This question is specific to: https://github.com/marmelab/react-admin
My App.js looks like this:
<Admin
customSagas={[ errorSagas ]}
loginPage={LoginPage}
authProvider={authProvider}
dataProvider={dataProvider}
>
<Resource name="topics" create={TopicCreate} list={TopicsList} show={TopicShow} />
<Resource name="clients" create={ClientCreate} list={ClientsList} show={ClientShow} />
<Resource name="genders"/>
<Resource name="interests-in"/>
</Admin>
If I'm not logged in and I go to /topics, I get a 401 and I am redirected to /login.
If I'm logged in and I go to /blabla, I get the Dashboard and Menu, which is a security issue.
I don't want a non-authorized user to be able to view the dashboard and the menu.
When I view the "source" of the page I can see all paths (URLs) to my admin API. That should be disabled as well.
How can I avoid this kind of situation? Can someone help?
Lior
The only way I can think of would be to check for your security items inside the component where you are rendering the Admin. If your security check fails, then don't even render the Admin.
We have a working react-admin app with authentication up and running.
But now we have to add a resource that should be accessible without logging in. How can we do this?
Our App.js (shortened) looks like this:
<Admin authProvider={authProvider} dataProvider={simpleRestProvider(`${process.env.REACT_APP_BASE_URL}/api/v1`, httpClient)}>
<Resource name={'posts'} list={PostList} edit={PostEdit} create={PostCreate} icon={PostIcon} show={PostShow}/>
<Resource name={'messages'} create={MessagesCreate}/>
</Admin>
We want messages to be accessible without authentication. But all the other resources (removed from the snippet above) should still be protected by the authProvider.
We didn't find anything in the official docs about that. Only Checking Credentials During Navigation. But according to this issue and this comment it is no longer possible to do this.
Can anyone help us with this?
Thanks in advance.
I'm developing a web app with multiple roles. I had an idea of a way I could use React Router to restrict access on some routes with the onEnter trigger.
Now I wanted to know if this is a reliable way to prevent access to unauthorized pages. Basically, how easy is it to hack this? It just shouldn't be too easy to hack, that's all.
Bear in mind that there's still server-side authentication on all the resources that are being loaded, so even if a user does breach through the React Router, no unauthorized data is ever returned.
<Route path="/" component={App}>
<IndexRoute onEnter={authenticateUser} />
<Route path="login" component={LoginPage} />
<Route path={roles.ADMIN.homeRoute} component={Admin} onEnter={authenticateAdmin}>
<IndexRoute component={DashboardPage} />
</Route>
<Route path={roles.OPERATIONS.homeRoute} component={Operations} onEnter={authenticateOperations}>
<IndexRoute component={DashboardPage} />
</Route>
</Route>
Currently the role routes are only populated with Dashboard, but the idea is that each Role route will contain multiple subroutes. With this configuration, I am hoping that I can authenticate a user for his role when entering a restricted role route, but then be able to navigate between subroutes without authenticating on every route change.
It would be as easy as modifying the state that caches your roles. As long as you have server side auth for each resource, this is not a problem. If anything, they might be able to see the layout of the component, but no data.
I got a problem with OpenAM. Need your help.
I installed OpenAM and simply configured it as an IDP - set name and circle of trust. Then I added a remote SP by uploading SP metadata, see below
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<EntityDescriptor entityID="http://192.168.0.6:8080/employee/">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</NameIDFormat>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://192.168.0.6:8080/employee/" index="1" isDefault="true" />
</SPSSODescriptor>
</EntityDescriptor>
</EntitiesDescriptor>
SP and IDP are in the same Circle of Trust.
When I send a SAML authentication request from the SP to the IDP, I get to the login page of OpenAM with SAMLRequest=... as a URL parameter. The decoded SAMLRequest is below:
<samlp:AuthnRequest AssertionConsumerServiceURL="http://192.168.0.6:8080/employee/"
Destination="http://192.168.0.7:8181/openam/" ForceAuthn="false"
ID="ID_479ff8a2-8dc5-44b5-997f-0438a2d87417" IsPassive="false"
IssueInstant="2015-01-07T13:31:01.067Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer>http://192.168.0.6:8080/employee/</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>
Then I log in and land on the user profile page in OpenAM, instead of being redirected to the SP. Why does this happen? What should I configure to enable the redirect back to the SP?
There are several things you could do:
Don't use an IP address when installing OpenAM, because cookies will not be saved for such addresses, so you can easily encounter weird problems like this.
If you have goto URL validation enabled (by default it's disabled), then there were some old bugs around not handling redirect URLs correctly. Not sure which version you are using, so this may not really apply to you.
You should capture the network traffic with tools like the LiveHTTPHeaders Firefox plugin or similar, so you can see how the HTTP requests go around. That should help you determine where exactly things are going wrong.
I want to log in to my DotNetNuke-hosted site. First I click on the register button and enter username=musewerx, password, confirm password, display name=Hassan Ali, email address=hasan.uok#gmail.com and click the register button. But when I try to log in with username=musewerx and the password, a message appears:
You are not currently authorized to login to this site.
And on the link given below,
http://my.websecurestores.com/knowledgebase/3512/How-do-I-change-the-HOST-or-ADMIN-passwords-in-DotNetNuke.html
OR the given video tutorial link
www.youtube.com/watch?v=HHHwB8OaQXg
I see that for the admin login they enter username=admin & password=dnnadmin, and for the host login username=host and password=dnnhost. I followed this, but I cannot log in as host or admin. So what do I do to log in to DNN?
When you install DotNetNuke, you must define a superuser account which is named "host" by default on the older versions.
You also could create an admin account for the default portal which is named "admin" by default on the older versions.
On recent versions, you could choose the username you want to use for the administration.
If you use the register link, you could register yourself with default permissions depending on the current website configuration. The admin could disallow registration, for example.
Regarding the message "You are not currently allowed to login on this site", I believe that your website is configured with registration in "private mode". It means that an admin has to validate your account.
If you have an admin account or a superuser account, you could change the current "registration mode" in the site settings (menu "Admin > Site Settings"). You also could validate your account using the menu "Admin > Users" to edit your new account.
If this message appears, I assume your user is no longer authorized to log in (a user can be de-authorized in DNN, which means he can't log in). If you have database access, you can try to change the IsApproved field to true in the aspnet_Membership table, and then restart the application.
A user usually gets de-authorized if there were a few unsuccessful login attempts.
Find the lines below in web.config:
<system.webServer>
<modules>
<remove name="UrlRoutingModule"/>
</modules>
</system.webServer>
and replace the above with the below; then everything works fine.
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="UrlRoutingModule"/>
</modules>
</system.webServer>
Is it possible?
I mean, I want to create a widget that I can paste into different pages on a site (or even into the master page) to give users the ability to log in quickly. Is that possible, or do all pages from which login is accessible have to be enumerated like this:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
As long as the page allows anonymous access, I don't see why this would be a problem. Just put a username/password field on the page and use the API to log them in:
if (Membership.ValidateUser(username, password))
{
    // second argument: true for a persistent "remember me" cookie, false for a session-only cookie
    FormsAuthentication.SetAuthCookie(username, rememberMe);
}
EDIT: You probably want to use SSL on any page with a password field on it.