How does share know that user is not connected (and redirect him to login page)?
Even if a user is connected i'd like to check if he has some permission and redirect him to login page if not. So i'd like to know how Share manage authenticated user from session.
Can i use a filter, or listener or servlet or any other mecanism to intercept ALL url on share and check if connected user has require permission.
I'm using alfresco 5.0.d.
Thank you in advance for your help.
Depending on the authentication method being used and which services of Share are accessed (pages, proxy servlet or web scripts), there are multiple places where checks against the current user are made:
class SSOAuthenticationFilter - a servlet filter handling what it says in its name, Single Sign-On (SSO), e.g. Kerberos, NTLM or CAS / external authentication
class PageView - part of the Surf framework that checks if the current user has the required privileges for the current page (limited differentiation of guest, user, admin as defined by the page XML definition)
class SlingshotPageView - an enhancement / specialisation of the PageView class
class EndpointProxyServlet - handling authentication for any backend ReST API calls proxied via Share
classes PresentationContainer and instances of Authenticator interface - handling direct calls to any web scripts outside of normal page rendition cycles
Technically you can use a filter to intercept all servlet invocations on Share, but I it is not ideal from a maintenance point of view (web.xml is not easily extensible and overriden on upgrades). If all you are interested in are page rendition requests, you can use Surf extension modules to inject post-processing code that is able to generate redirection responses if user permissions are lacking. Via the root-scoped "status" object you can send the HTTP redirect responses and define a target location.
Related
I am currently recording a web with Login LDAP that means I need to input username and password in popup authentication (screenshot attached).
After I am done recording, I play back the script, and it always failed.
And I followed tutorial from https://www.blazemeter.com/blog/windows-authentication-apache-jmeter but it still failed.
Here is my Test Plan:
Here is HTTP Authorization Manager setting:
Please help.
Thanks,
Rio
If you really "followed the tutorial" you should know what is your authentication type challenge, the choice is in:
Basic Access
NTLM
Kerberos
Your setup is wrong for any of the types as you should have either base url or domain or domain+realm+appropriate configuration in jaas.conf and krb5.conf files.
I don't think sending one request is sufficient for simulating log in process, real users do the following:
open login page (at least 1 request)
type credentials (you need to mimic the time required to type using Timers)
perform login (another at least 2 request)
You may also need to perform correlation of dynamic parameters (if any), check out How to Handle Correlation in JMeter to learn more about the concept / implementation
Your approach of AJAX requests simulation is wrong, as per the definition AJAX requests are Asynchronous, to wit real browsers execute them at the same time while in your setup they are sequential. So consider placing the AJAX calls under the Parallel Controller
Is there standard way to change runtime permissions for a user to be able to call certain odata resources of a SAP gateway service, other than manually writing code in every service implementation method to check if the request is allowed?
For example, based on some setting in customizing, the odata paths below /foo and /bar for user x should be forbidden, i.e. HTTP GET/POST/DELETE <host>:<port>/foo/test and HTTP GET/POST/DELETE <host>:<port>/bar/test should yield HTTP 403 for user x, but HTTP GET/POST/DELETE <host>:<port>/something should be OK.
Is there a way where this can be controlled at a single place rather than being required to implement a check in every method implementing the odata requests?
The proper place for the authorization check is in the backend method. Any authorization error should populate back to the service and yield a 403 for example.
If you for some reason don't want that, you could write your own HTTP handler and insert it in SICF to be called on all paths.
The standard role setup only allows access or no access to a service, the "pattern" access you are referring to is missing. But I can't really understand why you would want it? It will make your Odata services kind of un-predictable for the consumer, wouldn't it?
I've been creating API and consumer by following Simple API Development with Laravel from Aaron Kuzemchak. I got the problem after I success to auth via API from my consumer; I do not know how to check it, if the consummer already success logged in or not at the other pages...
For example, at the first; I show the login page, click the submit button to check the credentials via API. The login attempt is working, success to logged in and redirect to dashboard. But, if I haven't logged in and accessed the dashboard from URL, i got the dashboard :O
The API server and the consumer have separated machine and the database only exists at the API server.
Am I doing this right (with the flow for the API and Consumer) ?
At the consumer, how can I get to know if the user already logged in or not (after success attempt the credential)? (somehow? someidea?)
Thank you before... :)
This question is very confusing, probably because I haven't watched that screencast yet, but shouldn't Auth::check() be what you are looking for? It will return true or false depending on if the user is logged in.
Just to make sure:
You have a back end API built from the tutorial posted here: http://kuzemchak.net/blog/entry/laracon-slides-and-video
You're using HTTP Basic authentication as described in the above tutorial
You're building a (consumer) front end web interface for users on a separate server
Your consumer interface uses forms based authentication (a login form)
The backend API uses HTTP basic authentication (and the consumer sends an API key for the user with each request). As such, the backend won't keep track of a user being logged in. That means your consumer interface will need to do this.
You could use the Laravel Auth class for this normally, but your front end would normally have access to the database and the bundled authentication drivers could just check a username/password.
I'd say your options are:
Store details of the user in a session using the Session class (feels a bit nasty but simple)
Write an authentication driver and then use the Auth class (advanced but cleaner: http://www.karlvalentin.de/1903/write-your-own-auth-driver-for-laravel-4.html)
Just talk straight to the database using the existing Auth class and Eloquent
I'm using CAS (Central Authentication Service) from Jasig in a client JSF app running on tomcat 6 server. I would like to limit the access to the app just for the users specified in my database rather than all the users which can be authenticated using that CAS service. When the user attempts to log in, I need to check if his username is also in my database's table user and if it is - allow the access to the app. Otherwise, I would like to redirect user to a page "You don't have permission to access this part of the application". So I need authorization as well. Is there a good way to authorize the users in jsf 2.0? Thanks in advance for any help/suggestions.
Sounds like you need to design a custom Authentication Handler class in CAS. In theory, your handler would extend this [1], perform all the necessary checks and database look ups and will then be able to return a signal that indicates whether or not the user could authN.
You should then reference your custom handler in the deploerConfigContext.xml file.
For displaying the message, you could either throw an exception with the proper messages code, such that the message would appear above the login form, or you could alter the spring webflow and generate a new view-state which the user would be redirected to, if they fail to get access. The first approach is much easier to implement.
Another approach would be to take advantage of the isUserInRole() method [2] using the persondir api.
[1] http://developer.jasig.org/projects/cas/cas-server-core/cas-server/cas-server-core/apidocs/org/jasig/cas/authentication/handler/support/AbstractUsernamePasswordAuthenticationHandler.html
[2] https://wiki.jasig.org/pages/viewpage.action?pageId=47874068
My question is this: With a web application, after performing a login authentication for a protected resource, how can I run some sort of function (in this case, I want to run a function to initialize some user-dependent session-scope variables) BEFORE the web-app redirects to the protected resource.
I am programming a web application using servlets and JSP's, all within the struts framework. I believe I have followed the correct JAAS or J2EE standards for security.
In other words, I have configured the web-application via the web.xml file to redirect all requests for protected material to a login form that asks the user for login information. It then submits to j_Security_check which performs the authentication and authorization before redirecting the user to the protected materials.
So, I need to run a function sometime just after the web application says "yes, this person is who they say they are" and before the web application shoves them at where they want to go.
Hope you can help me. Thanks in advance.
If you use serverside sessions:
Create a servlet filter
In the filter: See if an attribute in the session has been set
If not: Check if user is authenticated and perform your operation if they are. Then set the attribute in the session
Thus, the operation will be executed only once.