Spring how to make password on admin panel - spring

I have Spring Security with 2 roles (ROLE_USER, ROLE_ADMIN).
Now, I want to implement an admin panel. I have already restricted access to the panel URL to users who have ROLE_ADMIN. But I want to make it extra secure.
When a user with ROLE_ADMIN opens the admin panel pages for the first time, he will have to enter an admin panel password. So, my question is: what is a good way to implement this feature?

Your suggested idea, making a user with role 'ROLE_ADMIN' re-enter his password, is used to secure against the case of leaving your device unlocked. It is used for critical, high-impact actions like changing your mail password, which require something like token renewal. I think implementing two-factor authentication adds a second security layer.
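As an added example (not code from the question or the answer above), here is one way to implement the re-enter-your-password step for the admin panel with Spring Security: a filter that lets ROLE_ADMIN requests into /admin/** only once the session holds a recent "step-up" timestamp, and a controller that sets that timestamp after verifying the caller's own password through the AuthenticationManager. The class names, the /admin/verify URL, the session attribute name and the 15-minute validity window are all assumptions; the Java-config API (OncePerRequestFilter, addFilterAfter) assumes Spring Security 4 or later.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Step-up check for the admin panel (assumed class name).
 * Register it AFTER FilterSecurityInterceptor, e.g.
 *   http.addFilterAfter(new AdminStepUpFilter(), FilterSecurityInterceptor.class);
 * so the normal hasRole("ADMIN") rule on /admin/** has already run and only
 * authenticated admins ever reach this filter.
 */
public class AdminStepUpFilter extends OncePerRequestFilter {
    static final String UNLOCKED_AT = "ADMIN_PANEL_UNLOCKED_AT"; // session attribute, assumed name
    static final Duration STEP_UP_TTL = Duration.ofMinutes(15);  // assumed policy: re-verify after 15 min

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String path = req.getServletPath();
        boolean adminPage = path.startsWith("/admin/") && !path.equals("/admin/verify");
        if (adminPage && !isUnlocked(req.getSession(false))) {
            // Not yet verified (or verification expired): send the admin to the password prompt.
            res.sendRedirect(req.getContextPath() + "/admin/verify");
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only if the session was unlocked less than STEP_UP_TTL ago. */
    static boolean isUnlocked(HttpSession session) {
        if (session == null) {
            return false;
        }
        Object at = session.getAttribute(UNLOCKED_AT);
        return at instanceof Instant && Instant.now().isBefore(((Instant) at).plus(STEP_UP_TTL));
    }
}

/** Handles the password prompt (assumed class name and view name). */
@Controller
class AdminVerifyController {
    private final AuthenticationManager authenticationManager;

    AdminVerifyController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @GetMapping("/admin/verify")
    public String form() {
        return "admin-verify"; // assumed view name
    }

    @PostMapping("/admin/verify")
    public String verify(@RequestParam("password") String password, HttpServletRequest req) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        try {
            // Re-check the caller's OWN password against the normal user store; no separate
            // shared "admin panel password" is stored or compared here.
            authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(current.getName(), password));
        } catch (AuthenticationException e) {
            return "redirect:/admin/verify?error";
        }
        // Issue a fresh session id before granting the elevated state (session-fixation hygiene).
        req.changeSessionId();
        req.getSession().setAttribute(AdminStepUpFilter.UNLOCKED_AT, Instant.now());
        return "redirect:/admin/";
    }
}
```

The timestamp rather than a boolean flag is deliberate: the re-verification expires on its own, so an admin who walks away from an unlocked browser does not leave the panel open indefinitely, which is the scenario the answer describes.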

Related

How to allow AD users the ability to change password if expired?

If you have an application that is being authenticated with Active Directory using Forms Authentication in MVC, how can you allow the user to change his password after it expires?
From what I am observing, if a user's password has expired, the Membership provider will simply refuse to let you authenticate, thus not allowing the user to access the page. However, if I modify the page to allow the user to go to it and enter a user name, old password, and new password, it still seems not to work, just returning 'false' from the change password function.
Any insight or solutions on this?
Insight referring to scripts? If yes, please have a look at these links:
http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/17/how-to-change-a-user-s-active-directory-password-with-powershell.aspx
http://community.spiceworks.com/scripts/show/1889-reset-ad-user-password
Moreover, there are many self-reset solutions. Please update so that a name can be explained to you.
Thanks.

Joomla - Two Factor Authentication - Opt-in

Currently, it appears that Joomla has an opt-in 2FA implementation.
Is it possible to force our users to use 2FA login?
Two-factor authentication is typically used for Administrators and up. Setting it up can be tricky (the user needs to download and initialize the Google app), so each user should do it individually.
Since you're creating the users (you need a Super User to add new users), you could create a new user group with access only to com_users, so they may set up two-factor authentication; then, once they do, manually move them to a higher group which will give them full access to the administrator.
You will also need to create a template override so the admin users won't be able to change the two-factor authentication preferences.

Devise authentication using custom SessionsController

I am overriding SessionsController because I need special behavior.
When a user signs up, he will be inactive and won't be able to log in. I want to add that check to the login process.
The user will become active after an administrator authorizes him, changing one field in the CMS. How can I manage the login process so it doesn't allow inactive users to log in?
You can simply add an "active" column to your user table and Devise does the magic for you :).
Take a look at the link below to see how it works:
http://pivotallabs.com/users/carl/blog/articles/1619-standup-3-21-2011-deactivating-users-in-devise

Asp.Net MVC 3 MembershipProvider and ClientCertificate

I was thinking about writing my own MembershipProvider for my web app. People won't normally register but will be supplied with login info. Will Membership then not be the right thing?
I will still have some roles and such as well, and I might want people to be able to authenticate using a ClientCertificate instead of the normal login. I still want them to be Membership-verified (there is an identifiable field in the certificate and the database I could use) and to use roles and such.
Is MembershipProvider perhaps only used with the original login authentication and not authorization?
Nothing special seems to happen when a user is validated, so how does the Authorize attribute know who is authorized?
The existing membership works just fine if you want to supply login info. There is no requirement that user registration be initiated by the user. Just take the standard code and let the site administrator run it.
Yes, membership is just for authentication. The out of the box feature for authorization is the roles feature.

How to change granted role temporarily to achieve "view the site as" someone else

We are using Spring Security 2.x right now. I am asked to build an admin tool so that ROLE_ADMIN can change to any user in the site and view the site as that person (each person on the site may see different stuff depending on the role, which is dynamically granted based on the database), and of course the admin should be able to switch back to admin without logging in.
Is there a built-in function? If not, how should I do this?
Thanks in advance!
Use the existing Spring SwitchUserFilter:
http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.html
I don't know any Spring Security out-of-the-box solution that will answer your requirement, but I can suggest you a way of implementing it.
1. Declare a URL for the "view the site as" action with a query param to get the user name, for example: /myApp/viewTheSiteAs?user=marley
2. Write your own custom filter that will do the following:
2.1 Validate that the authenticated user is the "admin" user.
2.2 Extract the user from the action ("marley" :-)).
2.3 Validate that it exists (using the UserDetailsService).
2.4 Construct a new Authentication object with the granted authorities that fit the user you have extracted, and replace the current Authentication object with your own object: SecurityContextHolder.getContext().setAuthentication(myNewAuthObject)
3. Add a filter chain in the Spring Security config file for /ViewTheSiteAs that will act as a regular filter chain (it should authenticate the "real" user as usual), and locate your custom filter at the end of the chain.
Doing the above will cause Spring Security to think that the user from the viewTheSiteAs action is the authenticated one, and thereby check the permissions according to this user.
p.s. - this is not a security break since it downgrades the authenticated user's permissions, which means a "less powerful" user.
Good luck.
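The two answers above describe the same feature in two ways: the built-in SwitchUserFilter, and a hand-written filter that swaps the Authentication in the SecurityContextHolder. The following is an added configuration example (not code from either answer) wiring up the built-in filter in Spring Security Java config. It assumes Spring Security 4.x/5.x with WebSecurityConfigurerAdapter, a UserDetailsService bean supplied by the application, and the URLs /admin/impersonate and /admin/impersonate/exit, which are my choice. The helper originalAdmin() shows the one thing the hand-written approach loses: SwitchUserFilter keeps the real administrator's Authentication inside a SwitchUserGrantedAuthority, so audit logs can still record who was behind the impersonated session.

```java
import java.util.Optional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

/** Assumed class name; URLs below are assumptions as well. */
@Configuration
@EnableWebSecurity
public class ImpersonationConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService;

    public ImpersonationConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    // Deliberately NOT a @Bean: a servlet Filter bean would also be auto-registered
    // in the container outside the security chain, bypassing the rules below.
    private SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);     // validates the target exists
        filter.setUsernameParameter("username");              // /admin/impersonate?username=marley
        filter.setSwitchUserUrl("/admin/impersonate");        // start viewing the site as someone
        filter.setExitUserUrl("/admin/impersonate/exit");     // switch back to the real admin
        filter.setTargetUrl("/");                             // where to land after switching
        filter.setSwitchFailureUrl("/admin?switchFailed");    // unknown or disabled target user
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only a real administrator may start impersonating ...
                .antMatchers("/admin/impersonate").hasRole("ADMIN")
                // ... and only a session that is currently impersonating may switch back.
                // SwitchUserFilter grants this authority to the impersonated Authentication.
                .antMatchers("/admin/impersonate/exit")
                    .hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            // Placed after authorization so the hasRole("ADMIN") check on the switch
            // URL runs before the switch itself, as the custom-filter answer requires.
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
    }

    /**
     * Recovers the real administrator behind an impersonated session, for audit logging.
     * Returns empty when the current user is not impersonating anyone.
     */
    public static Optional<Authentication> originalAdmin(Authentication current) {
        if (current == null) {
            return Optional.empty();
        }
        return current.getAuthorities().stream()
                .filter(SwitchUserGrantedAuthority.class::isInstance)
                .map(a -> ((SwitchUserGrantedAuthority) a).getSource())
                .findFirst();
    }
}
```

With this in place, an admin visits /admin/impersonate?username=marley, sees the site with marley's authorities, and returns via /admin/impersonate/exit without logging in again; any action performed while switched can be attributed to the administrator by calling originalAdmin(SecurityContextHolder.getContext().getAuthentication()).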
