I am a bit confused by the method Engine.SetDownloadSource(). What I am trying to do is change the download URL for the bundled packages from an external website to an internal one. (If there is an easier way to do this, I am open to other suggestions).
Now for the problem. When calling this method it is asking for a user and password. I am not sure where I should get this info from.
string downloadSource = Path.Combine(WebSitePath(), "WebSetup/WebSetupData/", Path.GetFileName(args.DownloadSource));
Engine.SetDownloadSource(args.PackageOrContainerId, args.PayloadId, downloadSource, user, password);
WebSitePath() simply returns the base URL for the website. I can't find any hint about what username and password the MBA would use if I didn't change the link, and likewise I am not sure how to tell it to use the current windows user to download from the new link. Any help would be greatly appreciated.
Username and password are optional to support basic or digest HTTP authorization. Set them to null if you don't want to provide a user/password combination.
Related
one question, maybe it's a bit longer, but i really hope someone can help me 🙏
I've been reading the docs but simply can't figure it out.
Is there a way i can create a signup feature where user creates an account (only simple one, email and pw) , and that account data is saved somewhere in a json file
And then the user can login via post method by typing his credntials.
And if credentials are correct (out of any other credentials there are in that particular json file) he gets a random jwt.
I mean i know i need to set up the rules if email and pw match any user and pw from the json file
Thanks!
Mockoon offers mostly stateless and independant endpoints mocking. Which means, there is currently no easy way to "code" it for such advanced use cases.
You can simulate a POST /signup and POST /login call, make sure the request looks OK by using Mockoon's rules, but they will not be linked and the credentials will not be persisted.
A system of CRUD endpoints is currently under development but it will allow for JSON manipulation only, not the kind of behavior you describe which is also very close to a production application.
I'm trying to get my standalone webapplication to use my Liferay 6.2 as "user store". That means I want the user to log in to Liferay and then be able to move on to another application with some credentials and user specific information passed as well. Moving on and passing information is already working, the issue I'm having right now is making sure the user-object that is passed on is the user that is actually logged in right now.
I use the LFR_SESSION_STATE_ cookie do determine the logged in user. But when I log in again with another user I get a second cookie with a different user-id. So now I need to make sure that I'm passing the correct user. The USER_UUID cookie does not contain the same uuid as provided by Liferay (as of now I didn't check if it's a hash of the uuid).
Long story short, I'm looking for a way to recognize the currently logged in user and be able to pass the credentials and additional information to my application.
I will take care of security concerns like manipulated cookies etc. subsequently. Maybe that will raise another question wenn I get to that point ;-)
I'd really appriciate any help or push in the right direction.
Thanks in advance guys ... sebastian
Some possibilities:
Make your application a portlet application
Publish your Liferay Database through LDAP (EE only) and use a separate SSO application
Create a Liferay-Hook that sets a cookie (to "/") containing the required user information - encryption and signatures are on yourself. You can create hooks that get executed on every successful login
Hi StackOverflow Community!
I am working at BOX API . Everything is fine,but I want to change the Authentication behavior.
Authentication process first go to box website for ACCOUNT HOLDER Authentication. Is it possible to auto Authenticate using username/password and users view ACCOUNT HOLDER files directly?
I am looking forward.
Similar question asked here with a solution involving renewing bearer and access tokens. Only restriction is that the renewal needs to occur at least once every 14 days. I hope this is a workable solution for you.
It looks like this isn't possible. The Box API uses OAuth 2.0 authentication, which explicitly requires you to redirect the user to the Box website so that they can "allow" access to their account. See http://developers.box.com/oauth/
Which SDK are you using iOS, Windows, Ruby, other? It is possible to auto-login basically it would involve having the user configure their username and password somewhere. Then if you take those stored values and using javascript calls you can input the username and password into the appropriate fields and then submit the form. Depending on the api you'll be presented with a different login screen.
Disclaimer Box changes their login screen frequently and seems really buggy so I wouldn't recommend this route but if you want to do it any way the javascript will look something like:
var username = "user1";
var password = "superSecretPassword";
document.getElementById('login').value = 'username';
document.getElementById('password').value = 'password';
document.forms[0].submit();
I would like to make a vb .net application that auto logs into places and retrieves data from them. I have already succeeded in doing this by opening internet explorer programmably and tabbing to enter name and password. But this is messy, and needs to be well timed. I'm using VB .Net. Is there a way to interface with sites to auto login. Maybe I could inject a cookie, but then the browser could change. Any suggestions would be very helpful. Thanks
Well, it really depends on what authentication scheme the sites use. It is possible to pass a Credentials object with an HttpWebRequest which can be used to authenticate against sites that use basic authentication, windows authentication and similar. But I can't think of a reliable way that would work for any and all sites.
May not be something you'd consider, but the ideal tool for you is Selenium rather than reinventing the wheel and writing your own version in VB.net.
Best thing to do is have a quick look at that link, see what you think.
'In vb.net...add a webbrowser control. Then use
webbrowser1.navigate("www.gmail.com")
'Then in the webbrowsers document completed event paste something like this.
'where I wrote "123456" you will put the id of the html element for the username textbox.
'where I wrote "abcdef" you will put the id of the html element for the password textbox.
webbrowser1.Document.GetElementById("123456").InnerText = "yourusernamehere"
webbrowser1.Document.GetElementById("abcdef").InnerText = "yourpasswordhere"
webbrowser1.Document.DomDocument.forms(0).submit()
WatiN could be used for some of what you describe but I think almost anything will be messy unless you can find a way to do a silent login where some token is passed along to impersonate someone.
And CasperJS and PhantomJS may be a way forward too. Using a headless browser you can identify steps in JavaScript you would like to perform at a Website. Useful for interaction through to scraping.
Is there a way to interface with sites to auto login.
Yes, there is. Well, its just a POST HttpRequest or OAuth token.
You can always use direct POST requests with the required headers for any token auth. You can also test these command with cURL from the CLI.
~Without taking VB.net into account~, you can auto login to a website
by using:
Autologin via Keypass - http://keepass.info/ or https://www.keepassx.org/
Keypass automatically opens the login URL of the website, fill the login form and submits it.
Select website from your list, then press CTRL+U & CTRL+V - and you are logged in.
I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:
passphrase question / answer (1 or more)
send email with new password
on screen give new password
confirmation through email: must click link to get new password
page requiring user to enter a new password
What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.
I'm operating on the principal that the password cannot be retrieved; a new password must be given/generated.
Edit I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, which displaying some sort of "does not exist" message is useful. Any solutions?
I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.
Option 1 is far easier.
A few important security concerns:
A passphrase question / answer actually lowers security since it typically becomes the weakest link in the process. It's often easier to guess someone's answer than it is a password - particularly if questions aren't carefully chosen.
Assuming emails operate as the username in your system (which is generally recommended for a variety of reasons), the response to a password reset request shouldn't indicate whether a valid account was found. It should simply state that a password request email has been sent to the address provided. Why? A response indicating that an email does/doesn't exist allows a hacker to harvest a list of user accounts by submitting multiple password requests (typically via an HTTP proxy like burp suite) and noting whether the email is found. To protect from login harvesting you must assure no login/auth related functions provide any indication of when a valid user's email has been entered on a login/pass reset form.
For more background, checkout the Web Application Hackers Handbook. It's an excellent read on creating secure authentication models.
EDIT: Regarding the question in your edit - I'd suggest:
"A password request email has been
sent to the address you provided. If
an email doesn't arrive shortly,
please check your spam folder. If no
email arrives, then no account exists
with the email you provided."
There's a trade-off being made here between ease of use and security. You have to balance this based on context - is security important enough to you and your users to justify this inconvenience?
Send email with new password.
FORCE a password change when they arrive and key in the new password.
This ensures that the person who wanted the password will be the only only getting in to the account.
If the email is sniffed, someone could get in to the account (of course), but the real party will discover this immediately (as their password you just sent them doesn't work).
Also send confirmations of password changes to the users.
If someone get the new password, and then an email saying "thanx for changing the password", they're going to be rather puzzled and will talk to an admin if they didn't do it.
Using the email verification/password reset link will give you better security.
If you look around this is how most websites do it and people are pretty used to this verification, so I'd recommend using this type of authentication.
I would think (gbrandt's) Option 2 would be a great method if it is combined with some personal information you already have for the user. i.e date of birth.
When the user requests a new password (reset) via entering his email address, he also has to enter a correct date of birth (or something else) before the password is reset and a new one is emailed to the user.
Only those who know him well can possibly annoy him by resetting his password! It cant be a stranger or a bot
Upon 5 or 7 bad email-address & date of birth combinations the user is emailed that his password has been requested to be reset and has failed due to an incorrect credential. Then password resetting for that account is suspended for 24hrs or any desired period.
(if too many users contact the webadmin regarding this email he'll know someone is trying to maliciously attain information from your website/app)
What do you guys think?
Option 1. is not a good idea, as generally his becomes easily guessable by others. Sarah Palin's personal email (Yahoo I think) was hacked in this way by a third party.
The other options are better and previous posts have outlined the detail.
The idea I was thinking about was to sign the data in the link that is sent to the user. Then, when the user clicks the link and the server receives the call, the server also gets the encrypted part and can validate that the data was untouched.
I have implemented a JAVA project for this use case. It is on GitHub, open source. It answers your question perfectly... implemented in Java.
As for the link in the email - it generates the link, plus validates it upon usage.
There are explanation for everything (and if something is missing - let me know...)
Have a look: https://github.com/OhadR/Authentication-Flows
See a Demo here.
This is the client web-app that uses the auth-flows, with the README with all explanations. it directs you the implementation: https://github.com/OhadR/authentication-flows/tree/master/authentication-flows