I'm very new to liferay and am creating a hook on the login.events.pre event. My users will be signing in to the website by using their phone number, so I have to do some validations on the status of their phone line before letting liferay create a session for the user. I've already created the portlet and am able to execute some java code before letting liferay take care of the login validation, but I'm not sure how to stop the whole process if my validation fails. In other words, if I find out that the users phone line is suspended, I don't want liferay to allow them to sign in, even if the right login info has been provided by the user. Is it possible to do this in the login.events.pre event in liferay?
In this case you can invalidate the Session and redirect it to some customized error page in your hook.
Below piece of code might be helpful.
//Below code to get the current session
HttpSession session = null;
session=request.getSession(false);
//Below code to invalidate the session and to redirect to your customized error page
session.invalidate();
response.sendRedirect("/errorPage.html");
Related
In Typo3 post v10 onwards, how can I log in an FE user programmatically with just a user Id number, using the new authentication services and without having to render a form to submit?
I have a custom Typo3 v10 plugin that authenticates users and has worked fine in Typo3 v9 and v10. After checking credentials, I use the following:
$userToLogin = 123; //known user id.
$feUser = $GLOBALS['TSFE']->fe_user;
unset($feUser->user);
$feUser->createUserSession($userToLogin);
$feUser->loginSessionStarted = TRUE;
$feUser->user = $feUser->fetchUserSession();
$GLOBALS['TSFE']->loginUser = 1;
$GLOBALS['TSFE']->initUserGroups();
//reload the page so that restricted subpages appear in menus
$this->redirectToUri($this->linkThisPage);
I need to upgrade to V11 and thus to use the authentication service process instead, as $GLOBALS['TSFE']->loginUser is removed in Typo3 v11.
I get it from this post that this involves setting up a custom service, which is registered in the plugin localConf.php file. The issue is about how to trigger the login process? The example linked above resorts to rendering a mostly hidden form with a "Confirm" submit button that the user must press to trigger the login process. This may work, but looks bad, as the user has already authenticated elsewhere.
Does anyone know how can I trigger the authentication process programatically in a controller, without requiring the form submission? Many thanks in advance.
The Authentication Service login is triggered when Typo3 finds the request parameter with a logintype=login then your authentication service can do what it needs to do
This is a summary of an issue I filed directly with expo (it ws closed but I have asked for it to be reopened):
This issue happens whether using AuthSession.startAsync,
AppAuth.authAsync or WebBrowser.openAuthSessionAsync on iOS in
local development and published release (expo managed). Haven't tried
on standalone build yet.
Steps to Reproduce
user presses 'sign in' button, (app calls one of the above methods to kick start authentication session with a Salesforce oauth provider)
user enters credentials successfully
app goes through oauth redirects and returns user to our app and we get our access token.
user presses 'sign out' button (app calls revoke endpoint for token, then calls server endpoint to delete any browser cookie sessions for given account reference)
app navigates to sign in screen
user presses 'sign in' again (app calls the same method from above to start the authentication session with Salesforce oauth provider again)
instead of opening the sign in page, the app redirects itself back with an access token as if the user had successfully entered their credentials, even though any cookies/session data the browser stores should be invalid and necessitate a sign in.
Expected Behaviour
steps 1 - 5 are all as expected. Step six should be
app redirects to Salesforce oauth provider sign in page, in unauthenticated state (ie no cookie or session data that was previously stored is still valid)
user is required to re-enter their credentials
oauth flow takes over and redirects the user into the app if the credentials were correct.
Actual Behavior
as per initial steps where the user is not even asked to enter their credentials (step 6):
instead of opening the sign in page, the app redirects itself back with an access token as if the user had successfully entered their credentials, even though any cookies/session data the browser stores should be invalid and necessitate a sign in.
Reproducible Demo
The code is in a private repo so I can't share details of it, but it's a very standard oauth flow, and seeing it's happening in all three of the method calls from the top suggests to me that it may be due to something in the WebBrowser.openAuthSessionAsync implementation. I have seen on the apple developer docs that SFAuthenticationSession has been deprecated in favour of ASWebAuthenticationSession. My understanding is that this (SFAuthenticationSession) is the browser used by expo's WebBrowser and the wrappers mentioned above (AppAuth and AuthSession) for the oauth interactions. I also see that it mentions it's for a one-time login, which perhaps explains why it would hold onto any session data and jump to the conclusion of re-authenticating without directly seeking credentials from the user, but it seems unhelpful to store a cookie without validating it, which is what appears to be the end result.
Notes
Essentially this is making it impossible for a user to sign out of our app, because the system browser, that we don't have control over, is keeping track of their authentication despite the session value no longer being valid against the server.
I've seen other people looking to find ways to clear cookies from the system browser, which may be what this issue relates to, though it doesn't appear to be possible to access the auth session's browser cookies in any way. This comment on a GitHub issue is exactly what I'm experiencing and need to find a solution to.
I would like users to be able to sign out, and then when they sign back in again they should have to enter their credentials again. Does anyone have any thoughts as to how this might be possible?
On iOS, it's now possible to pass in the following config to WebBrowser.openAuthSessionAsync to essentially treat it as incognito and ensure it doesn't retain any cookies. The effect is that the user will have to re-authenticate each time (even if there session is still active). I'm not aware of a similar approach for Android, however.
Code
const browserOptions = {
preferEphemeralSession: true
}
result = await WebBrowser.openAuthSessionAsync(authUrl, redirect, browserOptions)
I am encountering a strange situation with MobileFirst 7.1 where users are occasionally unable to authenticate/login. The only indication that something is awry is a message in the console.log
[AUDIT ] CWWKS1100A: Authentication did not succeed for user ID . An invalid user ID or password was specified.
My custom login module uses com.worklight.core.auth.ext.LdapLoginModule (so to clarify I have a login module which authenticates using LDAP). Like I say everything seems to work most of the time but occasionally users end up in a situation where they are unable to authenticate. I suspect that it is probably related to the session in some way, but that is only a guess based on my investigation.
I have added some logging to my 'secret' adapter which prints the session state to the console log, and obviously this appears in the logs just before the failed authentication message above, but it is empty ie. the session contains nothing.The user is obviously trying to access a secure adapter at this point, and because they are not authenticated they end up at the login page (form based authentication I should say also).
Anyway, I noticed that although there appears to be no session data, the jsessionid is there and has not changed i.e. it does not change even if I refresh the browser. This may not be an issue in itself of course, but interestingly if I remove this entry and refresh my browser I am able to login successfully.
I am pretty sure that my handler code calls the relevant success/failure methods in the correct places but of course there is nothing to stop the user refreshing their browser, which causes them to be re-directed to the login page (the app has been developed using AngularJS so is effectively a single-page navigation model).
The only reproducible test I have been able to come up with is when I login to the MobileFirst console and then try to login to our MF 'desktopbrowser' app. I have read that this situation causes a session-related conflict, but as I say the occasional issue I am seeing is not caused by this (though it may be related).
So the problem seems to have been more related to the flow of logic in our application after successfully logging in, than any inherent issue with the MF Platform.
For example when a user refreshes the browser they are effectively still logged in, but because the app (based on logic we have developed) takes the user to the login page on refresh, the user is effectively re-logging in to the same session. If this failed every time it would of course have been easier to pinpoint but it does not. The solution was to force logout on refresh (when the app initialises), thus cleaning up any session data. In future iterations it may of course be better to re-establish the application based on the authenticated session after refresh, but at present that was a step too far.
Another example of this was post login if the subsequent adapter calls failed (e.g. we authenticate and then retrieve profile data from a database), then we were also not logging the successfully authenticated user out.
i want an automaticalle login in my services when the user is already logged in into cas.
At the moment i must click the login button in every service manually to login.
My goal is when i'am logged in into cas and i join for example my jenkins service my user logged in automatically without clicking the log in button.
Can someone help me?
If you're using something like Spring Security or similar to manage it, then it can do it automatically for you. But since you seems to be making a Single Page Application(as you've said that you're needing a loggin button), and by going with that assuption, you'd need to have that login anyways. Except of course if you've set a script to check if there's a valid cookie already. More details appreciated(sorry, can't just comment)
I have a grails application and I want to connect my user's account to their LinkedIn accounts.
So my steps are:
Have the user click on a button that redirects to:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=MY_API_KEY&scope=r_network&state=SOME_TEXT&redirect_uri=MY_REDIRECT_URI
Then LinkedIn redirects to the specified redirect_uri and I get the authorization code as a parameter in the response. With that code I do a post to:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=MY_AUTHORIZATION_CODE&redirect_uri=SAME_REDIREC_URI_AS_BEFORE&client_id=MY_API_KEY&client_secret=MY_API_SECRET
That works like charm! I get the Access Token and I save it in the User domain class together with the expiration date.
Now my issue comes when I want to have a piece of code with the logic to refresh the Access Token before it expires to avoid having the user clicking on the button every now and then. I know of applications where you link your account to LinkedIn and never have to refresh the token again.
In the documentation: http://developer.linkedin.com/documents/handling-errors-invalid-tokens you can find a section called Refreshing Access Tokens that says:
Refreshing an access token is very simple and can happen without an authorization dialog appearing for the user. In other words, it's a seamless process that doesn't affect your application's user experience.
Simply have your application go through the authorization flow in order to fetch a new access token with an additional 60 day life span.
So how can I follow the same process describe above if it starts with a click of the user in a button.
I have tried doing a GET using he HTTPClient class from groovy like follows:
new RESTClient(accessTokenRequestUrl, ContentType.URLENC)
where the accessTokenRequestUrl is the same used above in the button href. This should eventually call my redirect_uri where I use the authorization code to request the access token but it never gets to that point.
I have tried using the RESTClient add-on for Firefox and it works ok but it doesn't if the call is done from within the application.
Any thoughts?
Thanks in advance!
Cheers,
Juan
If you use the Linkedin JavaScript API, then the access token will be automatically refreshed without any user intervention. Make sure inside your initialization string you set authorize: true so that refresh is seamlessly done as follows:
<script type="text/javascript" src="http://platform.linkedin.com/in.js">
api_key: YOUR_KEY_HERE
authorize: true
</script>