Good morning. Question scenario is as follows. Suppose an employee with a role goes to annual leave and he has an account in a spring boot application. How can I disable his user account so that logins fail at that time. How do I write the code? I'm using WebSecurityConfigurerAdapter but I failed to accomplish this task. I need sample working code using preferably Spring boot 2.6.* cause other resources I found on the net are using older versions.
Thanks in advance.
If you want to disable a user for a certain period of time where the user can not log in till u enable his ID, then I assume that u created a table of name "User" where you store all user credentials, specify two more columns "role" and "isActive(boolean)", in "role" column you can specify your role as ADMIN or ROLE_ADMIN and write a code with logic where an admin has all authorization, as an admin you can alter the data, before that you should write a code for only active users can log in, then as an admin, you can change the state from "true" to "false" in the specific user's "isActive" column, now the user only able to login if his "isActive" state is true.
you can ping me any time...
Related
I created a multi-tenant application where each tenant have different set of users. I am trying to implement a functionality where same user might exist in different tenants. Does outsystems provide such functionality or I have to create my custom logic ?
Right now, I did create a user having same username in 2 different tenants and during login I am showing user to select tenants. But on changing tenants and logging to that tenant, the environment doesn't switch to that tenant that user has selected.
Below is the image of the logic of switching tenants and logging in the customer.
During debugging I saw that after executing TenantSwitch action it did change the Site.TenantID property but after User_Login action is reverted to the first tenant not the one user selected.
When you use User_Login(), the system will log you in the first Tenant it finds in the DB that has that username, thus ignoring your TenantSwitch().
So, if you want to login to a specific Tenant in your case, you need to be more explicit and instead use the Login() action - after the tenant switch.
For a thorough explanation of this, with example code, please check out the following deepdive Master Class on Multi-Tenancy starting around the 27:20 minute mark.
This isn't available out of the box as OutSystems assigns users (and all entities) to a specific tenant. Entities belonging to single tenanted modules are assigned to the default tenant.
OutSystems uses a hidden .Tenant_Id attribute on each entity to indicate which tenant that user belongs to. You can unhide this attribute for the users entity by selecting it, clicking More... and then ticking the relevant box in the Advanced tab. You can then access the attribute directly, but be aware this will hinder OutSystems' ability to do some of the stuff it does automatically to ensure that you access tenant specific data.
When you use the User_Login action OutSystems will deduce which tenant to use from the User.Tenant_Id attribute regardless of which tenant you've switched it to previously. The user would need an account for each tenant they need to use, but there's no reason this couldn't be done behind the scenes with OS fetching the correct username before logging in. You'd need to ensure they all stay in sync though, especially the passwords ofc.
I'm developing an application using Grails and Spring Security.
My wish is, when the user creates his account informing his company name, the app creates an entry in the company, role and user tables and relates that role and user with the company entry.
The role created will be like an administrator which has permission for do every thing. This user with that role can creates new roles specifying the permissions but all roles created should be only in the company scope, so those roles should not be available for users of others companies.
I've seen that the Spring Security has a feature called Requestmap which for each URL, the application can specify the roles which will have access.
I don't know if this is the best solution, because in my app the number of roles will increase at least as many as the number of user.
Do you guys have some advice of how to solve this problem?
Thank you for all.
You should have a look on Spring Security ACL plugin.
With this plugin you would be able to add permissions (like write or read permission) to certain users on certain domain models.
Have a look on example taken from documentation:
#Transactional
#PreAuthorize("hasPermission(#report, write) or " +
"hasPermission(#report, admin)")
Report updateReport(Report report, params) {
report.properties = params
report.save()
report
}
By using PreAuthorize annotation it is checked if user has write (or admin) permission on this certain Report entity.
I have question:
It is possible to customize query at authentication provider using jdbc-user-service ?
For example:
i have an application where users chose there roles when they insert there logins and passwords, so i want to create a query like this:
select login,password, enabled from xxxx where username=?
and after this query i want to attribute to this person (returned by this query),if exists, a role which is xxxx. I should also pass the role selected to this query.
xxxx is the role which is selected by user at first
I hope that you understand me and sorry if it is a stupid question , i'm still beginner.
I think you should consider writing custom authentication service class, instead of jdbc-user-service query. You hold the user role somehow and while building authorities of logged in user in UserDetails service, add appropriate role in the collection. OR The role of logged in user can be manipulated later. You are gonna have to try and manipulate spring security context. Read this forum page to know more.
I am currently having a problem in implementing concurrent user session in spring mvc. My requirement is that "I have a web application which uses spring MVC, and I have my own login form and I have not implemented spring security yet(which means I have not configured any role based user restriction in my web application). I want only one user with same username to be logged in from a machine. I have surfed all over the net , but couldn't find any useful links nor example project(without role based).
My Requirement:
One user per session
No role based restriction
Have my own login form and once the user logs in , user object(which contains username an password) is stored in session object
If user tries to login for second time , previous user session should be terminated and new user(second user) should be allowed to home page.
Can some one please provide me a solution, links or example project for my requirement ? Many thanks in advance :)
Why not just go ahead and use Spring Security? It will take care of deactivating sessions for you. You can use your own login form and not restrict any of your endpoints based on roles.
You can configure the max number of sessions like so:
We are using 2.x spring security right now. I am asked to build an admin tool so that the ROLE_ADMIN can change to any user in the site and view the site as that person (each person on the site may see different stuff depending on the role which is dynamically granted base on the database) and of course the admin should be able to switch back to admin without logging in.
Is there a build in function, if not how should I do this?
Thanks in advance!
Use the existing Spring SwitchUserFilter:
http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.html
I don't know any spring-security out-of-the-box solution that will answer your requirement, but I can suggest you a way for implementing it.
Declare a url for the "view the site as" action with a query param to get the user name, for example: /myApp/viewTheSiteAs?user=marley
Write your own custom filter that will do the following:
2.1 Validate that the authenticated user is "admin" user
2.2 Extract the user from the action ("marley" :-))
2.3 Validate that it exists (using the UserDetailsService).
2.4 Construct new Authentication object with the granted authorities that fits the user you have extracted, and replace the current Authentication object with your own object: SecurityContextHolder.getContext().setAuthentication(myNewAuthObject)
Add a filter chain in spring security config file for /ViewTheSiteAs that will act as regular filter chain (should authenticate the "real" user as regular), and locate your custom filter at the end of the chain.
Doing the following will cause spring security to think that the user from viewTheSiteAs action is the authenticated one, and by that check the permissions according this user.
p.s. - this is not a security break since it downgrades the authenticated user permissions, which means "less powerful" user.
Good luck.