Authentication mechanishim in publish - authentication

Experts,
I have to implement authentication mechanism same as how author instance works. For example, if any user request for any page http:somehost:someport/content/geometrixx/en.html then system should open the page http:somehost:someport/content/geometrixx/en/toolbar/account/login.html and only after successful login sling should redirect to required page.
I looked into Login Selector Authentication Handler and Sling Authentication Service but it seems there is no configuration here. Could you please let me know your thoughts on how to proceed on this? How it will be possible without CUG and how similer mechanism works in Author instance?

Goto http:somehost:someport/useradmin search for anonymous user. click on the anonymous user -> click on permission tab -> remove the read permission on the path that shouldn't be accessible to anonymous users.

If you just want to redirect to the login page if the user is unauthenticated then you will have to do 2 things.
1. Go to /system/console and navigate to the Configuration. Select "Apache Sling Authentication Service". Disable Anonymous access.
2. Go to /libs/cq/security/config.publish/LoginSelectorHandler - Change the login page to the page you want.

Related

Odoo11 - Force authentication of a web page

I work under Odoo11 with the Python3 language.
When the person goes to a web page, I want them to automatically connect without going through an authentication page. Is that possible? And if so, by what means? Controllers, url to change?
I don't have any code to suggest, because I don't know where to start.
Thanks for your understanding and thanks for your help!
EDIT :
I have a list on the Odoo website visible to only one user.
If I sign in with another internal user, I don't see this list.
There are several people who need to access this list. The url in question will be given only to these people.
I just want to avoid them an authentication page. It is a request made by our hierarchy.
My idea was to call a function "to disconnect" from Odoo (in case they have an open session) then pass the connection parameters (hard for example) with the username and password but only for a url.
My use_case I will say,
Url access -> Disconnect Session -> Connect Odoo session with username and password with parameters in my controller -> redirection to this url
Thank you

Access specific URL in my app service when using Azure AD Authentication

We are currently having problem allowing a user to a specific URL without logging in in Azure AD authentication.
We are successful in getting token and using it for our API's. But we are currently having problem allowing user to access a URL without them logging in.
What we have tried so far was this links
https://learn.microsoft.com/en-us/graph/auth-v2-service
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Thanks!
In your second link, in the azure portal-> your app service -> authentication and authorization screen, make sure the "action to take when request is not authenticated" is set to allow anonymous. if you set that option to "log in with active directory" that forces authentication on every page no matter what. And ensure in your code that page doesn't require login eg.remove the [authorize] tag.

Cypress cannot request API or display content with the new auth0-spa-js package

I tried to sign in to Auth0 with the new package (https://github.com/auth0/auth0-spa-js).
Attempt 1: I did try a best practice that uses cy.request() but seem like new the auth0-spa-js package now requires a random state string (which I don't have and it was generated from loginWithRedirect function) in the request URL. So I can not call sign in API of Auth0
Attempt 2: I set "chromeWebSecurity": false, I click sign in button -> my web is redirected to Auth0 page, the URL is load correctly but Auth0 refused to display 'auth0 url' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
Does you guy have any solution for this situation?
For now, this is the workaround solution of me.
Disable chrome security in Cypress config.
Login through the auth0 page (we will redirect to log-in page and log out due to the fact that I cannot generate the random state in the new auth0 package: auth0-spa-js)
Note: If you’re not custom login page in auth0, use the classic page in Universal Login. I found that the new UI of Auth0 login page has a lot of security enhance that prevents us render auth0 in an iframe. (like image below)
Auth0 seting
Then, Go to Auth0 -> Tenant Setting -> Advanced -> Enable Clickjacking Protection to allow auth0 load in an iframe.
Enalbe Clickjacking
Ok, that all the step that I did to make it work. Hope this help you

How to force login per client with keycloak (¿best practice?)

We are currently implementing keycloak and we are facing an issue that we are not sure what’s the best way to solve it.
We have different webapps making use of the sso and that’s working fine. The problem we have is when we make log in using the sso in one webapp and then we do the same in a different webapp.
Initially this second webapp does not know which user is coming (and it’s not necessary to be logged in to make use of it). When clicking on “login”, it automatically logs in the user (by making a redirection to keycloak and automatically logging the already logged user in the other webapp). This second logging happens “transparently” to the user, since the redirection to keycloak is very fast and it’s not noticeable. This behaviour is not very user friendly.
The question is: Taking into account that this second webapp can’t know upfront which user is accessing the site (unless actively redirecting to keycloak), is it possible to force always the users to log in for a specific keycloak client? By this I mean actually ask the visitor for user/pw even if keycloak knows already them from other keycloak clients.
Thanks in advance!
In the mail listing from keycloak, they gave me a good solution but for version 4:
in admin console, go to Authentication
make a copy of Browser flow
in this new flow, disable or delete Cookie
go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save."
Use logout endpoint as a default login button action in your app and redirect uri param use for login page, where you use your specific client (of course you need proper URI encoding):
https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/auth?client_id=client_id&redirect_uri=.....&other_params....
=> user will be logged out and then it will be redirected to the login page

j_security_check is not available if user is already logged in

Apache tomcat version: 6.0.20
If user is already logged, and he tries to login again from login page, the j_security_check is not available error is encountered. Is it normal behaviour or I have to do something?
Actually I have different user roles for accessing different pages, and when access to a page is denied to a particular user, I want to redirect him to login page, where he can login with corresponding credentials.
This behavior is normal: the servlet spec only lays-out the procedure for container-managed authentication (i.e. login) when the user requests a protected resource and the user has not already provided credentials. All other scenarios are left undefined, including yours.
If you want to capture "forbidden" conditions, you can use <error-page> mappings in your WEB-INF/web.xml to send the user anywhere you want, including a login page. Just remember that the container will only accept a login after the above conditions are true, so you may have to log the user out first (by terminating the user's session).
What I might recommend is a "forbidden" page that says "You don't have access to this resource. If you'd like to log-in as a different user to access it, please click [HERE]" where [HERE] is a link to a servlet that terminates the user's session and then redirects to the resource the user was trying to access. This will cause the container to request authentication (i.e. present the login form), verify the credentials, and send the user to the desired resource.
If you are using a container (and webapp) along with version 3.0 of the servlet specification, there is a new HttpServletRequest.login() method that can be used to programmatically log a user into your webapp. You might be able to use that instead of terminating the session and doing all those redirects... instead, you could collect the username and password yourself and then ask the container to do the login for you.