The Symfony toolbar informs the client that the user is authenticated. Despite being disconnected, the toolbar still shows the user as authenticated (authenticated => yes).
Can anyone help me?
I would suggest reading the Symfony documentation for the Security Component. It clearly states that when you allow anonymous access, the authentication => yes is merely stating that an anonymous user is being used.
In fact, if you go to the homepage right now, you'll have access and you'll see that you're "authenticated" as anon.. Don't be fooled by the "Yes" next to Authenticated, you're just an anonymous user (Quoted 5/27/2018)
If you follow the rest of the documentation you should be able to figure out how to only allow legitimate non-anonymous users to access the page.
I am using the Meteor Accounts package for OAuth login with Google.
My use case is to allow users to log in with Google and later provide them the option to opt in to linking their Google Calendar.
I.e. by default I need only the email/profile scope during login. When the user clicks a button inside the app (like "Update events to my Google calendar"), I want to get permission for accessing https://www.googleapis.com/auth/calendar.events.
One option I figured out is to call LoginWithGoogle a second time with requestPermissions.
My questions are,
Is this the correct way?
If so, how do I prompt the user to grant permission (without a further button click) if the user denied or revoked this access at a later point, i.e. when I get a 403 - insufficientPermissions error?
What are the exceptions that I need to take care of?
Your help is highly appreciated.
I would like to track anonymous user actions as if the user were authenticated. The goal is to let users perform actions (normally reserved for authenticated users) and save them in the database with a special status (not visible until the user logs into the application).
For example:
An anonymous user replies to a comment.
The system detects that the user is not logged in and saves the comment with the special status 'waiting for authentication'.
The system asks the user to log in in order to complete the registration of the comment.
The user logs into the application.
The system checks for the 'waiting for authentication' status and updates/associates the entries with the authenticated user.
Do you have any suggestions / experiences implementing this type of functionality? Maybe Symfony already has a feature/bundle for that?
What you are trying to do is similar to Lazy Registration, which is a proven concept. It is well implemented here at Stack Overflow: it allows you to post messages after providing an email address. It works similar to this one:
http://www.90percentofeverything.com/2009/03/16/signup-forms-must-die-heres-how-we-killed-ours/
However, if you really want to go your way, without asking the user for an email address, I would recommend storing the data in the browser's local storage. It would save you a lot of work on the backend side. Data would be transferred to the backend only when the user registers. This way you will also prevent database pollution with users who never registered. http://blog.teamtreehouse.com/storing-data-on-the-client-with-localstorage
You could use the IP address, but it won't be very effective because one user can access your website from many IP addresses (wifi, 3g/4g connection ...).
You can rely on cookies, but once he logs in from another device you can't do anything about it.
IMO, you should save actions and link them to a unique token that you send to the anonymous user; once he's authenticated he can provide the generated token and then you save the actions for that user. Be careful not to forget to remove the saved anonymous actions once they are "identified".
What exactly do you have to do to authenticate users against an external source while accessing pages on a CQ publish instance?
From what I have read, a custom AuthenticationHandler can be used for this. The AuthenticationHandler can be configured to be called against the paths requiring authentication and inside the extractCredentials() method, the users will be authenticated against the external source and an AuthenticationInfo object will be returned.
If the supplied credentials are invalid, null would be returned from this method to indicate the same. The SlingAuthenticator will then call requestCredentials() where the user can be redirected to the login page.
Is this understanding correct? If so, what does SlingAuthenticator do with the AuthenticationInfo object returned from extractCredentials()?
In some places, having a custom LoginModule (by overriding AbstractLoginModule) is also suggested for the same purpose. Are these 2 different approaches (custom AuthenticationHandler and LoginModule) for having custom authentication, or are they used together somehow? If so, how do they interact?
And also, the concept of CUG (Closed User Group) can be used to redirect users to the login page if they don't have access to a page. Can CUG still be used with a custom auth mechanism or it only works if the users are present in CQ repository?
Any light shed on this would be much appreciated :)
Your understanding is correct. The AuthenticationInfo object ultimately contains a JCR user id -- but rather than having to use the JCR password for the user, a 3rd party service basically says "this user has authenticated successfully and can access the repository as X".
Example: you're using OpenID or SAML to verify a user is X. user X is then mapped to a user Y in the repository.
I haven't used LoginModule, but from what I'm reading, that's just extending login processing for the Jackrabbit repo. So, rather than using AuthenticationHandler to redirect a user to some other place and processing the response, you're plugging further down into the chain where there's already AuthenticationInfo (or something like that) being given to Jackrabbit to verify and return a session for a user.
So, let's say you did successfully authenticate with OpenID but the user you're mapped to doesn't exist. You could write a login module to create the user in this case (and assign the user to a default group). For instance, if the user came in with a gmail id, the JCR user could be gmail_$id. And the login module, seeing the name starts with gmail, will know it's ok to create that user automatically.
As far as CUG, yes, all the above can be used in conjunction with it. Basically, if a request doesn't have access to a resource and the request hasn't been authenticated, the authentication handling system kicks in. If a user has authenticated but still doesn't have access to the resource (e.g. not part of a group that can read it), a 403 will be generated.
I want to create a custom login screen that will attempt to authenticate a user via integrated Windows Authentication (using SPNEGO or whatever) and if that attempt fails, fall back to a forms based approach.
The process would ideally work like this...
User Logged in as Valid AD User
User attempts to access application and is redirected to IdentityServer.
Custom logic attempts to validate user using AD credentials and succeeds.
User is authenticated and redirected...
User Not Logged in as Valid AD User
User attempts to access application and is redirected to IdentityServer.
Custom logic attempts to validate user using AD credentials and fails.
User is presented with a form to enter username and password.
User is authenticated and redirected...
I was hoping to create a custom IUserService implementation to achieve this, but from reading the documentation it's not obvious how this would be done.
Am I going to have to create a custom identity provider to achieve this?
Any guidance would be greatly appreciated.
I think it's not so much the custom IUserService you have to worry about. The IUserService looks up a user once IdSrv3 has collected credentials from the user. So your integration needs to occur earlier.
What's tricky is falling back. If you have a page that is protected by Windows auth, it's the client that decides if it can authenticate or not. If it can't authenticate the user, it will usually prompt the user for credentials & try to submit these. It won't automagically know what to do.
The approach with probably the best user experience is to show a page & allow the user to choose how to login, much like you can choose to login with Google, etc. You can then hook this up as an external provider.
I have an active field on the users collection and I want to prevent the users with that field set to false from logging in to the application. I could allow them to log in in the future, so I can't delete their account or change their password. How can I prevent them from logging in in Meteor?
While this does not stop them from logging in directly, it will log them out as soon as they log in, which depending on your use case may work as a workaround:
Meteor.autorun(function () {
    // Meteor.user() is null while logged out or before the user document has loaded,
    // so guard it before reading attributes.
    var user = Meteor.user();
    if (user && typeof user.blocked !== "undefined") {
        Meteor.logout(function () {
            alert('Your account is blocked at the moment, please contact us for more information');
        });
    }
});
Where blocked is the invalid-account attribute you have set.
Probably the safest thing to do is to move the user's data to another collection and delete the user's account. Of course that may not be desirable if existing data in the system is linked to that user's id.
I looked through the docs and couldn't find anything that sounded like you could set an account invalidation flag (this seems like it would be a really useful feature though).
Warning: I am not a security expert. The following advice could be awful:
If you need to leave the user account in place, one thing you could try is moving or modifying the SRP data in the user's account. For example you could just append the string '--disabled--' to the 'services.password.srp.salt'. That will prevent the user from logging back in and clearly you can reverse the process just by removing the string.
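A server-side counterpart to the client-side logout in the answer above, as an added example that is not code from this thread: the check on the question's active field is written as a pure function so it runs without Meteor, and would be registered with Accounts.validateLoginAttempt (an existing Meteor server API) in a real app, so a client that skips the autorun cannot bypass it. The field name active comes from the question; the error code, message text and the helper names (validateActiveUser, setUserActive, AccountDisabledError) are assumptions of this example.

```javascript
// Added example, not code from the thread: server-side enforcement of the
// "active" flag from the question. `active` is the question's field name;
// error code, message text and helper names are assumptions.

// Stand-in for Meteor.Error(403, reason) so the check is testable offline.
class AccountDisabledError extends Error {
  constructor(reason) {
    super(reason);
    this.name = "AccountDisabledError";
    this.error = 403;
    this.reason = reason;
  }
}

// `attempt` has the shape Accounts.validateLoginAttempt passes to its callback:
// { type, allowed, error, user, connection, methodName, methodArguments }.
// Returning false rejects the login; a thrown error is reported to the client.
function validateActiveUser(attempt) {
  // Leave earlier failures (bad password, unknown user) as they are; replacing
  // them with a specific message would tell a caller which accounts exist.
  if (!attempt.allowed) {
    return false;
  }
  // Users with no flag at all (created before the field existed) stay active;
  // only an explicit false blocks the login.
  if (attempt.user && attempt.user.active === false) {
    throw new AccountDisabledError(
      "Your account is currently deactivated. Please contact us for more information."
    );
  }
  return true;
}

// Reversible alternative to rewriting the SRP salt: flip the flag on the user
// document. `users` is any collection exposing update(selector, modifier),
// such as Meteor.users on the server.
function setUserActive(users, userId, active) {
  return users.update({ _id: userId }, { $set: { active: Boolean(active) } });
}

// Server-only registration; the guard lets this file load outside Meteor.
if (typeof Accounts !== "undefined" && typeof Accounts.validateLoginAttempt === "function") {
  Accounts.validateLoginAttempt(validateActiveUser);
}
```

Because the hook runs on the server for every login type (password, OAuth, resume tokens), it also covers sessions that resume from a stored login token, which the client-side autorun only catches after the fact.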