[OTDev] OpenSSO now secure
chung chvng at mail.ntua.gr
Tue Jun 15 13:29:57 CEST 2010
Hi Andreas,

On Tue, 2010-06-15 at 10:13 +0200, Andreas Maunz wrote:
> Hi Pantelis,
>
> your XML does not adhere to the template described in the documentation,
> e.g. 'createdby', 'lastmodifiedby',... are not allowed.

I looked into the documentation at
http://opentox.org/data/documents/partner/wp/3/deliverables/Draft%20Report%20WP3-D3.3/view
and created the following XML according to the instructions:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Policies PUBLIC "-//Sun Java System Access Manager7.1 2006Q3 Admin CLI DTD//EN"
  "jar://com/sun/identity/policy/policyAdmin.dtd">
<Policies>
  <Policy name="myFirstPolicy" referralPolicy="false" active="true">
    <Rule name="myFirstRule">
      <ServiceName name="iPlanetAMWebAgentService" />
      <ResourceName name="http://opentox.ntua.gr:2000/bibtex"/>
      <AttributeValuePair>
        <Attribute name="GET" />
        <Value>allow</Value>
      </AttributeValuePair>
    </Rule>
    <Subjects name="mySubjectGroup" description="">
      <Subject name="myUserAccount" type="LDAPUsers" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>uid=Sopasakis, ou=people, dc=opentox,dc=org</Value>
        </AttributeValuePair>
      </Subject>
    </Subjects>
  </Policy>
</Policies>

But the server says:

HTTP/1.1 400 Bad Request
Server: nginx/0.6.32
Date: Tue, 15 Jun 2010 11:27:45 GMT
Content-Type: text/plain
Connection: keep-alive
Content-Length: 37

Error in policy. ssoadm output:
null

Here is the request:

curl -k -i -H "Content-Type: application/xml" -T /home/chung/policies/sample-pol.xml -X POST https://opensso.in-silico.ch/Pol/opensso-pol -H "subjectid: AQIC5wM2LY4SfczvmG%2FpdOaUiOc%2FRdM1G9mcPbSW%2BNUqwWA%3D%40AAJTSQACMDE%3D%23"

Is there something wrong with the policy?

>
> Also, please note that
> <Value>cn=partner,ou=people,dc=opentox,dc=org</Value>
> is wrong, since individuals use
> <Value>uid=partner,ou=people,dc=opentox,dc=org</Value>
> instead. However, there is no individual named 'partner'. If you meant
> the partner group, you should have used
> <Subject name="testUser" type="LDAPGroups" includeType="inclusive">
> instead of
> <Subject name="testUser" type="LDAPUsers" includeType="inclusive">

Sorry, my mistake!

>
> Please review the documentation / draft deliverable (esp. p.15) once more.
> Everything is covered in detail there.
>
> Greetings,
> Andreas
>

Best regards,
Pantelis

>
> chung wrote on 06/14/2010 06:47 PM:
> > Hello Andreas,
> > I want to create a policy for protecting the resource
> > http://opentox.ntua.gr:2000/bibtex with respect to GET and POST calls,
> > so I created the following policy XML:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <Policies>
> >   <Policy name="s2_policy"
> >     createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >     lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >     creationdate="1275290803394" lastmodifieddate="1275290803394"
> >     referralPolicy="false" active="true">
> >
> >     <Rule name="nr1">
> >       <ServiceName name="iPlanetAMWebAgentService"/>
> >       <ResourceName name="http://opentox.nuta.gr:2000/bibtex"/>
> >
> >       <AttributeValuePair>
> >         <Attribute name="POST"/>
> >         <Value>allow</Value>
> >       </AttributeValuePair>
> >
> >       <AttributeValuePair>
> >         <Attribute name="GET"/>
> >         <Value>allow</Value>
> >       </AttributeValuePair>
> >
> >     </Rule>
> >
> >     <Subjects name="s1" description="">
> >       <Subject name="testUser" type="LDAPUsers" includeType="inclusive">
> >         <AttributeValuePair>
> >           <Attribute name="Values"/>
> >           <Value>cn=partner,ou=people,dc=opentox,dc=org</Value>
> >         </AttributeValuePair>
> >       </Subject>
> >     </Subjects>
> >   </Policy>
> > </Policies>
> >
> > But I get the response:
> >
> > HTTP/1.1 400 Bad Request
> > Server: nginx/0.6.32
> > Date: Mon, 14 Jun 2010 16:35:07 GMT
> > Content-Type: text/plain
> > Connection: keep-alive
> > Content-Length: 37
> >
> > Error in policy. ssoadm output:
> > null
> >
> > Is the syntax of the XML above correct?
> >
> > Best regards,
> > Pantelis
> >
> > On Fri, 2010-06-11 at 13:44 +0200, Andreas Maunz wrote:
> >> Ok, here is the solution:
> >> Please use
> >>
> >> <Value>cn=partner,ou=groups,dc=opentox,dc=org</Value>
> >>
> >> instead of
> >>
> >> <Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>
> >>
> >> It was wrong in the doc and is now updated.
> >>
> >> Best
> >> Andreas
> >>
> >> Nina Jeliazkova wrote on 06/11/2010 10:53 AM:
> >>>
> >>> Andreas Maunz wrote:
> >>>> I have checked on the server console:
> >>>>
> >>>> - the policy has correctly been created
> >>>> - you are a member of 'partner' group
> >>>>
> >>>> So I can see no obvious error here. Could you please make sure to
> >>>> refresh your token and try again?
> >>>> If it still fails, I will investigate this more closely.
> >>> I've verified with
> >>> http://opensso.in-silico.ch/opensso/identity/isTokenValid the token is
> >>> still valid; and also obtained a new token, unfortunately
> >>> authorization still fails.
> >>>
> >>> Regards,
> >>> Nina
> >>>>
> >>>> Andreas
> >>>>
> >>>> Nina Jeliazkova wrote on 06/11/2010 10:39 AM:
> >>>>> Andreas,
> >>>>>
> >>>>> My fault, but I've just replaced the policy to use partner group and
> >>>>> still not getting authorized.
> >>>>>
> >>>>> nina at ambit:~$ curl -i -X GET
> >>>>> http://opensso.in-silico.ch/Pol/opensso-pol/nina_top_level_test4 -H
> >>>>> 'subjectid:..'
> >>>>> HTTP/1.1 200 OK
> >>>>> Server: nginx/0.6.32
> >>>>> Date: Fri, 11 Jun 2010 08:31:35 GMT
> >>>>> Content-Type: text/xml
> >>>>> Connection: keep-alive
> >>>>> Content-Length: 1188
> >>>>>
> >>>>> <?xml version="1.0" encoding="UTF-8"?>
> >>>>> <Policies>
> >>>>>   <Policy name="nina_top_level_test4"
> >>>>>     createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >>>>>     lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >>>>>     creationdate="1276245073888" lastmodifieddate="1276245073888"
> >>>>>     referralPolicy="false" active="true">
> >>>>>     <Rule name="tr1">
> >>>>>       <ServiceName name="iPlanetAMWebAgentService"/>
> >>>>>       <ResourceName
> >>>>>         name="http://nina-vpn.acad.bg:8080/sso_protected"/>
> >>>>>       <AttributeValuePair>
> >>>>>         <Attribute name="POST"/>
> >>>>>         <Value>allow</Value>
> >>>>>       </AttributeValuePair>
> >>>>>       <AttributeValuePair>
> >>>>>         <Attribute name="GET"/>
> >>>>>         <Value>allow</Value>
> >>>>>       </AttributeValuePair>
> >>>>>     </Rule>
> >>>>>     <Subjects name="s1" description="">
> >>>>>       <Subject name="test" type="LDAPGroups"
> >>>>>         includeType="inclusive">
> >>>>>         <AttributeValuePair>
> >>>>>           <Attribute name="Values"/>
> >>>>>           <Value>uid=partner,ou=groups,dc=opentox,dc=org</Value>
> >>>>>         </AttributeValuePair>
> >>>>>       </Subject>
> >>>>>     </Subjects>
> >>>>>   </Policy>
> >>>>> </Policies>
> >>>>>
> >>>>> 11:31:53 AM: nina at ambit:~$ curl -i -d
> >>>>> 'uri="http://nina-vpn.acad.bg:8080/sso_protected' -d 'action=POST' -d
> >>>>> 'subjectid=..' 'http://opensso.in-silico.ch/opensso/identity/authorize'
> >>>>> HTTP/1.1 200 OK
> >>>>> Server: nginx/0.6.32
> >>>>> Date: Fri, 11 Jun 2010 08:31:48 GMT
> >>>>> Content-Type: text/plain;charset=UTF-8
> >>>>> Connection: keep-alive
> >>>>> Content-Length: 14
> >>>>>
> >>>>> boolean=false
> >>>>>
> >>>>> Regards,
> >>>>> Nina
> >>>>> Andreas Maunz wrote:
> >>>>>> Nina,
> >>>>>>
> >>>>>> actually, there is no group called 'opentox'. The groups that
> >>>>>> currently exist are 'partner' and 'development'.
> >>>>>> Please check:
> >>>>>>
> >>>>>> am at z21:~/aa$ curl -i -d "attributes_names=objecttype" -d
> >>>>>> "attributes_values_objecttype=group" -d
> >>>>>> "admin=AQIC5wM2LY4Sfcx8QFIIIagJH2prVX8o5YXh7EtJa024ps8=@AAJTSQACMDE=#"
> >>>>>> http://opensso.in-silico.ch/opensso/identity/search
> >>>>>> HTTP/1.1 200 OK
> >>>>>> Server: nginx/0.6.32
> >>>>>> Date: Tue, 08 Jun 2010 07:50:30 GMT
> >>>>>> Content-Type: text/plain;charset=UTF-8
> >>>>>> Connection: keep-alive
> >>>>>> Content-Length: 34
> >>>>>>
> >>>>>> string=development
> >>>>>> string=partner
> >>>>>>
> >>>>>> Regards
> >>>>>> Andreas
> >>>>>>
> >>>>>> Nina Jeliazkova wrote on 06/11/2010 10:26 AM:
> >>>>>>> Andreas,
> >>>>>>>
> >>>>>>> Thanks, I've created the policy to allow all members of opentox group
> >>>>>>> to do POST and GET
> >>>>>>>
> >>>>>>> curl -i -X GET
> >>>>>>> http://opensso.in-silico.ch/Pol/opensso-pol/nina_top_level_test4 -H
> >>>>>>> 'subjectid: ...'
> >>>>>>> HTTP/1.1 200 OK
> >>>>>>> Server: nginx/0.6.32
> >>>>>>> Date: Fri, 11 Jun 2010 08:22:15 GMT
> >>>>>>> Content-Type: text/xml
> >>>>>>> Connection: keep-alive
> >>>>>>> Content-Length: 1188
> >>>>>>>
> >>>>>>> <?xml version="1.0" encoding="UTF-8"?>
> >>>>>>> <Policies>
> >>>>>>>   <Policy name="nina_top_level_test4"
> >>>>>>>     createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >>>>>>>     lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
> >>>>>>>     creationdate="1276244370369" lastmodifieddate="1276244370369"
> >>>>>>>     referralPolicy="false" active="true">
> >>>>>>>     <Rule name="tr1">
> >>>>>>>       <ServiceName name="iPlanetAMWebAgentService"/>
> >>>>>>>       <ResourceName
> >>>>>>>         name="http://nina-vpn.acad.bg:8080/sso_protected"/>
> >>>>>>>       <AttributeValuePair>
> >>>>>>>         <Attribute name="POST"/>
> >>>>>>>         <Value>allow</Value>
> >>>>>>>       </AttributeValuePair>
> >>>>>>>       <AttributeValuePair>
> >>>>>>>         <Attribute name="GET"/>
> >>>>>>>         <Value>allow</Value>
> >>>>>>>       </AttributeValuePair>
> >>>>>>>     </Rule>
> >>>>>>>     <Subjects name="s1" description="">
> >>>>>>>       <Subject name="test" type="LDAPGroups"
> >>>>>>>         includeType="inclusive">
> >>>>>>>         <AttributeValuePair>
> >>>>>>>           <Attribute name="Values"/>
> >>>>>>>           <Value>uid=opentox,ou=groups,dc=opentox,dc=org</Value>
> >>>>>>>         </AttributeValuePair>
> >>>>>>>       </Subject>
> >>>>>>>     </Subjects>
> >>>>>>>   </Policy>
> >>>>>>> </Policies>
> >>>>>>>
> >>>>>>> However, I am not getting authorized (same token used in both curls,
> >>>>>>> removed here). And I assume my user is a member of opentox group :)
> >>>>>>>
> >>>>>>> curl -i -d 'uri="http://nina-vpn.acad.bg:8080/sso_protected' -d
> >>>>>>> 'action=POST' -d 'subjectid=...'
> >>>>>>> 'http://opensso.in-silico.ch/opensso/identity/authorize'
> >>>>>>> HTTP/1.1 200 OK
> >>>>>>> Server: nginx/0.6.32
> >>>>>>> Date: Fri, 11 Jun 2010 08:21:43 GMT
> >>>>>>> Content-Type: text/plain;charset=UTF-8
> >>>>>>> Connection: keep-alive
> >>>>>>> Content-Length: 14
> >>>>>>>
> >>>>>>> boolean=false
> >>>>>>>
> >>>>>>> Could you help?
> >>>>>>>
> >>>>>>> Best regards,
> >>>>>>> Nina
> >>>>>>>
> >>>>>>> Andreas Maunz wrote:
> >>>>>>>> Sorry, it should read:
> >>>>>>>>
> >>>>>>>> <Subject name="mygroupname" type="LDAPGroups"
> >>>>>>>>   includeType="inclusive">
> >>>>>>>>   <AttributeValuePair>
> >>>>>>>>     <Attribute name="Values"/>
> >>>>>>>>     <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
> >>>>>>>>   </AttributeValuePair>
> >>>>>>>> </Subject>
> >>>>>>>>
> >>>>>>>> instead.
> >>>>>>>>
> >>>>>>>> A.M.
> >>>>>>>>
> >>>>>>>> Andreas Maunz wrote on 06/11/2010 10:09 AM:
> >>>>>>>>> Hi Nina,
> >>>>>>>>>
> >>>>>>>>> you would create a policy that contains:
> >>>>>>>>>
> >>>>>>>>> <Subject name="mygroupname" type="LDAPUsers"
> >>>>>>>>>   includeType="inclusive">
> >>>>>>>>>   <AttributeValuePair>
> >>>>>>>>>     <Attribute name="Values"/>
> >>>>>>>>>     <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
> >>>>>>>>>   </AttributeValuePair>
> >>>>>>>>>
> >>>>>>>>> Mind the "ou=groups" instead of "ou=people". Then, create the group
> >>>>>>>>> "mygroup" and assign users to it (contact Micha for that).
> >>>>>>>>>
> >>>>>>>>> Best regards
> >>>>>>>>> Andreas
> >>>>>>>>>
> >>>>>>>>> Nina Jeliazkova wrote on 06/11/2010 08:53 AM:
> >>>>>>>>>> Hi Andreas,
> >>>>>>>>>>
> >>>>>>>>>> Could you tell how to create a policy, that allows group of users to
> >>>>>>>>>> POST or GET? This would be applicable to almost all top level
> >>>>>>>>>> resources like /algorithm/{id}, etc.
> >>>>>>>>>>
> >>>>>>>>>> Following the example at p.12 of the deliverable D3.3., one could
> >>>>>>>>>> create a policy which is per user only.
> >>>>>>>>>>
> >>>>>>>>>> Best regards,
> >>>>>>>>>> Nina
> >>>>>>>>>>
> >>>>>>>>>> Andreas Maunz wrote:
> >>>>>>>>>>> Hi all,
> >>>>>>>>>>>
> >>>>>>>>>>> connections to the OpenSSO service at opensso.in-silico.ch can
> >>>>>>>>>>> now be made secure by using SSL.
> >>>>>>>>>>> Submit your user credentials safely and obtain a token:
> >>>>>>>>>>>
> >>>>>>>>>>> ****************************************************************
> >>>>>>>>>>> am at z21:~/aa$ curl -v -k -i -d "username=amaunz&password=secret"
> >>>>>>>>>>> https://opensso.in-silico.ch/opensso/identity/authenticate?uri=service=openldap
> >>>>>>>>>>>
> >>>>>>>>>>> * About to connect() to opensso.in-silico.ch port 443 (#0)
> >>>>>>>>>>> *   Trying 178.63.18.76... connected
> >>>>>>>>>>> * Connected to opensso.in-silico.ch (178.63.18.76) port 443 (#0)
> >>>>>>>>>>> * successfully set certificate verify locations:
> >>>>>>>>>>> *   CAfile: none
> >>>>>>>>>>>   CApath: /etc/ssl/certs
> >>>>>>>>>>> * SSLv3, TLS handshake, Client hello (1):
> >>>>>>>>>>> * SSLv3, TLS handshake, Server hello (2):
> >>>>>>>>>>> * SSLv3, TLS handshake, CERT (11):
> >>>>>>>>>>> * SSLv3, TLS handshake, Server finished (14):
> >>>>>>>>>>> * SSLv3, TLS handshake, Client key exchange (16):
> >>>>>>>>>>> * SSLv3, TLS change cipher, Client hello (1):
> >>>>>>>>>>> * SSLv3, TLS handshake, Finished (20):
> >>>>>>>>>>> * SSLv3, TLS change cipher, Client hello (1):
> >>>>>>>>>>> * SSLv3, TLS handshake, Finished (20):
> >>>>>>>>>>> * SSL connection using AES256-SHA
> >>>>>>>>>>> * Server certificate:
> >>>>>>>>>>> *   subject: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
> >>>>>>>>>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
> >>>>>>>>>>> *   start date: 2010-06-09 16:38:59 GMT
> >>>>>>>>>>> *   expire date: 2020-06-06 16:38:59 GMT
> >>>>>>>>>>> *   common name: Christoph Helma (does not match
> >>>>>>>>>>> 'opensso.in-silico.ch')
> >>>>>>>>>>> *   issuer: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
> >>>>>>>>>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
> >>>>>>>>>>> *   SSL certificate verify result: self signed certificate (18),
> >>>>>>>>>>> continuing anyway.
> >>>>>>>>>>>> POST /opensso/identity/authenticate?uri=service=openldap HTTP/1.1
> >>>>>>>>>>>> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7
> >>>>>>>>>>>> OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> >>>>>>>>>>>> Host: opensso.in-silico.ch
> >>>>>>>>>>>> Accept: */*
> >>>>>>>>>>>> Content-Length: 32
> >>>>>>>>>>>> Content-Type: application/x-www-form-urlencoded
> >>>>>>>>>>>>
> >>>>>>>>>>> < HTTP/1.1 200 OK
> >>>>>>>>>>> HTTP/1.1 200 OK
> >>>>>>>>>>> < Server: nginx/0.6.32
> >>>>>>>>>>> Server: nginx/0.6.32
> >>>>>>>>>>> < Date: Thu, 10 Jun 2010 08:12:27 GMT
> >>>>>>>>>>> Date: Thu, 10 Jun 2010 08:12:27 GMT
> >>>>>>>>>>> < Content-Type: text/plain;charset=UTF-8
> >>>>>>>>>>> Content-Type: text/plain;charset=UTF-8
> >>>>>>>>>>> < Connection: keep-alive
> >>>>>>>>>>> Connection: keep-alive
> >>>>>>>>>>> < Content-Length: 72
> >>>>>>>>>>> Content-Length: 72
> >>>>>>>>>>>
> >>>>>>>>>>> <
> >>>>>>>>>>> token.id=AQIC5wM2LY4SfcyyY3V7C7qD1FD2ZoktJHsYKEKE8g+wXys=@AAJTSQACMDE=#
> >>>>>>>>>>>
> >>>>>>>>>>> * Connection #0 to host opensso.in-silico.ch left intact
> >>>>>>>>>>> * Closing connection #0
> >>>>>>>>>>> * SSLv3, TLS alert, Client hello (1):
> >>>>>>>>>>> ****************************************************************
> >>>>>>>>>>>
> >>>>>>>>>>> As you can see, a special switch (-k) is still required to allow
> >>>>>>>>>>> connections using the self-signed certificate from Christoph. We
> >>>>>>>>>>> might improve on this by using a free certificate from startssl.com,
> >>>>>>>>>>> which clients trust.
> >>>>>>>>>>>
> >>>>>>>>>>> Moreover, connections without SSL still work as usual.
> >>>>>>>>>>>
> >>>>>>>>>>> Greetings
> >>>>>>>>>>> Andreas
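As an added example (not code from the thread, from OpenTox or from OpenSSO), a small Python checker for the two policy mistakes Andreas points out above: server-managed attributes such as createdby in a submitted policy, and a Subject whose DN shape does not match its type (uid=...,ou=people for LDAPUsers; cn=...,ou=groups for LDAPGroups, as corrected later in the thread). The rules are taken from the thread only, not from the OpenSSO policy DTD, and the sample policy is constructed from the first one posted in the thread.

```python
import xml.etree.ElementTree as ET

# Rules as stated in the thread (assumption: not verified against the OpenSSO DTD).
FORBIDDEN = {"createdby", "lastmodifiedby", "creationdate", "lastmodifieddate"}
DN_SHAPE = {"LDAPUsers": ("uid", "people"), "LDAPGroups": ("cn", "groups")}


def parse_dn(dn):
    """'cn=partner, ou=groups, dc=opentox' -> [('cn','partner'), ('ou','groups'), ...]"""
    return [(a.strip().lower(), v.strip())
            for a, _, v in (p.partition("=") for p in dn.split(","))]


def lint_policy(xml_text):
    """Return a list of problems; an empty list means the policy passes the thread's rules."""
    problems = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("Policy"):
        for attr in sorted(FORBIDDEN & set(policy.attrib)):
            problems.append(f"Policy '{policy.get('name')}': attribute '{attr}' "
                            "is server-managed and must not be submitted")
    for subject in root.iter("Subject"):
        shape = DN_SHAPE.get(subject.get("type"))
        if shape is None:
            continue  # other subject types are not discussed in the thread
        for value in subject.iter("Value"):
            rdns = parse_dn(value.text or "")
            ous = [v for a, v in rdns if a == "ou"]
            if not rdns or rdns[0][0] != shape[0] or shape[1] not in ous:
                problems.append(f"Subject '{subject.get('name')}' ({subject.get('type')}): "
                                f"DN '{value.text}' should be {shape[0]}=<name>,ou={shape[1]},...")
    return problems


# Constructed sample: the first policy from the thread, with the two mistakes Andreas named.
BAD_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<Policies><Policy name="s2_policy" referralPolicy="false" active="true"
    createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net">
  <Rule name="nr1"><ServiceName name="iPlanetAMWebAgentService"/>
    <ResourceName name="http://opentox.ntua.gr:2000/bibtex"/>
    <AttributeValuePair><Attribute name="GET"/><Value>allow</Value></AttributeValuePair>
  </Rule>
  <Subjects name="s1" description="">
    <Subject name="testUser" type="LDAPUsers" includeType="inclusive">
      <AttributeValuePair><Attribute name="Values"/>
        <Value>cn=partner,ou=people,dc=opentox,dc=org</Value></AttributeValuePair>
    </Subject></Subjects>
</Policy></Policies>"""
# Same policy with the thread's corrections applied (group subject type, group DN, no createdby).
GOOD_POLICY = (BAD_POLICY
               .replace('createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"', "")
               .replace('type="LDAPUsers"', 'type="LDAPGroups"')
               .replace("ou=people", "ou=groups"))
```

Running lint_policy on a policy file before POSTing it to /Pol/opensso-pol turns the server's opaque "Error in policy. ssoadm output: null" into a named complaint.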