Differences between Form and Adapter Based Authentication in Worklight - ibm-mobilefirst

Can you please let me know the differences between Form and Adapter Based Authentication? I've gone through the PDF provided by IBM but was not able to find the actual difference.
Certain queries that come to my mind are:
How does validation occur? And how are the entered j_username and j_password compared with the username and password on the server?
Right now, for example, it's accepting any combination of username and password,
since they are using requrl = /j_security_check.
How do I validate the username and password with the server?

The main difference between Form and Adapter Based Authentication is that Form Based Authentication uses MobileFirst internal classes and methods, whereas when using Adapter Based Authentication you are responsible for the authentication procedures (which should be located inside an adapter) - you only declare in the securityTest which procedures to use for login and logout.
If you want to use Form-Based Authentication with a username and password you can use the Single Identity login module.
More information about Single Identity login module can be found here:
https://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/devref/r_single_identity_login_module.html

Related

Modify identityserver4 authorize

I'm using IdentityServer4 and EF Core in my Blazor WASM project with the ASP.NET Core hosted option, and in that project I use multiple databases (dynamic connection string - duplicates of databases).
On the login page you choose which database to use, and I store the database name in the cookies.
The system should work like this: when you log in using one database you can't use the other databases.
Everything is working fine except that I can change the database name in the cookies and then use the other databases.
My question is: how can I modify the IdentityServer4 authorize so that when you log in using one database you can't access the other databases (return a 403 error code on HTTP requests if you changed the database name in the cookies) - database dependent.
I thought maybe I could check on each request whether the token is stored in the AspNetUserTokens table, but I noticed that the table is empty even after logging in successfully.
It sounds like the current database value should be set as a Claim on the user's identity, rather than in a raw cookie. Adding custom claims to the identity will protect them in an encrypted token.
Here's some documentation around this scenario; in particular, look at implementing an IProfileService that adds your claim.
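One way to do what the answer describes, as an added example that is not code from the question, the answer or IdentityServer4 itself. It assumes the ASP.NET Core Identity integration the Blazor WASM hosted template wires up (ApplicationUser, ApplicationDbContext); the claim type tenant_db, the cookie name db and the helper names are this example's own choices, and every sign-in path is assumed to go through TenantSignIn so that each principal carries the claim. The database choice rides inside the data-protected authentication cookie and the issued access token, where the browser cannot edit it; on the API the middleware derives the database only from the claim, answers 403 when a leftover db cookie disagrees with it, and refuses a principal that has no tenant claim rather than falling back to some default database.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.AspNetIdentity;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;

// Assumed names (not from IdentityServer4): the claim type and the raw cookie the question used.
public static class TenantClaims
{
    public const string Database = "tenant_db";
    public const string LegacyCookie = "db";
}

// 1. Login page: after the user picks a database, sign in with the choice as a claim.
//    SignInWithClaimsAsync stores it inside the data-protected authentication cookie.
public static class TenantSignIn
{
    public static Task SignInAsync(SignInManager<ApplicationUser> signInManager,
                                   ApplicationUser user, string databaseName, bool isPersistent)
    {
        var extra = new[] { new Claim(TenantClaims.Database, databaseName) };
        return signInManager.SignInWithClaimsAsync(user, isPersistent, extra);
    }
}

// 2. Profile service: keep the Identity-backed claims (name, role, ...) that the base class
//    issues and add tenant_db, so the access token handed to the Blazor client carries it.
public class TenantProfileService : ProfileService<ApplicationUser>
{
    public TenantProfileService(UserManager<ApplicationUser> userManager,
                                IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory)
        : base(userManager, claimsFactory) { }

    public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        await base.GetProfileDataAsync(context);
        // context.Subject is the principal established at login; copy the claim across unchanged.
        // IssuedClaims is used directly so the claim is not filtered out by RequestedClaimTypes.
        var db = context.Subject.FindFirst(TenantClaims.Database);
        if (db != null)
            context.IssuedClaims.Add(new Claim(TenantClaims.Database, db.Value));
    }
}

// 3. API side: trust only the claim. An edited "db" cookie that disagrees with it gets 403,
//    and an authenticated principal without a tenant claim is refused as well.
public class TenantDatabaseMiddleware
{
    public const string ItemKey = "TenantDatabase";
    private readonly RequestDelegate _next;
    public TenantDatabaseMiddleware(RequestDelegate next) { _next = next; }

    public async Task InvokeAsync(HttpContext ctx)
    {
        if (ctx.User?.Identity?.IsAuthenticated == true)
        {
            var claimed = ctx.User.FindFirst(TenantClaims.Database)?.Value;
            string cookie = ctx.Request.Cookies.TryGetValue(TenantClaims.LegacyCookie, out var c) ? c : null;

            bool missing = string.IsNullOrEmpty(claimed);
            bool tampered = cookie != null && !string.Equals(cookie, claimed, System.StringComparison.Ordinal);
            if (missing || tampered)
            {
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                return;
            }
            ctx.Items[ItemKey] = claimed;   // the DbContext factory reads this, never the cookie
        }
        await _next(ctx);
    }
}

// Startup wiring (abbreviated):
//   services.AddIdentityServer()
//           .AddApiAuthorization<ApplicationUser, ApplicationDbContext>()
//           .AddProfileService<TenantProfileService>();   // registered last, so it is the one resolved
//   app.UseAuthentication();
//   app.UseMiddleware<TenantDatabaseMiddleware>();         // after authentication, before endpoints
//   app.UseAuthorization();
```

The DbContext factory that builds the per-tenant connection string should read `HttpContext.Items["TenantDatabase"]` and nothing else; once that is the only source, the cookie can be dropped entirely and the middleware's cookie comparison becomes a belt-and-braces check for old clients.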

Forms authentication over http in WCF - how do I know which user is calling me

I'm working on a client-server application using WCF. The first client will be a desktop app (WPF) but I plan to add Xamarin (Android and iOS) and web clients. I want this to be an internet service, and to potentially support a large number of clients, so I'm using HTTP with a stateless service to conserve server resources.
I am having difficulties implementing authentication logic.
I found this great example that implements forms authentication:
http://www.dotnetspeak.com/wcf/securing-wcf-with-forms-authentication/
It allows me to handle authentication how I want - compare username and password against the database, create an authentication cookie and return it. Subsequent calls using this cookie will be authenticated automatically.
But the problem is, I don't know which user called the service. If GetMyData() is called by user1, I want to make sure he only gets his own data. I obviously don't want to have the client send their ID separately with each request, because that can be easily tampered with - just switch "user1" for "user2" and hey presto, you're getting someone else's data.
I can get to the authentication cookie inside the service method by calling
WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Cookie]
(I can also see there's one other header called "Host")
The cookie is generated from a FormsAuthenticationTicket, which contains the username and password, but it's encrypted. I'm not sure whether it's possible for me to decrypt the cookie in my code, but I'm pretty sure it wouldn't be the correct approach. My method was called AFTER the underlying system authenticated the caller, so presumably the cookie was decrypted and the ticket was found to be valid. So why can't I get to the data?
Sadly, every article I've found only deals with authenticating the user, but nobody seems to care about which user is using the service afterwards, as long as he's authorized.
I suppose I could store the cookies server-side, along with mapping to the specific user, and find the user that way. But I want the service to be as stateless as possible for performance reasons. Also, this would involve doing fulltext matching on a 300 character long string - for every single request! Yikes!
It seems to me that what I need is a very common use case, so there must be a proper way to do it. I just can't seem to find it. Can anyone help me out?
If you have Forms authentication set up correctly then you can get the logged-in username via Thread.CurrentPrincipal.Identity.Name and use it in your service method for data access validation. Get the user id from the username and validate ownership.
Thread.CurrentPrincipal.Identity.Name decrypts the cookie ticket and returns the logged-in username.
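What the answer's approach looks like inside a service, as an added example rather than code from the question, the answer or the linked article. The DataItem type and the in-memory FakeDb list are constructed stand-ins for the database, and the contract names are this example's own. The point it adds is the contrast the question worries about: GetMyData takes no user id at all, and GetItem, whose id is client-chosen, checks ownership against the identity the forms ticket established before returning anything.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Security;
using System.Threading;

// Constructed sample data standing in for the database (assumed shape).
public class DataItem
{
    public int Id { get; set; }
    public string OwnerUsername { get; set; }
    public string Payload { get; set; }
}

public static class FakeDb
{
    public static readonly List<DataItem> Items = new List<DataItem>
    {
        new DataItem { Id = 1, OwnerUsername = "user1", Payload = "user1's record" },
        new DataItem { Id = 2, OwnerUsername = "user2", Payload = "user2's record" },
    };
}

[ServiceContract]
public interface IMyDataService
{
    [OperationContract] List<DataItem> GetMyData();   // no userId parameter: the caller cannot choose
    [OperationContract] DataItem GetItem(int id);      // id is client-chosen, so ownership is checked
}

// Required so the ASP.NET pipeline (FormsAuthenticationModule) runs before the operation and
// sets the principal; web.config also needs <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class MyDataService : IMyDataService
{
    // Identity comes from the decrypted, validated forms ticket, never from an argument.
    private static string CurrentUsername()
    {
        var identity = Thread.CurrentPrincipal == null ? null : Thread.CurrentPrincipal.Identity;
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
            throw new SecurityAccessDeniedException("Caller is not authenticated.");
        return identity.Name;
    }

    public List<DataItem> GetMyData()
    {
        var me = CurrentUsername();
        return FakeDb.Items
            .Where(i => string.Equals(i.OwnerUsername, me, StringComparison.OrdinalIgnoreCase))
            .ToList();
    }

    public DataItem GetItem(int id)
    {
        var me = CurrentUsername();
        var item = FakeDb.Items.FirstOrDefault(i => i.Id == id);
        // Same fault for "does not exist" and "not yours": the caller learns nothing about other ids.
        if (item == null || !string.Equals(item.OwnerUsername, me, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Item not found.");
        return item;
    }
}
```

The username-to-id lookup the answer mentions belongs where `me` is used: resolve it from the user table on the server and filter on that key, so that the client never supplies it.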

Using different access method with thinktecture STS server

I'm currently new to Claim Based Model and Secure Token Service.
I have successfully installed thinktecture identity server and tested it.
The next step that I would like to make is to change the login method from the normal method of user name and password to another, biometric method (actually a fingerprint),
i.e. I would like to know how to make the thinktecture server accept biometric data (where do I have to tune it) rather than the user name and the password.
There's nothing built-in for that. You would need to do that yourself. The obvious place to start would be the login view/controller.

How to get username from openSSO/openAM system?

I'm currently using openAM to protect a small webapp of mine using a Java EE web agent. Someone tries to access the app, they get redirected to the openAM instance, they login, they go to the app. Simple stuff.
What I'd like is for openAM to pass the username that was successfully used to the web app. It's my understanding that "session attributes" should be used for this. When in the admin, I go to my Java EE webagent and open up the "Application" tab to see the "Session Attributes Processing". I see that HTTP_COOKIE is a choice for fetching.
1) is it the case that I should expect to see the username, if properly set up, as plaintext in the cookie?
2) what value do I enter in the session mapping to get the username? How do I find what value in the data store corresponds to this?
Thanks
We are using HTTP_HEADER with our agents. So if you are already using agents (which sounds like you are), then the following should work for you. In OpenAM web console:
Access Control > Top Level Realm > Agents > Web / J2EE / etc. > click on an agent
Application tab > Profile Attributes Processing section > Profile Attribute Fetch Mode:
Click on the "HTTP_HEADER" choice
Profile Attribute Mapping:
Map Key: [uid] ... Corresponding Map Value: uid
Click Add. It should look like [uid]=uid once you've added it. Add any other mapping you need that matches attributes to your backend authentication system. Ours is ldap.
In your web application, retrieve the HTTP header elements and look for the token. It should look something like this: AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
You can then use the OpenAM REST interface to validate and retrieve attributes associated with the token such as user name, password, cn, etc. To retrieve all attributes, the URL would be like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
You can also specify attributes you want like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*&attributenames=uid&attributenames=userpassword
References:
https://wikis.forgerock.org/confluence/display/openam/Use+OpenAM+RESTful+Services
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index/chap-rest.html
1) yes, the agent will create plaintext cookies (and if the user sends malicious ones it will recreate them just fine), however using HTTP_HEADER method to pass on attributes is considered as a better solution (since it's not stored on the client side).
2) Session Attributes Processing only works if you actually stored something in the session. For that you can either use the "User Attribute Mapping to Session Attribute" feature in Authentication > All Core Settings or write a custom module to save derived values. Otherwise, if you just want to get the uid of the user, use Profile Attributes Processing (key uid, value HTTP_UID, and your app will see an HTTP_UID cookie/header).
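A client for the REST call the first answer shows, as an added example that is not code from either answer or from OpenAM. It builds the identity/attributes URL, parses the legacy line-oriented reply (userdetails.attribute.name= followed by one or more userdetails.attribute.value= lines) into a multi-valued map, and treats a non-2xx answer as a rejected token rather than as "no attributes". The SampleReply is constructed, not captured from a server; the host, token and attribute names are placeholders. Two things the answers imply but do not spell out: ask only for the attributes the application needs (uid and mail here, not userpassword), and trust an agent-injected HTTP_UID header only when the agent is the sole path to the application, because a client that can reach the application directly can send that header itself.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

public static class OpenAmIdentityRest
{
    // .../identity/attributes?subjectid=<token>&attributenames=uid&attributenames=mail
    // openAmBase must end with "/" (e.g. http://host:8080/openam/) so the relative path resolves under it.
    public static Uri BuildAttributesUri(Uri openAmBase, string ssoToken, params string[] attributeNames)
    {
        var query = "subjectid=" + Uri.EscapeDataString(ssoToken);
        foreach (var name in attributeNames)
            query += "&attributenames=" + Uri.EscapeDataString(name);
        return new Uri(openAmBase, "identity/attributes?" + query);
    }

    // Parses the legacy reply. Multi-valued attributes repeat the value line, so each name maps to a list.
    public static Dictionary<string, List<string>> ParseAttributes(string body)
    {
        const string NamePrefix = "userdetails.attribute.name=";
        const string ValuePrefix = "userdetails.attribute.value=";
        var attrs = new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        List<string> current = null;

        foreach (var raw in body.Split('\n'))
        {
            var line = raw.TrimEnd('\r');
            if (line.StartsWith(NamePrefix, StringComparison.Ordinal))
            {
                var name = line.Substring(NamePrefix.Length);
                if (!attrs.TryGetValue(name, out current))
                    attrs[name] = current = new List<string>();
            }
            else if (line.StartsWith(ValuePrefix, StringComparison.Ordinal) && current != null)
            {
                current.Add(line.Substring(ValuePrefix.Length));
            }
            // userdetails.token.id and userdetails.role lines are not needed here and are skipped.
        }
        return attrs;
    }

    // A non-2xx status (expired, forged or otherwise invalid token) surfaces as an exception,
    // so a caller cannot confuse "OpenAM rejected the token" with "the user has no attributes".
    public static async Task<Dictionary<string, List<string>>> FetchAsync(
        HttpClient http, Uri openAmBase, string ssoToken, params string[] attributeNames)
    {
        using (var resp = await http.GetAsync(BuildAttributesUri(openAmBase, ssoToken, attributeNames)))
        {
            resp.EnsureSuccessStatusCode();
            return ParseAttributes(await resp.Content.ReadAsStringAsync());
        }
    }

    // Constructed sample reply (not captured from a real OpenAM) to exercise the parser offline.
    public const string SampleReply =
        "userdetails.token.id=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*\n" +
        "userdetails.role=id=employees,ou=group,dc=example,dc=com\n" +
        "userdetails.attribute.name=uid\n" +
        "userdetails.attribute.value=jdoe\n" +
        "userdetails.attribute.name=mail\n" +
        "userdetails.attribute.value=jdoe@example.com\n" +
        "userdetails.attribute.value=john.doe@example.com\n";

    public static void Demo()
    {
        var attrs = ParseAttributes(SampleReply);
        Console.WriteLine("uid: " + attrs["uid"][0]);
        Console.WriteLine("mail values: " + attrs["mail"].Count);
        Console.WriteLine(BuildAttributesUri(new Uri("http://openam.example.com:8080/openam/"),
                                             "AQIC...placeholder...", "uid", "mail"));
    }
}
```

With the HTTP_HEADER fetch mode from the first answer, the application can read HTTP_UID directly and skip the round trip; the REST call is the way to re-validate the token itself or to pull attributes the agent was not configured to map.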

SQL Server Authentication in Silverlight/RIA-Services app

I am creating a new Silverlight 4 business application using RIA services. This will be using a SQL-Server 2005 DB. There is no AD setup so I am required to use SQL Server Authentication. The details that the user uses to login to the system will be used to hit the SQL Server.
E.g., if username="TestUser" and password="Password" is entered in the login screen of the application, these will be the credentials that will be used to access the DB.
I am wondering what the best way to do this will be? At this point the method of accessing the DB is undecided (EF or 'traditional' ADO.NET using stored procs).
I think current applications take the username and password entered into the login screen, use them to build a connection string and see if they can hit the DB using this, if it works they're in, if not they're declined.
I ended up going with EF and changing the AuthenticationServices Login() method to attempt to hit the database with the required username and password.
I wrote a blog post about how I Dynamically changed connection string for EF
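A version of the Login() change the self-answer describes, as an added example rather than the author's code or RIA Services' own. It overrides ValidateUser, which the template's AuthenticationBase<User>.Login calls, so that a login succeeds only if SQL Server accepts the entered credentials; the server and database names are placeholders and the User class is the template's. Only error 18456 (login failed) is turned into a rejected login; anything else (server down, network) is left to propagate, so an outage does not look like a wrong password. It stops at validation: keeping the password around for the later EF connection is the part the blog post linked above covers, and it is the main drawback of per-user SQL logins.

```csharp
using System;
using System.Data.SqlClient;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server.ApplicationServices;

// The RIA Services template's user type (assumed unchanged).
public class User : UserBase
{
    public string FriendlyName { get; set; }
}

[EnableClientAccess]
public class AuthenticationService : AuthenticationBase<User>
{
    private const string Server = "sqlserver.example.local";   // placeholder
    private const string Database = "AppDb";                   // placeholder

    // Login() calls ValidateUser(); this replaces the Membership check with a real SQL Server login.
    protected override bool ValidateUser(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        var csb = new SqlConnectionStringBuilder
        {
            DataSource = Server,
            InitialCatalog = Database,
            IntegratedSecurity = false,   // SQL Server authentication, as the question requires
            UserID = userName,
            Password = password,
            Encrypt = true,               // the login packet carries the password; needs a server certificate
            ConnectTimeout = 5,
            Pooling = false,              // each distinct user string would otherwise get its own pool
        };

        try
        {
            using (var conn = new SqlConnection(csb.ConnectionString))
            {
                conn.Open();              // succeeds only if SQL Server accepts this login
                return true;
            }
        }
        catch (SqlException ex)
        {
            if (ex.Number == 18456)       // "Login failed for user": wrong name or password
                return false;
            throw;                        // anything else is an error, not a failed authentication
        }
    }
}
```

Because the user's SQL login is what the data connection will use, the accounts themselves should be granted only the tables and procedures the application needs; the login screen cannot narrow what a SQL login is allowed to do.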