I'm having trouble understanding at which point to save my password to the database.
I was doing it in the UserService, but that results in hashing the password again when saving, so I am unable to update my user using CRUD.
I know I should not do it in the Service, but where then?
Can I do it in the setter in User Entity?
I'm getting and saving my users in a UserRepository.
The way I have done this before is having 3 separate methods in your UserService called createUser, one called updateUser and another called updatePassword.
Only the createUser and updatePassword will set the password hash. The updateUser will retrieve the user from the database first and then update all the fields except the password.
Related
I have a old database on which I want to use new Laravel 5.2, i want to change its User Authentication code to my requirements like - its tablename, username field(its not a email field), its password and also need to stop laravel from encrypting the password as the password are not encrypted in the database, also I need to remove features like remember me option, register new users ... Can anyone please help/guide me.
password from users and database are one and the same - laravel shall not encrypt the password string.
I am trying to succeed in all the above things together past 2 days now. if one thing is rectify I goof up with another. specially in case of password checking - currently any / wrong password will also be allowed as a user - only username needs to be correct.
Thanx in advance.
I assume that you're using AuthController class that Laravel provides, your user model class is called User and you're using Eloquent user provider as it's the default one.
In order to change the name of the table that stores users you need add the following to your User class:
protected $table = 'your_table';
If you want to change the column that is used to login users from email to another column, you need to add the following code to your AuthController:
protected $username = 'username';
Registration won't be available to your users if you don't define routes for those actions so no need to disable that.
In order to disable remember-me functionality you need to override setRememberToken() of your User model and make it empty. This way remember-me token won't be saved for that user which will prevent user from logging-in automatically:
public setRememberToken() {}
In my app, a new user can be created without specifying a password. I want to send that user an email with a Set Password link (including a token), exactly like the Reset Password email.
To use and write a token to the password_resets table, do I have to create a password_reset model?
Thanks
You should import DB class and then you can use DB class; somethings like this:
DB::table('reset_passwords')->action()->get();
without need to create a model.
I have question:
It is possible to customize query at authentication provider using jdbc-user-service ?
For example:
i have an application where users chose there roles when they insert there logins and passwords, so i want to create a query like this:
select login,password, enabled from xxxx where username=?
and after this query i want to attribute to this person (returned by this query),if exists, a role which is xxxx. I should also pass the role selected to this query.
xxxx is the role which is selected by user at first
I hope that you understand me and sorry if it is a stupid question , i'm still beginner.
I think you should consider writing custom authentication service class, instead of jdbc-user-service query. You hold the user role somehow and while building authorities of logged in user in UserDetails service, add appropriate role in the collection. OR The role of logged in user can be manipulated later. You are gonna have to try and manipulate spring security context. Read this forum page to know more.
I have a pretty common Spring Web MVC application using Hibernate. The user of the application are stored in a table called USER and there also username, password and a couple of other properties are stored. Also I am using Spring security with jdbc-user-service in order to secure the application so that only user from this table can access is with their username / password.
Now my problem is that once logged on, I need to access this user object quite often, e.g. in order to get all orders from this user, the address of this user and so on. I know how to access the Principal object, which shares username with my User Object, but I am wondering which would be the best strategy to easily access my custom User object. There are a couple of strategies like putting it in the session, write a findUserByUsername() method and call it whenever needed (which would result in hitting the database quite a lot I think) but I am looking for a smarter way. Is it somehow possible to inject a User object? Or should I rather put it in the session? If so, how would be the best way to achieve this? How could I hook in after the Spring frameworks login event?
Any suggestions?
Thanks
Paul
You could always scope a UserDetails bean to the session (link). This would, of course, be a stateful bean, so you would be free to store any information about your User entity that you need to and access it as long as the session is active. One trip to the database.
Note: The User object (and any related objects) will be detached from the Hibernate Session. Keep this in mind when either 'storing' the values within the bean or accessing them in later processing.
I'm using the MVC forms log in which works ok, but I need to call a data service which requires the same Username and Password combination from within a controller.
Using HttpContext.User.Identity.Name I can get the name, but what about the password? Is there any way to retrieve this after the user has already logged in?
First of all, you shouldn't be storing passwords in your application. Membership provider doesn't store the password in clear-text anywhere. All you have in database is salted hash. There is no way to obtain user's password after they logged in.
You would need to get the password from the Login action or create a custom MembershipProvider.
But consider changing the design if possible so you don't have to keep clear-text passwords. Once the user has been authenticated you know who it is, and lower layers in your application can trust upper layers with passing the authenticated principal to them. Otherwise why would they trust with passing correct username/password pair?