I'm new to Cuba-platform version 6.10.3. I have a problem where I am stuck.
I have a User entity where I create a new user which has parameters identical to those of the sec$User system entity. Now, I would like to pass the values entered in the User entity (name, password, lastname, email) and also the access group created specifically for the users (customers). Then register the attributes directly in the sec$User system entity and then log into the app with the credentials of the users created with their respective permissions.
I hope someone can help me. Thanks a lot to everyone.
In order to create a new sec$User entity, invoke the Metadata#create() method of the com.haulmont.cuba.core.global.Metadata bean.
Fill necessary fields.
To save new user to the database, use DataManager bean: com.haulmont.cuba.core.global.DataManager#commit(user)
If you need to login to the application automatically without having user password, you can use the "trusted login" feature.
When in web client, user com.haulmont.cuba.web.Connection bean to login.
When in web service (e.g. portal module) - use the com.haulmont.cuba.security.auth.AuthenticationService service.
And call its login method with TrustedClientCredentials:
#Inject
com.haulmont.cuba.web.auth.WebAuthConfig webAuthConfig;
// ...
authenticationService.login(new TrustedClientCredentials("username", webAuthConfig.getTrustedClientPassword(), Locale.ENGLISH);
See also
https://doc.cuba-platform.com/manual-6.10/login.html#login_additional_eatures
https://doc.cuba-platform.com/manual-6.10/web_login.html
Note that web client is working under the anonymous user until other user logs in. So you will need to add additional permissions to the user (write access to the User entity).
Thanks for the support, very helpful !
Related
I'm creating SSO solution for multiple existing projects. Most of the applications already use same database, so same users and I use these users in IdentityServer. But there is one app which has its own users DB and login screen. Users from this table are used in one of the tables in this app (FK).
My idea is to leave existing users DB as is. Add a column MasterUserGuid to Users table that will contain "master" user Guid (so the user that IdentityServer uses for authentication) and implement following flow:
User opens the app and is not signed in
User is redirected to IdentityServer and uses global credentials
User is redirected back to the app which gets global user GUID from claims and authenticates local user (with this GUID in the MasterUserGuid column), instead of using global user
The problem is that I don't know how to implement step 3 or if it's even possible/supported in IdentityServer4. At the moment I'm redirected to IdentityServer, am authenticated and redirected back, but then the app tries to use this external user.
While researching I've read that users should be in one table, so maybe this approach is totally wrong and it would be better to remove local users and break FK for mentioned table and do some manual migration of users.
Is the scenario described in the steps I provided possible and sane?
You need to adjust your application to authenticate via IdentityServer first. Remove all the ASP.NET Core Identity logic related to registration, login etc. assuming all of that will be done on IdentityServer side. Then implement the instance of IClaimsTransformation which will either replace your current ClaimsPrincipalor add additional identities to it if needed with the claim values you want (populated from local database). Here is the example:
public class MyClaimsTransformer : IClaimsTransformation
{
public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var claims = new List<Claim>();
claims.Add(new Claim(...)); // put here your claim type and value
var identity = new ClaimsIdentity(claims);
principal.AddIdentity(identity);
return principal;
}
}
Then register your claims transformer in IOC in Startup.ConfigureServices method:
services.AddTransient<IClaimsTransformation, MyClaimsTransformer>();
Newbie to Parse Server here.
I have an app which reads data from Parse Server and displays it to users without logging them in.
I want to create another 'Admin' app which will allow ONLY ONE pre-populated admin user to login and change the data. Is this possible via Facebook login? I would prefer Facebook login because with normal (user, password) login I can't implement 2FA easily on Parse Server. Facebook login would take care of the issue since the user is already logged into Facebook using 2FA.
Is this possible? Any suggestions / pointers would be appreciated. I am coding both apps in React Native. The first app is complete.
The type of login has nothing to do with the abilities a user has. The simplest solution for your desired setup is using class-level permissions:
create a new Role object and name it accordingly, e.g. admin
add your admin user to that role
set class-level permissions for your data classes: grant public read access, limit write access to the admin role
Now every user can see all the data, but only members of the admin role are able to manipulate them. If you want you can add more users to the role to also give them write access.
BTW: all these steps can be performed in Parse Dashboard, no coding required.
EDIT
Actually you can have it even simpler, the class-level permissions can also be granted to a single user -- so no need for a role, if you really only need one admin.
Here is my development environment:
Intranet Website
Active Directory Authentication/Authorization
Asp Net Core
I am trying to get the data stored in Active Directory attributes when a user enters firstly to any page in our application. All users rights and permissions, employeeid, studentid, etc.... are stored in AD Attributes and Security Groups. Some Attributes need to be displayed on the website too.
Let's say my website got the following urls...
http://mysite/Home/Index
http://mysite/Student/Index
http://mysite/Student/MyJobs
http://mysite/Staff/Applications
etc....
Any users can go onto some areas/urls of the website freely from other Intranet portals and I don't know where should I write the code to fulfill that criteria. The problem is that, there is no specific entry point to the application like http://mysite/Login or Authenticate, etc. If there is, I could load all users details and rights from AD on that single entry point.
In MVC5 era, I used Custom Global Authorize Attribute and put it on the BaseController is inherited from all other controllers to load that AD data. I put the AD's data into Session on the first hit and use the Static Class to display on Views and use in Controllers. But when I did some research in MVC Core, some say that it's outdated and I should use the Authorize Policy instead of custom Authorize Attributes.
Getting the data from Active Directory is already achieved by using my old webservices and we don't need to worry about .Net core not supporting AD yet.
I looked at the tutorials about Policy and saw something about Claims and Custom User Managers. I couldn't decide which one I should use to load data from Active Directory to the object (probably Scoped Object DI) which lasts for the whole user's session.
Should I load the data onto claims attributes
Eg...
var claims = new List<Claim>();
claims.Add(new Claim("UserName", "John.Smith", ClaimValueTypes.String, Issuer));
claims.Add(new Claim("RefNo", "02343001", ClaimValueTypes.String, Issuer));
claims.Add(new Claim("Email", "MyEmail#email.com", ClaimValueTypes.String, Issuer));
Or Should I write customized SignInManager and IdentityUser?
Eg...
public class ApplicationUser : IdentityUser
{
public string RefNo { get; set; }
public string Email { get; set; }
}
Is there anywhere I could put my code to check AD and load data?
And should I store the data in that Claimed Object rather than using Session Data?
Could you guys please advise me? Feel free to criticize if I miss anything and my idea is not working.
You're right in saying there's no System.DirectoryServices yet (it's on the backlog, I promise) so there are a couple of places to do this.
If you're already using Integrated Authentication you have SIDs for group membership, which are resolved when you call IsInRole(), so you can use role based membership (rather than Claims based) to solve basic authentication problems.
However if you want to support a forms based mechanism then you should look at using the cookie middleware, raw, to at least give you a simple login, calling your web service to validate your login. You could query your API in the controller code, and write an identity cookie. This cookie automatically encrypted and signed, so it can't be tampered with.
The problem comes when you want roles, and attributes. If you head down the cookie route you might be tempted to put all of those as claims in the identity before writing the identity out as a cookie. This might work, provided there are not too many - cookies have a maximum size (browser dependent, but under 4k usually). You can used chunked cookies, but there's a performance impact here. Instead you might use a reference cookie, where you put in a reference to another store where the actual fully populated identity is stored, be it session, redis or something else.
Then in the claims transformation middleware you can pull the reference out, go to your store, and rehydrate the identity.
I'd honestly avoid trying to merge all of this into ASP.NET Identity. That's mean to be the sole source for user information in an application, and in your case that's not true. Your sole source should be AD.
There's also a port of Novell's ldap library to core, which should stand in nicely for DirectoryServices should you want to avoid your web services approach.
I have MVC4 application which uses SimpleMEmbershipProvider for authentication mechanism.
Everything works fine, apart of when I return to the application and authenticate using persistant cookie.
I am authenticated fine, but cannot access roles that I am assigned to. Effectively, cannot access roles at all:
string.Join(",", Roles.GetRolesForUser(User.Identity.Name))
returns empty string
What might be causing that?
This can happen when the SimpleMembershipProvider hasn't been initialized. The example MVC forms authentication template assumes that you'll be allowing anonymous access to your site and doesn’t initialize the membership provider until you go to the login page. However, a more common security technique is to require a login for any site access and to define menu choices in the _layout page to be determined by roles. But, if you use the persistent cookie, you don’t revisit the login page so the roles for the authenticated user aren’t loaded from the membership database.
What you want to do is initialize the provider when the user enters the site so that values get loaded. To do this, you want to add the following filter in the RegisterGlobalFilters method of the FilterConfig class in the App_Start folder
filters.Add(new YourAppNameSpace.Filters.InitializeSimpleMembershipAttribute());
This will cause the user data to be loaded from the database when a cookie authenticated user enters the site.
Another alternative technique is to add the [InitializeSimpleMembership] decorator to any controller method that cookie autheticated users might enter directly. This is kind of messy though if you have to put it on a lot of controllers. Therefore, putting it in the global filter is better in most cases.
I have a custom registration BrowserView where you have to extend some userdata (z3c.form with some fields including password). after successful saving these data i want the user to be logged in automaticaly and redirected to an other page in the site.
Thanks in advance for hints
So here's my working solution (thanks to mikko who pointed in the right direction):
authenticate your registration credentials in PAS
member = portal.acl_users.authenticate(username, password, portal.REQUEST)
for redirects it's neccessary to set the authentication cookie. You can do this with "updateCredentials" (see pas/plugins/cookie_handler)
if member:
portal.acl_users.updateCredentials(portal.REQUEST, portal.REQUEST.RESPONSE, username, password)
redirect to the next page
portal.REQUEST.RESPONSE.redirect(url)
If you want to extend the userdata for new members, and add new fields to the registration form, it's probably best to extend the utility that provides the default userdata schema and to do it in such a way that you seamlessly hook into the existing registration machinery.
There is an example product collective.examples.userdata which you can use0 and extend for this purpose. It also has good documentation that explains to you all the necessary steps.
http://plone.org/products/collective.examples.userdata