I have been working on this for several days, and hope someone can help me.
There are three requirements for the authentication processing.
Authentication using OpenID, login page is login.jsp. After login is successfully, display the username and email address at login-succ.jsp
There is a input field in the login.jsp, I also need to display the value of mymessage in the login-succ.jsp if login is successfully
After login successfully, user is in the login-succ.jsp, with his username email address and mymessage value. If user refresh the login-succ.jsp page, these three values should be display again.
I have tried to achieve these three requirements using CustomOpenIDAuthenticationFilter at my another post, but if I save the message into session and there are two instances of login.jsp, the two instances will overwrite the message values to each other after refresh action. I do not know if I am doing everything wrong. So can anyone please give me some suggestions about how to meet these three requirements using Spring security and Spring MVC.
Thanks.
To me, this feels like a design that is begging for some type of injection attack (taking a URL parameter that is displayed blindly on the page to the user is a really bad idea).
Instead, I would stick the message in the HttpSession prior to the user being redirected to OpenID login, and retrieve the message after they are successfully redirected. Obviously, you would need code to clear the message from the session upon failure, logout, etc.
Related
Before adding, yes it works when I give the entire url like http://localhost:8080/onedrive/oauth2/success/1 in the list of uri in azure uris. I am using code flow to authroize these tokens.
But as per the docs, it should work with me just mentioning the domain name there, like http://localhost:8080. Which it doesn't.
I want to do something like send the user id along with every request for me to keep track of which user I should link this accees token to, and have no idea to do so, if this issue is there. My current application logic is, when my application sends the user details and calls my spring API, I want to handle all these transfer of tokens in the server side, so I want to transfer this userId as my path variable. How do I go about doing this? Has anyone done this, can they explain to me any other different solution?
You can't add custom details to OAuth redirects and it is best practice to always register the full redirect uri.
In terms of tracking the user, after login the token has a user id and you can also get fields such as user name and email - so both the UI and API will know which user each token is for. I can provide further details on mechanics if needed.
The user id in a token is often a generated value, whereas the user id you want to use in API path segments is maybe a user id from your app's back end database - if so you will need to map between token details and database details.
If you provide redirect uri as http://localhost:8080/ then it means you are handling the api response in
/
endpoint and not
/onedrive/oauth2/success/1
To get to know the user to whom you are linking, few ideas which you can use are
1) Use security to obtain the logged in user credentials (Ex: Principal if you're using Spring security in java)
2) After successful authentication, use the user id you have and send one more request to backend and store it database with userid as a key
I've implemented really basic user authentication before - generate a session cookie when logging in, and when the user loads a page with authentication just check the cookie.
However, the complexity of Spring Security / Apache Shiro is really confusing me.
All I really want is:
be able to have a user log in once and see their username on every page they visit (like on Stackoverflow)
have this login persist for a reasonable length (cookie expiry time or something like that)
It looks like I have the option of using EhCache or implementing my own subclass of... something... to use something like postgres.
I seem to have gotten the first thing I want working in Apache Shiro:
Subject sub = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
token.setRememberMe(remember);
try {
sub.login(token);
// ...
But I'm super stuck on how to get this session to persist between restarts of the spring webserver. Like, I know Stackoverflow highly recommends a code example but I literally don't even know where to start. Right now my "progress" on trying to figure out how to persist sessions between restarts (bolded to clarify what I'm asking) is literally the single line
DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
// ...
dwsm.setCacheManager(new EhCacheManager());
and I don't even know what that actually does.
I would really appreciate any kind of guidance here since I really don't even know where to begin and the documentation I've been able to find is unfortunately not super thorough.
thats one of the problems with just sessions. That they are not persistant over restarts unless you save your sessions.
Now days people usually use a token based approach like oauth2.
The flow in a token based authentication system is:
User sends his/hers credentials to an authorizationserver (oauth2).
If credentials were correct they get a token back
The client (webpage) makes a request to the backend to get the user object and supplies the token in this call as an "Authorization"-header.
The backend takes the token and sends it to the authorizationserver (oauth2) to check its validity.
if the token is valid the backend server fetches the user object and sends this to the client.
The client gets the username from the user object and stores this in its state (react, redux if such an app). In every call to the backend the client must supply the token it got from the first login so that the server always knows that the caller is whom he/she claims to be
I have a spring controller method which could be called in different scenarios. here is the example...
#RequestMapping("/resetpassword")
public ModelAndView resetpassword( #Valid #ModelAttribute("resetpasswordForm") ResetPawdFormForm resetPawdFormForm, ModelAndView modelAndView){
... this method could be executed in 3 different scenarios....
using the hyper link coming from the user reset password link sent to user email..
eg: localhost/myApp/login/resetpassword//
Here I can authenticate userID and activationSecretCode in DB and let user reset password
user can click on resetpassword link from user settings page.
eg: Since the user is already coming from user settings page, I can validate userSession and allow him to reset password
User can login for first time successfully, but are forced to reset password due to admin requirements for reset initial default password.
eg: in this user neither have session, nor passing any activationcode to validate.
login method validates userid/default password and redirects to resetpassword mapping(method=GET).
How can the system authenticate the user request and allow him to reset password?
One alternative for this is, to use flash attributes and set a authenticationKey as flash attributes...which could be verified in resetpassword method.
is there other way to implement this....
Note: I posted an issue in implementing this approach in
Post: Spring: How to pass Java objects during redirect while using ModelAttribute
Any help?
I think the best way to implement this is using three different action methods:
resetPassword (e-mails)
resetLoggedUserPassword (via settings)
changeDefaultPassword
They may even share the same view, but the behaviors are not equal, so I would avoid overloading the action responsibility.
EDIT: elaborating on your comment:
1) To secure the e-mail link, one way is to add a authentication token. The token can be as weak as a hashed user id plus some salt string, or as strong as a GUID with expiration time in a database table, generated whenever a user requests a password reset.
2) The settings way is not a problem, considering that the user is already logged in.
3) The temporary password action can be secured the same way as 1, or the same way as 2, if you put the user on the session. Logging in the user even with the default password status shouldn't be a concern if the code that verify the status of the account are inside a request filter.
I have a asp.net site that uses federated security for authenticating the user. Therefore a user navigates to the url which is redirected to a login page and if successful gets routed back to the main application. What I need to do is somehow have the main application allow some code to be ran before being redirected to the login page. This is because the intial request may have some query string parameters that I need to store in the users session as the request back to the main application is dropping them.
Is this possible... any thoughts or examples would be greatly appreciated!
I am not sure whether this may help:
You can turn off the WIF’s built-in redirection of unauthenticated sessions by modifying web.config file:
<microsoft.identityModel>
<service>
......
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="false"
......
and once your reconstruct your query string, you can update audienceUri and realm.
I want to secure my RESTful webservice in some way, i read for past few hours about spring security and I am not sure if I can achieve what I want with it.
Here is typical scenario:
User tries to access www.address.com/rest/getSomething - he gets 401 Unauthorized and he is not redirected.
He goes to www.address.com/rest/login with username and password parameters
His credentials are checked against those in database (I'm using JPA over Hibernate)
If they are correct user receives 200 OK, and info that he's logged in is stored in session, so he does not need to send username and pass when accessing other addresses. Info that he logged in succesfully (or not) is stored in DB
If login is unsuccessful he receives 401
User uses webservice as much as he wanst (on each access, his session is checked)
After lets say 10 minutes of inactivity his session ends, and he needs to log in again
He may visit www.address.com/rest/logout to logout properly (session invalidate maybe?)
I also want to introduce some kind of password recovery, if user accesses www.address.com/rest/remindPass an email will be sent with newly generated password.
EDIT:
And i forgot, about one more thing. I also need another filter for checking if user has enough privilage to access an address.