
Need help in understanding scripted authentication

strive
Influencer

Hi,

We use scripted authentication in our application. The following picture explains our application's nodes distribution. (This is not the complete picture. I just added items that are required for my questions)

The UI node runs on a JBoss server. All the requests pass through our servlet security filter. I added some logger statements to understand the scripted authentication flow.

My questions are:

1. As per my understanding, the scripted authentication Python script executes depending on the cacheTiming that is set in authentication.conf. It also executes whenever the dashboards/reports are loaded. Is this the right understanding?

2. When I launch a dashboard, I see the REST API URLs printed twice in the JBoss server.log. One log entry has the remote host as the IP address of the GUI node and the other log entry has the remote host as the IP address of the Search Head node. Why is the REST API invoked twice? Is it a single invocation but printed twice? Could you please help me to understand the scripted authentication in a better way.

3. If I launch a dashboard n times, n sessions are created. For every launch a new session is created on the GUI. Is it possible to share the jsessionid with Scripted Authentication so that all the scripted authentication invocations will be under a single session for a user until he logs out of the system?

Thanks

Strive

0 Karma
1 Solution

strive
Influencer

userLogin: Once during login to application.
getUserInfo: Function is called periodically if user has logged into the application.
getUsers: Always called periodically irrespective of user logins.

paramagurukarth
Builder

For Question Number One:
Answer:
Your understanding is correct.

For Question Number Two:
Answer:
I couldn't understand your question.

For Question Number Three:
Answer:
Normally the insecure login request URL will be like
http://sh-ip:8000/account/insecurelogin?username=&password=&return_to=
Yes, Splunk will create a new session for every request sent to the URL "/account/insecurelogin?"

But you can avoid that by identifying the difference between the first (successful) request and further requests.
If you manage to identify that, you can send "/account/insecurelogin?" until you create a session, and after creating a session just sending the direct dashboard link will return the corresponding page. (Internally, for the second request your browser will attach the successful session cookies and let Splunk remember that session.)

How to identify a successful login:
1. On successful loading of any dashboard inside the iframe, you can update a JavaScript variable of the parent window (e.g. window.top.isSplunkLoded = true;).
2. Next time, before populating the iframe URL, you can check isSplunkLoded and populate just the dashboard link without the "/account/insecurelogin?" link.
3. You can write your code to populate isSplunkLoded either in application.js or in template HTMLs if you are using any. Just make sure that the script runs when your Splunk page has loaded successfully.

The challenge is:
You cannot access parent window properties from the script inside the iframe, since your UI and Splunk are on different domains.
You have to make both the same domain:
1. You can have a common proxy server that redirects to the UI and the Splunk SH based on URL pattern, and expose that server to the user.
2. Set a common base URL for your UI and redirect the user to the UI when you get that URL pattern.
3. Splunk's URLs will follow some common patterns like /splunkApp, /en-, /insecurelogin. Redirect these items to Splunk.
4. Just give a relative path in the iframe: "/account/insecurelogin?username=&password=&return_to="

Check the httpd.conf configuration to create the proxy server and redirection.

strive
Influencer

A few more tests, and here is my observation:
userLogin: Once during login to application.
getUserInfo: Function is called periodically if user has logged into the application.
getUsers: Always called periodically irrespective of user logins.

0 Karma

ronak
Path Finder

Hi -

I'm new to Splunk external Authentication...I've done some reading though. One question that I was hoping someone can help clarify -

I've Splunk 6.2 in search head clustering mode, with three search heads in my cluster. When I use external authentication, it seems that I still must,

  • create roles on all search heads
  • create users on all search heads
  • associate roles to users in splunk

the external authentication gets used only for password authentication.

Meaning the flow will be,

a. Define roles in ALL search heads (with right access e.g. role1 can access index A and role2 can access index B)
b. Define users in ALL search heads
c. Create association of roles and users in ALL search heads
d. Create user and password in external database
e. Create roles (that are exactly same name as in Splunk) in external database

f. When a user logs in from Splunk's login page, Splunk will go to the external system, verify the password, and get the associated roles back
g. Splunk will then read these returned roles, get the associated privileges, and subsequent searches from the user will utilize this role-privilege information to apply the correct restrictions

Did I get it correct?

0 Karma

strive
Influencer

As per the documentation userLogin and getUserInfo functions should also run periodically. Whereas in reality userLogin runs once and getUserInfo zero times.

0 Karma

strive
Influencer

I conducted some more tests on this. Based on the test results here are my answers.

For Question 1:

userLogin function is called only once. That is during login.

getSearchFilter function is called every time a search is run (It is working as per the documentation http://docs.splunk.com/Documentation/Splunk/6.0.3/Security/UsethegetSearchFilterfunction).

getUsers function runs periodically. The interval depends on the cacheTiming set for getUsersTTL.

0 Karma
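One way to reproduce the call-frequency measurements discussed in this thread: a scripted-authentication handler that logs each invocation (function name and user, never the password), so the log timestamps can be compared with the cacheTiming TTLs. This is an added example, not code from the posters or from Splunk; the user table, salt, log file name and helper names are constructed, and the stdin `--key=value` input and the `--status=` / `--userInfo=` output formats are assumptions about the scripted authentication interface.

```python
"""Scripted-auth handler (added example) that logs every call it receives."""
import hashlib
import hmac
import logging
import sys

SUCCESS, FAILED = "--status=success", "--status=fail"
SALT = b"constructed-salt"  # constructed sample value, not a real secret
def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample directory: username -> (password hash, real name, roles)
USERS = {
    "alice": (_hash("correct horse"), "Alice", ["admin"]),
    "bob": (_hash("battery staple"), "Bob", ["user", "power"]),
}

def parse_args(text):
    """Parse '--key=value' lines (the stdin format assumed here) into a dict."""
    args = {}
    for line in text.splitlines():
        if line.startswith("--") and "=" in line:
            key, value = line[2:].split("=", 1)
            args[key] = value
    return args

def _user_info(name):
    # Assumed field order: userId (left empty);username;realname;role1:role2
    _, realname, roles = USERS[name]
    return "--userInfo=;%s;%s;%s" % (name, realname, ":".join(roles))

def handle(function, stdin_text, log=logging.getLogger("scripted_auth")):
    """Dispatch one call; log the function and user, never the password."""
    args = parse_args(stdin_text)
    user = args.get("username", "")
    log.info("call=%s user=%s", function, user or "-")
    if function == "userLogin":
        stored = USERS[user][0] if user in USERS else _hash("")
        given = _hash(args.get("password", ""))
        return SUCCESS if user in USERS and hmac.compare_digest(stored, given) else FAILED
    if function == "getUserInfo":
        return SUCCESS + " " + _user_info(user) if user in USERS else FAILED
    if function == "getUsers":
        return " ".join([SUCCESS] + [_user_info(n) for n in sorted(USERS)])
    return FAILED

if __name__ == "__main__":
    logging.basicConfig(filename="scripted_auth_calls.log", level=logging.INFO,
                        format="%(asctime)s %(message)s")
    print(handle(sys.argv[1] if len(sys.argv) > 1 else "", sys.stdin.read()))
```

Counting the `call=` lines per function in the log over a fixed window shows which functions fire once at login and which repeat on a timer.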