in my REST server users authenticate using DigestAuthentication. When a user is logged in, he should, for instance, see some entries related to his username.
My problem is that, although users login succesfully, when they access a ServerResource implementation, I don't know what is the username of the user accessing this class.
This is my main
public class Main extends Application{
#Override
public synchronized Restlet createInboundRoot() {
Router router = new Router(getContext());
router.attach("/profile", UserResource.class);
return router;
}
public static void main(String[] args) throws Exception {
Component component = new Component();
component.getServers().add(Protocol.HTTP, 8182);
DigestAuthenticator guard = new DigestAuthenticator(null, testRealm, secretServerKey);
guard.setWrappedVerifier(new LocalVerifier() {
#Override
public char[] getLocalSecret(String arg0) {
.. return the user's password if it exists.
}
});
guard.setNext(new Main());
component.getDefaultHost().attach("/protected",guard);
Engine.getInstance().getRegisteredConverters()
.add(new JacksonConverter());
component.start();
}
}
Then, inside the class ServerResource mentioned in the Main.createInboundRoot(), how can I retrieve the username of the logged user?
Related
I have following issue.
I have multitenant system (with shared Database and shared Schema). Access token that is generated when user logs in contains information about tenantId. Idea is to allow logged user to change tenat
For example: My user works for 3 tenants(hospitals). When he is logged in, he should be able to change hospital.
So the main issues is how to generate new acces token for user that will contain updated tenantId.
It would be preferable that user doesnt have to provide password again (since he is already logged in), and that request to auth-server that he triggers would contain his current token (that will confirm that he is currently authenticated) and newTenandId.
Here is some custom code:
#Service
public class CustomAuthenticationProvider implements AuthenticationProvider {
#Autowired
private MessageSource validationMessageSource;
#Autowired
private UserDetailsService userDetailsService;
#Autowired
private PasswordEncoder passwordEncoder;
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
String password = authentication.getCredentials().toString();
SpringSecurityUserWithAdditionalData user = (SpringSecurityUserWithAdditionalData) userDetailsService.loadUserByUsername(username);
return checkPassword(user, password);
}
#Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
private Authentication checkPassword(SpringSecurityUserWithAdditionalData user, String rawPassword) throws AuthenticationException {
try {
if (passwordEncoder.matches(rawPassword, user.getPassword())) {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), user.getAuthorities());
return token;
} else {
throw new GeneralException(validationMessageSource.getMessage("security.authentication.NotValid", new Object[] {}, LocaleContextHolder.getLocaleContext().getLocale()));
}
} catch (Exception e) {
throw new BadCredentialsException(e.getMessage());
}
}
}
#Configuration
#EnableWebSecurity
public class WebSecurityConfiguration {
#Autowired
private CustomAuthenticationProvider authenticationProvider;
// #formatter:off
#Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
http
...
.and()
.logout()
.clearAuthentication(true)
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.logoutSuccessHandler(new CustomLogoutSuccessHandler())
.and()
.formLogin()
.loginPage("/login")
.loginPage("/changeTenant")
.permitAll().and();
return http.build();
}
// #formatter:on
#Bean
public PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
#Autowired
public void configureAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
/**
* JWT koji je generisao authorization server sadrzi granted permissions (Spring ih naziva granted authorities) u okviru "scope" claim-a.
* Umesto njega cemo koristiti custom claim koji sam nazvao GlobalConstants.JWT_CLAIM_ROLA_LIST za specifikaciju rola koje ima authenticated korisnik.
* Spring koristi default instance JwtAuthenticationConverter koja ocekuje granted authorities u okviru "scope"/"scp" claim-a.
* Da bi koristili umesto standardno "scope" claim-a koristili claim GlobalConstants.JWT_CLAIM_ROLA_LIST override-ovan je JwtAuthenticationConverter.
*/
#Bean
public JwtAuthenticationConverter jwtAuthenticationConverter() {
JwtGrantedAuthoritiesConverter converter = new JwtGrantedAuthoritiesConverter();
converter.setAuthoritiesClaimName(GlobalConstants.JWT_CLAIM_ROLA_LIST); // override authorities claim-a
converter.setAuthorityPrefix(""); // eksplicitno definisemo nazive, bez podrazumevanih prefiksa (ROLE_ SCOPE_ i slicno)
JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
jwtConverter.setJwtGrantedAuthoritiesConverter(converter);
return jwtConverter;
}
#Bean
InitializingBean forcePostProcessor(BeanPostProcessor meterRegistryPostProcessor, MeterRegistry registry) {
return () -> meterRegistryPostProcessor.postProcessAfterInitialization(registry, "");
}
}
If you need any additional information, please say.
I tried adding custom fields to custom login form, that will have hidden tenantId field. But i could not manage to make it work.
The authentication process should be designed to return a list of all the tenants the user has access to, typically as a list of authorities.
Separately you need a back-end call (linked to the UI) that allows the user to choose the current tenant from the list of authorities returned in authn.
The value of the current tenant must be stored in the session.
If you really want to hack this via the auth roles, you could store the real auth token and generate your own token with only the current tenant. When user changes tenant they get a new token with the new tenant (obviously after checking against the real token)
I'm testing some custom authorization without the default Entity Framework stuff.
I have created an "ASP.NET Core Web App (Model-View-Controller)" project using "Authentication type" = "Individual Accounts".
In Program.cs I have:
builder.Services.AddTransient<IUserStore<CustomIdentityUser>, CustomUserStore>();
builder.Services
.AddDefaultIdentity<CustomIdentityUser>()
.AddUserStore<CustomUserStore>();
For the moment CustomIdentityUser is just an empty class.
CustomUserStore looks like this:
public class CustomUserStore : IUserStore<CustomIdentityUser>
{
public void Dispose()
{
GC.SuppressFinalize(this);
}
public Task<CustomIdentityUser> FindByNameAsync(string normalizedUserName, CancellationToken cancellationToken)
{
// Use dummy user for now
//return new Task<CustomIdentityUser>(() => new CustomIdentityUser());
return new Task<CustomIdentityUser>(() => { throw new Exception("THIS DOES NOT HAPPEN!"); });
}
...
(All other methods from IUserStore currently throws NotImplementedException.)
If I start the application, go the the login page, enter some credentials and click login I can see that FindByNameAsync in CustomUserStore is called. Good, it seems the application actually uses my custom user store to look for the user whose name I just entered.
But that's where my luck ends. The user interface seems to be waiting for the login to complete. The Task returned from FindByNameAsync doesn't seem to be started at all...why? I think that the caller should get CustomIdentityUser instance from it (and then probably call GetPasswordHashAsync in CustomUserStore).
why do you return new task in FindByNameAsync , also CustomUserStore
should be for extending identity properties. in my opinion, creating a service for identity functionality and using dependency injection
create an interface with the name IIdentity.cs
public Task<IdentityResult> UpdateUserAsync(string id , UpdateUserVm updatedUser);
then the implementation class IdentityService
public class IdentityService : IIdentity
{
...
public async Task<IdentityResult> UpdateUserAsync(string id, UpdateUserVm updatedUser)
{
var currentUser = await _userManager.FindByIdAsync(id);
currentUser.PhoneNumber = updatedUser.PhoneNumber;
return currentUser != null ? await _userManager.UpdateAsync(currentUser) : IdentityResult.Failed();
}
}
then register the service
service.AddScoped<IIdentity, IdentityService>();
in controller
public class AccountController : Controller
{
private readonly IIdentity _identityService;
public AccountController(IIdentity identityService) =>
(_identityService) = (identityService);
[HttpPost]
public async Task<IActionResult> UpdateProfile(params)
{
...
await _identityService.UpdateUserAsync(params)
}
}
A page that asks the already signed in user to confirm their password one more time for security purposes on certain actions. Once confirmed it will go back to whatever request(action)they made in the first place. Should I use an user API for this? How can I achieve something like this?
Public IActionResult IndexMethod()
{
//process request only if user was verified using that verification page.
//It can take in parameters such as tokens if needed
}
In my opinion, if you want to confirm their password one more time for security purposes on certain actions. I suggest you could try to use action filter instead of directly going to the action and you could store the previous url into session.
More details, you could refer to below test demo:
1.Enable session:
Add below codes into Startup.cs's ConfigureServices method:
services.AddSession();
Add below codes into Configure method:
app.UseSession();
2.Create a filter:
public class ConfirmActionFilter : ActionFilterAttribute
{
public override void OnActionExecuted(ActionExecutedContext context)
{
base.OnActionExecuted(context);
}
public override void OnActionExecuting(ActionExecutingContext context)
{
//We will store the user is comfirmed into session and check it at the filter
if (String.IsNullOrEmpty(context.HttpContext.Session.GetString("checked")))
{
//store the path into session route .
context.HttpContext.Session.SetString("route", context.HttpContext.Request.Path);
//redirect to the confrim controller action
context.Result = new RedirectToActionResult("Index", "Confirm", context.HttpContext.Request.RouteValues);
}
}
}
3.Add confirm controller:
public class ConfirmController : Controller
{
public IActionResult Index()
{
//You could get the path
HttpContext.Session.SetString("checked","true");
return View();
}
public IActionResult Checked() {
// redirect to the path user has accessed.
var re = HttpContext.Session.GetString("route");
return new RedirectResult(re);
}
}
filter usage:
[ConfirmActionFilter]
public class HomeController : Controller
Result:
If the user access firstly, you will find it will go to the confirm method.
I'd like to use Firebase for my web app that is for people with dementia in a care home. They do not have email or social network accounts so will need a simple username / password sign up / sign in.
What is the easiest way to do this? From what I can see in the docs I'd have to use a custom auth flow but I do not have an existing auth server.
If I do need ot do this what is the easiest way to provide the token? In Azure there is Functions and AWS has Lambda but I see nothing here is Firebase
You are correct that username/password sign-in is not supported natively in Firebase Auth at this moment.
You can implement a custom provider as shown in this example. This allows you to meet any custom requirements, but is admittedly a bit more involved than using the built-in providers. There is an example of this here that you can use as a starting point.
A workaround you could take without needing to use custom auth with another backend is to accept usernames in your UI, but on the underlying logic, append "#yourowndomain.com" before calling the functions to sign up or sign in with email.
So you would be using email/password authentication, mapping <username> to <username>#yourowndomain.com
You can use sign in with custom token
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
You need to save username and password in your database or rtdb or firestore
When user touch the login button, client will send username and password to your backend. If the username and password correct, generate custom token and send it back to the client
Client then can login with custom token from the server using signInWithCustomToken() method
More detail can be read in this documentation
Appending a dummy domain at end is a kind of a patch up and should be avoided.
To enable username login just follow these simple steps.
Sign Up
During sign up take the userid , email and password . Register the user with normal email and password. On Success of it save the email against the user_id in a separate node(branch).
mButtonSignUp.setOnClickListener(new View.OnClickListener() {
#Override
public void onClick(View v) {
if(isValid()){
mProgressBar.setVisibility(View.VISIBLE);
final String userId = mEditTextUserId.getText().toString();
final String emailId = mEditTextEmail.getText().toString() ;
String password = mEditTextPassword.getText().toString() ;
firebaseRef.createUser(emailId, password, new Firebase.ResultHandler() {
#Override
public void onSuccess() {
firebaseRef.child("user_ids").child(userId).setValue(emailId);
Toast.makeText(getBaseContext(),"You are successfully registered ",Toast.LENGTH_SHORT).show();
mProgressBar.setVisibility(View.GONE);
}
#Override
public void onError(FirebaseError firebaseError) {
mProgressBar.setVisibility(View.GONE);
Toast.makeText(getBaseContext(),firebaseError.toString(),Toast.LENGTH_SHORT).show();
}
});
}
}
});
Database
Database structure will look like this
Login
Check if the user has entered an email or userId. If it is a email id then directly perform login with it otherwise fetch the email id associated with the username and perform login.
Button buttonLogIn = (Button)findViewById(R.id.button_login);
buttonLogIn.setOnClickListener(new View.OnClickListener() {
#Override
public void onClick(View v) {
mProgressBar.setVisibility(View.VISIBLE);
String username = mEditTextEmail.getText().toString() ;
final String password = mEditTextPassWord.getText().toString() ;
// Check if it is an email or not
if(android.util.Patterns.EMAIL_ADDRESS.matcher(username).matches()) {
performLogin(username,password);
}else{
//get the emailId associated with the username
firebaseRef.child("user_ids").child(username)
.addListenerForSingleValueEvent(new ValueEventListener() {
#Override
public void onDataChange(DataSnapshot dataSnapshot) {
if(dataSnapshot!=null){
String userEmail = dataSnapshot.getValue(String.class);
performLogin(userEmail,password);
}
}
#Override
public void onCancelled(FirebaseError firebaseError) {
//Handle Error
}
});
}
}
});
private void performLogin(String emailId, String password) {
firebaseRef.authWithPassword(emailId,password, new Firebase.AuthResultHandler() {
#Override
public void onAuthenticated(AuthData authData) {
uid = authData.getUid() ;
Toast.makeText(getBaseContext(), authData.toString(), Toast.LENGTH_SHORT).show();
}
#Override
public void onAuthenticationError(FirebaseError firebaseError) {
Toast.makeText(getBaseContext(), firebaseError.toString(), Toast.LENGTH_SHORT).show();
}
});
}
You may use Alfonso's solution as well. And where you need a real e-mail, you can set an textfield for an e-mail when the user registers and you can keep it in your database and you can use it.
I couldn't find support by firebase for this.
However, doing the following will solve your problem.
SIGN UP
private void clickListener() {
registerbtn.setOnClickListener(new View.OnClickListener() {
#Override
public void onClick(View view) {
String email = emailEdit.getText().toString();
String pass = passwordEdit.getText().toString();
if (email.isEmpty()) {
emailEdit.setError("Lutfen Kullanici Adinizi Giriniz.");
return;
}
if (pass.isEmpty()) {
passwordEdit.setError("Lütfen Parolanizi Giriniz.");
return;
}
email=email+"#gmail.com";
createAccount(email,pass);
}
});
}
private void createAccount(String email, String pass){
auth.createUserWithEmailAndPassword(email, pass)
.addOnCompleteListener(new OnCompleteListener<AuthResult>() {
#Override
public void onComplete(#NonNull Task<AuthResult> task) {
if (task.isSuccessful()){
FirebaseUser user=auth.getCurrentUser();
updateUi(user,pass);
}
else{
Toast.makeText(MainActivity.this, "Error: "+
task.getException().getMessage(), Toast.LENGTH_SHORT).show();
}
}
});
}
This way we add the phrase "#gmail.com" to the email. email=email+"#gmail.com";
Let the value we take as an example be "abdulkerim". Even if the user enters the phrase "abdulkerim", we get a username instead of an email, thanks to the "#gmail.com" we added to the end.
database view
Hello everyone,
I need to get authenticated in my JBoss AS 7 by using different ways. The app is using form-based authentication, I need to implement another way to do it but without login page, maybe by using token, certification, etc... I do not know how to do it, but the authentication needs to be performed without login.
Is there a way in Jboss?
Thanks,
Luis.
hi what are the security requirements for this other login method? you could use a certificate based authentication. all the different login method are listed here: https://docs.jboss.org/author/display/WFLY8/Authentication+Modules
If you need to create your own Login module you can follow examples such as this here https://github.com/radcortez/wildfly-custom-login-module:
public class CustomLoginModule extends UsersRolesLoginModule {
private CustomPrincipal principal;
#Override
public boolean login() throws LoginException {
boolean login = super.login();
if (login) {
principal = new CustomPrincipal(getUsername(), "An user description!");
}
return login;
}
#Override
protected Principal getIdentity() {
return principal != null ? principal : super.getIdentity();
}
}
public class CustomPrincipal extends SimplePrincipal {
private String description;
public CustomPrincipal(String name, String description) {
super(name);
this.description = description;
}
public String getDescription() {
return description;
}
public void setDescription(String description) {
this.description = description;
}
}
Basically use the classes from org.jboss.security
does that help?
cheers
oliver