I am trying to use the following:
1) form_login_ldap just for user authentication
2) A custom UserProvider for retrieving user roles from a MySQL database
Everything seems to work fine: I am able to log in, the roles are used, etc.
As soon as I change the roles in the database, isEqualTo() kicks in - the user is redirected to the login page. There the browser hangs in an endless loop. After using tcpdump I realized that form_login_ldap is trying to authenticate the user without a password.
I think I am generally missing the point of how the password will be handled in this scenario. My UserProvider can't retrieve an (encrypted) password, as it is querying MySQL and the user is authenticated using LDAP.
If the "refreshUser" function of my UserProvider returns a new user object with the new roles, the password seems to be lost.
If within the UserProvider I just modify the array of roles for the user, the web application does not recognize that and the old roles apply (I guess the session must be updated?).
How are form_login_ldap and my UserProvider supposed to interact? How do I make sure that upon "refreshUser" the password is still available?
What am I missing for my general picture?
Related
I'd like to implement the functionality where, if two users are trying to log in with the same credentials, the first user should be logged out as soon as the second user logs in.
Consider user one is logged in with his credentials from one machine, and he/another user is trying to log in from another machine; then user one's session should be removed as soon as user one logs in.
PS:
I tried to implement that by saving the current session id in the user table and overriding the OnCreated method from the IAuthSession interface, and then checking in that whether the request sessionId is the same as the saved session id; if it is the same, then process the request, else call the logout endpoint.
But it will not be good for performance, and I am not sure if it is a good way to do that?
PS: I am using a JWT token.
Update:
I am able to clear the session by using ICacheClient to get the session and then removing the session from the server using IRequest.RemoveSession(sessionId), but it is not logging out the specific user.
You can't invalidate a user authenticating with stateless authentication like JWT, which has the signed authentication embedded in the token and is valid until the JWT expiry.
i.e. you can't revoke a JWT token after it's already been issued.
There is a JwtAuthProvider.ValidateToken filter you can use to execute custom logic to prevent a user from authenticating, which you may be able to use; however, that would require that you manage a collection of token info you want to prevent from authenticating before its token expiry.
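The answer's point is that a signed token stays valid until its expiry, so the only way to "revoke" one is to keep a list of token ids to reject, checked on every request and pruned once the token would have expired anyway. The following Python block is an added illustration of that pattern, not ServiceStack's JwtAuthProvider code: it issues a minimal HS256 JWT with a unique id (jti) and expiry (exp), verifies signature and expiry, and consults a denylist. The secret and the token values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service loads the signing key from a secret store.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, jti: str, now: int, ttl: int) -> str:
    """Issue a compact HS256 JWT carrying a unique id (jti) and an expiry (exp)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps(
        {"sub": subject, "jti": jti, "iat": now, "exp": now + ttl},
        separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


class RevocationList:
    """Denylist of token ids; each entry is only needed until that token expires."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: int) -> int:
        """Drop entries whose token has expired; returns how many were removed."""
        stale = [jti for jti, exp in self._revoked.items() if exp <= now]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)


def verify_token(token: str, now: int, revoked: RevocationList):
    """Return the claims when signature, expiry and denylist all pass, else None."""
    try:
        header, claims, sig = token.split(".")
        presented = _b64url_decode(sig)
    except ValueError:  # malformed token or invalid base64
        return None
    expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    payload = json.loads(_b64url_decode(claims))
    if payload.get("exp", 0) <= now:
        return None
    if revoked.is_revoked(payload.get("jti", "")):
        return None
    return payload
```

The denylist only has to remember a token until its exp, so its size is bounded by the number of revocations within one token lifetime; a short lifetime keeps both the list and the window in which a stolen token stays usable small.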
So I have a Symfony 4 app which should allow login via LDAP and, based on your groups, modify some of the values in this LDAP directory.
The login itself, and the mapping from LDAP groups to ROLE_, works perfectly.
The idea was that only the currently logged-in user does a modification, not a hidden directory admin.
For this I would need to $ldap->bind() with the user credentials each time a logged-in user wants to modify the directory.
But for this I would need the password. The only way I could think of would be to save the password in the session - but from a security standpoint this would be a very, very bad idea.
Is there any other way? Like storing the already bound connection somehow?
As far as I see in the Symfony security component, the UserProvider only refreshes the user from the session, without calling LDAP again.
The LdapBindAuthenticationProvider only uses the ->bind() call with the given credentials and catches an exception if the password doesn't match.
But the connection itself is simple fire & forget.
With WebSecurity, Registering a user is like this:
WebSecurity.CreateUserAndAccount(model.UserName, model.Password);
I know I can pass in custom parameters for my User table as well. What I'm wondering is - in a multi-tenant scenario, how do I allow WebSecurity to enforce uniqueness on Username and TenantId columns, instead of just Username?
Related - when logging in, how do I specify a `TenantId` so that forms auth assigns a cookie only if the user exists on the specified tenant?
Unfortunately I can only extend WebSecurity and don't have the option to replace it. Hopefully there's a way to make this work.
We've solved this problem in the past by just adding a tenant identifier to the username when saving the user and again when verifying the login credentials.
The user doesn't see this, but it works brilliantly and easily!
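Two ways to get per-tenant uniqueness are in play above: keying the user record on (tenant, username) so the same username can exist in two tenants, or the answer's trick of folding the tenant identifier into the stored username. The Python block below is an added illustration of both, not WebSecurity code; the store, the PBKDF2 parameters and the separator character are constructed assumptions. The folded-username helper shows the one caveat that approach carries: the separator must be a character usernames can never contain, or two different tenant/username pairs could produce the same key.

```python
import hashlib
import hmac
import os


class TenantUserStore:
    """Users are keyed by (tenant_id, username): uniqueness is per tenant,
    and a login must name the tenant it belongs to."""

    ITERATIONS = 100_000  # constructed demo value; tune to your hardware

    def __init__(self):
        self._users = {}  # (tenant_id, username) -> (salt, pbkdf2 hash)

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def create_user(self, tenant_id: str, username: str, password: str) -> bool:
        key = (tenant_id, username.lower())
        if key in self._users:
            return False  # duplicate within this tenant only
        salt = os.urandom(16)
        self._users[key] = (salt, self._hash(password, salt))
        return True

    def verify_login(self, tenant_id: str, username: str, password: str) -> bool:
        record = self._users.get((tenant_id, username.lower()))
        if record is None:
            # Do the same work as for a real user so response time does not
            # reveal whether the account exists in this tenant.
            self._hash(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))


def scoped_username(tenant_id: str, username: str, sep: str = "\x1f") -> str:
    """The answer's approach: fold the tenant into the username before it is
    stored or checked. The separator must never occur in either part, otherwise
    ('tenant-a', 'bob') and ('tenant', 'a-bob') would collide."""
    if sep in tenant_id or sep in username:
        raise ValueError("separator must not occur in tenant id or username")
    return f"{tenant_id}{sep}{username}"
```

With the composite key the tenant becomes part of every lookup, so a valid password for alice in one tenant cannot log in as alice in another; with the folded username the same property holds as long as the separator is reserved.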
I'm writing my first Symfony2 app after a few years with Symfony and am having trouble converting our user management code. It seems that to fit in with Symfony2's authentication model I have to provide user details including their (encrypted) passwords. We authenticate via a webservice that takes the username and password and responds with a confirmation and user level (user, admin etc), but it never sends the real password back to us.
What I want to do is accept the login details from a form, confirm they are valid and then set the user's roles according to the webservice's response. Where do I start?
You need to use a custom authentication provider to authenticate against your webservice. It is explained quite clearly in this blog post.
You can create a user provider, and in its loadUserByName you can call the webservice. If successful, return the new UserInterface object with the password from the form, an empty salt string, and the roles returned by the service. Also set the encoder of the UserInterface to plaintext in security.yml. Then set the newly created user provider in the form_login auth provider in the firewall.
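Both the first question on this page (roles from MySQL, credential checked by LDAP, refreshUser losing the password) and the answer just above (credential checked by a web service, roles from its response) come down to the same contract: the session keeps the user's identity and current roles, the credential is checked once by the external authenticator, and a refresh reloads roles without needing the password. The Python block below is an added model of that contract, not Symfony's UserProvider or token code; the Principal, RoleStore and Session classes are constructed for the illustration. It also covers the failure mode a practitioner should handle: if the account disappears from the role store, the refresh fails and the session must end rather than keep stale roles.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Principal:
    """What the session stores. Deliberately has no password field: the
    external authenticator verified the credential; only identity is kept."""
    username: str
    roles: tuple = ()  # authorization data, reloaded on every request


class RoleStore:
    """Stand-in for the roles table the question's provider queries."""

    def __init__(self, rows):
        self._rows = {user: list(roles) for user, roles in rows.items()}

    def roles_for(self, username):
        return self._rows.get(username)

    def set_roles(self, username, roles):
        self._rows[username] = list(roles)

    def remove(self, username):
        self._rows.pop(username, None)


def refresh_user(session_user: Principal, store: RoleStore):
    """Rebuild the principal for this request: same identity, current roles.
    Returns None when the account no longer exists, which must end the session."""
    roles = store.roles_for(session_user.username)
    if roles is None:
        return None
    return replace(session_user, roles=tuple(roles))


def same_identity(a: Principal, b: Principal) -> bool:
    """'Is this still the same user?' compares identity, not roles, so a role
    change updates the session instead of forcing a new login."""
    return a.username == b.username


class Session:
    def __init__(self, user: Principal):
        self.user = user
        self.authenticated = True

    def handle_request(self, store: RoleStore):
        """Per-request refresh; returns the roles in force or None if logged out."""
        fresh = refresh_user(self.user, store)
        if fresh is None or not same_identity(self.user, fresh):
            self.authenticated = False  # stale or unknown identity: re-login
            self.user = None
            return None
        self.user = fresh  # roles are now current without re-authenticating
        return fresh.roles
```

The design choice is that role changes replace the stored principal wholesale (so the "modify the array in place and nothing happens" problem from the first question cannot occur) while the equality test that decides whether a login is still valid looks only at identity.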
I'm trying to create a custom login for my flex web app with spring-security.
I have a working version where we use the channelset.login with BlazeDS.
The problem I have is that I would like to split the authentication and the authorization.
I would like to ask the user to make some choices after the authentication to determine their roles,
since the roles the user is authorized for are determined by these choices.
This means the user has to be authenticated, then the client needs to make a service call to the service, and then the authorization process needs to take place.
Does anyone know if this is possible and have some tips on how this can be done?
Thanks in advance,
Arjen
Yes, that doesn't sound too far-fetched.
You can store the user roles in the database and make each new user's role something like SIGNUP, which will only allow the user to sign up; once his new role is determined, simply update that role and restrict the new role from being able to update the role again, unless you're admin.
You can also override the authentication process to do whatever you want to do: http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html
The session object might need to be refreshed if you're using some form of ORM.
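The security-relevant part of the answer is the restriction: a freshly authenticated user may pick a role exactly once, only from the roles the application allows users to choose for themselves, and afterwards only an admin can change it. Without that rule the "choose your role" call becomes a self-service privilege escalation. The Python block below is an added illustration of that guard, not Spring Security code; the role names and the SELF_SELECTABLE set are constructed assumptions.

```python
SIGNUP = "SIGNUP"  # placeholder role every new account starts with
ADMIN = "ADMIN"
SELF_SELECTABLE = {"BUYER", "SELLER"}  # constructed: roles a user may pick once


class RoleAssignment:
    """Role table plus the policy for who may change whose role."""

    def __init__(self, roles):
        self._roles = dict(roles)  # username -> role

    def role_of(self, username):
        return self._roles.get(username)

    def assign(self, actor: str, target: str, new_role: str) -> bool:
        """Apply the change if policy allows it; returns whether it was applied."""
        actor_role = self._roles.get(actor)
        if actor_role == ADMIN:
            self._roles[target] = new_role  # admins may set any role on anyone
            return True
        # Self-service is permitted exactly once: only while still in SIGNUP,
        # only on one's own account, and never to a privileged role.
        if actor == target and actor_role == SIGNUP and new_role in SELF_SELECTABLE:
            self._roles[target] = new_role
            return True
        return False

    def permitted(self, username: str, action: str) -> bool:
        """SIGNUP accounts are confined to the signup flow until a role is chosen."""
        role = self._roles.get(username)
        if role is None:
            return False
        if role == SIGNUP:
            return action == "signup"
        return True
```

After a successful assign the caller still has to reload the session's roles, which is the refresh the answer's last line is pointing at: the database is updated, but the principal already in the session will keep the old role until it is rebuilt.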