I currently have a welcome view that tells the user to log in before they can continue.
I'm primarily using this code to sign the user in.
However, how do I go about removing the welcome view if the user is signed in?
The documentation on the when clause doesn't say anything about authentication.
Am I forced to overwrite the context in order to change my welcome view?
I'm leaning towards doing something like:
vscode.commands.executeCommand('setContext', 'extension.authenticated', true)
But I'd rather not have to keep track of this context unless there are no other options.
Related
I am experienced Java backend developer, but an absolute novice with front-end and now I am trying to do web app with Vaadin for the first time in my life.
I got an idea how to create a main view but stumbled on login implementation.
In my application login is not mandatory. If user is not logging in it shall allow him to view the data in grid format and by clicking on a record get some additional details.
If user wants more functionality he is suppose to login and based on the user credentials there should be some changes in the grid view and some additional buttons shall appear, that will allow creating new entries and do something else.
I did go through the Vaadin tutorial, but it only explains what was written in their application, but doesn't teach how to do other things. I tried to find some clues in components documentation and Javadoc, but got lost there.
If someone can give me some tips on where to start digging, I will appreciate greatly.
Vaadin uses Spring Security.
You can use annotations to secure a whole view. But if you want to change certain parts of the view, you must do that programmatically.
Spring Security provides the SecurityContextHolder class to access the logged in user and the roles.
To check if the user has a certain role you can do
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null && auth.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals("ADMIN"))) {
...
}
I authorized the group of a user to the cockpit-application. I gave the group full access to the Process Definition and Process Instance authorizations. (so pretty much as described in the documentation)
When I try to log the user in, I see the Welcome screen and in the application overview the option to navigate to the cockpit-application.
However, when I click this, I get the Login screen again.
For a fraction of a second I see the cockpit application, but then it immidiatly redirects to the login page. When I try to log in again, it keeps redirecting me to this login screen.
I configured another group to use the Tasklist application and that is working as expected.
I tried to give the authorization on user-level instead of group-level but the same problems occurs.
(n.b.: I am using the Spring-Camunda-Starter for this application.)
I found the problem, I accidentally removed one of the authorizations the system automatically creates when the user is created. I think I might have removed this, as I thought it was not necessary.
It is in the User Authorizations, every user has an authorization from it's own user to that user. When I added this, it fixed the problem.
I found the solution when another user logged in and had no problems. And the found this to be the only difference between the two accounts.
Hopefully this will help someone in the future!
I have designed a standard login screen in ASP.NET like below:
As usual when operator selects “Remember me”, we expect system to not ask operator for credentials anymore and go directly to default (home) page.
My business team saw something on internet and they believe that when “Remember me” has been selected we need to pre populate the username and password and wait for customer to press “LOG IN” button:
I haven’t seen this practice so often and I am not very comfortable to do it. Although, I don’t have a good technical argument to explain and change their mind.
I am basically looking for good argument to explain cons and pros of above scenario.
Never ever should you pre-populate a passwords edit field. If you do so, everybody is able to read the plain-text password, if he can open the login form on this computer. A few minutes on an unlocked office computer would be enough to check the browser history, afterwards the attacker can login whenever and whereever he wants.
If you have a remember me function, and the user has logged in using this function, then there is no need to display the login form at all. You can just display the content. In this case, an attacker can do things with the account, but he cannot login unnoticed later from somwhere else.
I think (hope) you saw the pre-populated password field, because the browser filled in the content, and not the website did it. Maybe there is a password manager installed.
Hard to find a meaningful title. I hope I get clearer now.
I'm building a service which is similar to doodle regarding the authentication model. The user can "create" something (using a form). There will be two different views. One for the creator where he can modify his settings and another one for public access.
I don't want to force users to register / log in. So I came up with a URL structure like doodle has:
/{some-id} -> public access
/{some-id}/admin/{some-token} -> settings page for the owner
The question now is how I can deal with this best. Currently I pass the token to all admin related Methods. But I don't feel comfortable with that.
I also thought about some server side session. I found two meteor packages but they are both not actively maintained anymore.
Another idea was to misuse the built in user management but without the user to recognize it. But I don't think that's feasible.
So now I'm asking you if you have a nice way of dealing with this. I hope I made clear what I want to do.
There are many ways of doing it. One way is to reuse Accounts package.
You user id is {some-id} and the password is {some-token}.
When you create new page. You create new user on server side using Account.createUser.
When you enter url /{some-id}/admin/{some-token}Meteor.loginWithPassword.
I'm trying to get my standalone webapplication to use my Liferay 6.2 as "user store". That means I want the user to log in to Liferay and then be able to move on to another application with some credentials and user specific information passed as well. Moving on and passing information is already working, the issue I'm having right now is making sure the user-object that is passed on is the user that is actually logged in right now.
I use the LFR_SESSION_STATE_ cookie do determine the logged in user. But when I log in again with another user I get a second cookie with a different user-id. So now I need to make sure that I'm passing the correct user. The USER_UUID cookie does not contain the same uuid as provided by Liferay (as of now I didn't check if it's a hash of the uuid).
Long story short, I'm looking for a way to recognize the currently logged in user and be able to pass the credentials and additional information to my application.
I will take care of security concerns like manipulated cookies etc. subsequently. Maybe that will raise another question wenn I get to that point ;-)
I'd really appriciate any help or push in the right direction.
Thanks in advance guys ... sebastian
Some possibilities:
Make your application a portlet application
Publish your Liferay Database through LDAP (EE only) and use a separate SSO application
Create a Liferay-Hook that sets a cookie (to "/") containing the required user information - encryption and signatures are on yourself. You can create hooks that get executed on every successful login