I am new to Spring. I have a requirement to log all successful login and logout attempts by a user using logback.
I am using one HandleInterceptor(org.springframework.web.servlet.HandlerInterceptor) to intercept all requests made to handlers.
Can I use the same interceptors to handle authentication requests too?
If not which interceptors to be used. Or is there any way around?
As you are only interested in login and logout operation, you should not use a handler interceptor on all requests.
There is a simple way to be notified all all login events : use an ApplicationListener that will listen to AuthenticationSuccessEvent or InteractiveAuthenticationSuccessEvent - you will find more details and example code on this other post Spring security: adding “On successful login event listener”
To be notified on logout, you can use a custom SuccessfullLogoutHandler or add a LogoutHandler to the LogoutFilter. You can configure it with the <logout> attribute in xml configuration or with a SecurityContextLogoutHandler if you are using java configuration in spring security 3.2
Related
I am implementing recaptcha with fosuserbundle.
Is it possible to stop user registration or password reset with an error message through event listeners?
Or should I just override the controllers?
I would prefer to avoid using a third bundle to integrate recaptcha
Thanks a lot for your time.
The registration_success occure just after sucessful submitting and perform the result in database so, just before performing you can send a httresponse (inside the response event) that provide redirection (or otherelse)
I am using Symfony login system which is symfony will take care of the entire login process for me as long as I got the configuration (firewall) correctly.
How can I perform some custom validation before it performs the authentication process? For example, check the length of username, validate captcha code and etc. If one of the requirement does not meet, I need to stop further action (authentication) and return error message.
I know there is some authentication handlers like authentication success handler or authentication failure handler which allow you to do some action upon authentication successful or failure. Is there any handler like this that allow me put my custom code before performing authentication action?
You can create a custom authenticator, this is all you need:
http://symfony.com/doc/current/cookbook/security/custom_password_authenticator.html#the-password-authenticator
I've successfully installed and tested the OAuth 2 workflow with Symfony 2 and FOSOAuthServerBundle.
I can request a code, and get a pair of access/refresh token successfully from a "login with" button on a third party test page i've set up and retrieve a user from my API through a custom API call. Pretty cool here.
However, each time I test the flow from the beginning, my oAuth server keeps on redirecting the user on the authorization page. Here are my questions.
Once a user has authorized and app, shouldn't the authorization part of the process be skipped with OAuth 2.0 ?
Is that fixed on the server side or should i change the way i request the credentials on client site ?
And finally... could i debug and fix this ?
If anyone struggles again, the solution is here :
https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/blob/master/Resources/doc/the_oauth_event_class.md
This feature is not default in FOSOAuthServer bundle. You have to create and EventListener and check client or user status, save the user's choice, and [quote:even bypass the authorization process].
Which is the best method to implement role based redirect after login in FOSUserBundle ?
Should I use a success handler and write the redirection logic in onAuthenticationSuccess
or Should I use a security listener and write the redirection logic in onSecurityInteractiveLogin
I think security listeners are used by other bundles to do some post-login operations like table update, setting cookie etc. While same can be done by success_handler, it is called once for each firewall configuration in app/config/security.yml. So you have full control over it. So I think it is better to implement redirection logic in onAuthenticationSuccess method of your success_handler service class.
Is there an event that gets fired right after ASP.NET authentication has failed to identify the user? I need to trigger an alarm every time that happens. Don't offer to implement custom membership provider nor to do it from the Login form's controller. I'm looking for native ASP.NET pipeline event. HttpApplication has two events: one for before Authentication and one after, but nothing for failure.
As far as I remeber, yes:
Have a close look at the logging capabilites of the HealthMonitoring section. It is not only possible to log errors, but also events such as successfull logins or failed login.
Have a look at http://www.asp.net/hosting/tutorials/logging-error-details-with-asp-net-health-monitoring-cs
I guess eventName="Failure Audits" is the way to go