I am using freeradius for authentication and authorization of PPPoE clients on Mikrotik server against MySQL server. I want to add capability to auth access to Mikrotik console but I need different SQL query for authorize check. Is is possible to do it? Additionally I don't need any accounting in that case.
I tried this condition in authorize section
if ( "%{Service-Type}" == "Login-User") {
It works as excepted but I don't know what to make different SQL query.
Related
The situation:
We have a rails application, which runs on 12 different servers (different sets of customers). User credentials are stored in the database of each server. We use Devise for auth.
We have an Android app that, when logging in, you have to select the correct server to connect to.
Requirements:
A centralised login page so users don't need to know which server/url to log in to. This is for the web and android. The user should either:
a) Type their username/email, and be forwarded to the correct server to login.
b) Type their username/email AND password, and be forwarded and logged in to the correct server.
Current Ideas:
Create a NoSQL db table with a list of usernames/emails with the server they need to log in to, the login page can grab the server and forward you on.
Use something like Auth0 to manage user data - however unsure how this would work with our current User credential tables spread across multiple servers.
This is not something I have a huge amount of knowledge on, and looking for criticism of the above ideas/better approaches.
I have implemented spring security with a restful API using spring boot and everything work perfectly.
I wan't to prevent multiple login with the same username and password from the same client. how can I do that ?
The only approach that I can think of is to identify the clients by their IP and then only allow one login per client. Here‘s a tutorial on how to block accounts after several login failed attempts from the same IP / client.
http://www.baeldung.com/spring-security-block-brute-force-authentication-attempts
Maybe it could give you an idea on how to solve your problem.
Please be aware that there are some problems coming with this, like dynamic IP addresses (the user gets a new IP address after disconnecting) and if more than one user uses the same proxy and therefore all of them have the same IP address.
Based on the EntityFramework and CustomUserService samples, I'm trying to authenticate users against a separate user database.
In the factory, I'm registering the service like this:
factory.UserService = new Registration<IUserService>(resolver => new CustomUserService());
However, if I want to use multiple user databases, how can I inject the repository or the connection string that I want to use?
The goal is have different clients getting authorization to use resources (like API) from the same authorization server, but point to different user repository. So, identity server would use a database where clients, scopes, redirect URIs, etxc, would be set. But to authenticate a user, I would like to use different database, depending on the client.
Is there any way of doing this?
Thanks
We had a very similar problem and solved it by using the tenant on the acr_values i.e. on the call to /connect/token, we passed in the following in addition to username, password etc:
acr_values=tenant:YourTenantString
YourTenantString will identify the database environment and from there, inside your user service you can extract it via:
var dbid = context.SignInMessage.Tenant;
from dbid we are able to get the connection string from config
I'm rather new with Rails and I decided to bust my own authentication system that checks for 3 variable constants: IP address, Rails session ID and HTTP client. The way I am getting those are:
ip_address = request.env['action_dispatch.remote_ip'].to_s
session_id = request.env['action_dispatch.request.unsigned_session_cookie']['session_id'].to_s
http_client = request.env['HTTP_USER_AGENT'].to_s
Basically, since this is for personal use (for my blog) only, all I want is a single user access at a time.
My question is besides the 'HTTP_USER_AGENT', how can one fake those pieces of information from my web app? Is it possible to send a different IP address and session ID to Rails? Just theoretically. I'd like a glimpse of what's possible here...
Thanks.
Anything that the browser sends can be forged from another browser to impersonate what your own browser is sending.
The only exception here is the remote IP address. That one is extracted from the connection by the web server and cannot be easily forged.
So using your authentication mechanism you might as well forget the session ID and user agent. Both are vulnerable to replay attacks.
So basically your method of protection then becomes IP address protection. That's fine for some simple personal pages, but if you store sensitive information on those pages you might want to think about using something more secure.
You can read the Rails Security Guide to get a better understanding of which attacks are possible and some basic security principles with Rails.
My team are coding a web app, which include a server and a client, I think it's obviously not advisable to send user's uid and password to server every request from client.
I am looking for a good choice to deal with this, maybe something like Oauth, is there any efficient approach?
For example, a user with username lyj and password 123456 request login from my client app, the server should check if it is permissible, after login success, the client can send more request to get other resource from server.
My problem is that, except userid and password, is there a way between server and client to make sure who is this guy, is there any suggest to transmit a access token between server and client?
Without much information on your platform and technologies I can only attempt a generic answer. There are several ways in which you can generate a token depending on how you want to use it. MD5 is a well established algorithm and you can use it to generate a oth token using something like username and email etc. Remember that you cannot decrypt MD5 string. So to do any kind of verification you will have to recreate the string using original parameters and then perform a check. If you want a hash that you can reverse you can look at something like base-64.
Both MD6 and base-64 are easily available as libraries in any back end you may be using.
* UPDATE
Looking at your comments that you are working with a stateless client, here is a possible approach to using tokens.
Client performs login for first time. (preferably HTTPS)
Server performs validation and generates a token using MD5(or any other of your choice) using (username+email+ip_address+time_stamp) and sends it back to client
Server creates a new session for this client in the table in the database using userID , ip_address and, time_stamp
Client passes this token back for any future requests.
When client passes the token , server retrieves the session from the database and generates the MD5 hash and compares it with the token client sent. If its the same you are good.
You can also use the time-stamp value a validity window for your tokens so they are not valid forever. Also its impossible to recreate this token unless someone can create the same MD5 hash at the same time down to milliseconds
Modern web application containers have embedded the session tracking functionality. Of course there is always the choice of cookies. Its up to you what to implement...