Thursday, November 17, 2016

"{"error":"invalid_grant","error_description":"Please check the 'exp' claim."}"

Hi,

I get the following error when sending the JWT assertion to the Box token endpoint, https://api.box.com/oauth2/token:

Error:

{"error":"invalid_grant","error_description":"Please check the 'exp' claim."}


Solution:

Box validates the 'exp' claim as a Unix timestamp in seconds that lies no more than 60 seconds after the time of issue. System.currentTimeMillis() returns milliseconds, so it has to be divided by 1000 before the expiry offset is added:

import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// exp must be Unix time in SECONDS; currentTimeMillis() is milliseconds.
long currentTimeMillis = System.currentTimeMillis();
long nowSeconds = currentTimeMillis / 1000L;
long exp = nowSeconds + 60L;   // 60 s is the maximum Box accepts; use less if client and Box clocks may drift

Map<String, Object> claims = new HashMap<String, Object>();
claims.put("iss", CLIENT_ID);                          // Box application client ID
claims.put("sub", SUBJECT_ID);                         // the user being authenticated
claims.put("box_sub_type", "user");                    // "user" or "enterprise"
claims.put("aud", "https://api.box.com/oauth2/token");
claims.put("jti", UUID.randomUUID().toString());       // unique per assertion, 16 to 128 characters
claims.put("exp", exp);

After this change the token request succeeds.
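To make the constraint concrete, here is an added Python example (not code from the original post) that builds the same claim set and checks an 'exp' value the way Box does: it flags a millisecond timestamp, a value in the past, and a value more than 60 seconds ahead. The client ID and user ID in the usage block are constructed placeholders; the 60-second limit and the 16-to-128-character jti length come from Box's JWT documentation.

```python
import time
import uuid

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"
MAX_EXP_AHEAD = 60          # Box rejects an exp more than 60 s past issue time
JTI_MIN, JTI_MAX = 16, 128  # Box requires a jti of 16 to 128 characters


def build_claims(client_id, subject_id, sub_type="user", now=None, lifetime=45):
    """Return the Box JWT claim set with exp expressed in seconds.

    lifetime defaults to 45 s: inside Box's 60 s window while leaving headroom
    for clock skew between the client and Box.
    """
    if sub_type not in ("user", "enterprise"):
        raise ValueError("box_sub_type must be 'user' or 'enterprise'")
    if not 0 < lifetime <= MAX_EXP_AHEAD:
        raise ValueError("lifetime must be 1..%d seconds" % MAX_EXP_AHEAD)
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": client_id,
        "sub": subject_id,
        "box_sub_type": sub_type,
        "aud": BOX_TOKEN_URL,
        "jti": str(uuid.uuid4()),   # 36 characters, unique per assertion
        "exp": now + lifetime,
    }


def check_exp(exp, now=None):
    """Return None if exp would pass Box's check, else a diagnostic string."""
    now = int(time.time()) if now is None else int(now)
    if isinstance(exp, bool) or not isinstance(exp, int):
        return "exp must be an integer number of seconds, got %r" % (exp,)
    # Seconds since the epoch stay below 10**11 until the year 5138, so a
    # larger value is almost certainly System.currentTimeMillis() passed as-is.
    if exp > 10 ** 11:
        return "exp looks like milliseconds (%d); divide by 1000" % exp
    if exp <= now:
        return "exp %d is not in the future (now %d)" % (exp, now)
    if exp - now > MAX_EXP_AHEAD:
        return "exp is %d s ahead; Box allows at most %d s" % (exp - now, MAX_EXP_AHEAD)
    return None


def validate_claims(claims, now=None):
    """Check the claim set before signing; returns a list of problems (empty if OK)."""
    problems = []
    if claims.get("aud") != BOX_TOKEN_URL:
        problems.append("aud must be %s" % BOX_TOKEN_URL)
    if claims.get("box_sub_type") not in ("user", "enterprise"):
        problems.append("box_sub_type must be 'user' or 'enterprise'")
    jti = claims.get("jti", "")
    if not (JTI_MIN <= len(str(jti)) <= JTI_MAX):
        problems.append("jti must be %d..%d characters" % (JTI_MIN, JTI_MAX))
    exp_problem = check_exp(claims.get("exp"), now)
    if exp_problem:
        problems.append(exp_problem)
    return problems


if __name__ == "__main__":
    # Constructed placeholder IDs; substitute your own client ID and user ID.
    now = int(time.time())
    good = build_claims("my_client_id", "12345678", now=now)
    print("good claims:", validate_claims(good, now) or "OK")
    # Reproduce the error from the post: exp built from milliseconds.
    bad = dict(good, exp=now * 1000 + 60000)
    print("bad claims: ", validate_claims(bad, now))
```

Run validate_claims on the claim set before signing it; a millisecond exp shows up as a value a thousand times too large, which is the case the Box error message points at.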

Wednesday, September 14, 2016

Sending Tomcat Logs to Syslog Servers in Redhat 7

I want to send the Tomcat logs to a syslog server on Red Hat 7 as follows:

1. Configuring the tomcat.conf file


     I want to send the Tomcat catalina.log to the syslog server using the local1 facility. Go to /etc/rsyslog.d/, create a file called tomcat.conf and add the following content to it.


 # File 1
input(type="imfile"
      File="/var/log/tomcat/catalina.log"
      Tag="catalina"
      StateFile="/var/spool/catalina"
      Severity="info"
      Facility="local1")

local1.*  @<syslogServer>:514

Replace <syslogServer> with the hostname or IP address of your syslog server. A single @ forwards over UDP, which is unencrypted and drops messages silently when the collector is unreachable; @@ forwards over TCP, and rsyslog's omfwd module can add TLS on top when the log contents are sensitive.

In the above configuration:

File is the absolute path of the Tomcat log file, in my case /var/log/tomcat/catalina.log.

Tag is the identifier the syslog server sees for lines from this file; I use catalina to filter the Tomcat content on the syslog server. imfile writes the Tag value exactly as given, so if you want the conventional "catalina:" form with a colon, include the colon in the Tag value.

type is the module that reads the log file. It must be loaded in /etc/rsyslog.conf; see section 2.1.

StateFile records how far into catalina.log rsyslog has read, so that lines are not re-sent after a restart.

Severity is the syslog severity assigned to every line read from the file. It is fixed per input: Tomcat's own levels (INFO, WARNING, SEVERE) remain only in the message text and are not mapped to syslog severities.

Facility is the syslog facility assigned to the lines. I use local1, and that facility is what selects the Tomcat lines for forwarding to the remote server (and excludes them from /var/log/messages in section 2.2).

2. Configuring the rsyslog.conf

    2.1 Load the imfile module

     The imfile module is required to read catalina.log and turn its lines into syslog messages.
      Edit /etc/rsyslog.conf and add the following line in the MODULES section:

      module(load="imfile" PollingInterval="10")

    2.2 Exclude the Tomcat messages from /var/log/messages

    Without this step every catalina.log line is forwarded to the remote server and also written to the local /var/log/messages.

    Edit /etc/rsyslog.conf and add local1.none to the selector of the /var/log/messages rule:

    *.info;mail.none;authpriv.none;cron.none;local1.none                /var/log/messages
    

   2.3 Restart the rsyslog daemon.

     systemctl restart rsyslog
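As an added example, not part of the original post, the following Python script shows what the tomcat.conf input above puts on the wire and how a collector can pick those lines back out: it computes the PRI value for local1.info (17 * 8 + 6 = 142), parses BSD-style (RFC 3164) syslog lines, and keeps only the records with facility local1 and tag catalina. The sample lines are constructed (host web01, with an sshd line for contrast); note that every catalina record carries the fixed severity "info" from the input's Severity parameter, whatever Tomcat's own level in the message says.

```python
import re

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>TIMESTAMP HOST TAG[PID]: MSG as emitted by rsyslog's traditional format.
# imfile writes the Tag value verbatim (no colon unless Tag itself ends in one),
# so the colon and the [PID] part are both optional here.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)


def pri(facility, severity):
    """PRI value rsyslog puts on the wire for a facility/severity pair."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """Split a PRI value back into (facility, severity) names."""
    return FACILITY_NAMES[value // 8], SEVERITY_NAMES[value % 8]


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it is not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "facility": facility, "severity": severity,
        "timestamp": m.group("ts"), "host": m.group("host"),
        "tag": m.group("tag"), "pid": m.group("pid"), "msg": m.group("msg"),
    }


def select_tomcat(lines, facility="local1", tag="catalina"):
    """Keep only the records produced by the imfile input in tomcat.conf."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["facility"] == facility and rec["tag"] == tag:
            out.append(rec)
    return out


# Constructed sample of what the collector would receive from host "web01":
# two catalina lines (local1.info = PRI 142) and one unrelated sshd line
# (authpriv.info = PRI 86).
SAMPLE = [
    "<142>Sep 14 10:15:32 web01 catalina 14-Sep-2016 10:15:32.104 INFO [main] "
    "org.apache.catalina.startup.Catalina.start Server startup in 4213 ms",
    "<86>Sep 14 10:15:33 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "<142>Sep 14 10:15:34 web01 catalina: 14-Sep-2016 10:15:34.771 SEVERE [http-nio-8080-exec-3] "
    "org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() threw exception",
]

if __name__ == "__main__":
    print("local1.info -> PRI", pri("local1", "info"))
    for rec in select_tomcat(SAMPLE):
        # severity is always "info": fixed by Severity="info" in tomcat.conf,
        # while Tomcat's own level (INFO/SEVERE) is only in the message text.
        print(rec["severity"], rec["tag"], rec["msg"][:70])
```

If you need Tomcat's SEVERE lines to surface as syslog errors on the collector, that has to be done downstream (for example with a property-based filter on the message text), since imfile stamps one severity on every line it reads.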



Friday, January 29, 2016

Enabling Windows Authentication WCF Web Service in IIS


I want to enable Windows authentication for my existing WCF web service as follows:

Pre-requisite:

     The WCF service application is already deployed in IIS.

1. WCF Service Application

     1.1 web.config

      The following changes need to be made to enable Windows authentication for the WCF service application.

      Configure the basicHttpBinding:

     In web.config, under <configuration><system.serviceModel>, add the basic HTTP binding.

<bindings>
  <basicHttpBinding>
    <binding name="BasicHttpEndpointBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

    This binding name is referenced from the bindingConfiguration attribute of the service endpoint below. Note that TransportCredentialOnly authenticates the caller with Windows credentials (Kerberos, or NTLM if Kerberos fails) but leaves the HTTP traffic itself unencrypted; outside a trusted internal network, bind the site to HTTPS and use security mode="Transport" instead.

    Configure the service endpoint

      In web.config, under <configuration><system.serviceModel><services><service>, add the endpoint:

<endpoint address="" binding="basicHttpBinding" contract="Service.AppService" bindingNamespace="http://example.edu/Service/" bindingConfiguration="BasicHttpEndpointBinding" />

The bindingConfiguration attribute must match the binding name defined above (BasicHttpEndpointBinding).
      

2.  IIS Configuration

      2.1 Application Pool

        The application pool must run as a domain service account: the HTTP SPN is registered on that account in step 2.3, and it is the account that Active Directory trusts for delegation in step 4, so that the caller's Kerberos identity can be delegated to the target application.

   Open the IIS Manager Console --> Host Name --> Application Pools --> Select WCF Deployed Application Pool -->  Right Click --> Advanced Settings -->  Process Model --> Identity --> Select Custom Account --> Click Set Button.
        Enter your service account user name, password, and password confirmation.

    After configuring the application pool identity, restart (recycle) the application pool.

      2.2 WCF Service Application

           This configuration enables Windows authentication for the WCF service application in IIS.

          Configuring Windows Authentication:


          Open the IIS Manager Console --> Host Name -->  Web Site --> WCF Service Application --> Click Authentication --> Right Click Windows Authentication --> Select Enable

          This enables Windows authentication for the application. Disable Anonymous Authentication for the same application so that every request is authenticated.

          Configure useAppPoolCredentials

Open the IIS Manager Console --> Host Name -->  Web Site --> WCF Service Application --> Click Configuration Editor --> system.webServer/security/authentication/windowsAuthentication --> change useAppPoolCredentials from False to True.

          With kernel-mode authentication (the IIS default) Kerberos tickets are otherwise decrypted with the machine account's key; useAppPoolCredentials makes IIS use the application pool identity instead, which is the account that holds the HTTP SPN registered in step 2.3.

      2.3 Configuring the SPN

       Open a command prompt as a Windows administrator and register the HTTP SPNs for both the short host name and the FQDN on the application pool account:

setspn -S HTTP/<hostname> <domain>\<Application Pool Identity>
setspn -S HTTP/<host fqdn> <domain>\<Application Pool Identity>

<Application Pool Identity> is the service account configured in step 2.1. The -S switch checks the forest for an existing registration of the same SPN before adding it; a duplicate SPN breaks Kerberos for both accounts and silently pushes clients back to NTLM.


3. Restart IIS

     Open the IIS Manager Console --> Host Name --> Right Click --> Stop
      This stops the IIS server.
     Open the IIS Manager Console --> Host Name --> Right Click --> Start
     This starts the IIS server again so that the authentication and SPN changes take effect.

4. Active Directory Configuration

     This configuration allows the service account to use the caller's Kerberos identity against back-end services.
      Open Active Directory Users and Computers --> search for the Application Pool Identity (the service account configured in 2.1) --> Delegation tab --> select "Trust this user for delegation to any service (Kerberos only)".

     Note that this option is unconstrained delegation: if the service account is compromised, it can impersonate any caller to any service in the domain. Prefer "Trust this user for delegation to specified services only" and list just the SPNs of the back-end services the WCF application actually calls.

5. Test the application


      5.1 Create the krb.conf file

       Create the krb.conf file and add the following content to it.

[libdefaults]
    default_realm = EXAMPLE.EDU
[realms]
    EXAMPLE.EDU = {
        kdc = dcs01example.edu
    }

      Replace the default_realm and kdc values with your AD domain realm (in upper case) and the host name of an AD domain controller.

      5.2 Create the JAAS login.conf file

       Create the login.conf file and add the following content inside the file.

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=false useTicketCache=true;
};

      5.3 Execute the Java Code


      Execute the following code to test Windows authentication against the service. Service_Service and Service are the JAX-WS client classes generated from the service WSDL.


import java.net.Authenticator;
import java.net.PasswordAuthentication;

import edu.example.Service;
import edu.example.Service_Service;

public class ClientService {

    // Test credentials only; never hard-code a real account in source.
    private static final String USER_NAME = "<Replace Your User Name>";
    private static final String USER_PWD = "<Replace Your User Password>";

    public static void main(String[] args) throws Exception {
        // Kerberos realm/KDC (5.1) and JAAS login configuration (5.2)
        System.setProperty("java.security.krb5.conf", "c:/ClientService/src/krb.conf");
        System.setProperty("java.security.auth.login.config", "C:/ClientService/src/login.conf");
        // Let JGSS obtain credentials itself (through the Authenticator below)
        // instead of requiring a pre-authenticated Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Dump the full HTTP exchange, including the Authorization: Negotiate header.
        // Useful while debugging; turn it off afterwards so tokens do not end up in logs.
        System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump", "true");
        System.setProperty("com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.dump", "true");
        System.setProperty("com.sun.xml.ws.transport.http.HttpAdapter.dump", "true");

        // Supplies the user name and password when the Negotiate challenge arrives.
        Authenticator myAuth = new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                System.err.println("Feeding username and password for " + getRequestingScheme());
                return new PasswordAuthentication(USER_NAME, USER_PWD.toCharArray());
            }
        };
        Authenticator.setDefault(myAuth);

        // Call the service through the basicHttpBinding endpoint configured in 1.1.
        Service_Service service = new Service_Service();
        Service binding = service.getBasicHttpBindingService();
        String result = binding.verify("");
        System.out.println(result);
    }
}