We have a requirement to enable drag and drop of content from Alfresco to a PLM application. Now we have created a new custom view with the PLM product and have incorporated an SWT browser in that view. The idea is that the user would enter the alfresco url and he would be able to drag and drop contents from Alfresco to PLM product using this new view.
The trouble here is that we are being asked to develop it as a single sign on application. The moment the URL is entered by the user, alfresco would ask the user his login credentials.
The user authenticates himself and would be able to view different documents.
But in order to actually download them, we need to set the user info. specifically the user name and password in the request to Alfresco. This is where we got stuck.
Is it possible to get a session or an equivalent identifier codefully [ Note that user visited alfresco url and has authenticated himself. So, we dont have any hold of his information there. ].
Requesting you to share any ideas...
Thanks,
Pavan.
Note: A new UI that would prompt the user to enter user name and password might be possible. But we do not want to resort to that approach.
First, some background.
Most web SSO systems work by authenticating the user themselves, and then setting a custom HTTP header containing the user identify (normally a plain username) which is sent to your web applications by a proxy. I'm not sure if that would work for you, but you may wish to investigate integrating CAS with Alfresco, assuming that both your applications are webapps.
Other options for SSO with Alfresco which might work for non-webapps are NTLM (old and insecure) and Kerberos (much more secure; recommended). These normally integrate with your operating system login session but must be configured in the user's web browser as well as in all the applications that you wish to SSO enable.
In summary, there are a few options that may be available but it depends on the nature of the second application that you want to integrate Alfresco with. I would suggest that you do some further technical investigation based on these areas and any others which others might suggest, and then come back with any specific questions that you have.
Related
I'm looking to completely decouple user management, login, permissions, and user data from my application. The main reason for this, is the application will consist of a WordPress site, native app, and a custom PHP API that all need to allow a user to login.
I don't want to use WP as the user login as I don't want to tie all our user data to WP in case we want to migrate to something else in the future. I've looked at things like Auth0, but it seems like it fairly heavy and costly.
What I'd like to do instead is build a separate service that can be used to store user fields, meta data, permissions, and act as a login service.
Based on those credentials, I can give access to certain sections of WP, unlock content on the Native App, and authenticate for certain access level for our API. Has anyone had any experience with decoupling their user management with a similar scenario?
if you really want to decouple the user-management from your app, you can use specifications like oAuth2.0 or OpenID - they are two different specs, and you should have a look and see what fits you the best.
If you write your code in Java, you can use (for free) Spring Security together with authentication-flows - that will cover all security issues as well as all user management flows like registration, forgot password, change password etc.
although I didn't gone to such length as implementing an Auth0, I created a separate user management (wp users) by leveraging on wordpress rest api and its native js client(backbone js). It's by no means completed, but the functionality is there.
Below is the screenshot:
I am creating a project which has a login portal with multiple applications and websites. I want to allow the user to login and then click any application and have access to it. Some considerations are: each application is defined in a user profile, ie which users can see what. also each application privileges are different for each user. so user a may be an administrator of application a but just a normal users in application b.
What i know.
I can have one auth cookie created in the main portal which with setting the machine key and same authcookie name, each application can use it. I have done a test with this and it seems to work.
My problem
As each site/ virtual directory has different privileges per user and per application when the user access a site i need to get his privileges from the databases but I cant then overwrite the auth cookie userdata with the new details because he may have multiple tabs etc open at a time on different sites. So how can i have an extra cookie store per user and per application for holding application specific details. I know I could go to the database each time but that's allot of overhead for each post back.
Maybe another option is to use the main authcooke for checking the user is logged in then have a new auth cookie per aplication and user, but how can i have 2 authcookies, that may get confusing and the second needs to timeout when the main one does et c i think
Any help suggestions would be gratefully appreciated
THanks
------------------- EDIT -----------------------------
we have one user table for all all sites not 1 per each site. then we map the user to an application and then the user application and role. so when you get to an application it has to check if the user has access and what there role is. all other user details are already in the auth cookie when loggedinto the main site. We do it this way because we have to manage users in one application not each application. Hope this helps understand my requirements.
What you are describing is a 'classic' SSO (single sign-on) example. There are lots of ways people have tried this and they are well documented on Google.
One way to do this is to have your SSO server (e.g. the first place you land and log in) to issue a security 'token' (e.g. a Guid) and then either store this in a cookie or append to URLs. Each subsequent call to an application can look-up the token in a database, verify it's validity and carry on (or boot the user out if invalid).
Using a database also allows you to set a timeout for all applications for which the token is valid.
This can then be extended to allow the database to store which apps each user can access etc. I've described this in very broad terms but it may be a good starting point.
Hope this helps
BTW: querying the database on each request isn't too much of an overhead. I have applications that do just that and are still performant when loaded with 300+ users.
Big picture: I have been asked to create a search engine for our company's intranet. Such a search engine will crawl pages supplied to it by XML files for each independent application on the intranet. Problem is, the entire intranet is using Forms Authentication, and so the crawler will have to have access to each application without actually having user credentials (e.g. username and password).
Each application within the intranet has its access controlled by a permission manager, which is essentially a wrapper on the default Role Manager ASP.NET comes with. Each application can define its own roles and assign people who have those roles.
Please note that there are potentially hundreds of applications.
The crawler has access to the permission manager's database, so it knows what all the roles are. Therefore my idea was to have the crawler create a cookie that identifies it as having all roles for each application.
The problem I'm running into is this: how do I create a forms authentication cookie which already has the roles assigned in it without creating a corresponding user (IPrincipal).
It is entirely possible that I've failed to completely understand how Forms Authentication works, and if so, please tell me what I can do differently.
This is probably not what you want to hear, but...
I would just have the crawler authenticate like anyone else.
Given that this is a crawler you control, why fight Forms Authentication? Seems logical to create a user with all required roles in each application (hopefully you have a central administration point for the hundreds of apps, else I would not want to be an administrator there ;-)
If you do anything that allows "just the crawler" special access (bypass user-based authentication based on... what? The crawler's user agent? A specific origin IP?), you create a security hole that a hacker can leverage to gain access to all of the intranet applications that have otherwise been diligently secured with user IDs, passwords and roles (in fact, the security hole is particularly wide because you propose granting access to EVERY role in the system).
It sounds like what you want is an appropriately encrypted System.Web.Security.FormsAuthenticationTicket (which then gets attached to HTTP requests as a cookie).
The encryption logic is located in System.Web.Security.FormsAuthentication.Encrypt(), which I think uses the MachineKey as the encryption key. Also have a look at the GetAuthCookie() logic (using Reflector).
You might have to write your own version of the encryption method, but what you want to do should be possible, provided you have a copy of the remote site's encryption keys. You don't need the user's passwords -- only the user name is encoded into the Ticket.
It seems to me that the problem is not yet well defined, (at least to me!).
Why do you need to crawl the pages and index them if there are fine grained permissions on them?! How do you show search results without violating the permissions? Why not index the back end by passing the pages altogether (I mean index the database records not the pages)....
Technology
ASP.NET, VB.NET 2.0 (soon to be 4.0)
Overview
I'm writing a Login / Authentication Portal, so that a web application can use it to login a user, and then they can use the application using their credentials.
The login portal will be a separate application, and initially only available via an extranet as well as intranet for certain applications; but future apps will need to authenticate via the web (happy to implement as a separate instance). I basically want other individual applications to be able to authenticate users via this portal.
So that...
A user goes to an application's web url (i.e. www.application.com / http://apps/application - intranet) and clicks "login".
User's browser is redirected to the portal application, with a query
string
www.loginportal.com/login.aspx?url=www.application.com/login.aspx
(or other page).
User fills in their credentials (username, password), and clicks
"login" button.
Browser redirects back to url i.e. www.applications.com/default.aspx or login.aspx and is authenticated and logged in; and can use app.
Completed
I have the authentication itself sorted, and will implement as a class library in the local applications via a dll.
Need
So I basically need to know, how to:-
1. Post data to the portal url (could be different domain).
2. Redirect browser with post.
3. Make sure that the authentication is secure, and not easily hackable (I know how to use urlencode and htmlencode etc) - just not sure about implications of posting data across domains.
Any help greatly appreciated...
Cheers,
Duncan.
Seriously tough stuff, here. If it were me, I'd lean heavily on Windows Identity Foundation. I believe it can support this scenario (haven't actually done it; someone else at my company is developing against it).
OK, so this is the solution I ended up using:
In the original application (the one that needs the authentication; step 1 above) I redirect the user to my login portal, and include the original url as a get parameter.
The user then types in their details, username and password.
Next, the server-side code authenticates them, and redirects to a new page, where I send back to the page an html form which includes the request datetime (for security) along with a encrypted string (including the datetime of the request) of the data I want sent back to the original form.
I also add a JavaScript post method which sends the data to the original url as a form post. Because I'm using the same class library at both ends, I can encrypt and decrypt the data using the same method and the original requesting application has all the user data, including the ability to check the datetime of the request (I allow a set amount of time between the authentication and the picking up by the original app, making sure these are within say 5 minutes.
And job done.
If anyone wants the code, I can provide it, just don't have it with me at the moment, if I remember I'll post it.
Not the most elegant solution, but it works, and it's secure, so I'm happy. :).
Here is the situation. I have a site that only allows one user to be logged in at one time. However, I need a server to scrape this site and put data into the database. However the admin need to be be able to log into this site from time to time.
So what I would like is for the server to proxy the admins login so that the server won't attempt to login while the admin is logged in.
How would I go about doing this?
Thanks
EDIT: Sorry, it totally slipped my mind, the reason I need to come up with such a complicated setup is because I do not have the source for this site, nor does the site allow any sort of extensibility. Basically I plan to add features by proxying the site through a more featured filled version of the page that will allow the user to access features not availilbe for the sites normal interface.
If this is a web application you've built yourself, you should be able to track this pretty easily. You just need code that stores the login state of your users in a global way. Possible ways of doing this would be to utilize the database (if this is database driven) or store it in an Application variable (if this is done in ASP.NET).
Then whatever process you've put in place where the server is "scraping" the site can check to see if anyone is logged in before logging in itself.
However, I must ask -- is this something you've built yourself or are you trying to add functionality to an existing product? The reason I ask is that I can't figure out why you tagged this with "proxy" and not the language it was written in. If you don't have access to the source code, for example, that would change things.