>>>>>> * SSLv3, TLS handshake, Finished (20):
> >>>>>>>>> * SSLv3, TLS change cipher, Client hello (1):
> >>>>>>>>> * SSLv3, TLS handshake, Finished (20):
> >>>>>>>>> * SSL connection using AES256-SHA
> >>>>>>>>> * Server certificate:
> >>>>>>>>> *   subject: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
> >>>>>>>>> CN=Christoph Helma; emailAddress=helma@in-silico.ch
> >>>>>>>>> *   start date: 2010-06-09 16:38:59 GMT
> >>>>>>>>> *   expire date: 2020-06-06 16:38:59 GMT
> >>>>>>>>> *   common name: Christoph Helma (does not match
> >>>>>>>>> 'opensso.in-silico.ch')
> >>>>>>>>> *   issuer: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
> >>>>>>>>> CN=Christoph Helma; emailAddress=helma@in-silico.ch
> >>>>>>>>> * SSL certificate verify result: self signed certificate (18),
> >>>>>>>>> continuing anyway.
> >>>>>>>>> > POST /opensso/identity/authenticate?uri=service=openldap HTTP/1.1
> >>>>>>>>> > User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7
> >>>>>>>>> OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> >>>>>>>>> > Host: opensso.in-silico.ch
> >>>>>>>>> > Accept: */*
> >>>>>>>>> > Content-Length: 32
> >>>>>>>>> > Content-Type: application/x-www-form-urlencoded
> >>>>>>>>> >
> >>>>>>>>> < HTTP/1.1 200 OK
> >>>>>>>>> HTTP/1.1 200 OK
> >>>>>>>>> < Server: nginx/0.6.32
> >>>>>>>>> Server: nginx/0.6.32
> >>>>>>>>> < Date: Thu, 10 Jun 2010 08:12:27 GMT
> >>>>>>>>> Date: Thu, 10 Jun 2010 08:12:27 GMT
> >>>>>>>>> < Content-Type: text/plain;charset=UTF-8
> >>>>>>>>> Content-Type: text/plain;charset=UTF-8
> >>>>>>>>> < Connection: keep-alive
> >>>>>>>>> Connection: keep-alive
> >>>>>>>>> < Content-Length: 72
> >>>>>>>>> Content-Length: 72
> >>>>>>>>>
> >>>>>>>>> <
> >>>>>>>>> token.id=AQIC5wM2LY4SfcyyY3V7C7qD1FD2ZoktJHsYKEKE8g+wXys=@AAJTSQACMDE=#
> >>>>>>>>>
> >>>>>>>>> * Connection #0 to host opensso.in-silico.ch left intact
> >>>>>>>>> * Closing connection #0
> >>>>>>>>> * SSLv3, TLS alert, Client hello (1):
> >>>>>>>>> ****************************************************************
> >>>>>>>>>
> >>>>>>>>> As you can see, a special switch (-k) is still required to allow
> >>>>>>>>> connections using the self-signed certificate from Christoph. We
> >>>>>>>>> might improve on this by using a free certificate from startssl.com,
> >>>>>>>>> which clients trust.
> >>>>>>>>>
> >>>>>>>>> Moreover, connections without SSL still work as usual.
> >>>>>>>>>
> >>>>>>>>> Greetings
> >>>>>>>>> Andreas
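Every failure in this thread is a policy that is well-formed XML but inconsistent with the directory or with the intended target: a group addressed as uid= instead of cn=, a user subject pointed at ou=people with a cn= DN, a resource host that does not match the one named in the text. As an added example (not OpenSSO or OpenTox code), the Python below renders a policy in the shape quoted above and lints it before it is POSTed to the Pol service. The DN conventions it enforces (cn=<group>,ou=groups for LDAPGroups, uid=<user>,ou=people for LDAPUsers) are assumptions taken from Andreas's replies, and GET/POST are the only actions it expects because those are the ones the thread grants.

```python
# Lint an OpenSSO policy XML of the shape posted in this thread before sending it.
# Added example, not OpenSSO/OpenTox code. Assumed conventions (from the replies
# above): LDAPGroups subjects are cn=<group>,ou=groups,...; LDAPUsers subjects
# are uid=<user>,ou=people,...; GET and POST are the actions being granted.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SUBJECT_DN_RULES = {"LDAPGroups": ("cn", "groups"), "LDAPUsers": ("uid", "people")}
KNOWN_ACTIONS = {"GET", "POST"}
KNOWN_DECISIONS = {"allow", "deny"}

# Same layout as the policies quoted above; createdby/creationdate are set by the server.
POLICY_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<Policies><Policy name="{name}" referralPolicy="false" active="true">
  <Rule name="{name}_rule"><ServiceName name="iPlanetAMWebAgentService"/>
    <ResourceName name="{resource}"/>{actions}</Rule>
  <Subjects name="s1" description=""><Subject name="{subject_name}" type="{subject_type}" includeType="inclusive">
    <AttributeValuePair><Attribute name="Values"/><Value>{subject_dn}</Value></AttributeValuePair>
  </Subject></Subjects>
</Policy></Policies>
"""
AVP = '<AttributeValuePair><Attribute name="{}"/><Value>allow</Value></AttributeValuePair>'


def make_policy(name, resource, subject_type, subject_dn, actions=("GET", "POST")):
    """Render a policy granting `actions` on `resource` to one LDAP subject."""
    return POLICY_TEMPLATE.format(
        name=name, resource=resource, subject_type=subject_type, subject_dn=subject_dn,
        subject_name=subject_dn.split(",")[0].split("=")[-1],
        actions="".join(AVP.format(a) for a in actions))


def parse_dn(dn):
    """'cn=partner,ou=groups,dc=opentox,dc=org' -> [('cn','partner'), ('ou','groups'), ...]"""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def lint_policy(xml_text, expected_host=None):
    """Return a list of findings; an empty list means the policy looks consistent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    policies = root.findall("Policy")
    if not policies:
        findings.append("no <Policy> element")
    for pol in policies:
        name = pol.get("name", "<unnamed>")
        rules = pol.findall("Rule")
        if not rules:
            findings.append("%s: no <Rule>" % name)
        for rule in rules:
            svc = rule.find("ServiceName")
            if svc is None or svc.get("name") != "iPlanetAMWebAgentService":
                findings.append("%s: rule does not use iPlanetAMWebAgentService" % name)
            res = rule.find("ResourceName")
            url = urlsplit(res.get("name", "") if res is not None else "")
            if url.scheme not in ("http", "https") or not url.netloc:
                findings.append("%s: ResourceName is not an absolute http(s) URL" % name)
            elif expected_host and url.hostname != expected_host:
                # catches a typo in the host, which would silently protect the wrong resource
                findings.append("%s: ResourceName host %r, expected %r" % (name, url.hostname, expected_host))
            for avp in rule.findall("AttributeValuePair"):
                attr, val = avp.find("Attribute"), avp.find("Value")
                action = attr.get("name") if attr is not None else None
                if action not in KNOWN_ACTIONS:
                    findings.append("%s: unexpected action %r" % (name, action))
                if val is None or val.text not in KNOWN_DECISIONS:
                    findings.append("%s: action %s lacks an allow/deny value" % (name, action))
        subjects = pol.findall("Subjects/Subject")
        if not subjects:
            findings.append("%s: no <Subject>, so the policy grants nobody anything" % name)
        for subj in subjects:
            stype = subj.get("type")
            if stype not in SUBJECT_DN_RULES:
                findings.append("%s: unknown subject type %r" % (name, stype))
                continue
            want_attr, want_ou = SUBJECT_DN_RULES[stype]
            for val in subj.findall("AttributeValuePair/Value"):
                try:
                    dn = parse_dn(val.text or "")
                except ValueError as exc:
                    findings.append("%s: %s" % (name, exc))
                    continue
                ous = [v for a, v in dn if a == "ou"]
                if dn[0][0] != want_attr:
                    findings.append("%s: %s subject DN starts with %s=, expected %s="
                                    % (name, stype, dn[0][0], want_attr))
                if want_ou not in ous:
                    findings.append("%s: %s subject DN lacks ou=%s (has %s)" % (name, stype, want_ou, ous))
    return findings
```

Run against the thread's own variants: the uid=partner group subject yields one finding (uid= where cn= is expected), the corrected cn=partner policy yields none, and a policy whose ResourceName host differs from the host you pass as expected_host is reported before it ever reaches ssoadm.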
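The identity REST endpoints quoted in the thread (authenticate, authorize, search, isTokenValid) all answer with plain-text key=value lines, and the secured endpoint is reached with curl -k because the certificate is self-signed with a CN that is a person's name rather than the host. As an added example (not OpenSSO or OpenTox code), the Python below parses those responses, builds the authorize request so that a stray quote in the uri parameter (as in the curl call quoted above) is rejected client-side instead of producing a puzzling boolean=false, and replaces -k with a pinned certificate fingerprint. EXPECTED_FINGERPRINT is a placeholder to be replaced with the SHA-256 of the server's DER certificate obtained out of band; the host and paths are the ones quoted above.

```python
# Client helpers for the OpenSSO identity REST endpoints used in this thread.
# Added example, not OpenSSO/OpenTox code. Host and paths are the ones quoted
# above; EXPECTED_FINGERPRINT is a placeholder, not the real server's value.
import hashlib
import http.client
import ssl
from urllib.parse import urlencode, urlsplit

OPENSSO_HOST = "opensso.in-silico.ch"
EXPECTED_FINGERPRINT = "00" * 32  # placeholder: sha256 of the server's DER cert, obtained out of band
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def parse_identity_response(body):
    """Parse the plain-text 'key=value' lines these endpoints return.

    Values may contain '=' themselves (token.id=AQIC...=@AAJT...=#), so split on
    the first one only; repeated keys (string=development, string=partner from
    /identity/search) are collected into a list.
    """
    result = {}
    for line in body.splitlines():
        if "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        if key in result:
            if not isinstance(result[key], list):
                result[key] = [result[key]]
            result[key].append(value)
        else:
            result[key] = value
    return result


def authorize_body(uri, action, subjectid):
    """Form body for /opensso/identity/authorize.

    `uri` must be a bare absolute URL: a value such as "http://... with a
    literal quote is sent verbatim and can never equal a ResourceName.
    """
    parts = urlsplit(uri)
    if '"' in uri or "'" in uri or parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("uri must be a bare absolute http(s) URL, got %r" % uri)
    if action not in ("GET", "POST"):
        raise ValueError("unsupported action %r" % action)
    return urlencode({"uri": uri, "action": action, "subjectid": subjectid})


def decision(body):
    """True/False from an authorize response; anything else is an error, not a denial."""
    value = parse_identity_response(body).get("boolean")
    if value not in ("true", "false"):
        raise ValueError("unexpected authorize response: %r" % body)
    return value == "true"


def sha256_fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def pinned_connection(host=OPENSSO_HOST, expected_fp=EXPECTED_FINGERPRINT, port=443):
    """HTTPS connection that accepts exactly one server certificate.

    The server presents a self-signed cert whose CN does not match the host, so
    CA and hostname verification cannot pass. curl -k accepts anything; pinning
    the DER fingerprint accepts only the one certificate we expect.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # CN is not the host name (see the curl -v output above)
    ctx.verify_mode = ssl.CERT_NONE  # replaced by the fingerprint check below
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.connect()
    seen = sha256_fingerprint(conn.sock.getpeercert(binary_form=True))
    if seen != expected_fp.lower():
        conn.close()
        raise ssl.SSLError("unexpected certificate for %s: sha256 %s" % (host, seen))
    return conn


def authenticate(conn, username, password, service="openldap"):
    """POST credentials over the pinned connection; return the token.id string."""
    conn.request("POST", "/opensso/identity/authenticate?uri=service=%s" % service,
                 body=urlencode({"username": username, "password": password}), headers=FORM)
    resp = conn.getresponse()
    data = parse_identity_response(resp.read().decode("utf-8"))
    if resp.status != 200 or "token.id" not in data:
        raise RuntimeError("authentication failed: HTTP %d" % resp.status)
    return data["token.id"]


def authorize(conn, token, uri, action):
    """Ask the server whether `token` may perform `action` on `uri`."""
    conn.request("POST", "/opensso/identity/authorize",
                 body=authorize_body(uri, action, token), headers=FORM)
    resp = conn.getresponse()
    return decision(resp.read().decode("utf-8"))
```

Disabling CA verification and pinning a fingerprint is only acceptable because the fingerprint is checked before any request is sent; if the expected value is left as the placeholder, every connection fails closed rather than silently trusting whatever certificate the peer presents. Note also that the thread's authenticate call sends the password in the form body, so pinning matters for that call in particular: with curl -k, any host that answers on 443 receives the credentials.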