HOAB

History of a bug

Introscope intrumentation static / final method

Rédigé par gorki Aucun commentaire

Problem :

It seems that I have no metric on one particular method while it works for all the others.

This is method is  :

public final boolean myMethod(myArgs)

Does the fact that this method is final is a problem for bytecode instrumentation of Introscope ?

Solution :

No. It works :) As usual. My problem is somewhere else.

3 classes : 

Parent

package com.test.caapm.finalmethodtest;

public class ParentClass {
    public void finalMethod() {
        System.out.println("parentFinalMethod");
    }
}

Middle

package com.test.caapm.finalmethodtest;

public class TestFinalMethodAgent extends ParentClass {

    public static void staticMethod() {
        System.out.println("staticMethod");
    }

    public final static void finalStaticMethod() {
        System.out.println("finalStaticMethod");
    }

    public final void finalMethod() {
        System.out.println("finalMethod");
    }

    public static void main(String... args) {
        TestFinalMethodAgent test = new TestFinalMethodAgent();

        while(true) {
            test.finalMethod();
            TestFinalMethodAgent.staticMethod();
            TestFinalMethodAgent.finalStaticMethod();
            try {
                Thread.sleep(1000);
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
    }

}

Child

package com.test.caapm.finalmethodtest;

public class ChildClass extends TestFinalMethodAgent{
}

Pbd

SetFlag: TestFinalMethod
TurnOn: TestFinalMethod

IdentifyDeepInheritedAs: com.test.caapm.finalmethodtest.ParentClass TestFinalMethod

TraceAllMethodsIfFlagged: TestFinalMethod PerIntervalCounter "{classname} - {method}"

 

 

 

 

 

 

OVH mutualisé et owncloud

Rédigé par gorki Aucun commentaire

Le problème :

J'essaie d'utiliser Owncloud avec un OVH mutualisé.

J'ai déplacé des fichiers dans cette arborescence, et il faut maintenant faire de la ligne de commande… qui n'est pas disponible en OVH mutualisé.

Solution :

Ligne de commande à exécuter : 

./occ files:scan <mon chemin> <mon user>

Quelques difficultés : 

  1. Accès à la ligne de commande, on utilise un shell PHP, par exemple P0wnyShell
  2. Trouver le binaire occ : il est à la racine :)
  3. Droit d'exécution sur occ : chmod 744 occ
  4. Identifier l'exécutable PHP : ps -aef | grep php
2617  9693  0 09:44 ?        00:00:00 php7.4 -c /usr/local/php7.4/etc/php-cgi.ini -d display_errors=0 -d session.force_path=1 -- p0wnyshell.php
  1. Modifier le fichier occ pour mettre le bon chemin : #!/usr/bin/env /usr/local/php7.4/bin/php
  2. Executer : 
./occ files:scan <mon chemin> <mon user>

 

Lire la suite de OVH mutualisé et owncloud

Springboot OAUTH & PKCS failed & log level of the filter

Rédigé par gorki Aucun commentaire

Problem :

When using Spring Oauth2 resource server, it checks the received token, to do so it must retrieve token validaty or get certificates to validate token. These two calls are usually made in HTTPS for obvious security reason.

When the certificate is not known by the Spring Oauth2 resource server JVM, it fails as SSL handshake can not complete. It fails. Without a single message :) 

Solution :

Put the following log level on : 

org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter: DEBUG

I see that the exception is propagate to authenticationFailureHandler I see that it should be handle by authenticationFailureHandler but somewhere in the chain, it's not traced… Could search deeper next time.

It will activate this log : 

            try {
                AuthenticationManager authenticationManager = this.authenticationManagerResolver.resolve(request);
                Authentication authenticationResult = authenticationManager.authenticate(authenticationRequest);
                ...
            } catch (AuthenticationException var11) {
                SecurityContextHolder.clearContext();
                if (debug) {// 134
                    this.logger.debug("Authentication request for failed!", var11);
                }
                this.authenticationFailureHandler.onAuthenticationFailure(request, response, var11);
            }

Keycloak admin stuck on HTTP 204 because of port 443

Rédigé par gorki Aucun commentaire

Problem :

I use Keycloak 19.0.1 behind a proxy (nginx) and wasn't able to connect to the admin part of keycloak.

With a reverse proxy nginx and keycloak, login in admin console lead to be blocked on :

/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console ....

With a 204 return code and no other errors. 

Solution :

I had to explore keycloak source code to find the cause ; This test failed in keycloak.js : if ((event.origin !== loginIframe.iframeOrigin) in keycloak.js

After a (lot of) time of search, it appears that it compares : https://mydomain/keycloak and https://mydomain:443/keycloak because I'd setup hostname-port to 443 in keycloak.config.

My keycloak configuration : 

hostname=mydomain  
proxy=reencrypt  
hostname-strict=false  
hostname-port=443  
hostname-path=keycloak  
http-relative-path=keycloak  
hostname-admin-url=https://mydomain/keycloak

So keycloak build his URL as follow : https://mydomain:443/

And the browser send : https://mydomain/ as 443 is a default port and not displayed in the URL.

By removing the port, it works perfectly : 

#hostname-port=443

I open a discussion to improve documentation here

 

Introscope & SAML (saml.jsp)

Rédigé par gorki Aucun commentaire

Problem :

I tried to connect Broadcom Introscope 10.7 and SAML given by Keycloak.

Based on these documents : 

Well not enough to make it works.

Solution :

Thanks to remote debug mode, the key is that the callback URL is : 

https://<webview url>/saml.jsp

Search for saml.jsp + introscope on google. Good luck.

Here are the steps (assuming that you already have a keycloak realm up and ready) : 

Step 1 : IntroscopeEnteprise.properties

introscope.saml.enable=true
introscope.saml.request.binding=POST
introscope.saml.idpUrl=<URL_KEYCLOAK>/realms/<your realm>/protocol/saml
introscope.saml.issuer=com.ca.apm.webview.serviceprovider
introscope.saml.webstart.issuer=com.ca.apm.webstart.serviceprovider
introscope.saml.em.issuer=com.ca.apm.em.serviceprovider
introscope.saml.principalAttributeName=principalName
introscope.saml.groupsAttributeName=groups
introscope.saml.webstart.tokenTimeoutInSeconds=60
introscope.saml.internalIdp.enable=false
# introscope.saml.internalIdpUrl=http://localhost:8080/idp/profile/SAML2/POST/SSO

Step 2 : Keycloak configuration

  1. Create a client named as introscope.saml.issuer so in our case :  com.ca.apm.webstart.serviceprovider
  2. Enter the callback URL in Master SAML Processing URL : https://<webview url>/saml.jsp

Step 3 : Certificates

You should secure you communication between Introscope and Keycloak : 

  1. Provide HTTPS for Keycloak
  2. Provide HTTPS for Introscope
  3. Sign information in Keycloak client
  4. Import Keycloak key in a JKS truststore for Java (Webview part). Keycloak client certificate are in the client definition, tab “Keys”.
    1. Follow Official guide to create the JKS
  5. Point to this truststore (example : spprivatekey.jks) - next steps.

Step 4 : IntroscopeWebview.properties:

apm.webview.saml.sp.truststore=/path/to/spprivatekey.jks
Fil RSS des articles