Worklight Server 6.1 Session Control by User - ibm-mobilefirst

I've implemented a Login Module, and I would not allow the same User on different devices to connect at the same time. I thought of two solutions.
1 - If the User has an active session with device "A" and connects the "B" device, force device "A" to authenticate again.
2 - If the User has an active session with device "A", block access from any other device with the same User.
To get the expected result, do I need to control the users manually,
List<User> loggedUsers = new ArrayList<>(); ...
or does Worklight provide some way to implement this?

I don't think the following fully answers your question, but it may be one possible solution. See the answer to this question: Worklight Adapter Basic Authentication Caching?
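An added example (not from the question, the linked answer, or IBM Worklight) of the manual bookkeeping the question asks about: an in-memory registry that enforces either of the two proposed policies, keyed by user and device id. The user and device identifiers, and the in-memory Map standing in for server-side storage, are assumptions.

```javascript
// Added example: single-session enforcement per user. In a real Worklight
// deployment this state would live in the server's backing store, keyed by
// the identity the Login Module established (assumed userId/deviceId here).

const EVICT_PREVIOUS = "evict"; // policy 1: new device wins, old one re-authenticates
const BLOCK_NEW = "block";      // policy 2: first device wins, new one is refused

class SessionRegistry {
  constructor(policy) {
    this.policy = policy;
    this.sessions = new Map(); // userId -> { deviceId, loginAt }
  }

  // Called after credentials have been verified. Returns { allowed, evictedDevice }
  // so the caller can refuse the login or invalidate the evicted device's session.
  login(userId, deviceId, now = Date.now()) {
    const current = this.sessions.get(userId);
    if (current && current.deviceId !== deviceId) {
      if (this.policy === BLOCK_NEW) {
        return { allowed: false, evictedDevice: null };
      }
      // EVICT_PREVIOUS: device "A" fails its next isActive check and must
      // authenticate again.
      this.sessions.set(userId, { deviceId, loginAt: now });
      return { allowed: true, evictedDevice: current.deviceId };
    }
    this.sessions.set(userId, { deviceId, loginAt: now });
    return { allowed: true, evictedDevice: null };
  }

  // Checked on every subsequent request: does this device still own the session?
  isActive(userId, deviceId) {
    const s = this.sessions.get(userId);
    return !!s && s.deviceId === deviceId;
  }

  logout(userId, deviceId) {
    if (this.isActive(userId, deviceId)) this.sessions.delete(userId);
  }
}
```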

Related

Auth0 Authentication | Combined SAML and Username-Password-Authentication Connections

Has anyone combined SAML and Database connections in one login widget?
i.e. I want two options to log in: via SAML (maybe a button) as well as with User Name and Password, with a single email address.
But with Lock JS, an internal user in LDAP/SAML can log in via SAML only (if both connections are allowed).
Coincidentally I've been pondering the same question today myself. On the surface the only way I've come up with to address this issue seems to be by steering Lock on initialisation using allowedConnections parameter. Docs here
https://auth0.com/docs/libraries/lock/v10/customization#allowedconnections-array-
This does mean you need a mechanism for the user to decide (or for steering via some other means) which connection you're trying to initialise Lock with.
Seems a bit strange given you can happily show multiple social connections alongside each other.
The other way if you have the luxury of being able to steer a user to a certain identity provider via their email address is to use home realm discovery on the SAML connection by entering an email domain. This does not work for my use case where my user base is not corporate in nature and so I cannot glean which identity provider to steer them towards based off their email domain. Good luck and if you find a better way I'd be very interested to hear ;)

Setting properties (like date format, time format etc.) for a worklight app from another worklight app in same project

Can I set some properties for a Worklight app from another Worklight app in the same project?
I want to make one configuration app which configures properties, like date format/time format/enabling or disabling some functionalities etc., for different Worklight applications in the same project.
Is that possible?
You could probably achieve this, but there is nothing built-in or existing that does this.
Whatever you do will have to go through the Worklight Server and not peer-to-peer.
Here's what you could possibly do (you'll need to actually implement it and see how feasible it is):
Note that this is highly simplified; it's just general steps.
User application
1. Application launches.
2. User logs in.
3. Upon successful log-in, invoke some "RemoteControl" adapter procedure, "applySettings". By default this will return a pre-defined configuration, a set of application settings that the client logic will know how to apply, like some JSON object containing key:value pairs that you will apply logic based on. Since all client applications will connect to the Worklight Server, they are thus registered in the database with the user identity.
Controller application
4. In the Controller application, you will be able to retrieve a list of all registered users as well as retrieve the settings that are set for each of the listed users, using the "RemoteControl" adapter procedure "retrieveRegisteredUsersAndSettings".
5. Devise some UI for all users and the available settings, with checkboxes etc. which will be marked with whichever settings are enabled or disabled per user.
6. Have another procedure in the same "RemoteControl" adapter, "setSettings". This will store the user settings in the database.
7. When the user logs in, the settings stored in step 6 are applied instead of the previous default (now changed...) settings from step 3.
Notes:
You could also have it so the procedure will be invoked whenever doing any sort of request to the server rather than only after log-in. Purely applicative.
If you have more than 1 application, you could also save in the database, using userPrefs, which app the logged-in user uses, and then retrieve this information as well in the controller application; you can then sort the display of all of this information in the UI.
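The three "RemoteControl" procedures sketched in the steps above, as an added example that is not the answer's own code nor part of IBM Worklight. A plain Map stands in for the Worklight Server database, and the user identity is passed in as a parameter rather than read from the server-side session; both are assumptions.

```javascript
// Added example: settings procedures backed by an in-memory store. A real
// adapter would get the user from the authenticated session and persist via
// an SQL or HTTP adapter; the Map and the userId parameter are stand-ins.

const DEFAULT_SETTINGS = {           // step 3: pre-defined configuration
  dateFormat: "yyyy-MM-dd",
  timeFormat: "HH:mm",
  features: { offlineMode: true, push: false },
};

const registeredUsers = new Map();   // userId -> { app, settings (overrides only) }

// Step 3: invoked by the user app after login. Registers the user/app pair and
// returns the defaults merged with whatever the controller stored (step 6).
function applySettings(userId, appName) {
  const record = registeredUsers.get(userId) || { app: appName, settings: {} };
  record.app = appName;              // remember which app this user uses
  registeredUsers.set(userId, record);
  return {
    ...DEFAULT_SETTINGS,
    ...record.settings,
    features: { ...DEFAULT_SETTINGS.features, ...(record.settings.features || {}) },
  };
}

// Step 4: controller app lists every registered user with effective settings.
function retrieveRegisteredUsersAndSettings() {
  return [...registeredUsers.entries()].map(([userId, r]) => ({
    userId,
    app: r.app,
    settings: applySettings(userId, r.app),
  }));
}

// Step 6: controller stores overrides. Only keys that exist in the defaults are
// accepted, so the controller cannot push arbitrary configuration to clients.
function setSettings(userId, overrides) {
  const record = registeredUsers.get(userId);
  if (!record) throw new Error("unknown user: " + userId);
  const allowed = Object.keys(DEFAULT_SETTINGS);
  for (const k of Object.keys(overrides)) {
    if (!allowed.includes(k)) throw new Error("unknown setting: " + k);
  }
  record.settings = { ...record.settings, ...overrides };
  return applySettings(userId, record.app);
}
```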

Proxy reauthentication

I have an application that authenticates and authorizes the users within the application. The application then connects to the database using a service ID. Because of this, all actions on the database are run as the application and not the end user. I now have a requirement to tie all database actions to the end user. Can anyone tell me at a high level a couple of ways to solve this?
Thanks
I know of two high-level approaches. One is to use something like Kerberos Delegation (Kerberos, delegation and how to do this correctly?) to actually take the user's authentication and log into the database as that user. The much more common approach is to store the end-user's ID in all created or updated rows and to trust the application to do this correctly.

Implementing ActiveDirectory account lockout after n tries in WCF

I am developing a WCF service which can be consumed by mobile applications to authenticate users against the corporate extranet Active Directory. I am using a customized version of this implementation from Microsoft. I need to implement the account lockout logic so that after n retries the account in the Active Directory gets locked out.
I tried a stateful WCF service to keep track of the failed log-ins. But the client can start over in the next session and continue with the attack.
I know that the Active Directory policy can be set to enforce this, but just querying the AD - like the Microsoft solution does to authenticate the user - does not lock out the user.
So, I am looking for a solution which will work like logging in to Windows with an incorrect password n times: the account will get locked out as per the policy set in the AD.
I have not seen your code, so I'm guessing you have a similar solution to the one implemented in this example; have a look at this link.
In the above example, please have a look at the line
DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);
This entry object would be used for authentication when you make a search call on Active Directory.
If you are using the user/password that you want to authenticate, then you need not worry about locking it in your code. The Active Directory policy would be enough.
But after reading your comment, I guess you have one specific user that you use to search for mobile application users, to check whether they exist in your Active Directory or not. If this is the case, effectively you are never authenticating the mobile users, so those users are never going to be blocked automatically.
I would be interested to know your answer.
There are basically two ways of doing this:
You continue with the directory search method you are using, but track the number of failed logins for each user in a custom database, and check this database before doing the directory search.
Use the Windows login instead, and rely on AD to lock out the user. For a description of how to do this check: Active Directory (LDAP) - Check account locked out / Password expired
Edit
After seeing marc_s's comment, I am unsure whether doing the directory search will lock out or not. It would actually be a serious security hole if you could try an infinite number of times. But you would need an account that is allowed to query AD before you could use it.
The code you linked to had this line
object obj = entry.NativeObject;
which was to force authentication. Have you included this line?
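An added example (not from either answer, nor from Microsoft's sample) of the first approach above: a per-user failed-login counter the service consults before binding to the directory with the user's credentials. It is keyed by user rather than by client session, so starting a new session does not reset it. The thresholds, the in-memory Map standing in for the custom database, and the `authenticate` callback standing in for the AD bind are assumptions.

```javascript
// Added example: application-side lockout in front of the directory search.
// State is keyed by normalized user name, not by session; the Map stands in
// for the custom database the answer recommends (assumed values throughout).

class FailedLoginTracker {
  constructor({ maxAttempts = 5, windowMs = 15 * 60 * 1000, lockoutMs = 30 * 60 * 1000 } = {}) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.state = new Map(); // user -> { failures: [timestamps], lockedUntil }
  }

  // "DOMAIN\\User", "user" and "USER" must share one counter.
  key(user) {
    return user.replace(/^.*\\/, "").toLowerCase();
  }

  isLocked(user, now = Date.now()) {
    const s = this.state.get(this.key(user));
    return !!s && s.lockedUntil > now;
  }

  // Call when AD rejects the credentials. Returns true if this failure locked the user.
  recordFailure(user, now = Date.now()) {
    const k = this.key(user);
    const s = this.state.get(k) || { failures: [], lockedUntil: 0 };
    s.failures = s.failures.filter((t) => now - t < this.windowMs); // sliding window
    s.failures.push(now);
    if (s.failures.length >= this.maxAttempts) {
      s.lockedUntil = now + this.lockoutMs;
      s.failures = [];
    }
    this.state.set(k, s);
    return s.lockedUntil > now;
  }

  recordSuccess(user) {
    this.state.delete(this.key(user));
  }
}

// `authenticate(user)` is the caller's directory bind (assumed to return
// true/false). The lockout is checked first, so a locked user never reaches AD.
function attemptLogin(tracker, user, authenticate, now = Date.now()) {
  if (tracker.isLocked(user, now)) return "locked";
  if (authenticate(user)) { tracker.recordSuccess(user); return "ok"; }
  return tracker.recordFailure(user, now) ? "locked" : "failed";
}
```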

SignalR: Get clients list for PersistentConnection

I searched google, SignalR wiki and SignalR code itself (for example, Broadcast function, Signaler and more), and found nothing.
I wrote a ClientIDFactory and successfully set ClientID to UserID.
It works, but now a user cannot connect from more than one browser/tab.
I modified the function and added a random string to the UserID. It works.
Now I need to find a way to get all connections for user(s), to send a specific message to a specific UserID.
I am thinking about looping over the client list and finding the UserID by string.split(), but other ways may be useful.
I am not using Hub, only PersistentConnection.
Thanks,
I think your approach is not right, hence this has surfaced. You have Connect and Disconnect methods on the server side to hook into. On connection you need to persist the connection with some metadata, and then even if the server restarts you can check the metadata for a unique user or unique client and reconnect them with a new ID.
For example
If you are buying an item from mobile and you are not logged in (no metadata to relate to the user) and you place 2 items in your basket, when you go to your desktop you won't see those two items in the basket, because the server cannot relate to you as the same user coming from the same machine.
If you are logged in (metadata like email or username attached to the current connection ID) and you browse from mobile and add 2 items to the basket, when you log in on your desktop (the new Connection ID can then be linked with the same metadata, email or user id) you can tell that it's the same user. If you then need to send a message to that user you have to send it to two client IDs, which you can do by grouping them or sending it to the two IDs.
If the client lost its connection ID it should be disconnected, and on a new connection it will have a new connection ID, so you should be thinking about mapping them.
If I connect with 7 IDs from 7 different mobiles, the notification would be sent to all 7 as long as your system knows that they are all intended recipients of this notification. Implementing persistence of this knowledge is not part of SignalR, so you have to implement it yourself.
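The user-to-connection mapping the answer says you must implement yourself, as an added example in JavaScript that is not the answer's code nor part of SignalR. Connection ids stay random (so several tabs or devices per user work), and the user is taken from metadata supplied at connect time; the `send` callback standing in for sending to a connection id on a PersistentConnection, and the in-memory Maps standing in for persistent storage, are assumptions.

```javascript
// Added example: many-connections-per-user mapping for a PersistentConnection.
// Both Maps are stand-ins for whatever store survives a server restart.

class ConnectionMap {
  constructor() {
    this.byUser = new Map();       // userId -> Set(connectionId)
    this.byConnection = new Map(); // connectionId -> { userId, device }
  }

  // OnConnected: the request's cookie/token identifies the user (assumed to be
  // resolved by the caller into meta.userId). Anonymous connections are not grouped.
  onConnected(connectionId, { userId, device }) {
    if (!userId) return false;
    this.byConnection.set(connectionId, { userId, device });
    if (!this.byUser.has(userId)) this.byUser.set(userId, new Set());
    this.byUser.get(userId).add(connectionId);
    return true;
  }

  // OnDisconnected, or a reconnect that arrives with a fresh id: drop the stale
  // id; the new one is re-added by onConnected with the same metadata.
  onDisconnected(connectionId) {
    const meta = this.byConnection.get(connectionId);
    if (!meta) return;
    this.byConnection.delete(connectionId);
    const set = this.byUser.get(meta.userId);
    set.delete(connectionId);
    if (set.size === 0) this.byUser.delete(meta.userId);
  }

  connectionsFor(userId) {
    return [...(this.byUser.get(userId) || [])];
  }

  // Fan-out: one logical message reaches every live connection of the user.
  // Returns how many connections were targeted.
  sendToUser(userId, message, send) {
    const ids = this.connectionsFor(userId);
    for (const id of ids) send(id, message);
    return ids.length;
  }
}
```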