[OTDev] OpenSSO now secure

Andreas Maunz andreas at maunz.de
Tue Jun 15 10:13:54 CEST 2010


Hi Pantelis,

your XML does not adhere to the template described in the documentation,
e.g. 'createdby', 'lastmodifiedby',... are not allowed.

Also, please note that
        <Value>cn=partner,ou=people,dc=opentox,dc=org</Value>
is wrong, since individuals use
        <Value>uid=partner,ou=people,dc=opentox,dc=org</Value>
instead. However, there is no individual named 'partner'. If you meant 
the partner group, you should have used
        <Subject name="testUser" type="LDAPGroups" includeType="inclusive">
instead of
        <Subject name="testUser" type="LDAPUsers" includeType="inclusive">

Please review the documentation / draft deliverable (esp. p.15) once more.
Everything is covered in detail there.

Greetings,
Andreas


chung wrote on 06/14/2010 06:47 PM:
> Hello Andreas,
>    I want to create a policy for protecting the resource
> http://opentox.ntua.gr:2000/bibtex with respect to GET and POST calls,
> so I created the following policy XML:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Policies>
> <Policy name="s2_policy"
> createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> creationdate="1275290803394" lastmodifieddate="1275290803394"
> referralPolicy="false" active="true">
>
> <Rule name="nr1">
> <ServiceName name="iPlanetAMWebAgentService"/>
> <ResourceName name="http://opentox.nuta.gr:2000/bibtex"/>
>
>   <AttributeValuePair>
>    <Attribute name="POST"/>
>    <Value>allow</Value>
>   </AttributeValuePair>
>
>   <AttributeValuePair>
>    <Attribute name="GET"/>
>    <Value>allow</Value>
>   </AttributeValuePair>
>
> </Rule>
>
> <Subjects name="s1" description="">
>   <Subject name="testUser" type="LDAPUsers" includeType="inclusive">
>    <AttributeValuePair>
>    <Attribute name="Values"/>
>       <Value>cn=partner,ou=people,dc=opentox,dc=org</Value>
>    </AttributeValuePair>
>   </Subject>
> </Subjects>
> </Policy>
> </Policies>
>
> But I get the response:
>
> HTTP/1.1 400 Bad Request
> Server: nginx/0.6.32
> Date: Mon, 14 Jun 2010 16:35:07 GMT
> Content-Type: text/plain
> Connection: keep-alive
> Content-Length: 37
>
> Error in policy. ssoadm output:
> null
>
> Is the syntax of the XML above correct?
>
> Best regards,
> Pantelis
>
> On Fri, 2010-06-11 at 13:44 +0200, Andreas Maunz wrote:
>> Ok, here is the solution:
>> Please use
>>
>> <Value>cn=partner,ou=groups,dc=opentox,dc=org</Value>
>>
>> instead of
>>
>> <Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>
>>
>> It was wrong in the doc and is now updated.
>>
>> Best
>> Andreas
>>
>>
>> Nina Jeliazkova wrote on 06/11/2010 10:53 AM:
>>>
>>> Andreas Maunz wrote:
>>>> I have checked on the server console:
>>>>
>>>> - the policy has correctly been created
>>>> - you are a member of 'partner' group
>>>>
>>>> So I can see no obvious error here. Could you please make sure to
>>>> refresh your token and try again?
>>>> If it still fails, I will investigate this more closely.
>>> I've verified with
>>> http://opensso.in-silico.ch/opensso/identity/isTokenValid that the token is
>>> still valid, and also obtained a new token; unfortunately
>>> authorization still fails.
>>>
>>> Regards,
>>> Nina
>>>>
>>>> Andreas
>>>>
>>>> Nina Jeliazkova wrote on 06/11/2010 10:39 AM:
>>>>> Andreas,
>>>>>
>>>>> My fault, but I've just replaced the policy to use the partner group and
>>>>> am still not getting authorized.
>>>>>
>>>>> nina at ambit:~$ curl -i -X GET
>>>>> http://opensso.in-silico.ch/Pol/opensso-pol/nina_top_level_test4 -H
>>>>> 'subjectid:..'
>>>>> HTTP/1.1 200 OK
>>>>> Server: nginx/0.6.32
>>>>> Date: Fri, 11 Jun 2010 08:31:35 GMT
>>>>> Content-Type: text/xml
>>>>> Connection: keep-alive
>>>>> Content-Length: 1188
>>>>>
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <Policies>
>>>>>        <Policy name="nina_top_level_test4"
>>>>> createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
>>>>> lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
>>>>> creationdate="1276245073888" lastmodifieddate="1276245073888"
>>>>> referralPolicy="false" active="true">
>>>>>            <Rule name="tr1">
>>>>>                <ServiceName name="iPlanetAMWebAgentService"/>
>>>>>                <ResourceName
>>>>> name="http://nina-vpn.acad.bg:8080/sso_protected"/>
>>>>>                <AttributeValuePair>
>>>>>                    <Attribute name="POST"/>
>>>>>                    <Value>allow</Value>
>>>>>                </AttributeValuePair>
>>>>>                <AttributeValuePair>
>>>>>                    <Attribute name="GET"/>
>>>>>                    <Value>allow</Value>
>>>>>                </AttributeValuePair>
>>>>>            </Rule>
>>>>>            <Subjects name="s1" description="">
>>>>>                <Subject name="test" type="LDAPGroups"
>>>>> includeType="inclusive">
>>>>>                    <AttributeValuePair>
>>>>>                        <Attribute name="Values"/>
>>>>>
>>>>> <Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>
>>>>>                    </AttributeValuePair>
>>>>>                </Subject>
>>>>>            </Subjects>
>>>>>        </Policy>
>>>>> </Policies>
>>>>>
>>>>>      11:31:53 AM: nina at ambit:~$ curl -i -d
>>>>> 'uri="http://nina-vpn.acad.bg:8080/sso_protected' -d 'action=POST' -d
>>>>> 'subjectid=..' 'http://opensso.in-silico.ch/opensso/identity/authorize'
>>>>> HTTP/1.1 200 OK
>>>>> Server: nginx/0.6.32
>>>>> Date: Fri, 11 Jun 2010 08:31:48 GMT
>>>>> Content-Type: text/plain;charset=UTF-8
>>>>> Connection: keep-alive
>>>>> Content-Length: 14
>>>>>
>>>>> boolean=false
>>>>>
>>>>> Regards,
>>>>> Nina
>>>>> Andreas Maunz wrote:
>>>>>> Nina,
>>>>>>
>>>>>> actually, there is no group called 'opentox'. The groups that
>>>>>> currently exist are 'partner' and 'development'.
>>>>>> Please check:
>>>>>>
>>>>>>
>>>>>> am at z21:~/aa$ curl -i -d "attributes_names=objecttype" -d
>>>>>> "attributes_values_objecttype=group" -d
>>>>>> "admin=AQIC5wM2LY4Sfcx8QFIIIagJH2prVX8o5YXh7EtJa024ps8=@AAJTSQACMDE=#"
>>>>>> http://opensso.in-silico.ch/opensso/identity/search
>>>>>> HTTP/1.1 200 OK
>>>>>> Server: nginx/0.6.32
>>>>>> Date: Tue, 08 Jun 2010 07:50:30 GMT
>>>>>> Content-Type: text/plain;charset=UTF-8
>>>>>> Connection: keep-alive
>>>>>> Content-Length: 34
>>>>>>
>>>>>> string=development
>>>>>> string=partner
>>>>>>
>>>>>> Regards
>>>>>> Andreas
>>>>>>
>>>>>>
>>>>>> Nina Jeliazkova wrote on 06/11/2010 10:26 AM:
>>>>>>> Andreas,
>>>>>>>
>>>>>>> Thanks,  I've created the policy to allow all members of opentox group
>>>>>>> to do POST and GET
>>>>>>>
>>>>>>> curl -i -X GET
>>>>>>> http://opensso.in-silico.ch/Pol/opensso-pol/nina_top_level_test4 -H
>>>>>>> 'subjectid: ...'
>>>>>>> HTTP/1.1 200 OK
>>>>>>> Server: nginx/0.6.32
>>>>>>> Date: Fri, 11 Jun 2010 08:22:15 GMT
>>>>>>> Content-Type: text/xml
>>>>>>> Connection: keep-alive
>>>>>>> Content-Length: 1188
>>>>>>>
>>>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>>>> <Policies>
>>>>>>>         <Policy name="nina_top_level_test4"
>>>>>>> createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
>>>>>>> lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
>>>>>>> creationdate="1276244370369" lastmodifieddate="1276244370369"
>>>>>>> referralPolicy="false" active="true">
>>>>>>>             <Rule name="tr1">
>>>>>>>                 <ServiceName name="iPlanetAMWebAgentService"/>
>>>>>>>                 <ResourceName
>>>>>>> name="http://nina-vpn.acad.bg:8080/sso_protected"/>
>>>>>>>                 <AttributeValuePair>
>>>>>>>                     <Attribute name="POST"/>
>>>>>>>                     <Value>allow</Value>
>>>>>>>                 </AttributeValuePair>
>>>>>>>                 <AttributeValuePair>
>>>>>>>                     <Attribute name="GET"/>
>>>>>>>                     <Value>allow</Value>
>>>>>>>                 </AttributeValuePair>
>>>>>>>             </Rule>
>>>>>>>             <Subjects name="s1" description="">
>>>>>>>                 <Subject name="test" type="LDAPGroups"
>>>>>>> includeType="inclusive">
>>>>>>>                     <AttributeValuePair>
>>>>>>>                         <Attribute name="Values"/>
>>>>>>>
>>>>>>> <Value>uid=opentox,ou=groups,dc=opentox,dc=org</Value>
>>>>>>>                     </AttributeValuePair>
>>>>>>>                 </Subject>
>>>>>>>             </Subjects>
>>>>>>>         </Policy>
>>>>>>> </Policies>
>>>>>>>
>>>>>>> However, I am not getting authorized (same token used in both curls,
>>>>>>> removed here).  And I assume my user is a member of opentox group :)
>>>>>>>
>>>>>>>
>>>>>>> curl -i -d 'uri="http://nina-vpn.acad.bg:8080/sso_protected' -d
>>>>>>> 'action=POST' -d 'subjectid=...'
>>>>>>> 'http://opensso.in-silico.ch/opensso/identity/authorize'
>>>>>>> HTTP/1.1 200 OK
>>>>>>> Server: nginx/0.6.32
>>>>>>> Date: Fri, 11 Jun 2010 08:21:43 GMT
>>>>>>> Content-Type: text/plain;charset=UTF-8
>>>>>>> Connection: keep-alive
>>>>>>> Content-Length: 14
>>>>>>>
>>>>>>> boolean=false
>>>>>>>
>>>>>>> Could you help?
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Nina
>>>>>>>
>>>>>>> Andreas Maunz wrote:
>>>>>>>> Sorry, it should read:
>>>>>>>>
>>>>>>>> <Subject name="mygroupname" type="LDAPGroups"
>>>>>>>> includeType="inclusive">
>>>>>>>>       <AttributeValuePair>
>>>>>>>>         <Attribute name="Values"/>
>>>>>>>>         <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
>>>>>>>>       </AttributeValuePair>
>>>>>>>> </Subject>
>>>>>>>>
>>>>>>>> instead.
>>>>>>>>
>>>>>>>> A.M.
>>>>>>>>
>>>>>>>> Andreas Maunz wrote on 06/11/2010 10:09 AM:
>>>>>>>>> Hi Nina,
>>>>>>>>>
>>>>>>>>> you would create a policy that contains:
>>>>>>>>>
>>>>>>>>> <Subject name="mygroupname" type="LDAPUsers"
>>>>>>>>> includeType="inclusive">
>>>>>>>>> <AttributeValuePair>
>>>>>>>>> <Attribute name="Values"/>
>>>>>>>>> <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
>>>>>>>>> </AttributeValuePair>
>>>>>>>>>
>>>>>>>>> Mind the "ou=groups" instead of "ou=people". Then, create the group
>>>>>>>>> "mygroup" and assign users to it (contact Micha for that).
>>>>>>>>>
>>>>>>>>> Best regards
>>>>>>>>> Andreas
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Nina Jeliazkova wrote on 06/11/2010 08:53 AM:
>>>>>>>>>> Hi Andreas,
>>>>>>>>>>
>>>>>>>>>> Could you tell me how to create a policy that allows a group of
>>>>>>>>>> users to POST or GET? This would be applicable to almost all top-level
>>>>>>>>>> resources like /algorithm/{id}, etc.
>>>>>>>>>>
>>>>>>>>>> Following the example at p.12 of the deliverable D3.3, one could
>>>>>>>>>> create a policy which is per user only.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>> Nina
>>>>>>>>>>
>>>>>>>>>> Andreas Maunz wrote:
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> connections to the OpenSSO service at opensso.in-silico.ch can
>>>>>>>>>>> now be made secure by using SSL.
>>>>>>>>>>> Submit your user credentials safely and obtain a token:
>>>>>>>>>>>
>>>>>>>>>>> ****************************************************************
>>>>>>>>>>> am at z21:~/aa$ curl -v -k -i -d "username=amaunz&password=secret"
>>>>>>>>>>> https://opensso.in-silico.ch/opensso/identity/authenticate?uri=service=openldap
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> * About to connect() to opensso.in-silico.ch port 443 (#0)
>>>>>>>>>>> * Trying 178.63.18.76... connected
>>>>>>>>>>> * Connected to opensso.in-silico.ch (178.63.18.76) port 443 (#0)
>>>>>>>>>>> * successfully set certificate verify locations:
>>>>>>>>>>> * CAfile: none
>>>>>>>>>>> CApath: /etc/ssl/certs
>>>>>>>>>>> * SSLv3, TLS handshake, Client hello (1):
>>>>>>>>>>> * SSLv3, TLS handshake, Server hello (2):
>>>>>>>>>>> * SSLv3, TLS handshake, CERT (11):
>>>>>>>>>>> * SSLv3, TLS handshake, Server finished (14):
>>>>>>>>>>> * SSLv3, TLS handshake, Client key exchange (16):
>>>>>>>>>>> * SSLv3, TLS change cipher, Client hello (1):
>>>>>>>>>>> * SSLv3, TLS handshake, Finished (20):
>>>>>>>>>>> * SSLv3, TLS change cipher, Client hello (1):
>>>>>>>>>>> * SSLv3, TLS handshake, Finished (20):
>>>>>>>>>>> * SSL connection using AES256-SHA
>>>>>>>>>>> * Server certificate:
>>>>>>>>>>> * subject: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
>>>>>>>>>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
>>>>>>>>>>> * start date: 2010-06-09 16:38:59 GMT
>>>>>>>>>>> * expire date: 2020-06-06 16:38:59 GMT
>>>>>>>>>>> * common name: Christoph Helma (does not match
>>>>>>>>>>> 'opensso.in-silico.ch')
>>>>>>>>>>> * issuer: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
>>>>>>>>>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
>>>>>>>>>>> * SSL certificate verify result: self signed certificate (18),
>>>>>>>>>>> continuing anyway.
>>>>>>>>>>>> POST /opensso/identity/authenticate?uri=service=openldap HTTP/1.1
>>>>>>>>>>>> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7
>>>>>>>>>>>> OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
>>>>>>>>>>>> Host: opensso.in-silico.ch
>>>>>>>>>>>> Accept: */*
>>>>>>>>>>>> Content-Length: 32
>>>>>>>>>>>> Content-Type: application/x-www-form-urlencoded
>>>>>>>>>>>>
>>>>>>>>>>> <     HTTP/1.1 200 OK
>>>>>>>>>>> HTTP/1.1 200 OK
>>>>>>>>>>> <     Server: nginx/0.6.32
>>>>>>>>>>> Server: nginx/0.6.32
>>>>>>>>>>> <     Date: Thu, 10 Jun 2010 08:12:27 GMT
>>>>>>>>>>> Date: Thu, 10 Jun 2010 08:12:27 GMT
>>>>>>>>>>> <     Content-Type: text/plain;charset=UTF-8
>>>>>>>>>>> Content-Type: text/plain;charset=UTF-8
>>>>>>>>>>> <     Connection: keep-alive
>>>>>>>>>>> Connection: keep-alive
>>>>>>>>>>> <     Content-Length: 72
>>>>>>>>>>> Content-Length: 72
>>>>>>>>>>>
>>>>>>>>>>> <
>>>>>>>>>>> token.id=AQIC5wM2LY4SfcyyY3V7C7qD1FD2ZoktJHsYKEKE8g+wXys=@AAJTSQACMDE=#
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> * Connection #0 to host opensso.in-silico.ch left intact
>>>>>>>>>>> * Closing connection #0
>>>>>>>>>>> * SSLv3, TLS alert, Client hello (1):
>>>>>>>>>>> ****************************************************************
>>>>>>>>>>>
>>>>>>>>>>> As you can see, a special switch (-k) is still required to allow
>>>>>>>>>>> connections using the self-signed certificate from Christoph. We
>>>>>>>>>>> might improve on this by using a free certificate from startssl.com,
>>>>>>>>>>> which clients trust.
>>>>>>>>>>>
>>>>>>>>>>> Moreover, connections without SSL still work as usual.
>>>>>>>>>>>
>>>>>>>>>>> Greetings
>>>>>>>>>>> Andreas
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>

-- 
http://www.maunz.de

        Fate protects fools, little children, and ships named Enterprise.
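As an added example (not part of this thread or of the OpenSSO/OpenTox code), a small pre-submission lint in Python that encodes the rules Andreas states in his reply: the <Policy> element must not carry the bookkeeping attributes 'createdby' and 'lastmodifiedby', an LDAPUsers subject must reference uid=<user>,ou=people,dc=opentox,dc=org, and an LDAPGroups subject must reference cn=<group>,ou=groups,dc=opentox,dc=org. The function and constant names are this example's own, and the sample policy is constructed from Pantelis' XML.

```python
import re
import xml.etree.ElementTree as ET

# Bookkeeping attributes Andreas names as not allowed on <Policy> in the template.
FORBIDDEN_POLICY_ATTRS = {"createdby", "lastmodifiedby"}

# Expected DN shape per subject type, taken from the corrected examples in the thread.
DN_PATTERN = {
    "LDAPUsers": re.compile(r"^uid=[^,]+,ou=people,dc=opentox,dc=org$"),
    "LDAPGroups": re.compile(r"^cn=[^,]+,ou=groups,dc=opentox,dc=org$"),
}


def lint_policy(xml_text):
    """Return a list of problems found in the policy XML; an empty list means it passes."""
    problems = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("Policy"):
        # Attributes the policy service rejects (ssoadm answered with a bare 400 in the thread).
        for attr in sorted(FORBIDDEN_POLICY_ATTRS & set(policy.attrib)):
            problems.append(f"Policy {policy.get('name')!r}: attribute {attr!r} is not allowed")
        for subject in policy.iter("Subject"):
            stype = subject.get("type")
            pattern = DN_PATTERN.get(stype)
            if pattern is None:
                problems.append(f"Subject {subject.get('name')!r}: unknown type {stype!r}")
                continue
            # Every <Value> under the subject must be a DN of the form the type expects.
            for value in subject.iter("Value"):
                dn = (value.text or "").strip()
                if not pattern.match(dn):
                    problems.append(f"Subject {subject.get('name')!r} ({stype}): {dn!r} is not a valid {stype} DN")
    return problems


# Constructed sample: Pantelis' policy, reduced to the parts the lint looks at.
BAD_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<Policies>
<Policy name="s2_policy" createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net" referralPolicy="false" active="true">
<Subjects name="s1" description="">
  <Subject name="testUser" type="LDAPUsers" includeType="inclusive">
    <AttributeValuePair><Attribute name="Values"/>
      <Value>cn=partner,ou=people,dc=opentox,dc=org</Value></AttributeValuePair>
  </Subject>
</Subjects>
</Policy>
</Policies>"""

# The same policy with the fixes Andreas asks for: no 'createdby', LDAPGroups subject, group DN.
GOOD_POLICY = (BAD_POLICY
               .replace(' createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"', "")
               .replace('type="LDAPUsers"', 'type="LDAPGroups"')
               .replace("cn=partner,ou=people", "cn=partner,ou=groups"))
```

Running lint_policy(BAD_POLICY) reports the disallowed attribute and the mismatched DN; lint_policy(GOOD_POLICY) returns an empty list.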


