Form-based authentication on production environment [message #1865988]
Thu, 16 May 2024 22:53
Eclipse User
Good day all!
I have a problem with form-based authentication. In the development environment, form-based authentication works fine and behaves as expected. However, when I build the project for production and deploy it, form-based authentication does not work; it seems to use the other authentication method. Based on the logs, the UI captures the username and password, but when the UI makes a POST request to the server for authentication, the server does not seem to receive it correctly. With the old version it works fine, but with the latest version it won't work. I think some things need to be configured properly when using HTTP, but I am not sure which part. Could someone give me a hint or point me to which files, settings, or configuration to look at?
These are the details:
- Eclipse Scout version 24.1
- Java 17
- Operating System: Devuan (daedalus) 64-bit
- Using HTTP
- UI-> config.properties: scout.app.sessionCookieConfigSecure=false
- UI->config.properties: scout.backendUrl=http://localhost:8080
- ui & server are on same machine.
Thanks in advance, guys.
Sincerely,
Novem
Re: Form-based authentication on production environment [message #1866000 is a reply to message #1865994]
Fri, 17 May 2024 04:14
Eclipse User
Hello Stephan,
Thanks for the reply. Actually, I am using a reverse proxy (nginx) server where the website security (certificate) is implemented; that's why I just use HTTP. With the previous version of Scout and the same settings, everything worked perfectly. In the current version (24.1), yes, it does show the login box, and the UI server even logs the current username and password. In my authentication on the client side, I have this:
ScoutServiceCredentialVerifier.java
    // Verify the credentials by calling the server-side IUserService in a separate job,
    // running under a dedicated subject and without a client session.
    final IFuture<UserFormData> passwordCaller = Jobs.schedule(new Callable<UserFormData>() {
        @Override
        // @SuppressWarnings("PMD.SignatureDeclareThrowsException")
        public UserFormData call() throws Exception {
            final IUserService userService = BEANS.get(IUserService.class);
            final UserFormData userFormDataInput = new UserFormData();
            userFormDataInput.getLogin().setValue(username);
            userFormDataInput.getEmail().setValue(username);
            // The actual check happens on the server (see UserService.getAuthenticate below).
            final UserFormData userPassFormData = userService.getAuthenticate(userFormDataInput, passwordPlainText);
            return userPassFormData;
        }
    }, Jobs.newInput()
        .withRunContext(ClientRunContexts.copyCurrent(true)
            .withSubject(this.retrievePasswordCheckerSubject())
            .withUserAgent(UserAgents.createDefault())
            .withSession(null, false))
        .withName(this.buildJobName()));
    // Block until the server-side check returns; give up after 30 seconds.
    savedPassword = passwordCaller.awaitDoneAndGet(30, TimeUnit.SECONDS);
    ..
    ..
    LOG.warn("Bad username or password for username : " + username + " -> Thru API Authentication");
    ..
    ..
On the server side, I have this:
UserService.java
    @Override
    public UserFormData getAuthenticate(final UserFormData userPassFormData, char[] passwordPlainText) {
        // The API client needs the password as a String; build it once from the char[]
        // rather than concatenating it character by character.
        String password = new String(passwordPlainText);
        // Authenticate the user against LDAP through the API; returns the user ID and a token.
        Object[] userIdAndToken = apiAuthentication(userPassFormData.getLogin().getValue(), password);
        ..
        ...
        ..
The problem is that this userService.getAuthenticate(userFormDataInput, passwordPlainText) is not executed; the getAuthenticate(...) is not invoked!
It seems the UI is calling its default account verifier. But in my UiServletFilter.java I have this:
    ..
    ..
    // Register the custom credential verifier for form-based login instead of the default one.
    m_formBasedAccessController = BEANS.get(FormBasedAccessController.class)
        .init(new FormBasedAuthConfig()
            .withCredentialVerifier(BEANS.get(ScoutServiceCredentialVerifier.class)));
    ..
    ..
If ScoutServiceCredentialVerifier.class is not used, then, by printing logs, I get:
Bad username or password for username : marknovemg -> Thru API Authentication
I am in the process of tracing and debugging the problem, and have revisited the latest Scout documentation.
Those are the other details, Stephan; thanks again.
Sincerely,
Mark Novem
Re: Form-based authentication on production environment [message #1866063 is a reply to message #1866003]
Tue, 21 May 2024 03:39
Eclipse User
After days of debugging and thorough analysis of every log, considering all aspects from the project build and firewall to the reverse proxy logs, I finally nailed it and successfully deployed it to the production environment.
1. As to my assumption that the server received a wrong parameter: I was wrong; the server received the correct parameter. It just seemed wrong based on the logs, but the server only performs the other option when the first option is not available.
2. As to my assumption that the method userService.getAuthenticate(...) was not invoked: again I was wrong. It was invoked, and it is actually where the real problem occurs.
3. As to my assumption that some configuration might need to be done when using HTTP: I just followed the Eclipse Scout documentation, taking into account Stephan's comments on 'scout.app.sessionCookieConfigSecure'.
Actions performed:
1. Performed the project build, considering all settings. Result: same problem.
2. Put LOG.info(...) at every entry point. Result: the specific entry point where the error occurs was identified, but the log information did not provide a direct or specific cause or error.
3. Since we're using API-based authentication and the API URL is printed in the logs, I copied the URL and ran "wget API-URL" directly in the server's terminal. Result: specific error identified -> "connection refused".
4. Logged in to the reverse proxy server to confirm the error logs. Result: confirmed! "...connection refused.."
5. Copied the API URL and tested it on my machine. Result: connection successful!
6. Checked the firewall for possible rules that might block the server IP. Result: no logs showing that the server IP is blocked.
7. Since we're using Django as our API framework, checked the API logs. Result: connection refused, confirmed! It is the API that causes the error: the client IP is not allowed to access the API.
Cause of the problem:
1. The API does not allow the client IP to access the API server.
Solution: add the client IP to the allowed hosts setting in the API settings.
Result: successfully deployed Eclipse Scout to the production environment (Devuan server) using form-based authentication with an API (Django API) as the base authentication point and LDAP (OpenLDAP) as the API's authentication source.
For those who might encounter a problem identical to mine, I hope this information can help you.
Thank you Stephan for the assistance.
Sincerely,
Mark Novem Pero Grisola
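The root cause in this thread was that the Scout server could not reach the Django API at all, yet the verifier reported it in the log as "Bad username or password". The following is an added example, written in Java 17 against the JDK only and not taken from the posts above or from Eclipse Scout, of how the server-side API call behind getAuthenticate(...) can keep a credential rejected by the API apart from an API that was never reached, so the log points at connectivity (firewall, proxy, API host allow-list) instead of at the password. The endpoint path, the JSON request shape and the 401/403 status codes are assumptions, since the thread never shows the Django API's contract; the password is never written to the log.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Arrays;

/**
 * Added example (not from the thread or from Eclipse Scout): call an HTTP
 * authentication API and report three distinct outcomes, so that a refused
 * connection to the API host is never reported as a bad password.
 */
public class ApiAuthClient {

    public enum Outcome { OK, REJECTED, API_UNAVAILABLE }

    /** Outcome plus a short, password-free detail string for the log. */
    public record Result(Outcome outcome, String detail) { }

    private final URI endpoint;   // hypothetical endpoint; the real Django route is not on the page
    private final HttpClient http;

    public ApiAuthClient(URI endpoint) {
        this.endpoint = endpoint;
        // A connect timeout turns a silently dropped packet (firewall) into a fast, explicit failure.
        this.http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    }

    public Result authenticate(String username, char[] passwordPlainText) {
        // Hypothetical JSON body; the thread does not show the API's request format.
        // new String(...) is unavoidable for the HTTP body, so the caller should clear the char[] afterwards.
        String body = "{\"username\":" + jsonString(username)
                + ",\"password\":" + jsonString(new String(passwordPlainText)) + "}";
        HttpRequest request = HttpRequest.newBuilder(endpoint)
                .timeout(Duration.ofSeconds(10))
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body, StandardCharsets.UTF_8))
                .build();
        try {
            HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
            int status = response.statusCode();
            if (status == 200) {
                return new Result(Outcome.OK, "HTTP 200");
            }
            if (status == 401 || status == 403) {
                // The API received the request and rejected the credentials: this is the
                // only case that should produce "Bad username or password" in the log.
                return new Result(Outcome.REJECTED, "HTTP " + status);
            }
            // Anything else (400, 5xx, ...) means the API did not evaluate the credentials.
            return new Result(Outcome.API_UNAVAILABLE, "unexpected HTTP " + status);
        } catch (IOException e) {
            // Connection refused, timeout, TLS or proxy failure: the API was never reached.
            return new Result(Outcome.API_UNAVAILABLE, e.getClass().getSimpleName() + ": " + e.getMessage());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return new Result(Outcome.API_UNAVAILABLE, "interrupted");
        }
    }

    /** Minimal JSON string encoding (quotes, backslashes and control characters). */
    static String jsonString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') {
                sb.append('\\').append(c);
            } else if (c < 0x20) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    public static void main(String[] args) {
        // Constructed demo: nothing normally listens on 127.0.0.1:9, so this reproduces the
        // thread's "connection refused" as seen from the Scout server.
        ApiAuthClient client = new ApiAuthClient(URI.create("http://127.0.0.1:9/api/auth/"));
        char[] password = "constructed-demo-password".toCharArray();
        Result result = client.authenticate("marknovemg", password);
        Arrays.fill(password, '\0');   // do not keep the plaintext around longer than needed

        switch (result.outcome()) {
            case OK -> System.out.println("authenticated");
            case REJECTED -> System.out.println("Bad username or password for username : marknovemg -> Thru API Authentication");
            case API_UNAVAILABLE -> System.out.println("Authentication API unavailable (" + result.detail()
                    + "); check connectivity, reverse proxy and API host allow-list, not the password");
        }
    }
}
```

Inside a Scout ICredentialVerifier.verify(String, char[]) implementation (assumed here to be declared with throws IOException and to use the AUTH_OK / AUTH_FAILED result constants), OK maps to AUTH_OK and REJECTED to AUTH_FAILED, while API_UNAVAILABLE is best rethrown as an IOException so that the server log records an infrastructure failure rather than a credential failure, which is the distinction step 3 of the debugging above ("wget API-URL" on the server) had to recover by hand.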