How do you use CakePHP Auth component across subdomains? - cakephp

(Using CakePHP) I'm looking to set up a sub-domain for user creation, password changes and credit card information views, as in:
secure.mydomain.com (https)
- User/Create
- User/Login
- User/UpdateCreditCardInfo
app.mydomain.com (http)
- once logged in using the "secure" site, the user will be able to access application specific views
Using the CakePHP Auth component on both my sub-domains, how do I persist the login information when the user is authenticated on "secure" and is then redirected to the "app" sub-domain?

See: http://book.cakephp.org/view/173/Sessions
To provide a custom configuration, set the Session.save configuration value to a filename. CakePHP will use your file in the CONFIGS directory for the settings.
Configure::write('Session.save','my_session');
This will allow you to customize session handling.
// Cookie path is now '/' even if your app is within a sub
// directory on the domain
$this->path = '/';
ini_set('session.cookie_path', $this->path);
// Session cookie now persists across all subdomains
ini_set('session.cookie_domain', env('HTTP_BASE'));

That's a general problem with cookies. They're only valid within the domain they were set and its subdomains. app.example.com is not a subdomain of secure.example.com, so you can't transition cookies between them.
You can set a cookie at example.com and make it valid for all its subdomains, including app.example.com and secure.example.com. You can then modify the cookie on these subdomains.
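Added example, not part of either answer above: a small model of RFC 6265 cookie matching (domain, path, Secure) that shows which session cookies a browser would attach to requests for the two subdomains in the question. Host names and cookie names are constructed for the demo. It covers the first answer's settings (env('HTTP_BASE') yields the parent domain, here assumed to be '.mydomain.com'; cookie_path forced to '/') and the second answer's point that a cookie set by secure.example.com without a Domain attribute is never sent to app.example.com, while a cookie scoped to the shared parent is sent to both. Two caveats it makes visible: once the session cookie is scoped to the parent domain, every subdomain can read and rewrite it, so a weak subdomain puts the login at risk; and because app.mydomain.com in the question is plain http, the shared cookie cannot carry the Secure flag without breaking the app subdomain, so the session ID travels in cleartext.

```javascript
// Added example: RFC 6265 cookie matching applied to the question's two subdomains.
// All host names, cookie names and values below are constructed for the demo.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when it is the
// same string or ends with "." + domain; an IP address never matches a domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ''); // browsers ignore a leading dot
  if (h === d) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return false;
  return h.endsWith('.' + d);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Model a Set-Cookie received from host `setBy`. Without a Domain attribute the
// cookie is host-only (returned only to that exact host). With one, the setting
// host must itself domain-match it, otherwise the browser rejects the cookie.
function makeCookie({ name, value, setBy, domain = null, path = '/', secure = false }) {
  const host = setBy.toLowerCase();
  if (domain !== null && !domainMatches(host, domain)) {
    throw new Error(`${host} may not set a cookie for Domain=${domain}`);
  }
  return {
    name, value, path, secure,
    hostOnly: domain === null,
    domain: domain === null ? host : domain.toLowerCase().replace(/^\./, ''),
  };
}

// RFC 6265 section 5.4: names of the stored cookies attached to a request for `url`.
function cookiesFor(jar, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter(c => pathMatches(u.pathname, c.path))
    .filter(c => !c.secure || u.protocol === 'https:') // Secure cookies stay off http
    .map(c => c.name);
}

// Constructed jar: the CakePHP session cookie under four configurations.
function buildJar() {
  return [
    // CakePHP default: Set-Cookie without Domain, issued by the secure subdomain.
    makeCookie({ name: 'CAKEPHP_hostonly', value: 'sid1', setBy: 'secure.mydomain.com' }),
    // After ini_set('session.cookie_domain', '.mydomain.com') as in the first answer.
    makeCookie({ name: 'CAKEPHP_shared', value: 'sid2', setBy: 'secure.mydomain.com',
                 domain: '.mydomain.com' }),
    // Same, plus the Secure flag.
    makeCookie({ name: 'CAKEPHP_shared_secure', value: 'sid3', setBy: 'secure.mydomain.com',
                 domain: '.mydomain.com', secure: true }),
    // Path-scoped variant, to show why the first answer forces cookie_path to '/'.
    makeCookie({ name: 'CAKEPHP_pathed', value: 'sid4', setBy: 'secure.mydomain.com',
                 domain: '.mydomain.com', path: '/secure' }),
  ];
}

// Which cookies reach each request in the question's flow.
function demo() {
  const jar = buildJar();
  return {
    loginOnSecure: cookiesFor(jar, 'https://secure.mydomain.com/User/Login'),
    appOverHttp:   cookiesFor(jar, 'http://app.mydomain.com/dashboard'),
    appOverHttps:  cookiesFor(jar, 'https://app.mydomain.com/dashboard'),
    lookalike:     cookiesFor(jar, 'https://evil-mydomain.com/'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: only CAKEPHP_shared reaches http://app.mydomain.com, the host-only cookie never leaves secure.mydomain.com, and the Secure variant is withheld from the http subdomain entirely.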

Related

whitelist domain names on Azure AD with App Registration

The authentication process for O365 requires adding the redirect URL in a whitelist on the app’s dashboard on Azure.
However, this whitelist doesn't work with domain names. It requires adding the entire URL for every page, which is not possible if you have a huge number of URLs, plus some of the URLs are dynamically generated by the backend.
Is it possible to whitelist the domain with all its sub-directories/URLs in one go?
No, it is not (unless you want to use wildcards, which you shouldn't).
In general, when you need dynamic redirects, you should store the location you want to redirect to locally, in a cookie, the session, local storage or session storage. Then use a single redirect URL, and when the redirect arrives there, read that stored "local redirect URL" from wherever you stored it and redirect the user there.
I touched upon this on a recent article: https://joonasw.net/view/avoiding-wildcard-reply-urls-with-msal-js
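Added example, not the answer's own code: the store-then-redirect flow described above in plain JavaScript, with the same-origin check the stored location needs. If the "local redirect URL" can be influenced by a query parameter or by other script on the origin, following it blindly after login is an open redirect, so the value is reduced to a same-origin path both when stored and when read back. The app origin https://app.example.com and the storage key are assumptions, and a Map stands in for sessionStorage so the code runs outside a browser.

```javascript
// Added example: single registered reply URL plus a locally stored return path.
// APP_ORIGIN and RETURN_KEY are assumptions for the demo; a Map replaces sessionStorage.

const APP_ORIGIN = 'https://app.example.com'; // assumed app origin
const RETURN_KEY = 'postLoginReturnPath';     // assumed storage key

// Reduce a candidate location to a same-origin path. Anything that resolves to
// another origin (absolute URL to another host, protocol-relative "//host",
// backslash variants, "javascript:" and friends) falls back to the default.
function sanitizeReturnPath(candidate, appOrigin = APP_ORIGIN, fallback = '/') {
  if (typeof candidate !== 'string' || candidate === '') return fallback;
  let u;
  try {
    u = new URL(candidate, appOrigin); // relative input resolves against our own origin
  } catch (e) {
    return fallback; // unparseable input is not worth following
  }
  if (u.origin !== appOrigin) return fallback;
  return u.pathname + u.search + u.hash; // never an absolute URL
}

// Before handing the user to Azure AD: remember where they were. The app then
// redirects to its one registered reply URL (the MSAL call itself is not shown).
function rememberReturnPath(storage, currentHref, appOrigin = APP_ORIGIN) {
  const path = sanitizeReturnPath(currentHref, appOrigin);
  storage.set(RETURN_KEY, path);
  return path;
}

// On the reply URL after the token comes back: read the stored location once,
// sanitize it again (storage is writable by any script on the origin) and
// return the path the app should navigate to.
function resumeAfterLogin(storage, appOrigin = APP_ORIGIN) {
  const stored = storage.get(RETURN_KEY);
  storage.delete(RETURN_KEY); // one-shot: a stale value must not redirect a later login
  return sanitizeReturnPath(stored, appOrigin);
}

// Usage: a deep link survives the round trip; a planted external URL does not.
const storage = new Map();
rememberReturnPath(storage, 'https://app.example.com/orders/42?tab=items');
console.log(resumeAfterLogin(storage));           // /orders/42?tab=items
storage.set(RETURN_KEY, '//evil.example/phish');   // value planted by other script
console.log(resumeAfterLogin(storage));           // /
```

The check relies on the WHATWG URL parser's own resolution rules rather than a hand-written prefix test, which is what makes the backslash and protocol-relative cases come out right.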

Validating subdomain of url globally

I want to check whether the current subdomain in the URL is valid or not. I'm able to validate whether the current URL has a subdomain or not. I want to make an API call from Angular to the backend with the subdomain name and check if it is valid. Where is the best place in Angular to do this? app.run? Some factory?
Only if it is valid should it display the site contents, otherwise redirect to an unauthorized page. I also need to check whether the current session cookies are valid for the current subdomain. I guess I can do this by creating a cookie for that subdomain only and not a global domain cookie, right?

Firebase Simple Login for Facebook fails with "Given URL is not allowed by the Application configuration"

I am following along with this article:
https://www.firebase.com/blog/2014-07-25-ionic-simple-login.html
I am building an android app though.
When I click the facebook login button, Facebook gives me this error:
Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.
On Facebook Developers, in my app's basic settings, I have the site url and mobile site url set to http://localhost/. On the advanced screen, I have "Valid OAuth redirect URIs" set to include these urls:
https://auth.firebase.com/v2/<firebase-app-name>/auth/facebook/callback
http://localhost
http://127.0.0.1
http://<firebase-app-name>.firebaseapp.com/
Client OAuth Login and Embedded browser OAuth Login switches in the same section are set to "Yes".
In the Status & Review tab, I have made this app available to the general public.
I thought it might have something to do with the whitelisting of the URLs, but the article doesn't mention whitelisting android apps. I did edit my project root's config.xml file to include
<access origin="*.firebaseio.com" />
<access origin="auth.firebase.com" />
Strangely I don't see this in <project-root>/platforms/android/res/xml/config.xml after running cordova build. This is just a guess at this point, I have no clue what's going on and could use some help!
Note: <firebase-app-name> is set to the actual name of the firebase app, and my controller also includes the proper name.
Update: I have been playing around with the urls in App Domains, Site URL, and Mobile Site URL on the facebook developers page, figured that might be the other problem, but so far no luck.
In order to use Firebase authentication, you'll need to set the Site URL to https://auth.firebase.com/v2/<firebase-app-name>/auth/facebook/callback.
#yatin, the problem you have is that you are including the .firebaseio.com extension of your app name.
For example
your appname = tester
your url = tester.firebaseio.com
https://auth.firebase.com/v2/tester.firebaseio.com/auth/facebook/callback -- WRONG
https://auth.firebase.com/v2/tester/auth/facebook/callback -- RIGHT
N.B. The app name without the .firebaseio.com

Siteminder SSO + Spring Security + Angular JS

I have seen a lot of examples where there is a custom login page with Angular JS, and then we make a REST POST call with the username/password, and then Spring authenticates based on whatever Auth Service we provide. Then we receive a success, grab the user object from Spring Security and then create a session cookie in Angular.
https://github.com/witoldsz/angular-http-auth/blob/master/src/http-auth-interceptor.js
I have also seen Siteminder integrated with Spring Security, where we install a policy agent on the web server, then grab request headers with Spring Security, then pull the roles and build a user profile object.
I'm looking for a solution where I can combine both the above. This is the scenario :
When the user requests index.html (Angular), the policy agent on the web server intercepts, authenticates with a Siteminder login page and then passes the headers to the app server. Spring Security on the app server will read the headers, pull the roles from our app database and then build a user profile object. Now here I want to continue the flow and display the Angular page, but I'm trying to figure out how to send the user profile object to Angular, because Angular is not making a POST call at this point. Also, how do I get the http-auth-interceptor into play, because I need to keep checking whether the user is still authenticated on the change of every view/state in Angular.
Help appreciated ! Thanks !
You may implement a tiny JSON REST service "/your-app/profile" which is protected by SiteMinder, reads and evaluates the headers and returns the result as a JSON object.
Your Angular app (e.g. /your-app/index.html) should also be protected by SiteMinder, so you receive an immediate redirect to the SSO login when accessing it without a session. In addition, it must read the JSON REST resource "/your-app/profile" when loaded. It must also expect that SMSESSION is missing when reading "/your-app/profile" and react accordingly: perform a reload of the protected index.html page to trigger an SM SSO re-login (if "/your-app/index.html" is protected; otherwise you must trigger login by a redirect to some protected resource).
If you want to constantly check to see if SiteMinder session is still present, you may either access the "/your-app/profile" or check for the presence of the SMSESSION cookie (only in case it is not set as HTTP-only).
One SECURITY NOTE: If you rely on the seamless SSO which is provided via SMSESSION cookie, be aware of the possible CSRF (Cross-Site Request Forgery) attacks!
Apparently both roles and the username will be available in Spring if the integration is done as this describes:
Integrating Spring Security with SiteMinder

Dynamic logout and login path for fosuserbundle

I have an application built in symfony 2.3 and FOSUserBundle for authenticating its users.
This application serves multiple users based on URLs; pages look like this: /urlidentifier/login. This urlidentifier is a variable, and it looks for a [0-9A-Za-z]+ to fill that slot.
FOSUserBundle config params like the login check path and logout path are saved and cached to a file (Symfony frozen parameter). For a single website, users are easily authenticated by prefixing the FOSUserBundle parameters as well as the routing.
The real issue occurs when the user is switched through multiple URLs (super privileges).
Scenario
When a super admin is logged in and authenticated via urlidentifier1/login, he could switch himself to another website without logging out. Now the URL changes from urlidentifier1/index to urlidentifier2/index and he would still be logged in, but when he tries to log out, parameters like the logout path would be urlidentifier1/logout. When logout is triggered we get an error like
"You must configure the logout path to be handled by the firewall using form_login in your security firewall configuration..."
How can I make the backend use such dynamic URLs?
