I followed the example screencast by Peter Ledbrook on using the spring security core. I set the password on my user as follows:
springSecurityService.encodePassword("password")
When I attempt to log in, it doesn't decrypt the password properly. If I change the app to not encrypt the password, it will log in perfectly.
I looked at the auto-generated Login controller and I am not seeing where it's doing the decryption of the password. Has anyone else had this problem? Is there something that I am missing to make this work?
Thanks!
As of version 1.2 the User domain class encrypts the password, so by using springSecurityService.encodePassword you're double-encoding. See the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/
Related
We have a code that logins to Sharepoint Online using :
https://login.microsoftonline.com/extSTS.srf or https://login.microsoftonline.com/RST2.srf, but recently we starting to get authentication failed saying that "Incorrect Username or Password" and after some retries it returns:
"0x80048823 message : AADSTS70002: Error validating credentials. AADSTS50053: You've tried to sign in too many times with an incorrect user ID or password."
While using same username and password to login in the browser works fine, and neither password or username were changed, also code didn't changed. As same code works fine for another Sharepoint tenants. Seems that something changed in the Microsoft login servers, where it's started to not accept user credentials, while web browser login works fine.
Please advise.
Thanks
Microsoft Rep has helped me get this far.
They had us create a "Cloud Only" user. This user was setup as "#" so if your name is bill and your corporate sharepoint site is name is FakeCompany.sharepoint.com then you would have the person as "bill#FakeCompany.onmicrosoft.com"
This user was able to login to https://login.microsoftonline.com/extSTS.srf by just passing username and password.
Our on prem AD users are still having issues, i mentioned this and got the following response.
There is no issue with sync as you are able to login to portal using the same account and password.
The solution you need is documented in https://learn.microsoft.com/en-gb/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal#enable-direct-authentication-for-legacy-applications
You need to create a home realm discovery (HRD) policy where "AllowCloudPasswordValidation":true.
We have not yet implemented the last solution but the creating of a cloud account may help some of you.
So I think I understand what they are trying to say. There are 2 paths that you are able to authenticate with according to the node-sp-auth example.
"Managed" and "Federated"
"Managed" was the easier version and allowed for you to be able to just provide username and credentials in a soap assertion to login.
Federated is a lot more complicated. You need to first perform a post to Microsoft to validate the user hitting your adfs server. https://adfs.XXXXXXX.com/adfs/services/trust/13/usernamemixed
Then you take the saml:Assertion from that response and put it into the "Token" section of the call you make to https://login.microsoftonline.com/extSTS.srf utilizing the templates from the node-sp-auth.
I have C# code that performs all these steps but I am getting an error
AADSTS70002: Error validating credentials. AADSTS50008: SAML token is invalid. AADSTS50006: Invalid signature. Signature verification failed.
Even though the signature is being generated by Microsoft in their SAML.
node-sp-auth code refrence is OnlineUserCredential.ts file.
If someone can figure out the last mile I can post a comprehensive C# solution.
I've just happened to notice that using
springSecurityService.reauthenticate(userid, password)
for manual user authentication (in a controller) succeeds regardless of the value for password, i.e. correct password, wrong password, null password, etc.
Am I missing something?
The declaration of springSecurityService's method is
void reauthenticate(String username, String password = null)
so at first I was pretty confident that a password check was in place.
Config
Grails 3.2.4
Spring Security Plugin (core) 3.1.1
The reauthenticate method updates the current Security context with UserDetails instance found by the email you provide to the reauthenticate method. It does not perform any validation as it is an internal call. It also removes the user from the user cache to force a refresh at next login.
So if you do not pass the password parameter, it is going to use the password from the UserDetails instance and set the authentication context with these details.
Have a look at the code here
I hope this helps.
I have configured liferay to authenticated to OpenLdap. Cas, import and export is activated.
User create from OpenLdap can authenticate to portal, also is imported into Liferay. It seems importing process is ok.
When user try to modify an attribute other than password the data is modified on OpenLdap.
The problem is when user try to modify their password. Liferay ask for current pass and the new one. It get a error saying credentials an incorrect.
If i try to modify the password of the user with a administrator user, Liferay only ask for the new password. After that, the user with de password changed by de admin user can log in with the new password. So, it seems password is modified correctly on OpenLdap. If user, try to modify again the password, Liferay say that everything was ok, but the user cannot autenticate with the new passord, only with old password.
After that if I try to change de password again with admin user, Liferay say that everthing was ok but the user now cannot authenticate with new password.
I'm using Liferay 6.2 ce.
I have modified :
ldap.auth.method=password-compare
ldap.auth.password.encryption.algorithm=SHA
ldap.auth.method=bind
on portal-setup-wizard.propertiesenter code here
Any Idea?
Thanks very much in advance.
with several values without success.
Compare is not a best practice for LDAP in general.
"Bind is preferred by most vendors so that you don't have to worry about encryption strategies."
Also there appears to be a bug in LifeRay that may affect your version.
I've recently updated Glassfish from 3.1.2 to 4.0 and wanted to set up a JDBCRealm that I used before on my app which uses FORM based authentication. The passwords are hashed with SHA-256 in the database (that is the default Digest Algorithm option).
The realm has a property that became mandatory in this Glassfish version: Password Encryption Algorithm. Quite incredibly, the official Glassfish documentation says it's optional, and the note under the input field says it is a risk to leave it empty, however you cannot leave it empty as it is mandatory.
I cannot log in in my app that was working before no matter what I set in this property. (This is true to both the newly registered and old users.) I was googling for days but couldn't find the options for this field. What are the options?
Also, I'm using Glassfish with MySQL. Does Glassfish send the hashed passwords encrypted to the DB or is it just some instruction to MySQL to store the hashed passwords with this kind of encryption?
This question helped me somewhat but didn't solve my problem.
UPDATE: Actually, I don't use the classic FORM based authentication, but a custom JSF form with programmatic login using HttpServletRequest#login(), but I don't think it matters in this issue.
I've tested a simple use case with Glassfish 4.1 and a JDBC Realm configured for MySQL.
You can set up a simple user table:
name: stores the username
password: stores the SHA-256 hash of the user's
password (without salting)
group: stores the user group (i.e. admin, user)
I.e.
INSERT INTO users (name, password, group) VALUES ("admin", SHA2("password", 256), "admins");
In the admin console, go to Configurations > Security > Realms and edit your realm.
In the "Password Encryption Algorithm" field enter "AES".
In the "Digest Algorithm" field enter "SHA-256".
In the "Charset" field enter "UTF-8".
I have this problem:
I have enabled Liferay to import and export users from/to OpenLDAP server.
When I create a user in Liferay I obtain this page:
So, I have create a new user and Liferay has assigned to it a password (3zbPk6KA).
But.. if I try to login with new user (and generated password) I obtain the error message of incorrect credentials. In LDAP server I can see the new account but, the corresponding password seems to be different from that generated by Liferay..
In Java console i read this warning:
14:20:15,882 WARN [http-bio-8080-exec-6][LDAPAuth:208] Passwords do not match for userDN cn=myUser,ou=users,dc=myProject,dc=com
Some suggestions?
Had this problem too. what's your value for Ldap password policy and what's your liferay version ?
I think you have 2 options :
Disable Ldap password policy, and if your Liferay version has no bug on exporting new user's autogenerated passwords, Your scenario is supposed to work. Else, you'll have to create a patch/hook that sends that password to LDAP
Enable LDAP password policy, setup a fixed default LDAP password, and hook the login process, so that you inform the new registered user (Screen Message + validation email) on her initial password. Note that there's still a security issue here, because of the fixed password, as someone could create accounts for other users if he knows their e-mails and tries to register before them.
You have to unmark "required" in controlpanel→portal→configuration→autenticathion→LDAP to di
I don't know why that specific scenario doesn't work. I have used Liferay 6.1 and know there are a number of bugs with the LDAP function of version 6.1. The problem that I faced was that checking "Use LDAP Password Policy" resulted in a user being created without a password.
However, if your password is being created in Liferay, you can turn off the export in Liferay LDAP wizard and programmatically export users through a hook using Java LDAP look up. I had to do it and it fixed a number of similar issues for me.
The link is a below
http://abhirampal.com/2014/12/20/liferay-ldap-export-to-active-directory-disabled-user-bug/