After the user logs in with FORM authentication, I need to get the user's username. I'm using a custom login module that extends DatabaseServerLoginModule.
I'm runing JBoss EAP 6.2 (standalone) and Seam 2.3.1.
I've but a breakpoint in my loginmodule, and I can see from the stacktrace (and my browser's dev tools, where I can see the newly created JSESSIONID cookie) that the session has been created. I thought I could manually map JSESSIONIDs to usernames, but I can't see a way to find that. Inside my normal Seam Session scoped stuff, I could use FacesContext / ExternalContext.getSession(), but FacesContext.getCurrentInstance() is always null there.
In the stack trace I can see the FormAuthenticator and I thought I could get this stuff from there, but I haven't found a way to use a custom version of that.
I found something that recommended using an org.jboss.ejb3.annotation.SecurityDomain annotation along with a javax.annotation.Resource annotated / injected javax.ejb.SessionContext, but the SessionContext (from which I could call getCallerPrincipal) is always null. I guess Seam's idea of a Session and whatever that stuff maps to doesn't play well together.
Related
I am creating an app inside Sitecore and I only want it available to the users via a direct URL. I want the authentication to occur against LDAP. I tried going directly to the app and let it redirect to the auto login page and redirect me to the app but it didn't do it. Instead it took me to the Sitecore login page.
I'm wondering if it is possible for me to write some code to auto authenticate a LDAP user and redirect to the app page. I want the user to never see the login page or Sitecore desktop or any of the Sitecore screens other than that one app.
Thanks
We accomplished something similar by combining the AD module with some custom code in the Global.asax. Below are a few lines that might be helpful. You'll likely need a bunch of logic to check if the user is already logged in, and whether they are accessing a path you want to auto-login for.
NOTE: Make sure windows authentication is enabled in IIS.
protected void Session_Start(object sender, EventArgs e){
// The user from Windows Authentication in IIS
var user = Context.Request.ServerVariables["LOGON_USER"];
//Log the user in
bool success = Sitecore.Security.Authentication.AuthenticationManager.Provider.Login(user, false);
}
You'll note that the sample I provided goes directly to the provider. You can also call Login at the AuthenticationManager class, and this will also do some other work with cache. In my case, I was trying to bypass that.
UPDATE (2017-06-29):
In newer versions of Sitecore it is not recommended to make changes to the Global.asax. Unfortunately, there is no equivalent pipeline in Sitecore. You can attempt to use httpRequestBegin (where the UserResolver processor is) or httpRequestProcessed, but these will fire on every single request.
One alternative (credit to #Mark Cassidy on SlackChat) is to use the Initialize pipeline and in that processor register to the session start event.
It is possible yes, a quick Google search turned up these:
http://www.nehemiahj.com/2013/01/how-to-enable-single-sign-on-in-sitecore.html
based on the AD Module from Sitecore
http://sdn.sitecore.net/SDN5/Products/AD/AD11/Documentation.aspx
That should give you a good place to start from.
I am migrating from grails 2.2.2 to grails 2.3.4 to avoid a bug in 2.2.2 where the text value in the spring security property messages where not displaying, but I am running into all sorts of issues. Stuff that worked before, now it does not.
PROBLEM
When I run the grails app, the initial default page is index.gsp which is standard functionality but after installing and configuring the spring security core, spring security ldap, and spring securiy ui plugins I would like to make the /login/auth my default page.
In the previous release, I had it done via the UrlMappings.groovy config file by simply commenting, replacing or deleting this line
"/"(view:"/index")
for this one
"/"(view:"/login/auth")
My Config.groovy is set so that if the authentication is successfull to take me to the home page
grails.plugin.springsecurity.userLookup.userDomainClassName = 'security.Person'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'security.PersonAuthority'
grails.plugin.springsecurity.authority.className = 'security.Authority'
grails.plugin.springsecurity.requestMap.className = 'security.Requestmap'
grails.plugin.springsecurity.securityConfigType = 'Requestmap'
grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/home/'
and my Requestmap entries in the Bootstrap (if they are of any importance for this issue are as follows):
for (String url in [
'/', '/index', '/index.gsp', '/**/favicon.ico',
'/**/js/**', '/**/css/**', '/**/images/**',
'/login', '/login.*', '/login/*',
'/logout', '/logout.*', '/logout/*']) {
new Requestmap(url: url, configAttribute: 'permitAll').save()
}
new Requestmap(url: '/home/*', configAttribute: 'IS_AUTHENTICATED_FULLY').save()
It turns that when i do that... Eureka the login/auth comes as soon as the application is started but when I put the correct authentication credentials it does not seem to authenticate, it does does a 'slight little flicker' and it shows itself again.
However, If I delete this line
"/"(view:"/login/auth")
and put this one back in
"/"(view:"/index")
and then when I restart the application I manually to login/auth and put the correct credentials then it correctly takes me to the home page.
QUESTIONS
Did I miss any config setting anywhere that would make the login/auth the first page (but also allowing me to authenticate)?
I am not sure if this should be a separate posted question, but now by design the login page it's part of the plugin, before it was generated by and part of my code and I could style at my will. Do I have to copy paste the LoginController and the Auth.gsp in my app in order to customize the view or is there a better preferred way?
Thanks in advance.
The authentication mechanism in Spring Security works by keeping track of a referral URL when the login page is shown. And then redirecting to this page on a successful login. If you want the login page to be the first page people see just make the root view require authentication. I'm assuming most, if not all, of your application requires authentication. If this is the case, you don't need to make the login page the root view. Assuming everything under /home/* is locked down then Spring Security will detect that and immediately redirect to the login page when any of the secured pages are requested.
Long story short, you're making it harder than it needs to be.
As to your second question, I do believe you just need to create your own versions of those files in your app to customize them.
Hey I'm not pretty sure about your problem but you can try making the default login url /login/auth by
grails.plugin.springsecurity.auth.loginFormUrl = '/login/auth'
we want to integrate CAS authentication into Sonar 3.7 LTS. We want to start working with the deprecated CAS plugin, which of course doesn't work. We already compared it with the LDAP plugin from here whose Authenticator interestingly implements the deprecated interface LoginPasswordAuthenticator. One of the main differences is that the CAS Authenticator plugin implements Authenticator. So we altered the CAS Plugin that it implements LoginPasswordAuthenticator instead.
Now comes the clue:
In both cases, the authenticator implementing Authenticator or LoginPasswordAuthenticator, the username passed to it is null. The authentication against the CAS server works like a charm, the plugin knows the username, but Sonar asks the plugin, if it knows the user with the name null. The effect is that when we click on login we get redirected to CAS, fill in the login form and get redirected back to Sonar, still not authenticated to Sonar itself.
We also considered using container authentication but are not sure if that works with Sonar.
Now the question(s):
Has someone got the CAS plugin working with Sonar 3.7? If yes, how and can you provide the sources/solution/plugin?
Is there another way besides the suggested ones above?
One additional note: We want to use Sonar in our existing Tomcat 7, so using Sonar 4 is a way we do not really want to go because the Sonar team decided to stop war support. If anything else fails though, using it is a pain-in-the-ass-but-acceptable solution.
Thanks for your help.
Try this fork: https://github.com/jerzykrlk/sonar-cas.
I restored the behaviour of the original plugin - it should work with Sonar 3.7. It is unofficial at the moment, and will require a manual build. But maybe it will become an official plugin at some point, again.
Thanks to #psqita we got the CAS plugin for Sonar up and running with Saml 1.1. Business requirements said that no anonymous access shall be allowed. Sadly, setting forceAuthentication to true sent us into an endless loop of painful redirecting between CAS and Sonar. So we figured out that Sonar alters its behavior drastically in a way that it ignores all authentication plugins.
Our solution: As of business requirement we could not allow anonymous access. So we implemented another Filter that redirects conditionally to CAS. Authentication and stuff is still done by the plugin. Sadly, we still do not know why there was this endless loop in the first place but now it doesn't happen anymore. Well that's IT I think...
Thank you for your support and happy holidays.
I am trying to setup a REST-webservice with RESTeasy that access EJBs that are deployed on a JBoss 7.1.1.
I've been successful in:
Setting up Beans to be accessed via REST
Configuring SSL for the connection
Setting up a PreProcessInterceptor that uses HTTP Basic Auth to ask the User for his credentials.
Currently I basically just check the credentials hardcoded in the interceptor.
This works to make sure that the User is authenticated, but our Beans query for the name of the currently logged in Principal for some Beancalls like this:
#Resource
private SessionContext context = null;
[...]
String userName = context.getCallerPrincipal().getName();
Currently userName is now always anonymous. What is the right way to set the caller principal? Do I do this in an Interceptor? Or in the Bean itself? My goal is to basically be able to call a method loginUserWithEJBOnJboss(String user, String pass) that uses the login-methods that are configured within the jboss and sets the principal correctly.
I am at a loss here, google didn't find anything. Maybe I am just searching for the wrong words.
So yeah, as always soon after asking I find the solution myself. I think sometimes I only ask because I know this will happen.
So the solution are these methods:
SecurityContextAssociation.setPrincipal(new SimplePrincipal(username));
SecurityContextAssociation.setCredential(password.toCharArray());
They do pretty much all I wanted :)
We are currently facing a production issue on Websphere 7 with respect to richfaces fileupload component. The problem description is that immediately after the file for upload is browsed and selected using this component, the basic authentication dialogbox appears asking for user credentials.
Following are the frameworks we are using in our project:
JSF 1.2 & Richfaces 3.3.3
Spring Framework 3.x
Spring Webflow 2.1
Spring Security 3.x (only basic authentication using login dialogbox)
The user is authenticated once when he wants to access the application at the beginning using basic authentication. All screens that dont use fileupload component are working fine. But if we use fileupload component, as I mentioned above, the file selection (even from local machine path) triggers the basic authentication dialogbox again. The strange thing is that this behaviour does not occur on our Dev Environment which uses Tomcat 6. On Tomcat, the fileupload is not triggering any user login and upload is working fine.
This problem is occuring only when the app. is deployed on Websphere 7. Can anybody please tell whether Websphere requires any additional configuration for accessing Files through this component ?
We have spent a lot of time investigating this problem without any meaningful results. As this is a production issue for us now, it is very critical and needs to be resolved at the earliest.
So please help in this regard. Thanks in advance.
I don't know the File Upload component, and the answer may well lie in the detail of how that works, but in general WebSphere will challenge if an HTTP request arrives for a protected resource and the request does not contain a valid LTPA cookie. The cookie is normally sent by the browser on each request when authentication has happended once, BUT it will only do so if it believes that the cookie is related to a given domain. So if the main part of your website were served from, say,
htpp://my.own.org.com/mysite
and the file upload were related to a subtly different host
http://my.other/filesite
Then the cookie would not be sent, and a challenge would result.
My approach to diagnosing this would be get some kind of traffic sniffer. See exactly what is flowing and the addresses being used. I'm predicting that you will see the LTPA cookie in the usual case and not in the upload case. Then it's a matter of figuring out "why".