Hi i am gooling but without result.
I am trying to check one field in DB while encoding password to user. How?
The service
services:
my_password_encoder:
class: TB\WelcomePageBundle\Security\Encoder\MyPasswordEncoder
<?php
namespace TB\WelcomePageBundle\Security\Encoder;
use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
use TB\UserBundle\Entity\User;
class MyPasswordEncoder extends BasePasswordEncoder
{
public function encodePassword($raw, $salt)
{
$user = new User;
$old_or_new=$user->getOldNew();
print_r($user);
print_r($old_or_new);die();
The point:
1. withdrawn one field from DB from current logging user.
2. Depend on the value i need: encode his password MY WAY and log in + CHANGE THE PASSWORD THE SYMFONY WAY and update DB.
3. Depend on the value just use the symfony way.
There is easy condition. The problem is just how i can withdrawn this field + encode password symfony way. (how encode password my way i know). + encode the password not more via my way but symfony and update DB.
My points is to migrate low secure passwords to symfony2. Why? Because i have existing DB where the passwords are encoded my way. So i need to "update" them.
THE MAIN PART OF QUESTION:
HOW CAN I GET THE USERNAME OF USER WHO TRY LOG IN IN ENCODE PASSWORD FUNCTION??? THX!!!
Related
I need current login and username in Alfresco to construct org.apache.chemistry.opencmis.client.api.Session instance as described here https://docs.alfresco.com/6.1/concepts/opencmis-ext-intro.html but I don't know how to do that, could you tell me?
My aim to get more than 1000 records from the repository using CMIS request and since I can not change the configuration I need use paging with org.apache.chemistry.opencmis.client.api.Session instance as described here https://issues.alfresco.com/jira/browse/MNT-15540 and here https://stackoverflow.com/a/21127909
Please, help me to get more than 1000 documents with single CMIS query?
Thank you!
You can't get the password but you can retrieve the username and authenticate with the alf token.
Java API: PersonService
getPerson
#Auditable(parameters="personRef")
PersonService.PersonInfo getPerson(NodeRef personRef)
throws NoSuchPersonException
Retrieve the person info for an existing person NodeRef
Parameters:
personRef - NodeRef
Returns:
PersonInfo (username, firstname, lastname)
Throws:
NoSuchPersonException - if the person doesn't exist
If you fetch the user's ticket, which you can do in a variety of ways, including the public REST API or your own custom web script, you can then use the ticket as the password when creating a CMIS session using OpenCMIS. This is the proper way to authenticate with CMIS when you don't know the user's password.
I use securedsocial to manage the singup and login of my project. The password created by securedsocial stored in the mongodb is as below:
"password" : {
"hasher" : "bcrypt",
"password" : "$2a$10$ttFOX3YrXwQyiUVVRWL1Ku54CediP/Z/pGQ8QOP2YBKL/s87wyGba",
"salt" : null
}
I now want to create a new user manually so i need to know how to encrypt the password the same way as securedsocial. Or if there is any tool to do this?
You can use the PasswordHasher the module uses to hash the passwords and then save them. By default SecureSocial uses BCrypt.
I'd like to e-mail all my users a link to a symfony site that I am writing, and have it so that when they follow that link they are logged in to the site (probably with a special role, like IS_AUTHENTICATED_REMEMBERED), and redirected to a certain page. How can I do this?
So the link would be something like:
http://example.com/?key=[some sort secret key with their account encoded in it]
i'd do something like this: generate the key with a hash function over the username.
Then send them a link to http://example.com/?user=username&hash=the-hash-result.
In the action that will recieve this url you can get the request parameter username and hash, apply the same hash funcion to the username you recived and compare the result to the hash key in the request parameters.
If match, just set the appropiate credentials to the user and log him in
Lets see some code, in your authentication class you should have a function to authenticate a user with the $user and $password parameters. Here or extending this class you can define a funciton like this:
function authenticate($user,$hash-key){
if(hashFunction($user) == $hash-key){
$user->setAuthFunction(true);//sort of
}
}
Hope it helped you!
Not so easy to implement I can tell you but you got to take a look to the UsernamePasswordFormAuthenticationListener::attemptAuthentication method...
Make your own service to atteptAuthentication automaticaly.
Inspired by this message and this code, I wrote a controller that gets the user from the database, verifies the secret key, then fakes a login token as follows:
$providerKey = 'secured_area'; // Name of firewall from security.yml - not sure this is correct.
$token = new UsernamePasswordToken($user, null, $providerKey, array('AUTO_LOGIN'));
$this->container->get('security.context')->setToken($token);
(you need this at the top of your file)
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
It seems to work, and the user has a role of AUTO_LOGIN so I can easily restrict them from accessing more sensitive stuff until they have logged in with a username and password as normal.
I have a question about how to use md5 and a salt to secure a password, I have already made many searches for answers to my questions.
An article I saw was using c# to convert password to md5 string, something like this:
public static string md5(string <b>sPassword</b>)
{
System.Security.Cryptography.MD5CryptoServiceProvider x = new System.Security.Cryptography.MD5CryptoServiceProvider();
byte[] bs = System.Text.Encoding.UTF8.GetBytes(sPassword);
bs = x.ComputeHash(bs);
System.Text.StringBuilder s = new System.Text.StringBuilder();
foreach (byte b in bs)
{
s.Append(b.ToString("x2").ToLower());
}
return s.ToString();
}
}
My question is the above code seems server side is its mean password traveling over internet in plain text doesn't it create any security issue or it does not matter i don't know (may be i am getting it wrong way or i am not clear about password security concept) ?
What i have done in my project is i am creating a secure password at client side with java script md5.js file and with user's entered password before posting login.aspx form back to server then at server side i am fetching hashed password of user from database(which was stored at the time of registration of user with same technique) and match both client side and server side hashed passwords if they match user authenticated.
i don't know weather i am doing it right way or not please let me know right way if i am wrong .
Now the problem is i want to use SALT with the md5 (md5+salt) to make password more secure with Randomly generated salt string. how to do this should i make a random salt string at server side while page_load of login page and then send it to client side and at client mix this salt with user password before posting form. after post again mix the password(fetched from database) with same random string and match both password to authenticate.
One more question, at the time of registration of a new user, where should originally user entered password convert in md5 at client side or server side if at server side then password should post to server as it is means original password.(like "MyPassword")
Firstly you should be aware that SHA1 is now industry standard, but it's still fine to use Md5 for most things.
Secondly to stop plain text transmitting over the public network, use an HTTPS connection (you may need to purchase a certificate from a recognised vendor).
Also if this is for a user system, consider using ASP.net's membership system. It does this all for you and has been extensively reviewed.
The basic flow of what you describe anyway would be:
User enters password
Server generates random salt
Hashed password = md5(salt + raw password)
Store hashed password and salt along side username, dispose of raw
When user logs in, find the associated salt with the username login is being attempted for.
Is password valid = does md5(salt + entered password) = store hash?
If they do, login
Once they have logged in, it might be a good idea also to regenerate a new salt and hash. Also the md5() should be applied to the password thousands of times before storing to make a dictionary attack uneconomical.
There are plenty of resources out there that go into this in more detail.
Good luck!
i forgot my drupal user id and password. Is there any way to recover it
http://example.com/<path-to-drupal>/user/password should bring you to a page where you can request a reset/new-password.
Edit:
The above path applies if you have 'clean URLs' enabled, if not use http://example.com/<path-to-drupal>/?q=user/password
This solution is valid for Drupal 5 or 6 but not for Drupal 7. This version does not use a standard hashed password. You can get your encoded password running the following command:
php /path_to_drupal_files/scripts/password-hash.sh your_password
Then you can see your password hash. This is the string that you should use in the database to update the admin password. You can use the following SQL query to update the Drupal database.
UPDATE users SET pass='YOUR_PASSWORD_HASH' where uid=1;
If you don't have access to the email (or want to bulk-update the passwords) you can update the database with a query like:
UPDATE users SET pass = md5('NEWPASSWORD') WHERE name = 'admin'