dbcp2 basic datasource is being used for one of our java applications and database password is set by calling this setter
setPassword(final String password)
passwords are stored in AWS secrete manager, and now there is a password rotation logic build for the database, so now whenever a password is rotated my application fails to authenticate DB, I need to redeploy my application bypassing the new password.
I can read the latest password within the application but I don't see any callback APIs to refresh the password after expiry in dbcp.
Is there any option in DBCP to refresh the password without redeploying the application?
Related
I have an MVC 4 web application that requires user to login. Most of the users don't have email accounts. If someone forgot his password, how do I reset it? All the reset password systems I find require some sort of email account. I just want something simple, such as reset it to a default password, and the user can change his password once he logon using that default password. The problem is the password is encrypted in SQL Server. I can't find a tool that encrypt password.
First off the most widely used authentication implementations go to considerable lengths to prevent user credentials being stored in a reversible (i.e. plane text, or something that could be encrypted) format. Instead you should hash & salt plane text credentials and compare with a stored value.
Next to securely reset a users credentials you need to authenticate them through some other means, this is as you mention most commonly achieved through email, but if this isn't possible you should look at other out-of-band methods of authentication, perhaps send the user a SMS with a one time code, or make them answer a series of security questions. Once you have validated the users identity, force them to set a new password and override your stored hash for the user.
I'm well aware that passwords should be hashed and then saved to the database. But in my situation, I need to get the User's Username and Password in order to activate their accounts on my Linux VPS.
Depending on which server they subscribe on, they'll be reactivated on a monthly basis, so I'll need access to user passwords at all times (not just when they register).
Is there a way to store the passwords in the database unhashed or would that be too risky?
In my iOS app I have my user authenticate against our Domino server and store the username and password. I have some web pages that I want the user to see and am loading them in a UIWebView. However, every time I try to go to the page I am being challenged for authentication. I think I need to send a post to the server with my username and password but I am not sure how to do that?
I've never done that with iOS, so take this with a grain of salt, but I think there are generally two ways to do it:
You can likely pass the UN/password combination along as HTTP Basic authentication in each request. I believe it's the case that Domino will honor those credentials even when session auth is enabled.
If you're using session auth, you can do what you intimate: POST to a Domino URL containing the ?Login command (typically, "/names.nsf?Login" is a good choice) with Username and Password parameters (along the lines of How can I login to Domino via Ajax? ). The resultant value of a successful login will contain an authentication token cookie (typically DomAuthSessId or LtpaToken, depending on whether or not you're using SSO). By including that in the Cookie header in future requests, you should be able to continue the login.
I have an application that uses Spring Security LDAP for User authentication.
What I'm trying to do is build a feature that requires the User to provide their password again for validation of credentials before performing an important process.
The user is already signed in, so I wouldn't want to kick the user out by killing their current session.
This sounds like it could be a tricky requirement to fill. I have one somewhat outside the box solution that could meet the requirement:
Create a sister Grails application that uses the same Grails/Spring Security/LDAP structure as your primary app.
Expose a /verifyLdapCredentials Service in the sister application to accept the user's LDAP credentials
Authenticate against LDAP
Sends a success/failure response back to the primary application
Unauthenticate from the sister application immediately to prepare for the next request
I ended up creating a separate service and controller to make a simple LDAP auth and lookup.
The service would login with the Spring config settings, then apply the username and supplied password and validate CN result.
I have an ASP.NET MVC web app which requires the user to login with their domain username and password by validating against ActiveDirectoryMembershipProvider.
On login I use ValidateUser(username, password) to validate the user's credentials, and I then set the forms auth cookie so that in future requests the user is not asked to enter their username and password again
FormsAuthentication.SetAuthCookie(m.Username, true);
This is fine, but I need to periodically re-validate the user to make sure their domain password has not changed, and I don't want them to have to enter their credentials again.
One way of doing this would just be to store the user's password in plain text in the session object, or perhaps encrypting it then later decrypting it. Then I could call ValidateUser once more, and log the user out if necessary.
In other web apps where I've rolled my own auth I would simply store a hash of the user's password and compare that to the hash stored in the database.
There doesn't appear to be a single method on ActiveDirectoryMembershipProvider which would let me do that.
What is the logical thing to do here?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the users credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie