What is the ideal way to verify login with WatiN? - authentication

I am trying to find the best way to verify if the user is logged in and what role they are on, I'm thinking of a few ways to handle this.
1: Store the login status and role in an invisible control and read it.
2: Use a web service that WatiN can direct to that will return method calls
Any other ideas?

Does logging in produce visible changes in your UI? If it does, I would test for the existence of the markup which underlies these changes. If it doesn't I would ask myself the question, "What changes does logging in produce from a user's perspective?" I would then test for the existence of one or more of those changes. This might be something like the correct loading of a page that only a logged in user can access or the existence of a button or link to access content only provided to authenticated users.
This is what WatiN is designed to test: correctness of application function from the perspective of an actual user. I would hate to see you have to resort to adding hidden fields or extra web services just to support your testing tools.

We check this in exactly the way Waylon suggests.
public bool IsLoggedIn
{
    // Logged in when the "Login" link is gone and the "Logout" link is present,
    // i.e. exactly what a real user would see after signing in
    get { return !this.loginLink.Exists && this.logoutLink.Exists; }
}
HTH!

Related

Adding Custom SignInResults to what's returned from a SignInManager<TUser> PasswordSignInAsync

I want to guarantee that all of my users on sign-in have signed our EULA, and to me, it's similar to the built-in SignInResult.TwoFactorRequired, because I'd like to kick them through the EULA signing process before finalizing their sign-in. Does anyone know of any resources that show how to create a custom SignInResult so that all of the users of my Identity server will have to follow the same rules on sign-in?
I'd implement a custom SignInManager, but PasswordSignInAsync still returns a concrete SignInResult and I'm not sure if it's possible to wedge in my additional desired states there.
Yeah, you're not going to be able to just override PasswordSignInAsync, but you could create a new method that returns your custom result class and simply hands off the actual sign-in part to PasswordSignInAsync.
However, by the time you get done creating derived types, with custom methods and states, and bootstrapping everything, it is probably simpler and more straightforward to just read the value from the user after sign-in and react accordingly. For example, you can (and probably should) set the EULA acceptance as a claim on the user. Then, you can just do something like:
// sign in user
if (User.FindFirstValue("eula") == null)
{
    // no EULA acceptance claim yet: send them to the acceptance page first
    return Redirect("/eula");
}
Even better, you can create a custom action filter that checks if the user is authenticated, and if so, whether they have the claim. If not, then you redirect to your EULA acceptance page. Then that action filter can be made global in Startup.cs and you don't even need to think about it anymore.

Meteor: Dealing with authentication token without registered user

Hard to find a meaningful title. I hope I get clearer now.
I'm building a service which is similar to doodle regarding the authentication model. The user can "create" something (using a form). There will be two different views. One for the creator where he can modify his settings and another one for public access.
I don't want to force users to register / log in. So I came up with a URL structure like doodle has:
/{some-id} -> public access
/{some-id}/admin/{some-token} -> settings page for the owner
The question now is how I can deal with this best. Currently I pass the token to all admin-related methods. But I don't feel comfortable with that.
I also thought about some server-side session. I found two Meteor packages, but neither of them is actively maintained anymore.
Another idea was to misuse the built-in user management without the user recognizing it. But I don't think that's feasible.
So now I'm asking you if you have a nice way of dealing with this. I hope I made clear what I want to do.
There are many ways of doing it. One way is to reuse the Accounts package.
Your user id is {some-id} and the password is {some-token}.
When you create a new page, you create a new user on the server side using Accounts.createUser.
When you enter the URL /{some-id}/admin/{some-token}, call Meteor.loginWithPassword.

How to set Meteor.user()

My Meteor app uses GitHub authentication. After a user has authenticated, Meteor.user() returns the current authenticated user (on the client and server).
What I now need is to run my application without authentication. But Meteor.user() should return some user because my code expects it. Is there any way I can tell my Meteor app what Meteor.user() should return?
Meteor.user() always returns the current user. If there is no user logged in, then Meteor.user() returns null. You cannot change that behavior.
The thing to do then is probably modify your app code in such a way that different code is run when no user is logged in. You can do that like so:
if (Meteor.user()) {
    // do stuff when user is logged in
} else {
    // do stuff if user is not logged in
}
I am not sure what exactly you are trying to achieve, but maybe creating a custom login handler for anonymous users will help. Take a look here for a very nice explanation by Arunoda on extending Meteor's account system.
Though, I think that the best way to go would be to make your code independent of the fact that Meteor.user() might be null-ish, as #fritzi2000 suggested.
Please note that Meteor.user() may potentially return null even if the user is actually logged in and Meteor.userId() is set properly. This is because Meteor.user() is more or less equivalent to
Meteor.users.findOne({_id: Meteor.userId()});
so it relies on some particular data being fetched from the server. Hence, it's always better to verify the logged-in status with Meteor.userId().

What is the most secured way to check if a user is already logged in?

I have read many questions like my question title, none of them give me a solution.
I am implementing a website (using the Struts2 framework) and I don't know what is the most secure way to check if a user is already logged in or not. My site has a payment feature, so I should really be careful about this.
All the solutions I have read are similar to this:
// Is there a "user" object stored in the user's HttpSession?
Object user = session.getAttribute(USER_HANDLE);
if (user == null) {
    // The user has not logged in yet.
}
else {
    // The user has logged in.
}
I was wondering whether there is any chance that some bad guys can create a fake session object like the user object and then log in to the system without a valid password?
I also want to know whether it is a practical way, on every page that requires login, to not just check that the user object is not null, but also check the username and password in the database?
Maybe you should use a security framework like Spring Security or Apache Shiro.
Security issues always depend on your requirements, in simple terms on which kind of security you want, because there are various layers of security regarding the web. But as you have mentioned, you can achieve this using Struts2 interceptors, because they provide you a way to perform some essential operation before and after your action is called. For example, refer to this link.
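As an added example (not code from either answer above), this is what the interceptor approach looks like for the session check in the question: one Struts2 interceptor, applied to every action that requires login, that reads the same USER_HANDLE session attribute. The class name, package and struts.xml names are assumed.

```java
import java.util.Map;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Runs before every action it is applied to. Anonymous requests are short-circuited to
 * the "login" result, so the body of a protected action never executes for them.
 *
 * Wiring (struts.xml inside your package; names are hypothetical):
 *   <interceptors>
 *     <interceptor name="loginRequired" class="example.LoginRequiredInterceptor"/>
 *     <interceptor-stack name="secureStack">
 *       <interceptor-ref name="loginRequired"/>
 *       <interceptor-ref name="defaultStack"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <global-results><result name="login" type="redirect">/login.action</result></global-results>
 */
public class LoginRequiredInterceptor extends AbstractInterceptor {

    // Same session key as the question's snippet; the login action stores the user here
    // only after the password has been checked against the database.
    public static final String USER_HANDLE = "user";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // Struts2 exposes the HttpSession as a Map. That map lives on the server; the
        // browser only holds the session id cookie, so a client cannot plant a fake
        // "user" entry. What must be protected is the session id itself (unguessable,
        // sent only over HTTPS, regenerated at login), not the object behind it.
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = session.get(USER_HANDLE);

        if (user == null) {
            // Not logged in: stop here and send the user to the login page.
            return Action.LOGIN;
        }
        // Logged in: continue with the rest of the stack and the action itself.
        return invocation.invoke();
    }
}
```

Because the check runs on every request to a protected action, there is no need to re-verify the password from the database on each page; the server-side session entry is the proof of an earlier successful login.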

GWT: Authentication for some part of application using GWT login page

My application has some features that are accessible to all users, and some other features to which access should be restricted to authenticated users only. All these restricted features exist within some set of GWT Places; thus, all Places available in the application can be divided into two groups: "accessible for all" and "restricted". In my opinion, places with restricted access could implement some interface (let's say it would be RestrictedAccess), and if a user proceeds to one of them and has not been authenticated yet, they will be redirected to the login screen. It's a more OO approach than applying filters based on the URL.
What I'm trying to achieve is:
Information about whether the user has been authenticated or not should be stored on the server (it's not something that could be stored in a cookie...)
Login page is a standard GWT place+view+activity (!)
User name & password validation is done on the server side.
So far, I've introduced RestrictedAccess interface, which is implemented by some set of places. My FilteredActivityMapper.Filter implementation, which is passed to the FilteredActivityMapper wrapping application activity mapper has the following logic:
Place filter(Place place) {
    if (place instanceof RestrictedAccess && !userHasBeenAuthenticated()) {
        return new LoginPlace();
    }
    // return the original place - user has been already authenticated or
    // place is accessible for all users
    return place;
}
private boolean userHasBeenAuthenticated() {
    // remote call - how to do ???
}
The problem is with the userHasBeenAuthenticated() method (the user should not be redirected to the LoginPlace if they have already been authenticated). If I want to store this information on the server side, I have to do a GWT RPC/RequestFactory call here, but both are asynchronous, so I cannot work on the result in the filter method.
I know that I can use web.xml filters or some external framework (e.g. Spring Security), but none of these approaches allows me to have the login page as a standard GWT-based form, or to indicate in a more OO way that access to some place should be restricted.
Thanks in advance for any hints
EDIT: I've started wondering if places filtering (restricted/not restricted) should take place on the client side at all. If, as it was suggested, there is a possibility to hack the code indicating whether the user has been authenticated or not, there is also the possibility to hack the places filtering code, so that it will be possible to access restricted places without signing in.
Piotrek,
I think there is a security issue with calling userHasBeenAuthenticated() - it would be possible to hack the client-side code to return true every time this function is called.
The solution I've implemented is to simply return SC_UNAUTHORIZED if an unauthenticated user attempts to access any remote service. I've overridden the RequestFactory onResponseReceived function which redirects to a login page if the response is SC_UNAUTHORIZED. Idea taken from:
http://code.google.com/p/google-web-toolkit/source/browse/trunk/samples/expenses/src/main/java/com/google/gwt/sample/gaerequest/client/GaeAuthRequestTransport.java
This works for our situation where the Activities and Places are all data-centric - each place change retrieves data from the server. If a user isn't authenticated they simply don't get the data and get redirected to a login page.
I realize your situation is slightly different in that some places are accessible to everyone, in which case you could configure only the restricted services to return SC_UNAUTHORIZED.
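The server-side half of the approach described above, as an added example (not the answerer's code and not the linked GaeAuthRequestTransport): a servlet filter mapped only to the restricted service endpoints, so anonymous callers get SC_UNAUTHORIZED and no data while public places keep working. The URL pattern and the session attribute name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Applied only to the restricted RequestFactory/RPC endpoints (path is hypothetical).
 * Public services are not mapped here, so "accessible for all" places stay anonymous.
 */
@WebFilter(urlPatterns = {"/app/restricted/*"})
public class RestrictedServiceFilter implements Filter {

    // Session attribute set by the server-side login code after validating the password
    // (attribute name assumed for this example).
    static final String AUTH_USER = "authenticatedUser";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so an anonymous caller cannot
        // obtain one just by hitting a restricted service.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(AUTH_USER) != null;

        if (!authenticated) {
            // The decision is made here, on the server. A tampered client that skips its
            // place filter still receives no data, only a 401 that the client-side
            // RequestTransport turns into a redirect to the LoginPlace.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```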
I have a similar application with the same requirements. As yet I have not got round to the implementation, but I was thinking along the same lines.
What I was planning on doing is storing the authentication state client side in an AuthenticationManager class. When the app starts I was going to request the login info from the server (I was thinking of running on App Engine, so I would get the authentication state and also get the OpenID login/logout URLs) and store this in the AuthenticationManager. Acegi/Spring Security works in a similar way, so this info is available server side if you use those too.
When the user logs in/out they will be redirected by the server and the new state will be retrieved. This should keep the client authentication state in line with the server. Each RPC request on the server has to be checked for authentication too. I was using the gwt-dispatch library and this has some rudimentary authentication checking and cross-site scripting protection in it too (although I think the latest GWT has this for generic RPC).
One issue is session timeouts. Again the gwt-dispatch library has some code that detects this and returns session expired exceptions to the client, which can be intercepted and the auth manager updated.
Hope that makes some sense.