Fetching current loggedin user using spring security - authentication

I have a problem in getting the logged in user in my spring-extjs application.I am using spring security 2.0.4.Here are the details of what i have tried.
Controller class:
#RequestMapping(value="/StaffingApplication/index.action", method = RequestMethod.GET)
public String printUser(ModelMap model) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String name = auth.getName(); //get logged in username
System.out.println(name);
model.addAttribute("username", name);
return "index.jsp";
}
login.js file
var login = new Ext.FormPanel({
labelWidth:80,
url:'j_spring_security_check',
frame:true,
title:'Please Login',
defaultType:'textfield',
width:300,
height:130,
monitorValid:true,
// Specific attributes for the text fields for username / password.
// The "name" attribute defines the name of variables sent to the server.
items:[{
fieldLabel:'Username',
name:'j_username',
allowBlank:false
},{
fieldLabel:'Password',
name:'j_password',
inputType:'password',
allowBlank:false
}],
// All the magic happens after the user clicks the button
buttons:[{
text:'Login',
formBind: true,
// Function that fires when user clicks the button
handler:function(){
login.getForm().submit({
method:'POST',
// Functions that fire (success or failure) when the server responds.
// The server would actually respond with valid JSON,
// something like: response.write "{ success: true}" or
// response.write "{ success: false, errors: { reason: 'Login failed. Try again.' }}"
// depending on the logic contained within your server script.
// If a success occurs, the user is notified with an alert messagebox,
// and when they click "OK", they are redirected to whatever page
// you define as redirect.
success:function(){
Ext.Msg.alert('Status', 'Login Successful!', function(btn, text){
if (btn == 'ok'){
window.location = 'index.action';
}
});
},
// Failure function, see comment above re: success and failure.
// You can see here, if login fails, it throws a messagebox
// at the user telling him / her as much.
failure:function(form, action){
if(action.failureType == 'server'){
obj = Ext.util.JSON.decode(action.response.responseText);
Ext.Msg.alert('Login Failed!', obj.errors.reason);
}else{
Ext.Msg.alert('Warning!', 'Authentication server is unreachable : ' + action.response.responseText);
//window.location='loginFailure.html'+action.response.responseText;
}
login.getForm().reset();
}
});
}
}]
});
On my jsp page I access it like this.
<div id="header" class="header">Options Staffing Application
<div style="" id="user-status">
<a href='<c:url value="j_spring_security_logout"/>'>Logout</a>
<h3>Username : ${username}</h3>
</div>
</div>
But I just get a blank in place of username.
When I try to print it in the controller I get the value printed,but doesn't seem to be displayed on the jsp page.Went throgh other threads but did not help.Any help would be appreciated
Thanks for the time
Sachin


You don't need to put the username into an object model because you can access it from a jsp just like the way you do in the controller class:
<h3>Username <%=SecurityContextHolder.getContext().getAuthentication().getName(); =></h3>
Or even better:
<h3>Username <sec:authentication property="name" /></h3>
But i'm not sure if you can use that taglib in Spring Security 2

Related

Cro user session gets forgotten

I'm trying to learn out Cro (and Perl6 simultaneously) ;)
My study app is based on the documentation of Cro. I added some authentication which does work, but the user session gets forgotten immediately.
You can check out the code at https://gitlab.com/ecocode/beaverapp
go to the login pasge and login with "user" and "pwd". You get rerouted to / (which indicates the login succeeded), but the message there is "Current user: -". So the session gets lost.
The relevant part of Routes.pm6 :
class UserSession does Cro::HTTP::Auth {
has $.username is rw;
method logged-in() {
defined $!username;
}
}
my $routes = route {
subset LoggedIn of UserSession where *.logged-in;
get -> UserSession $s {
content 'text/html', "Current user: {$s.logged-in ?? $s.username !! '-'}";
}
get -> LoggedIn $user, 'users-only' {
content 'text/html', "Secret page just for *YOU*, $user.username()";
}
get -> 'login' {
content 'text/html', q:to/HTML/;
<form method="POST" action="/login">
<div>
Username: <input type="text" name="username" />
</div>
<div>
Password: <input type="password" name="password" />
</div>
<input type="submit" value="Log In" />
</form>
HTML
}
post -> UserSession $user, 'login' {
request-body -> (:$username, :$password, *%) {
if valid-user-pass($username, $password) {
$user.username = $username;
redirect '/', :see-other;
}
else {
content 'text/html', "Bad username/password";
}
}
}
sub valid-user-pass($username, $password) {
# Call a database or similar here
return $username eq 'user' && $password eq 'pwd';
}
}
sub routes(Beaverapp $beaverapp) is export {
route {
# Apply middleware, then delegate to the routes.
before Cro::HTTP::Session::InMemory[UserSession].new;
delegate <*> => $routes;
}
}
I think the problem is due to the middleware session management not working. How should I correct this? Or maybe the problem is due to something else?

The behavior you saw was indeed caused by a bug in cookie-treatment inside of HTTP/2 stack.
As for now, the bug is fixed and the code in OP post works.

After discussion on cro irc channel, this problem only appears when using https 2. So the code above is correct.

Invalid CSRF when logging in to keystone

I'm entirely new to coding. I've looked around a bit, but not found anything relevant.
When logging into keystone to view our mongoDB database I get an error message saying:
Something went wrong; please refresh your browser and try again.
Doing that does not help. Neither does deleting the browser history or attempting from another lap top.
Looking at the javascript console in the browser, the error states invalid csrf.
I think this is the relevant source code in the keystone folder:
handleSubmit (e) {
e.preventDefault();
// If either password or mail are missing, show an error
if (!this.state.email || !this.state.password) {
return this.displayError('Please enter an email address and password to sign in.');
}
xhr({
url: `${Keystone.adminPath}/api/session/signin`,
method: 'post',
json: {
email: this.state.email,
password: this.state.password,
},
headers: assign({}, Keystone.csrf.header),
}, (err, resp, body) => {
if (err || body && body.error) {
return body.error === 'invalid csrf'
? this.displayError('Something went wrong; please refresh your browser and try again.')
: this.displayError('The email and password you entered are not valid.');
} else {
// Redirect to where we came from or to the default admin path
if (Keystone.redirect) {
top.location.href = Keystone.redirect;
} else {
top.location.href = this.props.from ? this.props.from : Keystone.adminPath;
}
}
});
},
How can I go about solving this / debugging the error? Thanks for any help!

This usually happens when session affinity fails. Are you using default in-memory session management? Maybe, try using a database for maintaining session state.
If you use MongoDB, Try the following config setting
'session store': 'mongo',
See 'session store' section under http://keystonejs.com/docs/configuration/#options-database for more details.

Dropwizard authentication header token

I am trying to implement OAuth2 authentication in a Dropwizard web-application. I have created the required Authenticator and Authorizer classes and added the code supplied in the Dropwizard manual in my Application's run-method as follows:
environment.jersey().register(new AuthDynamicFeature(
new OAuthCredentialAuthFilter.Builder<User>()
.setAuthenticator(new TokenAuthenticator(service))
.setAuthorizer(new TokenAuthorizer())
.setPrefix("Bearer")
.buildAuthFilter()));
environment.jersey().register(RolesAllowedDynamicFeature.class);
//If you want to use #Auth to inject a custom Principal type into your resource
environment.jersey().register(new AuthValueFactoryProvider.Binder<>(User.class));
My required behavior is that after my client has logged in by providing his/her credentials on my login page, I want to redirect the client to a greeting page I have created using Dropwizard Views and is under the path: "/me" as follows:
//After succesfull login and token generation
return Response.seeOther(new URI("/me")).build(); // redirect to greeting page
And my greeting resource looks as follows:
#Path("/me")
#Produces(MediaType.TEXT_HTML)
public class UserResource {
#GET
public UserView getView(#Auth User user) {
return new UserView(user);
}
}
Currently I am getting a "Credentials are required to access this resource." response after logging in. After some reading on token authentication (nice explanation here) I picked up that the token must be sent from the client in the header of each request. So my question is how do I tell the user's browser (client) to include the token in the header of future requests?

I managed to solve this by doing the following:
In order to verify the user, a token must be sent in the header of the request in the form of Authorization: Bearer <token-value>. This token is sent by the server upon authentication and must be stored by the client / user to be sent in future requests. I managed to store the token by using an ajax request when my login form is submitted as follows:
<#-- Handle form submission response to save the token on the client side-->
<script>
$('#loginForm').submit(function(event){
event.preventDefault();
$.ajax({
url: $(this).attr('action'),
type: 'POST',
data : $(this).serialize(),
dataType: 'json',
success: function(data){
//alert("The server says success!!: " +data);
console.log(data);
window.sessionStorage.accessToken = data.token;
window.location = data.url;
},
error: function(data){
alert("The server says error! : ");
console.log(data);
}
});
});
</script>
The login resource then produces JSON which is received in the data-variable in the code above. The required token resides in data.token - which is then stored. I added a second entry in the JSON named "url" to indicate the path to redirect to after successful authentication.
Now the token is stored on the client side when needed. In order to send this token in the request header, I needed to alter my approach to using the Views provided by Dropwizard. Instead of directly requiring authentication, I split the View's resource and the authenticated data resources. To clarify consider the following example. A user logs in, gets the token and then goes to a page that displays his/her username. For the page, a View resource is created with a .ftl file to serve as a template. Something like:
#Path("/me")
#Produces(MediaType.TEXT_HTML)
public class UserResource {
#GET
public UserView getView() {
return new UserView();
}
}
and...
public class UserView extends View {
public UserView() {
super("user.ftl");
}
}
And user.ftl:
<#include "include/head.html">
<#include "include/header.html">
<!-- Header -->
<div id ="headerWrapper">
</div>
<div class="container-fluid">
<div id="name">
<p>Hello user</p>
</div>
</div>
<#include "include/footer.html">
Now to retrieve the username I create a new resource which produces JSON on a new path. For example:
#Path("/getdetails")
#Produces(MediaType.APPLICATION_JSON)
public class UserDetailsResource {
#GET
#Timed
#UnitOfWork
public User getDetails(#Auth User user) {
return user;
}
}
This resource requires authentication and provides JSON from which the username can be retrieved. Now to get the username and place it inside the view, simply add a script to the users.ftl with an ajax request to the getdetails resource, providing the token in the header and using the result to place the username in the view. See script below.
<script>
$.ajax({
url: '/getdetails',
type: 'GET',
headers: {"Authorization": window.sessionStorage.accessToken},
dataType: 'json',
success: function(data){
//alert("The server says success!!: " +data);
console.log(data);
$("#name").text('Hello '+data.username);
},
error: function(data){
alert("The server says error! : ");
console.log(data);
}
});
</script>

MEAN Stack app authorization - register seems to by trying to login

When I try to register as a new user I get an error message saying invalid username or password which makes me think the app is trying to login when it should be trying to register.
The form:
form(class='form-auth' ng-submit='register()')
p(class='text-warning'){{error_message}}
label(for='email') Email
input(type="email", ng-model='users.email', name="email", placeholder='Email')
label(for='password') Password
input(type="password", ng-model='users.password', name="password", placeholder='Password')
input(type="submit" class='submitBtn' value='Go')
The 'register' controller (in file 'myApp.js' in the public Javascript directory)
app.controller('authController', function($scope, $rootScope, $http, $location){
$scope.user = {email: '', password: ''};
$scope.error_message = '';
$scope.register = function(){
$http.post('/auth/signup', $scope.user).success(function(data){
if(data.state == 'success'){
$rootScope.authenticated = true;
$rootScope.current_user = data.user.username;
$location.path('/');
}
else{
$scope.error_message = data.message;
}
});
};
});
I've got auth and passport in the main app.js file. I have a login function above the register one but it seems to be closed properly. Is there something wrong here?

The ng-model of the inputs should be "user.email, user.password" instead of "users.email, users.password" like its in your controller $scope.user.
Like $scope.users doesnt exist, empty values are sent to the backend.

Google Auth2.0 log out

I'm currently trying to make a site where the user can log in with his google+ account. Most of it is working. I get them to grant access to my website. They can log in and I get their name and user ID, and I show content specific to their google account on my site.
When however someone else wants to log in and I try to 'log out' of the site, the google log in still remembers that it just logged in and after logging out it instantly runs the code to log in again. If I delete the SSID cookie from google it doesn't do this, so I'm assuming that's where google stores the fact that I just logged in with x.
Is there a way to when I log out make google not instantly log in with the same account, but rather ask for the e-mail and password of a google user?
I feel like I'm missing something obvious here, but I can't figure out how to deal with this.
Code I use to Auth and get data:
<button class ="btn btn-primary" id="authorize-button" style="visibility: hidden">Log in</button>
<script>
var clientId = '';
var apiKey = '';
var scopes = '';
function handleClientLoad() {
gapi.client.setApiKey(apiKey);
window.setTimeout(checkAuth,1);
}
function checkAuth() {
//alert("authorize");
gapi.auth.authorize({client_id: clientId, scope: scopes, immediate: true}, handleAuthResult);
}
function handleAuthResult(authResult) {
//alert("authorized");
//alert(authResult.access_token);
var authorizeButton = document.getElementById('authorize-button');
if (authResult && !authResult.error) {
authorizeButton.style.visibility = 'hidden';
makeApiCall();
} else {
authorizeButton.style.visibility = '';
authorizeButton.onclick = handleAuthClick;
}
var token = document.createElement('h4');
token.appendChild(document.createTextNode(authResult.access_token));
document.getElementById('content').appendChild(token);
}
function handleAuthClick(event) {
gapi.auth.authorize({client_id: clientId, scope: scopes, immediate: false}, handleAuthResult);
return false;
}
var x;
function makeApiCall() {
//return;
gapi.client.load('plus', 'v1', function() {
var request = gapi.client.plus.people.get({
'userId': 'me'
});
request.execute(function(resp) {
x = resp.id;
var heading2 = document.createElement('h4');
var heading3 = document.createElement('h4');
heading3.appendChild(document.createTextNode(resp.displayName));
heading2.appendChild(document.createTextNode(resp.id));
document.getElementById('content2').appendChild(heading2);
document.getElementById('content3').appendChild(heading3);
$.post("token.php", {id: x});
});
});
}

When you make the auth call, set approvalprompt to force. This will force the consent dialog to appear every time. It overrides the default setting of "auto." You can learn more at https://developers.google.com/+/web/signin/#sign-in_button_attributes.
gapi.auth.authorize({client_id: clientId, scope: scopes, immediate: true, approvalprompt: force}

After the user authorizes your app, they are basically logged in to your app any time that they are also logged in to Google, especially when immediate mode is turned on.
What some sites do is have a logout link or button that displays a page or dialog that says something along the lines of "You're logged in to Google and this site with account blah#blah.com. If you want to switch accounts, go to google.com and log out of your Google session."
You can also track the logged in status of a user using your own cookies and setting and removing them during the appropriate events in your code. You would want to discard any tokens that your app obtained on behalf of the user during a log out event. When the user logged in again, they would not need to re-authorize your application with the popup (or redirect window), but you'd still get a new access token during the callback.