I'm writing a job that will connect to a client's FTP/S server over my SOCKS5 proxy and I'm utilizing the Apache Commons Net package. The issue is that my SOCKS proxy is configured to not require authentication but I am still getting the following exception:
java.net.SocketException: SOCKS : authentication failed
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:443)
at java.net.Socket.connect(Socket.java:519)
I've tried setting the java.net.socks.username and password properties to empty strings but I still get it. Is there a way I can tell the code to not use authentication? Digging into the underlying source I almost think it's querying the proxy server for the authentication requirement, but I'm not sure.
Alright so the issue was that my SOCKS proxy was set up to ask for authentication but to also accept connections that did not authenticate. We use Dante and while programs like Filezilla are smart enough to iterate through all of the acceptable authentication methods, it seems like the java.net package only goes off the first method supplied. Since my authentication configuration in my sockd.conf file was as follows:
method: username none
user.notprivileged: nobody
java.net was demanding a username and password. I simply flipped the methods to "none username" and both Filezilla and java.net correctly pass through the proxy. It's a bit of an IT solution but whatever gets the code to work, right?
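The method negotiation behind this fix, as an added example that is not part of the original post. It models the RFC 1928 greeting and reply, and assumes the server picks the first entry of its configured `method:` list that the client also offered, and that the client offers both "no authentication" (0x00) and "username/password" (0x02); the greeting bytes are constructed.

```java
import java.util.Arrays;
import java.util.List;

/** Added example: RFC 1928 method negotiation with a server-side preference list. */
public class Socks5MethodSelection {
    static final int NO_AUTH = 0x00, USERNAME_PASSWORD = 0x02, NO_ACCEPTABLE = 0xFF;

    /** Parses the client greeting (VER, NMETHODS, METHODS...) into the offered methods. */
    static int[] parseGreeting(byte[] greeting) {
        if (greeting.length < 2 || greeting[0] != 0x05) {
            throw new IllegalArgumentException("not a SOCKS5 greeting");
        }
        int n = greeting[1] & 0xFF;
        if (greeting.length != 2 + n) {
            throw new IllegalArgumentException("NMETHODS does not match length");
        }
        int[] methods = new int[n];
        for (int i = 0; i < n; i++) methods[i] = greeting[2 + i] & 0xFF;
        return methods;
    }

    /** Server side (assumed rule): the first configured method the client offered wins. */
    static byte[] selectMethod(byte[] greeting, List<Integer> serverPreference) {
        int[] offered = parseGreeting(greeting);
        for (int preferred : serverPreference) {
            if (Arrays.stream(offered).anyMatch(m -> m == preferred)) {
                return new byte[] {0x05, (byte) preferred};
            }
        }
        // No overlap: the reply carries 0xFF and the client must close the connection.
        return new byte[] {0x05, (byte) NO_ACCEPTABLE};
    }

    public static void main(String[] args) {
        // Constructed greeting: VER=5, NMETHODS=2, METHODS = {no auth, username/password}.
        byte[] greeting = {0x05, 0x02, 0x00, 0x02};
        // Preference order as in "method: username none".
        byte[] before = selectMethod(greeting, List.of(USERNAME_PASSWORD, NO_AUTH));
        // Preference order as in "method: none username".
        byte[] after = selectMethod(greeting, List.of(NO_AUTH, USERNAME_PASSWORD));
        System.out.printf("username none -> method 0x%02X%n", before[1] & 0xFF);
        System.out.printf("none username -> method 0x%02X%n", after[1] & 0xFF);
    }
}
```

With `none` listed first, a client that offers method 0x00 is never asked for credentials, so access to the proxy then rests on its client and address rules rather than on passwords.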
We have a splunk instance which is exposed to internet via say https://splunk.mycompany.com
When we access the above URL browser says connection is secure meaning all certificates are ok.
Now splunk REST API service is running on port 8089. So to access splunk REST API we have to hit
https://splunk.mycompany.com:8089
Whenever we are hitting the above URL we are getting certificate issues and browser is saying "your connection is not private"
Error is: NET::ERR_CERT_AUTHORITY_INVALID
As I am still accessing the same hostname via https (and a new port) it should establish a secure connection. But why is it failing to validate the certificate authority?
Edit: I have been told by the Splunk team to take the certificate of https://splunk.mycompany.com and install it in the Java keystore on the machine from where the REST API call is being made. They also told me this is working for others. My question: why is it even needed?
You should enable SSL on port 8089 via server.conf file.
Have a look at the Splunk Documentation here: https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigTLSCertsS2S
Any idea how to fix this security vulnerability?
Java JMX interface is accessible via following username/password pairs: admin/password admin/admin admin/activemq monitorRole/QED controlRole/R%26D controlrole/password monitorrole/password cassandra/cassandrapassword monitorRole/tomcat controlRole/tomcat monitorRole/mrpasswd controlRole/crpasswd role1/role1passwd role2/role2passwd role3/role3passwd admin/thisIsSupposedToBeAStrongPassword!
QID Detection Logic (Authenticated):
This QID tries to log into JMX RMI server using above credentials. Note: if remote JMX RMI server accessible without authentication, all of above credentials will post.
The fix for this mentions to change the common password, but I'm not sure where exactly and if that is the right way. Any guidance is appreciated.
You can use Java Console (jconsole.jar or jconsole.exe) or Java Mission Control to verify whether you can connect with one of the default passwords listed by Qualys or without any credentials at all.
Here are the instructions on how to secure JMX from Oracle:
https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepwd.html
Here's how to enable JMX with password and SSL:
https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepwdssl.html
You may need to work with your specific vendor on how to address this for your specific configuration but here's how another particular vendor recommends addressing it:
https://support.datastax.com/hc/en-us/articles/204226179-Step-by-step-instructions-for-securing-JMX-authentication-for-nodetool-utility-OpsCenter-and-JConsole
Because I don't need to consider security issues in my application, I want to connect to RabbitMQ using the Java client without a password.
In the management UI, I set the user's password to "no password". Then I tried it this way:
ConnectionFactory factory = new ConnectionFactory();
factory.setHost("localhost");
factory.setUsername("myuser");
connection = factory.newConnection();
Alternatively, I tried to assemble the URI by hand:
factory.setUri("amqp://myuser@localhost:5672");
...but in both cases the authentication fails with this exception:
Exception in thread "main" com.rabbitmq.client.AuthenticationFailureException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:339)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:716)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:760)
at de.bmw.rabbitmq.workerqueue.Producer2.main(Producer2.java:51)
Is it even possible to get a connection without a password?
Passwordless authentication can be achieved by using the rabbitmq-auth-mechanism-ssl as documented here: https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl. This requires that SSL/TLS support is set up and working. If this option is chosen, a trusted root certificate is used for authentication, and any username/password is ignored altogether.
I'm currently investigating whether passwordless authentication is possible in conjunction with LDAP, but I haven't had any luck getting this to work.
Edit: In my environment, Windows services are authenticating using certificate-based auth, and the RabbitMQ cluster admins can authenticate to the management web UI using LDAP. In case you're interested in LDAP auth, here's another post about it.
Because I don't need to consider security issues in my application
I would heavily question this assumption. In fact, I would go so far as to say this is never correct.
That being said:
Just use a simple password that anyone can know. It's going to be easier to do that than to try and make RMQ work without a password.
To finalize this issue. As suggested by Derick Bailey: I helped myself by introducing (default) credentials for the different clients.
I have implemented a simple proxy server using Java NIO channels, but have a problem: some sites work perfectly, but others give an error about an unknown path or redirect to a technical page of their hoster with a message that the resource doesn't exist. Is it my fault, or maybe some sites don't allow proxying?
The proxy server works like this: I enter 'localhost' and in the browser I receive the site that was set in code. And the request from the browser I simply resend to the target site this way:
private void connect(SelectionKey key) throws IOException {
    // key belongs to the channel that is connected to the target site
    SocketChannel channel = ((SocketChannel) key.channel());
    // the attachment's buffer holds the request received from the browser
    Attachment attachment = (Attachment) key.attachment();
    channel.write(attachment.buffer);
}
So 'key' is the SelectionKey of the target site, and in attachment.buffer I store the request that was sent to the proxy server.
So, is something wrong with my code, or is proxying simply blocked by some sites?
Update 1. I suppose I found the problem. Because I redirect the request from localhost to the remote server AS IS, the HOST field in the request contains 'localhost'. It seems like some sites ignore this field, while others try to use it and redirect to a 404 page because they can't find the 'localhost' I'm asking for. So the question is how to change the 'Host' field in the request to the destination server name?
The target server doesn't know anything about your NIO code, or whether you are a proxy or a real client.
If you got an error page, the proxy is working, and it is the resource being proxied that is the problem: it doesn't exist, you don't have access, etc. Nothing you can do about that in your code and no reason why you should worry. Just send the error page to the client, same as you would send anything else.
Why is that method called connect() when it doesn't connect and does do something else?
I found the problem. The HOST field after the proxy contains 'localhost', so some sites accept it, others do not. Replacing the value of this field with the real host fixes the problem.
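One way to do the Host replacement described above, as an added example that is not the poster's code. It assumes the whole header block is already in the buffer and that the buffer is in read mode; the class name, method name, sample request and target host are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/** Added example: rewrite the Host header of a buffered HTTP/1.x request before forwarding. */
public class HostHeaderRewrite {

    /** Returns a new buffer whose Host header names targetHost; the body is left untouched. */
    static ByteBuffer rewriteHost(ByteBuffer request, String targetHost) {
        // Refuse CR/LF so the configured host can never smuggle extra header lines.
        if (targetHost.indexOf('\r') >= 0 || targetHost.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("target host must not contain CR/LF");
        }
        byte[] raw = new byte[request.remaining()];
        request.duplicate().get(raw); // duplicate() leaves the caller's position alone
        // ISO-8859-1 maps every byte to one char, so body bytes survive the round trip.
        String text = new String(raw, StandardCharsets.ISO_8859_1);
        int headerEnd = text.indexOf("\r\n\r\n");
        if (headerEnd < 0) {
            throw new IllegalArgumentException("header block is not complete yet");
        }
        StringBuilder out = new StringBuilder();
        boolean replaced = false;
        String[] lines = text.substring(0, headerEnd).split("\r\n");
        for (int i = 0; i < lines.length; i++) {
            // Header names are case-insensitive; line 0 is the request line.
            boolean isHost = i > 0 && lines[i].regionMatches(true, 0, "Host:", 0, 5);
            if (isHost && replaced) continue; // forward exactly one Host header
            out.append(isHost ? "Host: " + targetHost : lines[i]).append("\r\n");
            replaced |= isHost;
        }
        if (!replaced) out.append("Host: ").append(targetHost).append("\r\n");
        out.append(text.substring(headerEnd + 2)); // the blank line and any body
        return ByteBuffer.wrap(out.toString().getBytes(StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) {
        // Constructed request, as a browser pointed at the local proxy would send it.
        String req = "GET /index.html HTTP/1.1\r\nhost: localhost\r\nAccept: */*\r\n\r\n";
        ByteBuffer in = ByteBuffer.wrap(req.getBytes(StandardCharsets.ISO_8859_1));
        ByteBuffer fixed = rewriteHost(in, "www.example.org");
        System.out.print(new String(fixed.array(), StandardCharsets.ISO_8859_1));
    }
}
```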
I have made a web service client importing a third party wsdl in eclipse.
But I got this exception:
javax.xml.ws.WebServiceException: Connection IO Exception. Check nested exception for details. (Unable to connect to 1X.XXX.X.XX:X0 - Connection timed out).
I hope this exception occurred for the proxy only.
There is a proxy server between me and that third party. I don't know how to do the proxy authentication and where in the code I need to do this proxy authentication.
Is your end point on HTTPS? There are different ways proxies support HTTPS - one way is SSL bridging and the other is SSL tunneling.
Maybe the client-side libraries you used to connect may not support the one being used by the proxy...
You must explicitly set the proxy server in Java, the JRE does not retrieve it from the OS configuration. You can find the detailed explanation here. As per the link, a standard configuration may look like this:
System.setProperty("http.proxyHost", "myproxy.com");
System.setProperty("http.proxyPort", "8080");
Obviously, you can also define the system properties as VM arguments during startup.
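For the proxy authentication the question asks about, one option is a `java.net.Authenticator` that answers only the proxy's challenge. This is an added example, not code from the answers above; it assumes the web service client goes through the JDK's HTTP stack, and the user name, password and third-party host are placeholders.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;

/** Added example: answer authentication challenges only when they come from our proxy. */
public class ProxyOnlyAuthenticator extends Authenticator {
    private final String proxyHost;
    private final int proxyPort;
    private final String user;
    private final char[] password;

    ProxyOnlyAuthenticator(String proxyHost, int proxyPort, String user, char[] password) {
        this.proxyHost = proxyHost;
        this.proxyPort = proxyPort;
        this.user = user;
        this.password = password.clone();
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        boolean fromProxy = getRequestorType() == RequestorType.PROXY
                && proxyHost.equalsIgnoreCase(getRequestingHost())
                && proxyPort == getRequestingPort();
        // Returning null for everything else keeps the proxy password away from origin servers.
        return fromProxy ? new PasswordAuthentication(user, password) : null;
    }

    /** Asks the installed default Authenticator the way the HTTP stack would. */
    static boolean answers(String host, int port, RequestorType type) {
        return Authenticator.requestPasswordAuthentication(
                host, null, port, "http", "constructed realm", "basic", null, type) != null;
    }

    public static void main(String[] args) {
        // Proxy host and port as in the answer above; user and password are placeholders.
        System.setProperty("http.proxyHost", "myproxy.com");
        System.setProperty("http.proxyPort", "8080");
        Authenticator.setDefault(new ProxyOnlyAuthenticator(
                "myproxy.com", 8080, "PLACEHOLDER_USER", "PLACEHOLDER_PASSWORD".toCharArray()));

        System.out.println("proxy challenge answered:  "
                + answers("myproxy.com", 8080, RequestorType.PROXY));
        System.out.println("server challenge answered: "
                + answers("thirdparty.example", 80, RequestorType.SERVER));
    }
}
```

The `http.proxyHost` and `http.proxyPort` properties cover only `http://` endpoints; an HTTPS endpoint is routed with `https.proxyHost` and `https.proxyPort`.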