I'm trying to check the roles for the current user in a controller method, and using the traditional springSecurityService.principal as well as springSecurityService.currentUser both yield null, springSecurityService is not null.
I've verified that the users have logged in, one thing might be that this call is made by the DataTables library in an Ajax call.
Oof, this answer is a little embarrassing. I was adding the datatables code a couple months ago and didn't want to try to troubleshoot issues with authentication until later, so I added the URL for the ajax call to the chainMap with no filters.
Of course I forgot completely about this and was puzzled as to why the currentUser was null. Once I removed the ajax call from the chainMap, it was there.
A gentle reminder that you should comment around configuration that is intended to be temporary, and check back once you are finished implementing a feature that all of your kludges are gone!
Related
I am attempting to create dual authentication using firebase and devise for ruby on rails. I already have the devise session controller extended and I am accessing firebase. It is based on whitelisted locations. (Probably not very secure but its mostly for a fun proof of concept project.) I want to get the username/email from the devise login page so i can find that user in the firebase database to look for the params associated with that name. I have already tried to look through documentation but i might have missed something.
If anyone could tell me how to grab the username in the deviseSessions_controller. I would be grateful.
Thank you ahead of time.
It turns out that its accesable through params. Didn't realize this earlier.
params[:user][:email] got me my email.
I use restful_authentication plugin in rails 2.3.5. application.
In this application, I want to permit to login with a single session for a single account at the same time.
In other words, I don't want the users to login with single account using several computers.
Does the restful_authentication plugin support this function?
If not, how can I realize this function?
Please give me some advise.
Thank you very much in advance.
Out of the box, no. You could track the session ID in a table with the user ID and then check that the same session ID is being used. However, this is clunky and you're going to cause problems for the user when he forgets to log out. You'll need to implement some kind of timeout for the sessions as well, so that you don't end up with sessions locking a user out forever.
The alternative would be to switch to authlogic. It also does not support this out of the box, but it should be easier to implement. One likely solution has been posted here. I haven't tested what was written there, but the approach looks a lot like what I would attempt to do in this situation.
Having used both restful_authentication and authlogic in many apps, authlogic wins hands-down. There's also Devise, which many people have had success with. (I'm not one of them, but maybe my needs didn't align with what this gem was offering.) You should definitely explore Devise and authlogic before hacking something into your existing setup, because the more modular designs of the newer gems should yield cleaner code when it's over.
Also: Update your Rails to the latest 2.3.*. There have been many security fixes since 2.3.5.
I am using spring security in grails and need authenticate (a) customer in my Customer class and I don't want use Role class or such a thing just want use authentication and annotation.
My customer just log in and with the log in must be authenticated.
Any body have done that ?
How I can write my own provider calss for authentication a customer?
I need some code to see how it's working
Thanks
The Spring Security Core plugin has to be the single best documented plugin available for Grails. Check out Peter's tutorials here. The two videos and code samples on that page should be more than enough to get you going.
If after watching Peter's videos you are still not satisfied take a look at the official Spring Security Core docs here. Section 5.4 covers what you want to know.
In short, if you want to use annotations in each controller and don't care about the user's role then the following code will make sure they are logged in. Placing this at the top of the controller you are worried about will make it so all actions in that controller require a user to be logged in.
import grails.plugins.springsecurity.Secured
#Secured(['IS_AUTHENTICATED_FULLY'])
I have a Rails 3.0 project using devise and I've been requested to register in DB every succesful login and every failed attempt.
From the devise documentation I think I'd have to extend FailureApp but the examples are just redirecting users and not using the model at all. In stackoverflow I've just found this question but it remained unanswered, which is not encouraging
Can anyone tell me if I'm correct in this approach or it can't be done this way, or if there is some easier alternative I'm missing?
(I know there is no code yet, I'm just looking for a small guidance before diving in)
Thanks.
Spent a little bit of time looking into this myself and figured someone else might find this useful.
The create action in the devise controller calls warden.authenticate!, which attempts to authenticate the user with the supplied params. If authentication fails then authenticate! will call the devise failure app, which then runs the SessionsController#new action. Note, any filters you have for the create action will not run if authentication fails.
So the solution is to add a filter after the new action which checks the contents of env["warden.options"] and takes the appropriate action.
e.g.
def instrument_failed_login
instrument "failed_login.staff" if failed_login?
end
def failed_login?
(options = env["warden.options"]) && options[:action] == "unauthenticated"
end
An alternative and more maintainable way of adding logging around Devise authentication is to use the Warden Callbacks in an initializer. This is preferable because it uses the Warden API's designed for this and doesn't involve copy/pasting controller code.
Warden::Manager.before_failure do |env, opts|
logger.error("opts[:scope] authentication failure: #{opts[:message]}")
end
You can do the same with Warden::Manager#after_authentication and Warden::Manager#before_logout.
Modifying Devise::SessionsController to do your dirty work will do the trick.
Simply copy that file into your app/controllers/devise/sessions_controller.rb
Once you've done that, just add some code to where the user successfully logs in and where he fails to log in that will do what you want.
You'll probably want to create a new model for tracking login records.
I want to log the user activity through my Rails 2.3.8 application. I don't care what the activity is, just the last time any given user did anything on the site, including viewing pages, commenting, logging in, etc.
One method that I can think of is creating at last_active DateTime attribute in the user model and constantly updating this attribute based on a user's activity (or possibly taking advantage of the updated_at column). I could put an after_filter on every action of every controller to call an update method, but this seems hacky and excessive. There must be a better way. Would an observer work? If so - how? Is there something built-in to Rails that I'm missing here?
Thanks!
Put your after_filter on the ApplicationController. You can turn it off in other controllers with skip_after_filter as needed.