problems about OpenIG ,401 Authorization Required

This topic has 15 replies, 4 voices, and was last updated 6 years, 4 months ago by raghukanakala.

    #8411
     licolDream
    Participant

    I am testing OpenIG's integration of applications with OpenAM's password capture and replay
    feature. I did everything as chapter 5 (Getting Login Credentials From
    OpenAM) of the OpenIG Gateway Guide, Version 5.0.0-SNAPSHOT (https://forgerock.org/forum/general-discussion/), says. But when I test the result, accessing http://www.example.com:8080/replay, the browser is redirected to the OpenAM login page; I then log in with username george, password costanza, but it always returns Authorization Required.
    The Jetty logs are:

    Jetty-v7-Agent_3.5.0
    2016-03-08 10:10:39.005:INFO:oejs.Server:jetty-8.1.17.v20150415
    2016-03-08 10:10:39.109:INFO:oejdp.ScanningAppProvider:Deployment monitor /path/to/jetty/webapps at interval 1
    2016-03-08 10:10:39.118:INFO:oejd.DeploymentManager:Deployable added: /path/to/jetty/webapps/spdy.war
    2016-03-08 10:10:39.186:INFO:oejw.WebInfConfiguration:Extract jar:file:/path/to/jetty/webapps/spdy.war!/ to /tmp/jetty-0.0.0.0-8080-spdy.war-_spdy-any-/webapp
    2016-03-08 10:10:40.265:INFO:oejd.DeploymentManager:Deployable added: /path/to/jetty/webapps/agentapp.war
    2016-03-08 10:10:40.268:INFO:oejw.WebInfConfiguration:Extract jar:file:/path/to/jetty/webapps/agentapp.war!/ to /tmp/jetty-0.0.0.0-8080-agentapp.war-_agentapp-any-/webapp
    2016-03-08 10:10:40.519:INFO:oejd.DeploymentManager:Deployable added: /path/to/jetty/webapps/root.war
    2016-03-08 10:10:40.521:INFO:oejw.WebInfConfiguration:Extract jar:file:/path/to/jetty/webapps/root.war!/ to /tmp/jetty-0.0.0.0-8080-root.war-_-any-/webapp
    TUE MAR 08 10:10:57 CST 2016 (INFO) org.forgerock.openig.http.GatewayHttpApplication
    OpenIG base directory : /root/.openig
    ------------------------------
    TUE MAR 08 10:10:57 CST 2016 (INFO) org.forgerock.openig.http.GatewayHttpApplication
    Reading the configuration from /root/.openig/config/config.json
    ------------------------------
    TUE MAR 08 10:10:58 CST 2016 (WARNING) JwtSession
    JWT session support has been enabled but no encryption keys have been configured. A temporary key pair will be used but this means that OpenIG will not be able to decrypt any JWT session cookies after a configuration change, a server restart, nor will it be able to decrypt JWT session cookies encrypted by another OpenIG server.
    ------------------------------
    TUE MAR 08 10:10:59 CST 2016 (WARNING) {Router}/handler
    Heaplet name ('{Router}/handler') has been converted to a slug ('router-handler') for URL exposition (REST endpoints).
    ------------------------------
    TUE MAR 08 10:10:59 CST 2016 (INFO) {Router}/handler
    Added route '04-keygen' defined in file '/root/.openig/config/routes/04-keygen.json'
    ------------------------------
    TUE MAR 08 10:10:59 CST 2016 (INFO) {Router}/handler
    Added route '04-replay' defined in file '/root/.openig/config/routes/04-replay.json'
    ------------------------------
    TUE MAR 08 10:10:59 CST 2016 (INFO) {Router}/handler
    Added route '99-default' defined in file '/root/.openig/config/routes/99-default.json'
    ------------------------------
    TUE MAR 08 10:10:59 CST 2016 (INFO) {Router}/handler
    Added route '01-static' defined in file '/root/.openig/config/routes/01-static.json'
    ------------------------------
    2016-03-08 10:10:59.494:INFO:oejdp.ScanningAppProvider:Deployment monitor /path/to/jetty/contexts at interval 1
    2016-03-08 10:10:59.495:INFO:oejd.DeploymentManager:Deployable added: /path/to/jetty/contexts/test.xml
    2016-03-08 10:10:59.526:INFO:oejw.WebInfConfiguration:Extract jar:file:/path/to/jetty/webapps/test.war!/ to /tmp/jetty-0.0.0.0-8080-test.war-_-any-/webapp
    2016-03-08 10:11:00.142:INFO:oejs.TransparentProxy:TransparentProxy @ /javadoc-proxy to http://download.eclipse.org/jetty/stable-8/apidocs
    2016-03-08 10:11:00.147:INFO:oejd.DeploymentManager:Deployable added: /path/to/jetty/contexts/javadoc.xml
    2016-03-08 10:11:00.183:INFO:oejs.AbstractConnector:Started [email protected]:8080
    TUE MAR 08 10:11:17 CST 2016 (INFO) @Capture[{Router}/handler]
    
    --- (request) id:6e2d4d6a-e2d5-49f6-9c72-3896c1c639af-1 --->
    
    GET http://www.example.com:8080/replay HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: zh-CN;q=1,zh;q=0.9
    Connection: keep-alive
    Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwgJgFOxkeQtLA1idCxVOvYGkukXrFiW44.*AAJTSQACMDEAAlNLABQtNzM2MzM5MTcwMTA3OTI4NzQ1MQ..*
    Host: www.example.com:8080
    Referer: http://openam.example.com:8085/openam/XUI/
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
    username: george
    
    ------------------------------
    TUE MAR 08 10:11:17 CST 2016 (INFO) @Capture[{Router}/handler]
    
    <--- (response) id:6e2d4d6a-e2d5-49f6-9c72-3896c1c639af-1 ---
    
    HTTP/1.1 401 Unauthorized
    Content-Length: 23
    Date: Tue, 08 Mar 2016 02:11:17 GMT
    
    ------------------------------
    TUE MAR 08 10:11:17 CST 2016 (INFO) @Capture[{Router}/handler]
    
    --- (request) id:6e2d4d6a-e2d5-49f6-9c72-3896c1c639af-3 --->
    
    GET http://www.example.com:8080/favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: zh-CN;q=1,zh;q=0.9
    Connection: keep-alive
    Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwgJgFOxkeQtLA1idCxVOvYGkukXrFiW44.*AAJTSQACMDEAAlNLABQtNzM2MzM5MTcwMTA3OTI4NzQ1MQ..*
    Host: www.example.com:8080
    Referer: http://www.example.com:8080/replay
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
    
    ------------------------------
    TUE MAR 08 10:11:17 CST 2016 (INFO) @Capture[{Router}/handler]
    
    <--- (response) id:6e2d4d6a-e2d5-49f6-9c72-3896c1c639af-3 ---
    
    HTTP/1.1 200 OK
    Content-Length: 1809
    Content-Type: text/html; charset=ISO-8859-1
    Date: Tue, 08 Mar 2016 02:11:17 GMT
    
    <!DOCTYPE html>
    <!--
      The contents of this file are subject to the terms of the Common Development and
      Distribution License (the License). You may not use this file except in compliance with the
      License.
    
      You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
      specific language governing permission and limitations under the License.
    
      When distributing Covered Software, include this CDDL Header Notice in each file and include
      the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
      Header, with the fields enclosed by brackets [] replaced by your own identifying
      information: "Portions Copyright [year] [name of copyright owner]".
    
      Copyright 2014-2015 ForgeRock AS.
    -->
    <html>
    <head lang="en">
        <meta charset="UTF-8">
        <title>Howdy, Anonymous User</title>
        <!-- OpenAM (Login) -->
        <!-- loginToken value="fake-nonce" -->
        <style type="text/css">
            #login-form {
                float: right;
                border: 1px solid #999;
                border-radius: 6px;
                margin: 0.25em;
                padding: 0.25em;
                font-family: verdana, arial, sans-serif;
                background: #eae737;
            }
        </style>
    </head>
    <body>
    
        <div id="login-form">
    
            <form method="POST" >
                <input id="username" name="username" type="text" placeholder="username" />
                <input id="password" name="password" type="password" placeholder="password" />
                <input id="login"    name="submit" type="submit" value="Login" />
            </form>
    
        </div>
    
        <div id="content">
    
            <iframe frameborder="0"
                    seamless="seamless"
                    src="https://forgerock.org/openig/"
                    height="1000" width="100%"></iframe>
    
        </div>
    
    </body>
    </html>
    

    java version "1.7.0_79"
    openig-war-4.0.0.war
    openig-doc-5.0.0-20160305.013032-89-jar-with-dependencies.jar
    openam-12.0.0, which is deployed on Windows 7 with Tomcat 7.
    The J2EE Agent and OpenIG are deployed on CentOS 6 with Jetty 8.

    #8413

    When you look at the first request, you'll see that the password header is missing.
    So, when OpenIG replays the credentials to the protected application, it fails (this is the 401 you get back).
    The rest of the traces are just noise: the openig-doc sample app isn't smart enough to handle favicon.ico and always serves the same HTML again and again for any GET.

    Can you check that you configured the OpenAM side properly (look for typos in attribute names, for instance)?
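
    A quick way to confirm the diagnosis above from the capture trace itself, as an added example that is not part of this thread or of OpenIG: it parses the @Capture request/response blocks, pairs them by exchange id, and reports any request on the replay route that lacks a header the route's form expressions read (the sample trace below is constructed, modelled on the one posted above, with the session cookie redacted).

```python
"""Check an OpenIG capture trace for the headers PasswordReplayFilter needs."""
import re

# Constructed sample in the @Capture format (not a real capture); the session token is redacted.
TRACE = """TUE MAR 08 10:11:17 CST 2016 (INFO) @Capture[{Router}/handler]

--- (request) id:abc-1 --->

GET http://www.example.com:8080/replay HTTP/1.1
Cookie: amlbcookie=01; iPlanetDirectoryPro=REDACTED
Host: www.example.com:8080
username: george

------------------------------
TUE MAR 08 10:11:17 CST 2016 (INFO) @Capture[{Router}/handler]

<--- (response) id:abc-1 ---

HTTP/1.1 401 Unauthorized
Content-Length: 23

------------------------------
"""

# Headers read by the route's ${request.headers['...'][0]} expressions.
REQUIRED = ("username", "password")

REQ_RE = re.compile(r"--- \(request\) id:(\S+) --->\n\n(\S+) (\S+) HTTP/\S+\n(.*?)\n\n", re.S)
RESP_RE = re.compile(r"<--- \(response\) id:(\S+) ---\n\nHTTP/\S+ (\d{3})")


def parse_capture(trace):
    """Return one dict per exchange id: method, uri, lower-cased headers, response status."""
    exchanges = {}
    for m in REQ_RE.finditer(trace):
        headers = {}
        for line in m.group(4).splitlines():
            name, _, value = line.partition(":")  # split on the first colon only (Host has a port)
            headers[name.strip().lower()] = value.strip()
        exchanges[m.group(1)] = {"id": m.group(1), "method": m.group(2), "uri": m.group(3),
                                 "headers": headers, "status": None}
    for m in RESP_RE.finditer(trace):
        if m.group(1) in exchanges:
            exchanges[m.group(1)]["status"] = int(m.group(2))
    return list(exchanges.values())


def missing_replay_headers(exchange, required=REQUIRED):
    """Names from `required` that the captured request did not carry."""
    return [h for h in required if h not in exchange["headers"]]


def diagnose(trace, route_path="/replay"):
    """One finding per request on the replay route that cannot be replayed."""
    findings = []
    for ex in parse_capture(trace):
        if route_path not in ex["uri"]:
            continue  # favicon and other noise
        missing = missing_replay_headers(ex)
        if missing:
            findings.append(f"{ex['id']}: {ex['method']} {ex['uri']} lacks header(s) {missing}; "
                            f"downstream answered {ex['status']}")
    return findings
```

    Run against the trace posted above, the only finding is the missing password header on the /replay request, which is exactly the request that came back 401.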

    #8419
     licolDream
    Participant

    Thanks. But I have edited the policy agent profile, on the Application tab page under Session Attributes Processing, as the document says: I added UserToken=username and sunIdentityUserPassword=password to the Session Attribute Mapping list. It puzzles me that the username header exists but the password header is missing. And in OpenAM the DES shared key is RqfHrnBiQLo=, and in 04-replay.json the key is also RqfHrnBiQLo=, which I got from curl http://localhost:8080/keygen. And I added com.sun.identity.authentication.spi.ReplayPasswd to the Authentication Post Processing Classes.

    I really do not know why the password header is missing. Did I do something wrong, or did I forget something?


    #8452

    How are you performing the first request?
    I mean, are you handcrafting requests with something like curl or Postman, or are you using a plain old browser?

    As a workaround, you can try to change the header name to something other than password (X-Credentials, for instance).

    #8521
     licolDream
    Participant

    I used a browser, Google Chrome (47.0.2526.106 m), to access http://www.example.com:8080/replay.
    I have added UserToken=username and sunIdentityUserPassword=adafwefa to the Session Attribute Mapping list of the policy agent profile, but the header contains only username: george. Apart from UserToken=username, no matter what I added, the request header contained only username: george. I want to know, once a user logs in to OpenAM, how to configure the policy agent to add the username and password to the request headers, so that OpenIG can get the username and then the password.

    The route configuration file is :

    {
        "handler": {
            "type": "Chain",
            "config": {
                "filters": [
                    {
                        "type": "PasswordReplayFilter",
                        "config": {
                            "loginPage": "${true}",
                            "headerDecryption": {
                                "algorithm": "DES/ECB/NoPadding",
                                "key": "keB/baRUAvE=",
                                "keyType": "DES",
                                "charSet": "utf-8",
                                "headers": [
                                    "password"
                                ]
                            },
                            "request": {
                                "method": "POST",
                                "uri": "http://www.example.com:8081",
                                "form": {
                                    "username": [
                                        "${request.headers['username'][0]}"
                                    ],
                                    "password": [
                                        "${request.headers['password'][0]}"
                                    ]
                                }
                            }
                        }
                    },
                    {
                        "type": "HeaderFilter",
                        "config": {
                            "messageType": "REQUEST",
                            "remove": [
                                "password",
                                "username"
                            ]
                        }
                    }
                ],
                "handler": "ClientHandler"
            }
        },
        "condition": "${matches(request.uri.path, '^/replay')}"
    }
    
    #8523

    Can you also share your config.json content please ?

    #8524
     licolDream
    Participant

    It is the same as the config.json in the document.

    {
      "handler": {
        "type": "Router",
        "audit": "global",
        "baseURI": "http://www.example.com:8081",
        "capture": "all"
      },
      "heap": [
        {
          "name": "LogSink",
          "type": "ConsoleLogSink",
          "config": {
            "level": "DEBUG"
          }
        },
        {
          "name": "JwtSession",
          "type": "JwtSession"
        },
        {
          "name": "capture",
          "type": "CaptureDecorator",
          "config": {
            "captureEntity": true,
            "_captureContext": true
          }
        }
      ]
    }

    #8525

    Can you give it a try with OpenAM 13?
    What is the J2EE Agent version?

    #8526
     licolDream
    Participant

    The J2EE Agent version is 3.5.0 (Jetty-v7-Agent_3.5.0.zip).
    And Jetty is jetty-8.1.17.v20150415. Is there anything wrong? If not, I will give it a try with OpenAM 13. Thanks very much.

    #8527

    Nothing wrong, we did our own testing using Agents v3.5.0.
    Please, can you give it a try with AM 13?

    #8528
     licolDream
    Participant

    Ok. I will give it a try with OpenAM 13. Thank you so much.

    #8544
     licolDream
    Participant

    It works well with OpenAM 13.0.0. Thank you very much.

    #8547
     Rajesh R
    Participant

    @licolDream If it helps you in any way, I had tested the Password Replay feature using OpenAM 12 (with an older version of OpenIG). The screencast around the same is here: https://forgerock.org/2015/08/forgerock-openig-getting-credentials-from-forgerock-openam/

    #8657
     raghukanakala
    Participant

    I have also tried with OpenAM 12 and it is working fine. I made the changes mentioned in the
    link https://bugster.forgerock.org/jira/browse/OPENAM-3253.

    I disabled the XUI interface in OpenAM under Configuration -> Authentication -> Core. It is working fine.
