I am using Worklight 6.1 and am using a challange handler to determine if my user is logged or not.
Once logged in, I have the following code attached to my logout button in my app:
on(logoutBtn, "click", lang.hitch(this, function() {
WL.Client.logout('AdapterAuthRealm', { onSuccess:lang.hitch(this, function() {
this.gotoView("login");
}), onFailure:lang.hitch(this, function() {
WL.Logger.error("Unable to logout");
})});
return false;
}));
Clicking it opens the login view, but when the user tries to login again, the following error is shown:
"Cannot change identity of an already logged in user in realm 'AdapterAuthRealm'.
The application must logout first."`
According to the following SO question:
Worklight: WL.Server.setActiveUser - Cann't modify - Illegal State: Cannot change identity
I will first have to clear the active user before setting a new one:
WL.Server.setActiveUser("AdapterAuthRealm", null);
I actually expected WL.Client.logout to do this automaticly, but doing so myself in my onLogout function in my adapter does not seem to have any effect:
<realm loginModule="NonValidatingLoginModule" name="AdapterAuthRealm">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="PortalAdapter.onAuthRequired"/>
<parameter name="logout-function" value="PortalAdapter.onLogout"/>
</realm>
And
function onLogout() {
WL.Logger.info("invoke logout request");
WL.Server.setActiveUser("AdapterAuthRealm", null);
var input = {
method : 'get',
returnedContentType : 'text/plain',
path : '/logoutUrl'
};
WL.Server.invokeHttp(input);
}
Adding it to my login function in my adapter as follows:
var userIdentity = { userId: username, displayName: username, attributes: {}};
WL.Server.setActiveUser("AdapterAuthRealm", null);
WL.Server.setActiveUser("AdapterAuthRealm", userIdentity);
Results in an infenite loop of login / logout requests of my app.
My questions:
When/where am I supposed to clear my active user?
When using a challange handler, is it allowed to use the WL.Client.logout method?
Your realm should have a logout function which should point to adapter procedure to logout. you can add this as a parameter for realm.
you can add the WL.Server.setActiveUser("AdapterAuthRealm",null); to the onLogout() procedure in adapter
<realm loginModule="loginModule" name="AdapterAuthRealm">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="LoginAdapter.onAuthRequired"/>
<parameter name="logout-function" value="LoginAdapter.onLogout"/>
</realm>
2 Yes. you can use WL.Client.Logout();` when using challenge handler
Related
I am trying to implement OAuth2 authentication in a Dropwizard web-application. I have created the required Authenticator and Authorizer classes and added the code supplied in the Dropwizard manual in my Application's run-method as follows:
environment.jersey().register(new AuthDynamicFeature(
new OAuthCredentialAuthFilter.Builder<User>()
.setAuthenticator(new TokenAuthenticator(service))
.setAuthorizer(new TokenAuthorizer())
.setPrefix("Bearer")
.buildAuthFilter()));
environment.jersey().register(RolesAllowedDynamicFeature.class);
//If you want to use #Auth to inject a custom Principal type into your resource
environment.jersey().register(new AuthValueFactoryProvider.Binder<>(User.class));
My required behavior is that after my client has logged in by providing his/her credentials on my login page, I want to redirect the client to a greeting page I have created using Dropwizard Views and is under the path: "/me" as follows:
//After succesfull login and token generation
return Response.seeOther(new URI("/me")).build(); // redirect to greeting page
And my greeting resource looks as follows:
#Path("/me")
#Produces(MediaType.TEXT_HTML)
public class UserResource {
#GET
public UserView getView(#Auth User user) {
return new UserView(user);
}
}
Currently I am getting a "Credentials are required to access this resource." response after logging in. After some reading on token authentication (nice explanation here) I picked up that the token must be sent from the client in the header of each request. So my question is how do I tell the user's browser (client) to include the token in the header of future requests?
I managed to solve this by doing the following:
In order to verify the user, a token must be sent in the header of the request in the form of Authorization: Bearer <token-value>. This token is sent by the server upon authentication and must be stored by the client / user to be sent in future requests. I managed to store the token by using an ajax request when my login form is submitted as follows:
<#-- Handle form submission response to save the token on the client side-->
<script>
$('#loginForm').submit(function(event){
event.preventDefault();
$.ajax({
url: $(this).attr('action'),
type: 'POST',
data : $(this).serialize(),
dataType: 'json',
success: function(data){
//alert("The server says success!!: " +data);
console.log(data);
window.sessionStorage.accessToken = data.token;
window.location = data.url;
},
error: function(data){
alert("The server says error! : ");
console.log(data);
}
});
});
</script>
The login resource then produces JSON which is received in the data-variable in the code above. The required token resides in data.token - which is then stored. I added a second entry in the JSON named "url" to indicate the path to redirect to after successful authentication.
Now the token is stored on the client side when needed. In order to send this token in the request header, I needed to alter my approach to using the Views provided by Dropwizard. Instead of directly requiring authentication, I split the View's resource and the authenticated data resources. To clarify consider the following example. A user logs in, gets the token and then goes to a page that displays his/her username. For the page, a View resource is created with a .ftl file to serve as a template. Something like:
#Path("/me")
#Produces(MediaType.TEXT_HTML)
public class UserResource {
#GET
public UserView getView() {
return new UserView();
}
}
and...
public class UserView extends View {
public UserView() {
super("user.ftl");
}
}
And user.ftl:
<#include "include/head.html">
<#include "include/header.html">
<!-- Header -->
<div id ="headerWrapper">
</div>
<div class="container-fluid">
<div id="name">
<p>Hello user</p>
</div>
</div>
<#include "include/footer.html">
Now to retrieve the username I create a new resource which produces JSON on a new path. For example:
#Path("/getdetails")
#Produces(MediaType.APPLICATION_JSON)
public class UserDetailsResource {
#GET
#Timed
#UnitOfWork
public User getDetails(#Auth User user) {
return user;
}
}
This resource requires authentication and provides JSON from which the username can be retrieved. Now to get the username and place it inside the view, simply add a script to the users.ftl with an ajax request to the getdetails resource, providing the token in the header and using the result to place the username in the view. See script below.
<script>
$.ajax({
url: '/getdetails',
type: 'GET',
headers: {"Authorization": window.sessionStorage.accessToken},
dataType: 'json',
success: function(data){
//alert("The server says success!!: " +data);
console.log(data);
$("#name").text('Hello '+data.username);
},
error: function(data){
alert("The server says error! : ");
console.log(data);
}
});
</script>
I am using a FormBasedAuthenticator with SingleIdentityLoginModule on IBM MobileFirst platform v7.0.
<realm loginModule="StrongDummy" name="PageAccess">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
</realm>
<loginModule name="StrongDummy" expirationInSeconds="-1">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
I'm invoking this as seen below:
var reqURL = '/j_security_check';
var options = {};
options.parameters = {
j_username : "admin",
j_password : "admin"
};
options.headers = {};
sampleAppRealmChallengeHandler.submitLoginForm(reqURL, options, $rootScope.sampleAppRealmChallengeHandler.submitLoginFormCallback);
When I try to login using any credentials it shows an error "SingleIdentityLoginModule missing console.username paramater".
I'm not sure what I'm missing here or where to put that "console.username" parameter.
Please see attached image.
The single identity login module is used to grant access to a protected resource to a single user, the identity of which is defined in the worklight.properties file. Use this module only for test purposes.
More details in the link here.
I am trying to make an LDAP authentication system using IBM Worklight Studio 6.2.0.01
The login system works fine, no problem with that part, but the logout function doesn't actually log out the user!
Realm:
<realm loginModule="LDAPLoginModule" name="LDAPRealm">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
</realm>
LoginModule:
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="<Correct LDAP URL ( For security left blank on stackoverflow )>"/>
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="exists"/>
<parameter name="ldapSecurityPrincipalPattern" value="{username}"/>
</loginModule>
SecurityTest:
<customSecurityTest name="LDAPSecurityTest">
<test realm="wl_directUpdateRealm" step="1"/>
<test isInternalUserID="true" realm="LDAPRealm"/>
</customSecurityTest>
AdapterXML (important part)
<procedure name="getUsername" securityTest="LDAPSecurityTest" />
<procedure name="onLogout" />
AdapterJS
function getUsername(){
return {username: ""};
}
function onLogout(){
WL.Server.setActiveUser("LDAPRealm", null);
}
The getUsername function gets called everytime the app wants to check if a user is currently logged in, it has NO function other than that.
The logout function (App-side)
$scope.setUsername = function(){
var invocationData = { adapter: "DummyAdapter", procedure: "getUsername"}
WL.Client.invokeProcedure(invocationData, {
onSuccess: function(result){},
onFailure: function(result){);
}
$scope.logout = function(){
WL.Client.logout("LDAPRealm", {onSuccess: $scope.setUsername});
}
Result: This makes the app go to the login page by noticing the user has logged out, only problem is.. it hasn't completely logged out the user. What can I do to make the user completely logged out?
PS: Why don't I use WL.Client.reloadApp after WL.Client.logout()? Two reasons:
White screen and reloading the whole app is just dirty, it's not user friendly at all.
WL.Client.reloadApp gives a fatal signal 11 ( code 1 ) on Android Lollipop ( Android 5.0 ). At least, this is with my worklight version (6.2.0.01).
Please, is there a way I can avoid WL.Client.reloadApp and still log out the user from the server? If not: What may cause the fatal signal 11 ( code 1 ) error in Android Lollipop? I've tested it thoroughly on iOS 8.0, Android 2.3.5, Android 4.4.2 and Android 5.0. Only one that fails is the 5.0
Thank you and sorry for the long post
I have fixed the problem by removing the WL.Client.reloadApp function from logout onsuccess, I did this as such:
$scope.logout = function(){
WL.Client.logout("LDAPRealm", {onSuccess: function(){
$scope.setUsername() // <-- this function is the secret function
// that triggers the securitytest
// which then gives back the login page because
// you had just logged out :)
}});
}
As for the adapter not logging out the user: This comment was false, this bug was originating from another problem. So my code which was posted on StackOverflow was fine. But still:
Android 5.0 and WL.Client.reloadApp don't go to well (5th November 2014 in case an update fixes this)
I am trying to create the following authentication for an app:
User enters phone number and receives an SMS with a code generated in the server (the SMS is handled through an external service). If the user enters the right code he is logged in.
This means I must have two login stages: registering user with a phone and logging him in with the code, so this is what I think the client should look like:
Meteor.getSmsCode = function(phone, username, callback) {
Accounts.callLoginMethod({
methodName: 'getsmscode',
methodArguments: [{
getsmscode: true,
phone: phone,
username: username
}],
userCallback: callback
});
};
Meteor.loginWithCode = function(phone, code, callback) {
Accounts.callLoginMethod({
methodName: 'login',
methodArguments: [{
hascode: true,
phone: phone,
code: code
}],
userCallback: callback
});
};
But I am confused about the server side - there should be two methods:
the first should only register a user (and communicate with the SMS service) and second should log him in.
This is the server test code for now:
Meteor.users.insert({phone: '123456789', code: '123', username:'ilyo'});
Accounts.registerLoginHandler(function(loginRequest) {
var user = Meteor.users.findOne({phone: loginRequest.phone});
if(user.code !== loginRequest.code) {
return null;
}
var stampedToken = Accounts._generateStampedLoginToken();
var hashStampedToken = Accounts._hashStampedToken(stampedToken);
Meteor.users.update(userId,
{$push: {'services.resume.loginTokens': hashStampedToken}}
);
return {
id: user._id,
token: stampedToken.token
};
});
And this is what happens when I try it:
Why an I getting the 500?
Why doesn't the user have a code and phone fields?
What method should I use for the getSmsCode?
Meteor.createUser is described on How can I create users server side in Meteor?
Then, the Accounts.onCreateUser would contain business logic http://docs.meteor.com/#accounts_oncreateuser
A more exact message for the 500 would be on the server-side stdout. Probably security.
Your Login Handler must return an object as follows:
{ userId: user._id }
Sorry I don't elaborate in the whole problem, I don't agree on your full approach but looks you are in the right path to get the feature you need.
Also, this question is one year old, now there are a few packages at atmosphere that address this kind of authentication =)
I have a problem in getting the logged in user in my spring-extjs application.I am using spring security 2.0.4.Here are the details of what i have tried.
Controller class:
#RequestMapping(value="/StaffingApplication/index.action", method = RequestMethod.GET)
public String printUser(ModelMap model) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String name = auth.getName(); //get logged in username
System.out.println(name);
model.addAttribute("username", name);
return "index.jsp";
}
login.js file
var login = new Ext.FormPanel({
labelWidth:80,
url:'j_spring_security_check',
frame:true,
title:'Please Login',
defaultType:'textfield',
width:300,
height:130,
monitorValid:true,
// Specific attributes for the text fields for username / password.
// The "name" attribute defines the name of variables sent to the server.
items:[{
fieldLabel:'Username',
name:'j_username',
allowBlank:false
},{
fieldLabel:'Password',
name:'j_password',
inputType:'password',
allowBlank:false
}],
// All the magic happens after the user clicks the button
buttons:[{
text:'Login',
formBind: true,
// Function that fires when user clicks the button
handler:function(){
login.getForm().submit({
method:'POST',
// Functions that fire (success or failure) when the server responds.
// The server would actually respond with valid JSON,
// something like: response.write "{ success: true}" or
// response.write "{ success: false, errors: { reason: 'Login failed. Try again.' }}"
// depending on the logic contained within your server script.
// If a success occurs, the user is notified with an alert messagebox,
// and when they click "OK", they are redirected to whatever page
// you define as redirect.
success:function(){
Ext.Msg.alert('Status', 'Login Successful!', function(btn, text){
if (btn == 'ok'){
window.location = 'index.action';
}
});
},
// Failure function, see comment above re: success and failure.
// You can see here, if login fails, it throws a messagebox
// at the user telling him / her as much.
failure:function(form, action){
if(action.failureType == 'server'){
obj = Ext.util.JSON.decode(action.response.responseText);
Ext.Msg.alert('Login Failed!', obj.errors.reason);
}else{
Ext.Msg.alert('Warning!', 'Authentication server is unreachable : ' + action.response.responseText);
//window.location='loginFailure.html'+action.response.responseText;
}
login.getForm().reset();
}
});
}
}]
});
On my jsp page I access it like this.
<div id="header" class="header">Options Staffing Application
<div style="" id="user-status">
<a href='<c:url value="j_spring_security_logout"/>'>Logout</a>
<h3>Username : ${username}</h3>
</div>
</div>
But I just get a blank in place of username.
When I try to print it in the controller I get the value printed,but doesn't seem to be displayed on the jsp page.Went throgh other threads but did not help.Any help would be appreciated
Thanks for the time
Sachin
You don't need to put the username into an object model because you can access it from a jsp just like the way you do in the controller class:
<h3>Username <%=SecurityContextHolder.getContext().getAuthentication().getName(); =></h3>
Or even better:
<h3>Username <sec:authentication property="name" /></h3>
But i'm not sure if you can use that taglib in Spring Security 2