I defined a security check adapter and configured the property shown below.
<securityCheckDefinition name="MySecurityTest" class="com.sample.MyTest">
<property name="successStateExpirationSec" defaultValue="30" description="How long is a successful state valid for (seconds)"/>
</securityCheckDefinition>
The configuration means that when I pass the security check, I can access the protected resource under the scope for 30 seconds.
After 30 seconds, the server will force the client to log out.
However, no user wants their app repeatedly doing validation at high frequency.
We know we can increase the value of successStateExpirationSec; unfortunately, that does not meet our requirement.
How can I extend the property "successStateExpirationSec" before the time expires, and without revalidation?
It is not recommended to update "SuccessStateExpirationSecond" after setting it and before it expires. I think the logical approach for your use case is to determine the proper value for "SuccessExpirationSecond" and set the property to that value.
Instead of updating the SecurityCheckDefinition in adapter.xml, you can also set it programmatically by extending "CredentialValidationSecurityCheck".
Refer to the sample here. This allows you to set the default property values.
I know how to validate that a property matches a regexp:
regex = "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
for a GUID, but if it is not sent in the payload I receive an error. Is there a simple way to check whether the property exists and validate only then?
Right now I check with a choice whether it exists and, if so, do the validation, but I am interested in a smarter way, because with 20 properties to check the flow becomes very messy.
For example, 3 validations at the moment:
You could use the Validations Module's All validator, which seems to cover this use case. Note that you cannot customize the exception or message. If this is not acceptable, you could use individual validations in the flow instead.
Example:
<validation:all doc:name="Validation">
<validation:validations>
<validation:is-not-empty doc:name="Validation" value="#[payload.firstName]" message="Firstname cannot be empty"/>
<validation:is-not-empty doc:name="Validation" value="#[payload.lastName]" message="Lastname cannot be empty"/>
<validation:is-number message="Not an adult" value="#[payload.age]" minValue="18" numberType="INTEGER"/>
<validation:is-email email="#[payload.email]" />
<validation:matches-regex message="Invalid SSN" value="#[payload.ssn]" regex="^(?!000|666)[0-8][0-9]{2}-(?!00)[0-9]{2}-(?!0000)[0-9]{4}$"/>
<validation:validate-size value="#[payload.ssn]" min="11" max="11" message="SSN too short"/>
</validation:validations>
</validation:all>
When a user's password is updated, I want the security stamp value to be updated every time that happens. I believe that is how the security stamp works, from my research.
I placed this code in ApplicationUserManager.cs, but it isn't working:
private static string NewSecurityStamp()
{
return Guid.NewGuid().ToString();
}
What do I need to do, and where, to get the security stamp value to change each time an update is made to the user's account?
That is what happens. However, the security stamp is only re-validated on an interval (every 30 minutes, by default), to reduce the number of database queries being made. You can lower this interval, even to zero, which effectively makes the stamp re-validated with each request. However, that will increase the chatter back and forth to the database.
services.Configure<SecurityStampValidatorOptions>(o =>
{
// WARNING: this will issue a query for every request
// You might want to rather just compromise with an interval
// less than 30 minutes (5 minutes, 10 minutes, etc.)
o.ValidationInterval = TimeSpan.Zero;
});
An alternative option is to simply log the user out after such a change. If the goal is simply to make them re-login, that should do the trick much better. Just inject SignInManager<TUser>, and then call SignOutAsync on that instance. You'll need to redirect the user afterwards. That could be directly to the sign-in page or to some area of the site that is protected, which will then cause them to be taken to the sign-in page to authenticate. In either case, a redirect is necessary for the auth cookie to actually be deleted.
SetProperty on a CngKey, while granting access on a machine key, always updates the CngKey. Is this correct behaviour?
I am setting the permissions ACL on the CngKey. When permissions are set on the key using SetProperty, it gets updated every time I apply the same permissions. (Ideally it should update only for different rules/permissions.) This is not the behaviour with RSACryptoServiceProvider or CAPI: it doesn't get updated when the same rules are applied, but updates when we apply different rules.
Is this correct behaviour?
CngProperty permissions = new CngProperty(
NCRYPT_SECURITY_DESCR_PROPERTY,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
cngKey.SetProperty(permissions);
Expected: the CngKey shouldn't be updated (the CngKey has a timestamp that gets updated, which means the key was updated) when the same permissions are applied, but should update on different permissions.
Actual: the CngKey updates every time SetProperty is called.
Is there a way to set default values for custom user attributes in AWS Cognito at registration? I have a custom field "custom:status" and I'd like it to have a default value of "NOT_VALIDATED". I don't want the value to come from the client, since the client might put "VALIDATED" instead and get extra permissions.
I have tried to set my status field in the pre-signup Lambda function, but the value is ignored.
You can do it from a Lambda trigger. In that case you don't have to update the attributes yourself, but you can call adminUpdateUserAttributes on the user to update the attribute.
Another method would be to let it come from the client, but also send the value, encrypted, in the clientMetadata field of the request, so that when it hits your pre-signup Lambda you can make sure that what the client passed is the same as the decrypted clientMetadata. If it is not, just reject the registration, as they tampered with the value.
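The two approaches in the answer above, written out as an added example in Python (this is not code from the original answer, from AWS, or from the question's project). The Post Confirmation handler stamps the default server-side through boto3's admin_update_user_attributes (the SDK name for adminUpdateUserAttributes), so the client never influences the value. The Pre Sign-up handler accepts a client-supplied custom:status only if clientMetadata carries a server-minted HMAC-SHA256 tag over that value; the tag is an integrity check standing in for the encryption the answer mentions, and raising from the trigger is what makes Cognito reject the registration. The attribute name and values come from the question; the key, the statusTag metadata field, the handler names, the injectable client and the event contents are assumptions constructed for the example.

```python
import hashlib
import hmac

# From the question: the custom attribute and its intended default.
STATUS_ATTR = "custom:status"
DEFAULT_STATUS = "NOT_VALIDATED"
# Assumptions for this example: the clientMetadata field carrying the tag,
# and a constructed demo key (a deployment would load it from a secret store).
METADATA_TAG_FIELD = "statusTag"
SERVER_KEY = b"constructed-demo-key-not-for-production"


def post_confirmation_handler(event, context=None, cognito_client=None):
    """Post Confirmation trigger: write the default status with admin credentials.

    The value is set after sign-up completes, from the server, so nothing the
    client sent during registration is consulted. `cognito_client` is
    injectable so the handler can be exercised without AWS access.
    """
    if cognito_client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        cognito_client = boto3.client("cognito-idp")
    cognito_client.admin_update_user_attributes(
        UserPoolId=event["userPoolId"],
        Username=event["userName"],
        UserAttributes=[{"Name": STATUS_ATTR, "Value": DEFAULT_STATUS}],
    )
    return event


def status_tag(status, key=SERVER_KEY):
    """Server-minted HMAC-SHA256 tag (hex) over a status value; only the server holds the key."""
    return hmac.new(key, status.encode("utf-8"), hashlib.sha256).hexdigest()


def pre_signup_handler(event, context=None, key=SERVER_KEY):
    """Pre Sign-up trigger: admit a client-supplied status only with a valid tag.

    Raising any exception here makes Cognito reject the registration, which is
    the 'just reject' step of the answer.
    """
    request = event["request"]
    claimed = request.get("userAttributes", {}).get(STATUS_ATTR)
    if claimed is None:
        return event  # nothing client-controlled to check
    tag = (request.get("clientMetadata") or {}).get(METADATA_TAG_FIELD, "")
    expected = status_tag(claimed, key)
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"{STATUS_ATTR} rejected: missing or invalid integrity tag")
    return event


def make_signup_event(status=None, tag=None):
    """Constructed Pre Sign-up event in the shape of Cognito's trigger payload."""
    event = {
        "version": "1",
        "triggerSource": "PreSignUp_SignUp",
        "userPoolId": "us-east-1_EXAMPLE",  # placeholder pool id
        "userName": "alice",
        "request": {"userAttributes": {"email": "alice@example.com"}, "clientMetadata": {}},
        "response": {"autoConfirmUser": False},
    }
    if status is not None:
        event["request"]["userAttributes"][STATUS_ATTR] = status
    if tag is not None:
        event["request"]["clientMetadata"][METADATA_TAG_FIELD] = tag
    return event


if __name__ == "__main__":
    # Honest client: sends the default and the tag the server issued for it.
    pre_signup_handler(make_signup_event(DEFAULT_STATUS, status_tag(DEFAULT_STATUS)))
    print("honest sign-up accepted")
    # Tampering client: swaps the value but can only replay the tag it was given.
    try:
        pre_signup_handler(make_signup_event("VALIDATED", status_tag(DEFAULT_STATUS)))
    except ValueError as exc:
        print("rejected:", exc)
```

The two handlers are alternatives, matching the answer: deploy the first if the value should never be client-visible at all, the second if the client must be able to submit it. In both cases the decision about custom:status is made with material only the server holds.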
My thinking was that Symfony2 would extend the ExpireAt on each page request made during the authenticated session. So if the timeout was 100 seconds and you made a page request, the new ExpireAt would be time() + 100. This "use it or lose it" authentication functionality is similar to what you get on a banking website.
The default functionality seems to be that when the session timeout is set to 100 in config.yml, the user only has 100 seconds to do what they can.
I don't think this will be too hard to implement, but where should it be done? My first guess is in the isEqualTo method. Once you can determine the user is authentic, you can re-up their expireAt. Or does the cookie need to be modified?
The answer lies in the refreshUser method of the UserProvider and the isEqualTo method of the user class.
The isEqualTo method tells the user provider whether to call refreshUser(UserInstance user).
Step 1: isEqualTo() returns false (as your understanding grows, so can this logic, but essentially this triggers refreshUser()).
In all the basic user provider examples, refreshUser and loadUserByUsername are identical. To do what I'm talking about, refreshUser() needs to be a little different.
Step 2: modify refreshUser(UserInterface $user). What's being passed into this method is the original user class, so refreshUser is responsible for syncing expiresAt or credentialsExpireAt.
I use this logic in my refreshUser() to either extend the expiration date OR set it to the original expiration date (which is expired):
// Only when the original credentials have already expired do we carry that
// expired timestamp over; otherwise the freshly loaded user keeps its new expiry.
if( time() > $user->getCredentialsExpireAt() ){
    $refreshedUser->setCredentialsExpireAt( $user->getCredentialsExpireAt() );
}