custom hashing of forgot password using cloud code or javascript sdk of parse.com - parse-platform

I have a custom hash that I apply to passwords so that it matches the legacy .NET membership provider hashing. I apply the hash client-side when registering users, but the forgot-password link, since it is done by Parse without the hash, creates an issue.
Can I create a cloud code method or event handler that can capture password reset events so that I can hash it?
I tried creating my own forgot-password cloud code function, but it seems not to be able to set the password since there is no logged-in user during the cloud code function request.

If you want to manipulate user objects while in Cloud Code, use the Parse.useMasterKey() method to override the normal security settings. Although I can't really recommend trying to manipulate the password yourself of course.

Related

Bind manager credential on ActiveDirectoryLdapAuthenticationProvider Spring framework

On a JHipster application, I've added a custom authentication provider to verify the user and password of Active Directory users that log in. This custom component implements AuthenticationProvider, and inside the "authenticate" method it instantiates an ActiveDirectoryLdapAuthenticationProvider object to get authentication and verify presence in specific groups.
With a simple A.D. test environment I have no problem, but in production my company asks me to bind a service account, and I cannot find any method to set up the manager AD account and password. How can I get around this problem?
On the Spring documentation I've read the phrase "There is no concept of a "manager" user."
My app uses 5.1.8.RELEASE.
Thanks!
Looking at the code, it validates the user's credentials by binding using the user's credentials. That's really the only way to validate credentials.
I assume, since it has already made a successful bind, it just continues on making whatever search it needs to.
There might be a way to use different credentials for reading the groups, but it all depends on what your current code looks like. But there really is little point in doing this. You have to bind using the user's credentials to validate their credentials. So you may as well continue using that same connection.

Customizing Windows Vista Sample Existing Wrap Credential Provider

I am wrapping the password credential provider and adding an extra password field. I have it set up so I can do my own password validation logic and work with the extra field. I have created the field already, but I am unable to understand where to apply the logic in the code section for validation. Can anyone specifically point to the functions in the credential provider to do this?
It's not in the CP itself; look at https://github.com/LastSquirrelIT/MultiOneTimePassword-CredentialProvider for more understanding.
You can either stop the credential provider from completing serialization in the GetSerialization method, or you can implement and register a sub authentication filter
If going the filter route, you will need to come up with some shared secure process for sharing the password between the credential provider and the LSA, which is not trivial.

Disable requests to Parse-server without Master Key

Is it possible to disable requests sent to Parse without a master key? I'd like to only access Parse through my custom backend and not give users direct access. Does public 'read' set on the User class mean that anyone can read the records in that class? If so, why is this a default - wouldn't that be against good security practices?
Thanks,
Daniel
Public read means that anyone with your API key can read the user collection from your Parse server. The API key is not the best approach to protect your app because anybody can learn it by sniffing your network requests.
In order to protect and provide access you can protect your objects with ACLs, which allow you to grant access to a specific user (who is logged in) or to a specific role. So you have a couple of options:
1. Create a master user - each user must have a username and password, and when you create your Parse objects make sure that only this specific user can create/read/delete and update them. You only have to make sure that when you create an object you create an ACL for this user, so only this user will be able to modify and read the object. You can read more about parse-server security and ACLs here: http://docs.parseplatform.org/rest/guide/#security
2. Use Parse cloud code - in cloud code there is a nice feature, useMasterKey, which provides full access to any object of parse-server, so for each operation that you run (via the JS SDK) you can also set useMasterKey to true and then parse-server will ignore all the ACLs and execute the query for you. The useMasterKey feature works only in the cloud code context, so it's safe. If you want to provide an additional level of security you can run the cloud code function with your master user (from option 1) and check inside the cloud code for the user session, so if the session is empty then you can return an error.
You can read more about cloud code in here: http://docs.parseplatform.org/cloudcode/guide/
This is the code which validates the user session (shown here inside a cloud function so it runs as a whole; the function name is a placeholder):
    Parse.Cloud.define("protectedFunction", function(request, response) {
      // Reject calls that arrive without an authenticated user session
      if (!request.user || !request.user.get("sessionToken")) {
        response.error("only logged in users are allowed to use this service");
        return;
      }
      response.success("ok");
    });
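To make the difference between the default public-read ACL, a per-user ACL and the master key concrete, here is an added example (not code from the answer above and not the Parse SDK): a small evaluator of Parse's ACL JSON shape, with constructed ACLs and user ids, that shows which requests each setting lets through.

```javascript
// Added illustration, not Parse's own code: a small evaluator for Parse's ACL JSON
// shape ({"*": {...}, "<userId>": {...}, "role:<name>": {...}}) to show why the
// default public read exposes rows to anyone holding the app key, and how a
// per-user ACL plus the master key (cloud code) changes that.
// All ACLs and user ids below are constructed for this example.

const READ = "read";
const WRITE = "write";

// Decide whether a request may perform `op` on an object carrying `acl`.
// `ctx` mirrors what parse-server knows about a request: the session user id
// (null for a request that only presents the app key), the roles that user
// holds, and whether the master key was used.
function aclAllows(acl, op, ctx) {
  if (ctx.masterKey) return true;              // master key ignores ACLs
  if (!acl) return true;                       // no ACL at all: fully public
  if (acl["*"] && acl["*"][op]) return true;   // public entry
  if (ctx.userId && acl[ctx.userId] && acl[ctx.userId][op]) return true;
  for (const role of ctx.roles || []) {
    const entry = acl["role:" + role];
    if (entry && entry[op]) return true;
  }
  return false;
}

// Parse's default ACL on a freshly saved object: public read, no public write.
const DEFAULT_PUBLIC_READ = { "*": { read: true } };

// ACL built the way the answer recommends: only the "master user" may touch it.
function ownerOnlyAcl(userId) {
  return { [userId]: { read: true, write: true } };
}

// What a request with only the app key (no session) can do to a row.
function anonymousCanRead(acl) {
  return aclAllows(acl, READ, { userId: null, roles: [] });
}

function demo() {
  const masterUser = "u_master_01";   // constructed object id
  const locked = ownerOnlyAcl(masterUser);
  return {
    defaultExposed: anonymousCanRead(DEFAULT_PUBLIC_READ),
    ownerOnlyHidden: !anonymousCanRead(locked),
    ownerCanWrite: aclAllows(locked, WRITE, { userId: masterUser, roles: [] }),
    otherUserBlocked: !aclAllows(locked, WRITE, { userId: "u_other_02", roles: [] }),
    masterKeyBypasses: aclAllows(locked, WRITE, { userId: null, masterKey: true }),
    roleEntryWorks: aclAllows({ "role:Admin": { read: true } }, READ, { userId: "u_other_02", roles: ["Admin"] }),
  };
}
```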

What is the 'client secret key' in the s3handler example?

I'm new to Node, Fine Uploader and AWS.
I'm trying to use the examples to upload to S3, using the s3handler.js example.
At the top of the file you set up the serverPublicKey, which I understand, and the serverSecretKey, which I understand, but there is also a variable for 'clientSecretKey'. I don't understand what this variable needs to be. Does it have some sort of relationship with the clientpublickey which is used in the frontend JavaScript? I can't see any explanation of what the 'clientSecretKey' is.
When you provision credentials for your uploader, you should have two pairs of keys: server-side, and client-side. The client-side keys should be heavily restricted. Only the most necessary privileges should be assigned to this IAM role/user. The server-side keys can be associated with an administrative-level user, if you prefer. In other words, create a client-side role that is specific to the operations that must be performed client-side by Fine Uploader. You can re-use an existing administrative-level user for all server-side tasks.

Want to allow Joomla Super Admin to log into other registered accounts - how to do it?

We've created a highly customized Joomla 1.5 based site and want our super administrator to be able to log into registered user accounts so we can provide better phone support and help them configure their accounts remotely.
This will obviously take some coding. Ideally we want a link from the admin side that will take us to the front end and automatically log us in as the registered user. We'll lock it down by IP address and also have some sort of password as well.
Where does the login get processed? It looks like /components/com_user/controller.php calls a function called $mainframe -> login(); Where does that function reside?
Our thought is to send a mock login form along with an additional super-user password field. Then we'll modify the login code to authorize the login if the password is present and the IP address is correct.
Any words of wisdom or caution with this approach?
There is actually a plugin that will do just this:
http://extensions.joomla.org/extensions/access-a-security/authentication/4806
You'll want to build an authentication plugin to handle this. You can enable as many authentication plugins as you like (the core plugin, OpenID, your own plugin, etc.). Joomla will run down the list of enabled plugins until one of them sets the status variable of the $response object to JAUTHENTICATE_STATUS_SUCCESS. The $response object gets passed in to your plugin's onAuthenticate method. Take a look at plugins/authentication/example.php for a clear example. You will probably end up cloning plugins/authentication/joomla.php and repurposing it for your needs.
I would publish your custom plugin after the core Joomla authentication plugin so that normal users will be able to log in faster.
Also, if you do want to go with a form as well, you will need to build a small component so that you can get the username and super-user password into the request.
