The usual way of authenticating user is to invoke:
SecurityUtils.subject.login(new UsernamePasswordToken(params.username, params.password))
However, what if I would like to log him in automagically, without necessity of typing username and password? I have created method in userService like this:
def logIn(User user){
Object userIdentity = user.email
String realmName = "ShiroDbRealm";
PrincipalCollection principals = new SimplePrincipalCollection(userIdentity, realmName);
Subject subject = new Subject.Builder().principals(principals).buildSubject();
ThreadContext.bind(subject)
}
But this does not work, any hints?
I have managed to solve the issue. I have created my own class that implements AuthenticationToken interface:
class UsernameToken implements AuthenticationToken{
private username;
public UsernameToken(String username) {
this.username = username;
}
public String getPrincipal() {
return username;
}
public String getCredentials() {
return username;
}
}
and created new Realm which looks exactly the same as the default one but without password verification. Now I can use
SecurityUtils.subject.login(new UsernameToken(user.username))
Related
Hello everyone,
I need to get authenticated in my JBoss AS 7 by using different ways. The app is using form-based authentication, I need to implement another way to do it but without login page, maybe by using token, certification, etc... I do not know how to do it, but the authentication needs to be performed without login.
Is there a way in Jboss?
Thanks,
Luis.
hi what are the security requirements for this other login method? you could use a certificate based authentication. all the different login method are listed here: https://docs.jboss.org/author/display/WFLY8/Authentication+Modules
If you need to create your own Login module you can follow examples such as this here https://github.com/radcortez/wildfly-custom-login-module:
public class CustomLoginModule extends UsersRolesLoginModule {
private CustomPrincipal principal;
#Override
public boolean login() throws LoginException {
boolean login = super.login();
if (login) {
principal = new CustomPrincipal(getUsername(), "An user description!");
}
return login;
}
#Override
protected Principal getIdentity() {
return principal != null ? principal : super.getIdentity();
}
}
public class CustomPrincipal extends SimplePrincipal {
private String description;
public CustomPrincipal(String name, String description) {
super(name);
this.description = description;
}
public String getDescription() {
return description;
}
public void setDescription(String description) {
this.description = description;
}
}
Basically use the classes from org.jboss.security
does that help?
cheers
oliver
i am writing a unitest for login in my project .
when i call the login function of my controller. Memership.GetUser giving null value for passed User.
below is Test case
[TestMethod]
public void Login()
{
//Arrange
AccountController account = new AccountController(_forgotPasswordTokensRepo, _IMessageTemplateDAO, _IEmailService, _ISettingDAO, _IProfileDAO);
List<AccountBO> TestUsers = new List<AccountBO>();
AccountBO objAccountBO = new AccountBO();
objAccountBO.Email = "uu#yopmail.com";
objAccountBO.Password = "123456789";
TestUsers.Add(objAccountBO);
var result = (JsonResult)account.Login(TestUsers[0]);
var json = new System.Web.Script.Serialization.JavaScriptSerializer();
string data = result.Data.ToString().Split('=')[1].Trim();
bool Processdata = Convert.ToBoolean(data.Replace('}', ' ').Trim());
Assert.AreEqual<bool>(true, Processdata);
}
Controller function is
public JsonResult Login(AccountBO account, string returnUrl = "")
{
bool hasBeenUnlocked = false;
if (ModelState.IsValid)
{
MembershipUser adminUser;
adminUser = Membership.GetUser(account.Email);
------so on
}
}
here adminUser = Membership.GetUser(account.Email) is giving null.
What do you expect GetUser to return? Are you expecting it to query the db/active directory and return a user with full credentials?
Unless I remember wrong, Membership is part of Asp.Net infrastructure so it is not set up in the context of your unit test. The solution is not to set it up. It is to stub out that functionality.
public interface IProvideUsers {
public MembershipUser Get(string email, string password);
}
public class AspNetMembershipProvider : IProvideUsers {
public MembershipUser Get(string email) {
//...
}
}
then in your controller
IProvideUsers users;
....
users.Get(account.Email, account.Password);
where users is injected via the constructor. Then in your tests you create your own implmentation of IProvideUsers and provide that.
This is my custom user authentication setup in my global.asax file, but I am currently providing the users manually in the Configure method; Is it possible to take values from a Redis server?
For example if user exists and the password is okay, can fill with these details automatically?
Plugins.Add(new AuthFeature(()=>
new AuthUserSession(),
new IAuthProvider[]{ new BasicAuthProvider() }
));
container.Register<ICacheClient>(new MemoryCacheClient());
var userRepo = new InMemoryAuthRepository();
container.Register<IUserAuthRepository>(userRepo);
string hash, salt;
new SaltedHash().GetHashAndSaltString("password", out hash, out salt);
userRepo.CreateUserAuth(new UserAuth
{
Id = 1,
DisplayName = "Haluk",
Email = "hal",
UserName = "haluk",
FirstName = "haluk",
LastName = "yılmaz",
PasswordHash = hash,
Salt = salt
}, "password");
Yes you can authenticate against a Redis data source. You can either use the built in RedisAuthRepository in place of the InMemoryAuthRepository, or if you have an existing Redis data set that you want to use instead of the built-in IAuthRepository pattern, I have included a solution for that, whereby you extend the BasicAuthProvider. The first method is the most straightforward:
Use the RedisAuthRepository:
So you need to establish a connection to Redis.
Then register your authentication providers.
Register the RedisAuthRepository, which the authentication providers will check credentials against, and is compatible with the RegistrationFeature
private IRedisClientsManager redisClientsManager;
public override void Configure(Funq.Container container)
{
// Configure ServiceStack to connect to Redis
// Replace with your connection details
redisClientsManager = new PooledRedisClientManager("127.0.0.1:6379");
container.Register<IRedisClientsManager>(c => redisClientsManager);
container.Register<ICacheClient>(c => c.Resolve<IRedisClientsManager>().GetCacheClient()).ReusedWithin(Funq.ReuseScope.None);
// Setup the authorisation feature
Plugins.Add(new AuthFeature(()=>
new AuthUserSession(),
new IAuthProvider[]{ new BasicAuthProvider() }
));
// Use a RedisAuthRepository
var userRepo = new RedisAuthRepository(redisClientsManager);
container.Register<IUserAuthRepository>(userRepo);
// You can then register users as required using the RegistrationFeature
}
Alternatively (if you have an existing user authentication dataset in Redis)
You can do this by creating a custom authentication provider that extends the existing BasicAuthProvider.
For this code you should also make sure that your familiar with the ServiceStack.Redis client.
Extend the BasicAuthProvider:
This MyRedisBasicAuthProvider extends the existing BasicAuthProvider, and instead of performing the credentials lookup from an IUserAuthRepository as given in your example code, it makes a Redis connection and matches the username to entry in Redis.
The code is fully commented but if there is anything you wish further explained, let me know.
public class MyRedisBasicAuthProvider : BasicAuthProvider
{
// The key at which we will store the user profile. i.e user:john.smith or user:homer.simpson
// Replace this key with your format as required
public const string UserKeyFormat = "user:{0}";
MyUser CurrentUser;
// Gets an instance of a redis client
static IRedisClient GetRedisClient()
{
// Get the RedisClientsManager from the Container
var redisClientManager = HostContext.TryResolve<IRedisClientsManager>();
if(redisClientManager == null)
throw new Exception("Redis is not configured");
// Return a client
return redisClientManager.GetClient();
}
// This method is used to verify the credentials provided
public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
{
// Get a Redis client connection
using(var redisClient = GetRedisClient())
{
// Get a typed Redis Client
var userClient = redisClient.As<MyUser>();
// Try to find a matching user in Redis
CurrentUser = userClient.GetValue(string.Format(UserKeyFormat, userName));
// Check the user exists & their password is correct (You should use a hashed password here)
return CurrentUser != null && password == CurrentUser.Password;
}
}
// This method is used to populate the session details from the user profile and other source data as required
public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
{
// Populate the session with the details of the current user
session.PopulateWith<IAuthSession, MyUser>(CurrentUser);
// Save the session
authService.SaveSession(session);
return null;
}
public static void AddUserToRedis(MyUser user)
{
using(var redisClient = GetRedisClient())
{
// Get a typed Redis Client
var userClient = redisClient.As<MyUser>();
// Add the user to Redis
userClient.SetEntry(string.Format(UserKeyFormat, user.Username), user);
}
}
}
In the code above I have used a class MyUser to represent the user profile that I have stored in Redis, you can of course customise this class to match your user profile requirements. So this is the basic user profile class:
public class MyUser
{
public string Username { get; set; }
public string Password { get; set; } // Replace with a hashed password
public string Email { get; set; }
public string FirstName { get; set; }
public string LastName { get; set; }
}
Setting up ServiceStack with Redis & your custom Authentication Provider:
You will need to configure ServiceStack to use Redis and tell it to use your custom authentication provider. You do this by adding the following to your Configure method in your AppHost:
public override void Configure(Funq.Container container)
{
// Configure ServiceStack to connect to Redis
// Replace with your connection details
container.Register<IRedisClientsManager>(c => new PooledRedisClientManager("127.0.0.1:6379"));
container.Register<ICacheClient>(c => c.Resolve<IRedisClientsManager>().GetCacheClient()).ReusedWithin(Funq.ReuseScope.None);
// Add your custom credentials provider
Plugins.Add(new AuthFeature(() => new AuthUserSession(),
new IAuthProvider[] {
new MyRedisBasicAuthProvider()
}
));
// Add some test users. (If you have an existing Redis user source, you won't need to add test users.)
MyRedisBasicAuthProvider.AddUserToRedis(new MyUser {
Username = "john.smith",
Password = "test",
Email = "john.smith#email.com",
FirstName = "John",
LastName = "Smith",
});
MyRedisBasicAuthProvider.AddUserToRedis(new MyUser {
Username = "homer.simpson",
Password = "donuts",
Email = "homer.simpsons#springfield.com",
FirstName = "Homer",
LastName = "Simpson",
});
// Your other configuration settings ...
}
Notes:
In the example I haven't used a hash password, to keep the example straightforward, but this is trivial to do. Add another field public string Salt { get; set; } to the MyUser then instead of storing the plain password on MyUser store it as a hash of the password and salt i.e. hashedPassword = HashAlgorithm(password + salt). You already have code for it:
string hash, salt;
new SaltedHash().GetHashAndSaltString("password", out hash, out salt);
So this solution will now use a Redis data source to authenticate users when a service is secured using the [Authenticate] attribute. As with the standard basic provider, the credentials are authenticated at the standard /auth/basic route.
Using the Credentials provider instead of Basic:
If you want to use a credentials provider for form posts, instead of Basic authentication you can simple replace the word Basic with Credentials in the code above.
I hope this helps.
I am trying to write my own authentication, so I inherited CredentialsAuthProvider and have overridden the Authenticate method. Auth is working fine, also when i call another service i can see all data that i saved in the session.
The Problem is: When i try add the Authenticate attribute and call it from a client, it goes and throws an Unauthorized exception, even if i want to use Requered Role.
Auth service is:
public class CustomCredentialsAuthProvider : CredentialsAuthProvider
{
public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
{
return true;
}
public override object Authenticate(IServiceBase authService, IAuthSession session, Auth request)
{
session.FirstName = "Name";
//...
session.Authenticate = true;
session.UserName = request.UserName;
session.Roles = new List<string>;
session.Roles.Add("admin")
//....
authService.SaveSession(session, SessionExpiry);
// Return custom object
return new UserAuthResponse { SessionId = session.Id ......};
}
AppHost is:
public override void Configure(Container container)
{
Plugins.Add(new AuthFeature(() => new AuthUserSession(), new IAuthProvider[] {
new CustomCredentialsAuthProvider()
}));
Plugins.Add(new RegistrationFeature());
container.Register<ICacheClient>(new MemoryCacheClient());
var userRep = new InMemoryAuthRepository();
container.Register<IUserAuthRepository>(userRep);
}
and test service:
[Authenticate]
public class TestService : Service {
public object Any(UserRequest request) {
return new UserResponse{Name = request.Name};
}
}
It is not real code, so sorry for syntax mistake!))))
But the idea is the same! Help me please what is wrong, why I got Unauthorized exception when i call Test service??????????
When I had this issue, I had to create a custom authenticate attribute [CustomAuthenticate] with guidance from this gist -> https://gist.github.com/joeriks/4518393
In the AuthenticateIfBasicAuth method, I set provider to use MyAuthProvider.Name instead of BasicAuthProvider.Name
Then,
[CustomAuthenticate]
public class TestService : Service {
public object Any(UserRequest request) {
return new UserResponse{Name = request.Name};
}
}
Also see: http://joeriks.com/2013/01/12/cors-basicauth-on-servicestack-with-custom-authentication/
How can I save something using FormsAuthentication? I don't want to store UserId through URL's.
For example, now I have this code:
//UserController class:
[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
if (ModelState.IsValid)
{
if (repository.ValidateUser(model.Login, model.Password))
{
FormsAuthentication.SetAuthCookie(model.Login, model.RememberMe);
if (Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Project", "Index");
}
}
else
{
ModelState.AddModelError("", "Incorrect name or password.");
}
}
return View(model);
}
ProjectController class:
public ViewResult Index()
{
return View(repository.GetUserProjects(
this.ControllerContext.HttpContext.User.Identity.Name));
}
ProjectRepository:
ProjectsContext context = new ProjectsContext();
UsersContext uCnt = new UsersContext();
public IEnumerable<Project> GetUserProjects(String username)
{
if (String.IsNullOrEmpty(username))
throw new ArgumentNullException("username", "Login is empty");
return this.uCnt.Users
.FirstOrDefault(u => u.Login == username)
.Projects
.ToList();
}
ProjectController and ProjectRepository don't looks like good code... Maybe someone can give advise, how to store UserID without using URL's? Best way to do this is save IDs on autorisation, I think. I don't found any properties in User.Identity to do this...
UPD
I beg a pardon, but I forgot to say that I'm using MVC-3 with Razor view.
And that UserId is not a string (User.Identity.Name is a string) it could be GUID or maybe my own object...
Save the UserID in the UserData property of the FormsAuthentication ticket in the authorization cookie when the user logs on:
string userData = userID.ToString();
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, user.Email,
DateTime.Now, DateTime.Now.AddMinutes(FormsAuthentication.Timeout.TotalMinutes),
createPersistentCookie, userData);
string hashedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashedTicket);
HttpContext.Current.Response.Cookies.Add(cookie);
You can read it back in the PostAuthenticateRequest method in Global.asax:
HttpCookie formsCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (formsCookie != null)
{
FormsAuthenticationTicket auth = FormsAuthentication.Decrypt(formsCookie.Value);
Guid userID = new Guid(auth.UserData);
var principal = new CustomPrincipal(Roles.Provider.Name, new GenericIdentity(auth.Name), userID);
Context.User = Thread.CurrentPrincipal = principal;
}
Note that in this case, CustomPrincipal derives from RolePrincipal (although if you're not using Roles, I think you need to derive from GenericPrincipal), and simply adds the UserID property and overloads the constructor.
Now, wherever you need the UserID in your app, you can do this:
if(HttpContext.Current.Request.IsAuthenticated)
Guid userID = ((CustomPrincipal)HttpContext.Current.User).UserID;
Why not first make all your authorization calls via an interface. This way all of your code which uses authentication does not need to be concerned about how the login is performed, or how the Indentity is stored, etc.
public interface IAuthorization
{
bool ValidateUser(LoginUser u, string password);
LoginUser GetCurrentUser();
void LogIn(LoginUser user);
void LogOut();
IIdentity GetCurrentUserIdentity();
}
Implemenation for the IIdentity GetCurrentUserIdentity could be any way you like, but is commonly seen as a call to "HttpContext.Current.User.Identity"
public class Authorization : IAuthorization
{
/// <summary>
/// Get the IIdentity for the current logged in user
/// </summary>
/// <returns>IIdentity</returns>
public virtual IIdentity GetCurrentUserIdentity()
{
return HttpContext.Current.User.Identity;
}
/// <summary>
/// Log the user in
/// </summary>
/// <param name="user">User details</param>
public void LogIn(LoginUser user)
{
InvalidCredentialsOnNullUser(user);
FormsAuthentication.SetAuthCookie(user.Name, false);
}
/// <summary>
/// Log the user out
/// </summary>
public void LogOut()
{
FormsAuthentication.SignOut();
}
private static void InvalidCredentialsOnNullUser(LoginUser user)
{
if (user == null)
{
throw new InvalidCredentialException("That user doesn't exist or is not valid.");
}
}
// other methods....
}
The LoginUser class you see is information which is retrieved about a membership user. This is commonly done via a MembershipProvider but of course can be done other ways.
public class LoginUser
{
public string Name;
public Guid Key;
public string EmailAddress;
public bool IsApproved;
public bool IsLockedOut;
public DateTime CreationDate;
public DateTime? LastLoginDate;
public DateTime? LastPasswordChangedDate;
}
I'm not sure I understand the question correctly but if you're referring to a way of retrieving who the current user is without passing it through the URL (e.g. http://localhost/controller/action?username=RAMe0) then you can look at using Thread.CurrentPrincipal.Identity.Name or HttpContext.Current.User
There are subtle differences between the two however. Look here for more details.
Using FormsAuthentication you can store the Username in the User.Identity.Name property. Here's a simple example of what you probably are looking for. (Using the same SetAuth you're already using)
public ViewResult Index() {
return View(repository.GetUserProjects(this.User.Identity.Name));
}
This doesn't require you to pass the username in through a QueryString parameter.