I have used the Silverlight BusinessApplication template in VS2010. I have changed the AuthenticationService to use my own Authentication methods - the requirement is that the user logs into the system with their SQL login (no AD in the company).
On login, I construct a SQLConnection, attempt to open it, then I get their details (friendly name, roles etc) from a User table. I then store the username and password that they entered and any time they hit the DB through a DomainService I override CreateObjectContext and insert the username and password they entered into the DB.
I have changed the AuthenticationService to inherit from IAuthentication and LinqToEntitiesDomainService, mainly for accessing the User table.
I'm running into an issue when starting the application, before the user has logged in. The LoginStatus control that comes with the BusinessApplication template has the following line:
private readonly AuthenticationService authService = WebContext.Current.Authentication;
This causes the constructor of my AuthenticationService to be called and, as part of that, the ObjectContext is attempted to be created but the user has not yet logged in so I have no username + password to add into the connection string. For dev. purposes I just use my username and password if not logged in but I'm now required to fix this.
Any ideas on how I can get round this? My options as far as I can see are:
Don't use EF (I would rather use it as the rest of my data access is done using EF).
Create a dummy user in the DB and use this as the credentials if not logged in (not ideal).
Is there another way round this? On construction of my AuthenticationService prevent CreateObjectContext being called?
Any help/suggestions appreciated.
Update
I changed my AuthenticationService to inherit from DomainService rather than LinqToEntitiesDomainService and used a SqlDataReader to get the User data that was required but I'm stil curious as to whether there is another way.
Follow this example:
http://code.msdn.microsoft.com/Custom-Authentication-96ca3d20/view/Reviews
Note that there is a DbDomainService in case you use DbContext, not ObjectContext.
Related
I'am creating application which can be used by unknown and logged in users. Only difference is that logged in user can use some additional functions like saving its content in database.
All communication is based on ajax calls, so what I need is to deny access to some controller functions (end points) in backend for unknown users and on the client side I need to know that it is in logged in state to set this extra functions active. Only one page, login form should be in dialog. I'm little bit confused, because standard Spring Security aproach doesn't fit this case. I was reading this tutorial but I cant't fully understand it.
First: What Principal object does? They send credentials to this endpoint on submit with login() function but where is handled password check? What if I have my users in database?
Second Is it possible to write this configuration in XML style? I guess that it can be done with <intercept-url/> in spring-security.xml file.
Principal Object
The Principal Object is used to be able to get basic information about a user that is attempting to login when using automatic server authentication (i.e. LDAP). However, you will only be able to get a username from the principal object. With a server JBoss/WildFly, for example, you can link the server to Active Directory to allow Microsoft Windows to authenticate users.
Simple Solution
First, Spring Security will add additional complexity to your application where it doesn't sound like you are trying to do that. Instead, use a simple Servlet Filter. If you are using LDAP on a JBoss/WildFly sever, you can make a POST to j_security_check and the server will send the request to the filter if correct credentials are provided. Inside the filter, you may use the getName() function of the Principal object to get the username so that you may store it in the user's session. However, if you are not using LDAP, you may make a simple POST to a Java Servlet or Spring Controller (with an #RequestMapping) to attempt to login the user and store the user's information in the session.
At this point, you can filter out what URLs you will allow users to see. For example, the URL that contains /administrator/some/other/stuff.jsp could be restricted if the URL contains the word "administrator" in the first directory of the URL.
I have an app that requires login for users. However, to keep matters simple, we are only supplying the user with a unique code, so that they just enter the code and that code logs them in. This code is only valid for two weeks, and will never be repeated.
However, our Admin also needs to log in but the admin requires a username and password.
How will I modify the AppController to allow for both logins? I'm using the AclExtras plugin for Authentication
The one login is located under APP/Users/enter (for the users), the other is under APP/Users/login (for the admins)
Implement a custom Auth adapter that checks for the token. No need to have a separate action except you explicitly want that.
Cake is iterating over all loaded auth adapters so you can have username and password and the token in the same form. If the regular form adapter returns false but the token auth adapter true the user is logged in.
Check the books section about auth. It has all information you need to understand what needs to be done.
You can just make a simple if/else in your AppController checking if the field for unique code is passed, if not then you can implement login with username/password. In all other cases you can implement login by unique code.
I am building a web service that will allow the user to login and then it will download all there timetable data from another site (Which I don't own). I want to only need them to enter there username and password once to login to my service then to use it again to login to the next. I need to store there downloaded data against there user details, but I know I have to hash the password for security reasons in the DB so how can I use this to login to the second service. I though of unhashing but that defeats the whole point of hashing in the first place.
The reason I want to do this is so that the timetabe can then be downloaded to an android app so it can be viewed when there is no data connection.
Any Ideas would be helpful.
if those services gives you a "Token" after you login , you can store that in your database to access again to those services, so when the user logged on your webservice , before hash their information you can use it to login to the others services, and then store their "Token"
this approach only works if they give you something like a token after login, if they dont, i think you will need store the login information as it is , and at least encode on base64, that is not that secure but not that obvious
other idea is maybe create a separate database with only the login information and can be access only with their login (hashed) , but that means you need to create an user on your database and grant access only to that specific DB ,read-only
im sure there are more solutions, but hope that it can be helpful
I am interested in testing the incoming password field for a particular admin level password. If it matches, I want it to manually have Auth log in with whatever username they want (submitted via form)
My understanding is Auth, in taking the data, will only authorize it if it sees the same email/hashed password in the database. Is there a way to get around this check to manually set it? Even $this->Auth->login(..) will do this check right?
$this->Auth->login($userId)
Auth::login accepts either a username/password combination or simply a user id (the primary key of the user model in the database).
see my answer here: Using username instead of email in CakePHP's Auth Component
It's not the same question, but the idea is, when the login fails, you can intercept it and do what you want.
I have a table in my SQL2008 DB for Users and one for Roles and then the UserRoles bridging table. I am at the point where I have to RoleProvider to work and have decorated some of my Actions with [Authorize(Roles = "Administrator,Developer")]
I actually build the navigation on my site per user so the RoleProvider is just to prevent a lower level user from getting the URL from his Admin buddy and going to a page that he is not supposed to.
We build the site navigation on a per user base and have a mapping between the user, his role and the pages that the role he is in is allowed to see. I just want to know if there is any way to change the [Authorize(Roles = "")] to get the list of roles with permission to that action dynamically from my database? That way I do not have to go decorate all actions that I have, it will just be pulled from the DB as if by magic.
A simple example will be appreciated, thank you.
Jack
I basically wrote my own CustomAuthorize class that inherits from AuthorizeAttribute and in the OnAuthorization I did the look-up for access. If the user does not have access I basically do:
filterContext.Result = new HttpUnauthorizedResult();
filterContext.Result = new RedirectResult("/accessDenied");
Works, and I decorate my methods with: [CustomAuthorize]