I'm very new to Glass and I followed this link https://developers.google.com/glass/develop/mirror/quickstart/java to deploy the project to Google App Engine.
Now everything works, but every time I close the browser, then open it again and access my site (mysite.appspot.com), it requires user permission again and again.
Please help me to solve it, thank you very much.
This is because the Java Quickstart demo utilizes sessions to identify users. One of the reasons a session's lifetime ends is due to a user quitting the browser. Therefore when you close and then reopen a browser, the web app has no way to identify you since the session has ended.
The code that checks for a user's identity in sessions is in AuthFilter.java of the Quickstart demo project:
    if (AuthUtil.getUserId(httpRequest) == null
        || AuthUtil.getCredential(AuthUtil.getUserId(httpRequest)) == null
        || AuthUtil.getCredential(AuthUtil.getUserId(httpRequest)).getAccessToken() == null) {
      // redirect to auth flow
      httpResponse.sendRedirect(WebUtil.buildUrl(httpRequest, "/oauth2callback"));
      return;
    }
If the servlet cannot find the user ID (as is the case when the user ID is no longer saved in a session), it runs the user through the authentication process again that starts with the httpResponse.sendRedirect call in the code above.
I am trying to use Mongo Realm (v10.0.0-beta.9); I use JWT authentication (the token being generated by AWS Cognito). It works pretty well since a user has been created (in Mongo Realms Users menu) and I was able to insert data in my realm. But...
1. Empty user object
One strange thing nevertheless: the user I get from the authentication is empty
const credentials = Realm.Credentials.custom(jwt)
// Authenticate the user
const user: Realm.User = await app.logIn(credentials)
console.log("logged in with Jwt, user:", user) // display "logged in with Jwt, user: {}"
Is it normal? Examples speak about an identity field: console.log(`Logged in as ${newUser.identity}`);
2. React Native hot reload
A bothering thing: I can't reconnect to a realm when reloading the app (pressing r in the console where I npm started). I don't get any error, I just get... nothing. No log appears in Realm console.
The only solution I get is to kill the app, then restart it.
Did I miss a trick to handle that reconnection with RN hot reload?
I've had some troubles converting any Realm objects to printable strings; I always get {} just like you do. I think it could be related to this (unresolved) task on their GitHub.
On a similar note, there are some bugs in Realm's authentication system. I'm trying to get email/password, Facebook, and Google authentication going in my application but all of them currently seem to be broken on Realm's side.
Here are some related issues on their GitHub that you can follow for a solution.
Facebook
Google
Email/pass (fixed, but not released in the latest beta)
I don't have any information about JWT specifically but given these other authentication issues there's a good chance the issue isn't on your side. I recommend opening an Issue on their repository.
This is a summary of an issue I filed directly with expo (it was closed but I have asked for it to be reopened):
This issue happens whether using AuthSession.startAsync,
AppAuth.authAsync or WebBrowser.openAuthSessionAsync on iOS in
local development and published release (expo managed). Haven't tried
on standalone build yet.
Steps to Reproduce
user presses 'sign in' button, (app calls one of the above methods to kick start authentication session with a Salesforce oauth provider)
user enters credentials successfully
app goes through oauth redirects and returns user to our app and we get our access token.
user presses 'sign out' button (app calls revoke endpoint for token, then calls server endpoint to delete any browser cookie sessions for given account reference)
app navigates to sign in screen
user presses 'sign in' again (app calls the same method from above to start the authentication session with Salesforce oauth provider again)
instead of opening the sign in page, the app redirects itself back with an access token as if the user had successfully entered their credentials, even though any cookies/session data the browser stores should be invalid and necessitate a sign in.
Expected Behaviour
steps 1 - 5 are all as expected. Step six should be
app redirects to Salesforce oauth provider sign in page, in unauthenticated state (ie no cookie or session data that was previously stored is still valid)
user is required to re-enter their credentials
oauth flow takes over and redirects the user into the app if the credentials were correct.
Actual Behavior
as per initial steps where the user is not even asked to enter their credentials (step 6):
instead of opening the sign in page, the app redirects itself back with an access token as if the user had successfully entered their credentials, even though any cookies/session data the browser stores should be invalid and necessitate a sign in.
Reproducible Demo
The code is in a private repo so I can't share details of it, but it's a very standard oauth flow, and seeing it's happening in all three of the method calls from the top suggests to me that it may be due to something in the WebBrowser.openAuthSessionAsync implementation. I have seen on the apple developer docs that SFAuthenticationSession has been deprecated in favour of ASWebAuthenticationSession. My understanding is that this (SFAuthenticationSession) is the browser used by expo's WebBrowser and the wrappers mentioned above (AppAuth and AuthSession) for the oauth interactions. I also see that it mentions it's for a one-time login, which perhaps explains why it would hold onto any session data and jump to the conclusion of re-authenticating without directly seeking credentials from the user, but it seems unhelpful to store a cookie without validating it, which is what appears to be the end result.
Notes
Essentially this is making it impossible for a user to sign out of our app, because the system browser, that we don't have control over, is keeping track of their authentication despite the session value no longer being valid against the server.
I've seen other people looking to find ways to clear cookies from the system browser, which may be what this issue relates to, though it doesn't appear to be possible to access the auth session's browser cookies in any way. This comment on a GitHub issue is exactly what I'm experiencing and need to find a solution to.
I would like users to be able to sign out, and then when they sign back in again they should have to enter their credentials again. Does anyone have any thoughts as to how this might be possible?
On iOS, it's now possible to pass in the following config to WebBrowser.openAuthSessionAsync to essentially treat it as incognito and ensure it doesn't retain any cookies. The effect is that the user will have to re-authenticate each time (even if their session is still active). I'm not aware of a similar approach for Android, however.
Code
// iOS only: use a private browser session that does not share or keep cookies
const browserOptions = {
  preferEphemeralSession: true
}
const result = await WebBrowser.openAuthSessionAsync(authUrl, redirect, browserOptions)
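As an added example (not part of the answer above and not Expo's code): a provider-side complement to preferEphemeralSession that does not depend on the platform browser. It assumes the identity provider honours the standard OpenID Connect `prompt=login` and `max_age` parameters and returns `auth_time` in the ID token. The endpoint, client ID, redirect URI and function names are hypothetical, and the claims are assumed to come from an ID token whose signature has already been verified.

```javascript
// Added example: ask the provider to prompt for credentials, then verify that it did.
// Assumption: the provider implements OpenID Connect `prompt`, `max_age` and `auth_time`.

// Build the authorize URL for a sign-in that must not reuse a browser session.
// `state` is a random value the caller generates with a CSPRNG and checks on return.
function buildForcedLoginUrl({ authorizeEndpoint, clientId, redirectUri, scope, state }) {
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    prompt: "login", // re-authenticate even if a session cookie still exists
    max_age: "0",    // any earlier authentication counts as too old
  }).toString();
  return url.toString();
}

// Decide whether already-verified ID-token claims prove a login that happened
// after this sign-in attempt started (allowing for some clock skew).
function isFreshAuthentication(claims, signInStartedAtMs, skewSeconds = 60) {
  if (typeof claims.auth_time !== "number") return false; // no proof, treat as stale
  const earliest = Math.floor(signInStartedAtMs / 1000) - skewSeconds;
  return claims.auth_time >= earliest;
}

// Constructed sample values (hypothetical provider and app).
const startedAt = Date.UTC(2024, 0, 1, 12, 0, 0);
const authUrl = buildForcedLoginUrl({
  authorizeEndpoint: "https://idp.example.com/oauth2/authorize",
  clientId: "example-client-id",
  redirectUri: "myapp://redirect",
  scope: "openid",
  state: "constructed-random-state",
});
const freshClaims = { sub: "user-1", auth_time: startedAt / 1000 + 20 };
const staleClaims = { sub: "user-1", auth_time: startedAt / 1000 - 3600 };

console.log(authUrl);
console.log("fresh login accepted:", isFreshAuthentication(freshClaims, startedAt));
console.log("silent re-login accepted:", isFreshAuthentication(staleClaims, startedAt));
```

Rejecting the sign-in when `isFreshAuthentication` returns false lets the app detect the silent re-login described in the question instead of trusting that the browser session was cleared.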
I'd like to offer a WebService API to a set of intranet desktop applications.
Currently my web service configuration (launchSettings.json) is:
"windowsAuthentication": true,
"anonymousAuthentication": false
This approach needs this line of code at the Startup class:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
When I test it the browser (Firefox in my case) calls the default controller. Then I get a prompt asking the user and password from the active directory user, which is already logged in. After a successful log-in I can see the user name and its status within my controller class:
var isAuthenticated = User.Identity.IsAuthenticated;
var userName = User.Identity.Name;
But as already noted: the current user is already logged in to this Windows machine, so could I forward this information in order to avoid this log-in prompt?
At test stages it is not a big problem to enter this information, but I guess when other kinds of clients (my custom desktop applications) try to use these WebServices they will also need to call the WebServices in such a way that the user gets authorized.
Please, consider I am getting started with the asp.net, core and webservices technologies, so if you need more information, let me know :D
Firefox doesn't support automatic login. Only Chrome and IE/Edge do.
I am encountering a strange situation with MobileFirst 7.1 where users are occasionally unable to authenticate/login. The only indication that something is awry is a message in the console.log:
[AUDIT ] CWWKS1100A: Authentication did not succeed for user ID . An invalid user ID or password was specified.
My custom login module uses com.worklight.core.auth.ext.LdapLoginModule (so to clarify I have a login module which authenticates using LDAP). Like I say everything seems to work most of the time but occasionally users end up in a situation where they are unable to authenticate. I suspect that it is probably related to the session in some way, but that is only a guess based on my investigation.
I have added some logging to my 'secret' adapter which prints the session state to the console log, and obviously this appears in the logs just before the failed authentication message above, but it is empty, i.e. the session contains nothing. The user is obviously trying to access a secure adapter at this point, and because they are not authenticated they end up at the login page (form based authentication I should say also).
Anyway, I noticed that although there appears to be no session data, the jsessionid is there and has not changed i.e. it does not change even if I refresh the browser. This may not be an issue in itself of course, but interestingly if I remove this entry and refresh my browser I am able to login successfully.
I am pretty sure that my handler code calls the relevant success/failure methods in the correct places but of course there is nothing to stop the user refreshing their browser, which causes them to be re-directed to the login page (the app has been developed using AngularJS so is effectively a single-page navigation model).
The only reproducible test I have been able to come up with is when I login to the MobileFirst console and then try to login to our MF 'desktopbrowser' app. I have read that this situation causes a session-related conflict, but as I say the occasional issue I am seeing is not caused by this (though it may be related).
So the problem seems to have been more related to the flow of logic in our application after successfully logging in, than any inherent issue with the MF Platform.
For example when a user refreshes the browser they are effectively still logged in, but because the app (based on logic we have developed) takes the user to the login page on refresh, the user is effectively re-logging in to the same session. If this failed every time it would of course have been easier to pinpoint but it does not. The solution was to force logout on refresh (when the app initialises), thus cleaning up any session data. In future iterations it may of course be better to re-establish the application based on the authenticated session after refresh, but at present that was a step too far.
Another example of this was post login if the subsequent adapter calls failed (e.g. we authenticate and then retrieve profile data from a database), then we were also not logging the successfully authenticated user out.
I'm very new to Liferay and am creating a hook on the login.events.pre event. My users will be signing in to the website by using their phone number, so I have to do some validations on the status of their phone line before letting Liferay create a session for the user. I've already created the portlet and am able to execute some Java code before letting Liferay take care of the login validation, but I'm not sure how to stop the whole process if my validation fails. In other words, if I find out that the user's phone line is suspended, I don't want Liferay to allow them to sign in, even if the right login info has been provided by the user. Is it possible to do this in the login.events.pre event in Liferay?
In this case you can invalidate the session and redirect to some customized error page in your hook.
The piece of code below might be helpful.
// Get the current session without creating a new one (returns null if there is none)
HttpSession session = request.getSession(false);
// Invalidate the session, if one exists, and redirect to your customized error page
if (session != null) {
    session.invalidate();
}
response.sendRedirect("/errorPage.html");