My Requirement
I need to authenticate the users at login with my own logic like, For eg: calling an external authentication server and using OpenDirectory in case if the server is not reachable.
What I know
I know that i need to create an authorization plugin like the apple's sample NullAuthPlugin and add an entry in authorizationdb at 'system.login.console' right to invoke my plugin to achieve this.
What I need
Can I able to achieve my requirement without replacing the loginwindow GUI ie the mechanism <string>loginwindow:login</string>??
ie,Can i able to achieve this by keeping the existing mac's login screen as such and obtain the credentials to perform my own authentication ?? If possbile where should i place my mechanism at 'system.login.console' ?
My idea
I think of replacing the <string>builtin:authenticate,privileged</string> with my own plugin to achieve my requirement ? Is it OK to replace the buitin login mechanism ?
Is my approach correct ? Can anyone help me to clarify regarding this ?
From what I understood you can create an authorizationplugin and put it after <string> loginwindow: login </ string>.
It will not replace the macOS auth but it will add a layer, I'm not sure what it will look like if you remove <string> builtin: authenticate, privileged </ string>, but I think I remember that I tried something like that and it was crashing.
Otherwise you can also write a PAM module, the PAM stack is just invoked on it: <string> builtin: authenticate, privileged </ string>
If you add a module with sufficient control flag on /etc/pam.d/authorization file it will do the job.
Related
I'm trying to set up a reverse proxy for single sign on to an application. the URL to reach my app and the defined authentication method is "http://servername.domain/app/main?authsource=sso_rp"
My current config just sends me to the application login prompt. I've tested my authentication source and confirmed its working. My question is, does my URL rewrite config look like it should? there are no conditions or variables defined. i know I'm missing something simple but this isn't documented on the vendor end so seeking your help.
I have been crawling through various forums and blogs for an AuthorizationPlugin example or understanding which can show me how to create a mac authorization plugin that do not affect any UI components. I want to use it for a remote access kind of solution. I have been able to get NameAndPasswordPlugin example work. But I am not able to achieve below requirements:
Do not change the default UI. i.e not have any custom UI components
Ability to read and write into default UI fields, especially username (if any) and password
Work on need basis. i.e. I need the mechanism to pass through when remote access session is not ON. In that case I want it to fall back to loginwindow:login mechanism
Also how would it communicate with outside world ? I was not able to read or write into files from plugin. I saw an example where some pipes where used. not sure what the recommended method
You don't need a SFAuthorizationPluginView, you just need an authorization plugin. You insert your plugin into the list of plugins and it can read from contexts set by previous plugins and write to or create contexts for later plugins.
For example, if you are working with console login this bash command shows you what mechanisms are configured (mechanisms are instances of a plugin)
security authorizationdb read system.login.console
If you add your plugin after builtin:authenticate,privileged then you can use this code in your mechanismInvoke function to read the values.
err = mechanism->fPlugin->fCallbacks->GetHintValue(mechanism->fEngine, "username", &value);
if (err == noErr) {
//Log the event
os_log(OS_LOG_DEBUG, "Login for user '%{public}s'.",(const char *)value->data);
}
where mechanism->fPlugin->fCallbacks->GetHintValue and mechanism->fEngine are the callback and engineref you setup as part of your plugin. There is also a "SetContextValue" function for writing the username or password.
You will need to write an authorization plugin which will set the context values "username" (kAuthorizationEnvironmentUsername) and "password" (kAuthorizationEnvironmentPassword). Then set result as kAuthorizationResultAllow. You would also need to place your plugin just before loginwindow:login.
Recently, I have been working on a CredentialProvider in order to unlock automatically (the trigger can be any event, so let’s say the end of a timer) a Windows Vista (or more recent version) user session.
For that I read some useful articles on the subject, the change between GINA and this new architecture. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx.
I think, like everyone in the process of creating a custom CredentialProvider, I didn’t start from scratch but from the sample code provided by Microsoft. And then I tried to change the behaviour (things like logging) in the different functions.
So in the end I can use the custom CredentialProvider, enter the SetUsageScenario methods but still I cannot reach the Set or GetSerialization method. From what I’ve understood in the technical documentation on CredentialProvider (still provided by Microsoft) theses two methods should be called automatically. Is there something I missed ?
Also, my original idea was to get an authentication package using Kerberos in order to perform an implicit user authentication. I got this idea by seeking information on other SO or MSDN threads like
Is this approach the good one ?
Thank you very much for your time answering my questions. Any clarifications are welcomed, even if they don’t directly resolve my problems :-)
First of all - you need to set autologon flag to true in your implementation of the ICredentialProviderCredential::SetSelected(BOOL *pbAutoLogon) and ICredentialProvider::GetCredentialCount methods.
Next, you need to call ICredentialProviderEvents::CredentialsChanged when your timer is hit.
LogonUI will recreate your credentials, and because autologon is set to true it will call your GetSerialization() method.
SetSerialization and GetSerialization functions are called from your provider by LogonUI. After user enters username/password and presses ENTER button, LogonUI calls GetSerialization function and provides a pointer, as one of the four parameters, that will point in future to CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure created and filled by you, and then this structure will be sent from LogonUI to Winlogon to perform authentication. I don't know how to make LogonUI to call GetSerialization from your credential provider code and as far as I know you can't call GetSerialization by your own because where will you pass your filled CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure if no one requested it, but only LogonUI can path it to Winlogon?
There is a document called "Credential Provider Technical Reference", there you can read some details about credential providers. In the Shell samples folder there is a strange folder called "Autologon", maybe it will help you! Good Luck!
Everything is customizable but SessionFeature (Also it is derived from IPlugin :) ) is mandatory.
I want to use MySessionFeature:IPlugin but everywhere in Controller,Attribute ... it is used as strong-typed.
Is it by-design or something else?
SessionFeature contains useful overloads and sets the ss-id,ss-pid and ss-opts cookies on the response that are required for everything in ServiceStack that relies on the Session to work like the IAuthSession/CustomUserSession and Authentication.
You can register the Session plugin without Authentication, but when you register the Authentication plugin it will automatically register the Session Plugin if you haven't already.
I'm still working on my first Grails application. This time, my problem is to limit access to some actions for particular users.
Assume users add some object, e.g. books. I would like to give access to edit a book only to admin and the user that added the book. I'm currently using Acegi plugin. I know there is newer version of that plugin, but I'm not sure if it changes anything in my problem.
The second thing is some kind similar. I have a sidebar and there is "Hello ${currentUser.username}. currentUser is a method that returns an instance of currently logged user. But the problem is that I don't have any idea where can I put this message to be able to use it everywhere. Should I put it in some service and include it everywhere? I tried to create an ApplicationController that is extended by all other controllers, but that doesn't seem to work. Have you got any ideas?
Thanks!
Grzegorz
You should use the newer Spring Security Core plugin since it has an ACL add-on plugin that does exactly what you're looking for. See http://grails.org/plugin/spring-security-acl for details.
For the second question, there's a taglib for that. In the Acegi plugin use this:
Hello <g:loggedInUserInfo field="username"/>
(see http://www.grails.org/AcegiSecurity+Plugin+-+Artifacts) and in the Spring Security Core plugin use this:
Hello <sec:username/>
(see the "Security Tags" section of http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/)
For ROLE access you'll just need to specify that a particular ROLE for a particular URL has access to that action. That is if you are using the plugin's RequestMap approach. If you're using the annotation approach, just annotate the action in the controller with:
#Secured(['WHATEVER_ROLE'])
As far as only allowing the user who created the book to edit it, you can pull the user domain out of the authentication with authenticateService.userDomain(), then you can compare that user with the user who created the book (assuming you have some sort of createdBy property on your Book domain.
def loggedInUser = authenticateService.userDomain()
if (book.createdBy.equals(loggedInUser)) {
// allow editing
}
Something like that, anyway.