I'm new to Symfony. To move my project forward, today I'm trying to plan how to organize "users". In my project I will have a few different types of accounts:
A - administrator
G - guardian
KC - known customer
KCX - known customer with sub-accounts
NC - new customer
I know how each type of user will be created in the project:
A - defined in advance (only one account)
G - created by A; A enters an email and name in a simple form, and after that G gets an e-mail with a link to set the password (more than one account)
NC - normal registration form on the website, accessible to every user who is not logged in
KC - A or G upgrades an NC by setting an internal customer code in the NC's data
KCX - a sub-account of a KC with a separate e-mail and password to log in; this type of account can be set up only by a KC user
So, as you can see, only the NC user is created by the standard registration form. Standard registration I can solve with FOSUserBundle. But how do I solve the other things?
- How to let A create new G?
- How to let A and G upgrade NC to KC?
- How to let KC create KCX?
Should I use security.yml and try to solve everything with roles?
Best regards; I will be grateful for any advice.
L
For all of these actions you should create controller actions that only allow users with certain roles access. From these actions you will retrieve users from your database and handle them as you would handle any other objects.
Restrictions for routes (and the controller actions behind them) are set within security.yml.
FOSUserBundle is not required for this setup at all. If you do not know the full capabilities of that bundle, you might want to refrain from using it in your custom setup.
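As an added example (not the question's or the answer's own code), a Symfony Voter covering the two rules that a role check in security.yml cannot express on its own: only A or G may upgrade an NC, and a KC may add a KCX only under its own account. It assumes Symfony 2.8 through 5.x (the untyped Voter signatures), a User entity with getId() and getRoles(), and the role names ROLE_ADMIN, ROLE_GUARDIAN and ROLE_KNOWN_CUSTOMER, none of which appear in the question.

```php
<?php
// Added example, not code from the question or answer. A Symfony Voter that
// enforces the two account-management rules that a plain role check in
// security.yml cannot express. Assumed: a User entity with getId() and
// getRoles(), and the role names ROLE_ADMIN, ROLE_GUARDIAN, ROLE_KNOWN_CUSTOMER.
namespace AppBundle\Security;

use AppBundle\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

class AccountVoter extends Voter
{
    // A or G may turn an NC into a KC (set the internal customer code)
    const UPGRADE = 'ACCOUNT_UPGRADE';
    // A KC may attach a KCX sub-account, but only to its own account
    const ADD_SUB_ACCOUNT = 'ACCOUNT_ADD_SUB';

    protected function supports($attribute, $subject)
    {
        return in_array($attribute, [self::UPGRADE, self::ADD_SUB_ACCOUNT], true)
            && $subject instanceof User;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $actor = $token->getUser();
        if (!$actor instanceof User) {
            return false; // anonymous requests are always denied
        }
        $roles = $actor->getRoles(); // direct roles only; role_hierarchy is not expanded here

        switch ($attribute) {
            case self::UPGRADE:
                // subject = the NC to upgrade; deny unless the actor is A or G and the target is not already a KC
                $isStaff = in_array('ROLE_ADMIN', $roles, true)
                    || in_array('ROLE_GUARDIAN', $roles, true);
                return $isStaff
                    && !in_array('ROLE_KNOWN_CUSTOMER', $subject->getRoles(), true);
            case self::ADD_SUB_ACCOUNT:
                // subject = the KC the new KCX will hang under. The role alone would let any
                // KC add sub-accounts to other customers; the ownership test prevents that.
                return in_array('ROLE_KNOWN_CUSTOMER', $roles, true)
                    && $subject->getId() === $actor->getId();
        }
        return false;
    }
}
// In a controller: $this->denyAccessUnlessGranted(AccountVoter::ADD_SUB_ACCOUNT, $this->getUser());
// Role-only rules (A creating G) stay in security.yml: { path: ^/admin/guardians, roles: ROLE_ADMIN }
```

The same ownership test is what the contract-edit scenario further down this page needs: a role check alone does not stop one admin from editing another admin's record by pasting its URL.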
Related
How would I go about hardcoding a role in ASP.NET MVC within the program itself, rather than through a database, for authentication (and then how could I add people to this role)?
What I'm trying to do is have 3 roles: Programmer, DatabaseAdministrator, and SystemsAdministrator. I'd like to be able to add people to those roles (also hardcoded), and then authenticate people based on role, rather than username. Right now, I am authenticating people like this:
if (@User.Identity.Name == "DOMAIN\\first.m.last")
What I want to be able to do is:
if (@User.Identity.Role == "ROLENAME")
However, I only have three roles and 8 people; I do not want to have to create a table in my database for them. So I'd create the role DatabaseAdministrator, and then add three people to it as the string "DOMAIN\first.m.last". Then, I could have the action populate the view based on their role name.
Everything I've seen so far has you do it through the database. Would appreciate any help. Thanks!
I am assuming that you are using Windows Authentication.
With that said, you can easily authorize based on the users' Active Directory groups. This will keep you out of the database, and all you have to do is add a user to an AD group if the users change.
Then you can authorize on the controller or action with this annotation.
[Authorize(Roles = @"DOMAIN\ADGroup")]
Java 8 + Spring MVC 4
I am learning to programme and came across one scenario.
There are different roles:
1) Admin
i) ABC Admin
ii) XYZ Admin
2) Normal
ABC Admin logged into the system and created a contract with contract_id 123.
The edit URL is: localhost:8080/myApp/contract/edit/123
XYZ Admin logged into the system and copy-pasted the above edit URL into the browser.
(Ideally, XYZ Admin should not be able to edit the ABC admin contracts and vice versa)
I need some suggestions/ideas on what I should use for this.
I did a search on Google and found that Spring Security would be the fit for this.
You can use
@PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')") to allow multiple roles on a single method
or
@PreAuthorize("hasRole('ROLE_ADMIN')") for only one role at method level in Controller/DAO classes.
I have created a secondary user store using LDAP. By default, all users of the secondary store have no permissions. Is there a way to assign the subscriber role to all users in one operation, or do I have to do it manually for each user?
Thanks
Since by default WSO2 uses the groupId ('Organization') of the user to share the Application in the Devportal, as mentioned here in the documentation: sharing applications
You can go to the Carbon UI and search for the LDAP users among which you want to share an Application. Next to the User click on the 'User Profile' tab. There you can edit the value next to the 'Organization' column. For this, your secondary user store should be 'ReadWriteLDAPUserStore'. Similarly, edit the value for each user in the secondary user store to the same value to share the Application among them.
In fact, in the LDAP user store, if you configure LDAP groups they are automatically created as roles, and you can apply permissions to a role, which will apply to all users of your LDAP group.
But I didn't find a way to share applications between users of an LDAP group ...
Here is a better way to achieve it. In the official documentation it is mentioned that it allows Applications to be shared if we have common roles, and as you said WSO2 treats AD groups as roles. Let's assume you have two users, user1 and user2, in your LDAP store, both of which are part of the AD group 'AD_Group'.
So mention the AD group name common to the users among which the application needs to be shared:
Also change the configuration as follows in the deployment.toml file:
[apim.devportal]
enable_application_sharing = true
#application_sharing_type = "default"
application_sharing_claim=http://wso2.org/claims/role
I need to give roles (including the Member role), memberdata, and user folders to certain OpenID users before they first log in to my Plone site. That is, I need to programmatically add OpenID users to my Plone site. portal_registration.addMember cannot add an OpenID user. plone.openid has its own PAS plugin which does not create member objects. What do I do that is replicable in a setuphandler? The usual way to do this is to manually log in the OpenID user, then add roles, memberdata, and sharing after the login. However, that user story is not programmatically replicable.
The only thing that should matter is the user id generated for each user. It should be possible to just create regular members beforehand with user ids matching the OpenID identity URLs, assign them roles, and then use OpenID (only) as an alternative authentication method for those users.
Update: As Chris commented below, it's not possible to add users with URL as their id through Plone UI, but they must be created directly into PAS users folder through ZMI (Zope Management Interface).
Could anyone please provide me with guidance on whether it's possible to use aspNetActiveDirectoryProvider for authentication and aspSqlProfileProvider to store user-specific details?
I'm not quite getting my head around how I get the userID that's required for the aspnet_profile table if I were to switch to Active Directory.
Also, is it possible to change password from aspnet admin page if active directory is used?
Regards,
Changing the password is possible with the AD provider: see the ActiveDirectoryMembershipProvider.ChangePassword method.
ASP.NET profile generally associates a profile with a user name. Typically, the user name value will be the same as the user identity value used by the authentication system. So in the Active Directory case, it would be the user's domain-qualified login name (in the form <domain>/<login>); see this link for more info: http://msdn.microsoft.com/en-us/library/ewfkf772.aspx
You may also create a custom profile provider if you need more control on the database schema side; a sample is already available from Microsoft and you can use that as a base. Check these links:
http://msdn.microsoft.com/en-us/magazine/cc163457.aspx
http://www.asp.net/downloads/sandbox/table-profile-provider-samples