Spring Security - Programmatic login without a password - spring-mvc

I am trying to perform an automatic login when the user clicks a link in their email with Spring Security.
I have seen a lot of examples to perform a programmatic login like the following:
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
try {
Authentication auth = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(auth);
repository.saveContext(SecurityContextHolder.getContext(), request, response);
rememberMeServices.loginSuccess(request, response, auth);
....
The problem I see is that I do not have the original password so I can't create a UsernamePasswordAuthenticationToken. Any other way to login the user if I do not have the plain text password (I have the one that is encoded)?
Thanks in advance.

Be careful that you know what you are doing in terms of allowing login from a link within an email. SMTP is not a secure protocol and so it is typically bad to rely on someone having an email as a form of authentication.
You do not need to use the AuthenticationManager if you already know they are authenticated. Instead you can just set the Authentication directly as shown below:
Authentication authentication = new UsernamePasswordAuthenticationToken(user, null,
AuthorityUtils.createAuthorityList("ROLE_USER"));
SecurityContextHolder.getContext().setAuthentication(authentication);
If you want a complete example, you can refer to the SignupController in the secure mail application that was the basis for Getting Started with Spring Security 3.1 (InfoQ video of presentation).

Related

Adding more claims to JWT obtained externally (ASP NET)

So at work I was given the task of designing a database API, now security assessment has stated that the system must use Authentication and Authorization.
On top of that Authentication Happens through their NetScalar that forces the user to login with company credentials and in turn gives the user a token. This token will then be sent to my API in the header of each request.
Now here comes the issue. The token only contains a username, I however want to do a
[Authorize(Roles = "Admin")]
Check on my controllers. Now as the user has already been authenticated with his password and username I know that he has is a valid user however I would like to assign a role to him.
Now I'm open for suggestions on how to do this but the simplest way of fixing this that I could think of was to at each request query my DB for the users role and add it to the token claims.
However I don't know how to do this and also I have no idea if this is a good solution.
I would appreciate any help with adding the claims (in code) or other solution (also code would be much appreciated).
Thank you!

Symfony / Login by GET/POST request

Is it possible to login by sending GET/POST request?
I'm trying to login from mobile app. So I want to somehow post username and password to php.
This is how I have it right now:
http://symfony.com/doc/current/security/form_login_setup.html
EDIT:
I tought this could help, but it is logging in without password or with wrong password, so I think it's not what I need?
$token = new UsernamePasswordToken($user, 'password', 'main', $user->getRoles());
$this->get('security.token_storage')->setToken($token);
Thanks
You are very close to the solution, you'll need to dispatch an InteractiveLoginEvent event to authenticate programmatically. See:
symfony2 programmatically authenticate user
How to programmatically login/authenticate a user?
I think the best options are:
Use basic http authentication. By passing the user credentials to http header formated as base64.
Perform a post to auth and return a token on success then use this token to perform actions. In that case is recommended on each action to renew the token and keep token related info in the database such as: ip, time, user_id, and infomation that if the token is used or not.

How to set up two-factor authentication with ASP.net Identity 2.0?

So I must be missing something super simple or I'm not fully understanding how two-factor authentication is supposed to work for ASP.net Identity 2.0.
My understanding is that two-factor authentication is supposed to work like GoDaddy or Google; when you attempt to log in from a computer without a valid second factor cookie, an email or SMS is sent with an auth code and you are presented with a second form to enter your auth code in order to complete the sign in process.
All of the code appears to be present in a new MVC 5 project, except I had to implement the SendAsync function for the Email Service:
public class EmailService : IIdentityMessageService
{
public Task SendAsync(IdentityMessage message)
{
// Plug in your email service here to send an email.
SmtpClient smtpClient = new SmtpClient("127.0.0.1", 25);
MailMessage mail = new MailMessage("sender#domain.com", message.Destination, message.Subject, message.Body);
smtpClient.Send(mail);
return Task.FromResult(0);
}
}
However, when I log in, no email is sent and no auth code form is displayed.
I went in to the Manage View (Views => Manage => Index) and uncommented the TwoFactor section. I logged back in, went to the manage screen, and enabled two-factor authentication for the account, but it didn't make a bit of difference.
Thoughts on what am I missing?
Edit
Ok, so it appears the crux of my problem may be related to registration confirmation. The two factor authentication only appears to work when the email has been confirmed. Otherwise the code does not send. So you either need to enable the email confirmation in the Registration, or set EmailConfirmed = true when you register the user.
The issue was that the email has to be marked as confirmed for two-factor authentication to work.

Authentication in Symfony2 without being able to read the password

I'm writing my first Symfony2 app after a few years with Symfony and am having trouble converting our user management code. It seems that to fit in with Symfony2's authentication model I have to provide user details including their (encrypted) passwords. We authenticate via a webservice that takes the username and password and responds with a confirmation and user level (user, admin etc), but it never sends the real password back to us.
What I want to do is accept the login details from a form, confirm they are valid and then set the user's roles according to the webservice's response. Where do I start?
You need to use a custom authentication provider to authenticate against your webservice. It is explained quite clearly in this blog post
You can create an user provider and its loadUserByName you can call the webservice. If success return the new UserInterface object with the password of the form empty salt string and the roles returned by the service. Also set encoder of the UserInterface to plaintext in security.yml. And then set the new created user provider in form_login auth provider in the firewall.

Login modes other than forms authentication is ASP.NET

Am trying to design login page for my website and I am looking for methods other than forms authentication. The way in which I am trying is to have a table in the database that stores user information and check for the user validity.
The point where I get struck is how do i set cookies and session variables and how will I carry it through out the system. Can anyone tell/suggest me where I can relevant material so as to move forward. And also is my idea of negating traditional forms authentication and going for a model I described, is it good also does any other better method exist?
You can do this even with forms authentication itself...
For Forms Authentication to work, you need not have to use the Complete Database Setup that MS uses to Authenticate. You can simply have your own Database and Validate a user yourself, and just set the cookie.
String UserName = "CoolGuy";
String PassWord = "Pwd"
Boolean isValidUser = YourClass.YourMethod(UserName, PassWord);
if (isValidUser)
{ FormsAuthentication.setAuthCookie(UserName, false); }
This will authenticate the user "CoolGuy" for the session, provided YourMethod returns true. And you need to put this code only in Login Page... and the user will automatically be authenticated for the entire session or whatever...
Please see my response to another similar question here... ASP.NET access controls

Resources