Logout doesn't work with DIGEST authentication - orbeon

I have installed Orbeon Forms 2018.2.201901010020 CE in Tomcat-8.5.37 and tried to use the new logout button of the user menu - the login worked already in previous orbeon releases.
Specifying FORM as the authentication method in the login section of the web.xml, all works smoothly.
But with FORM authentication one has to save the passwords in clear text, which is something to avoid.
So I tried DIGEST as the authentication method, which permits saving encrypted passwords.
The login works and the user menu reports the logged-in user.
But the logout doesn't invalidate the session. Instead of showing the orbeon logout page, the form runner home page is shown and in the user menu the user is still displayed as logged in.
And clicking the logout button once more, all remains the same: the form runner home page is displayed with the user already logged in.
In the properties-local.xml I inserted the properties for the user menu and for the container authentication:
<property
    as="xs:boolean"
    name="oxf.fr.authentication.user-menu.enable"
    value="true"/>
<property
    as="xs:string"
    name="oxf.fr.authentication.method"
    value="container"
    />
The users and roles are defined in tomcat_users.xml.
In the web.xml I changed the url-pattern in the security constraint for the form runner from <url-pattern>/fr/auth</url-pattern> to <url-pattern>/fr/*</url-pattern>, so Tomcat asks for authentication on all fr pages:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Form Runner</web-resource-name>
        <!-- <url-pattern>/fr/auth</url-pattern> original -->
        <url-pattern>/fr/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>orbeon-user</role-name>
    </auth-constraint>
</security-constraint>
For the DIGEST authentication I used DIGEST in the login-config of the web.xml and added the CredentialHandler in the realm in the server.xml.
<login-config>
    <auth-method>FORM</auth-method>
    <!-- <auth-method>DIGEST</auth-method> -->
    <form-login-config>
        <form-login-page>/fr/login</form-login-page>
        <form-error-page>/fr/login-error</form-error-page>
    </form-login-config>
</login-config>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
    <!-- <CredentialHandler
        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
        algorithm="md5" saltLength="0" iterations="1" /> -->
</Realm>
In the tests I first opened the page http://localhost/8080/orbeon/home/ . This isn't an fr page, so it will be displayed without asking for a password.
Then I chose the bookshelf application. This is an fr page, so a page for the authentication pops up.
With the FORM authentication the orbeon login page is displayed:
With the DIGEST authentication a tomcat login page is displayed:
In both cases, after a successful login the bookshelf summary page is displayed and the user menu shows the logged in user.
In the DIGEST authentication after clicking the logout button the next page displayed is the form runner home page instead of the orbeon logout page. The user remains logged in and the username is displayed in the user menu.
Clicking the logout button once more, all remains the same: the form runner home page is displayed with the user already logged in:
Below are the links to the two Orbeon logs:
orbeon.log for the FORM authentication
orbeon.log for the DIGEST authentication
NB. In the Orbeon DIGEST log I saw broken pipe errors; in the Orbeon FORM log I didn't see these errors.
What do I have to change so that the logout also works with the DIGEST authentication?
Many thanks for any advice

In short, what I would recommend:
Don't use DIGEST in web.xml. Use FORM. Most web apps use some kind of form-based authentication.
Make sure to use HTTPS, not plain HTTP.
Make sure to use a security realm which does not store passwords in clear in the database. This is independent from whether you are using form-based authentication or not.
With BASIC auth, it is not possible to log out easily. The same might be the case with DIGEST. I am not sure that's a problem worth solving.
See also HTTP Basic auth password storage more secure than Digest auth. My understanding is that DIGEST is out of date and less secure than properly done form-based auth over HTTPS with proper digesting of passwords in your database.
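The answer's three recommendations (FORM login, HTTPS only, no clear-text passwords in the realm) applied to the Tomcat 8.5 files from the question, as an added example that is not part of the original thread or the Orbeon project. The role name, login pages and realm class come from the question; the hash algorithm, salt length, iteration count and the user entry are assumptions.

```xml
<!-- web.xml: FORM login; CONFIDENTIAL makes Tomcat redirect every /fr/* request to HTTPS -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Form Runner</web-resource-name>
        <url-pattern>/fr/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>orbeon-user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/fr/login</form-login-page>
        <form-error-page>/fr/login-error</form-error-page>
    </form-login-config>
</login-config>

<!-- server.xml: the realm compares salted, iterated SHA-256 hashes instead of clear text.
     The weak handler from the question (unsalted, single-iteration md5) is kept commented out
     for comparison. A salted, iterated hash like this cannot be used with DIGEST auth, which
     needs the plain md5 of username:realm:password; this is one more reason to stay with FORM. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
    <!-- <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                            algorithm="md5" saltLength="0" iterations="1" /> -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256" saltLength="16" iterations="100000" />
</Realm>

<!-- tomcat-users.xml: store the value printed by
       bin/digest.sh -a SHA-256 -s 16 -i 100000 <password>
     The stored form is salt$iterations$hash; the value below is a placeholder, not a real hash. -->
<role rolename="orbeon-user"/>
<user username="jdoe" password="SALT_HEX$100000$HASH_HEX" roles="orbeon-user"/>
```

The same CredentialHandler settings (algorithm, saltLength, iterations) must be passed to digest.sh, otherwise the stored hash will never match at login.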

Related

MODx Evolution Weblogin: Redirect to requested page once logged in

I am sending out a newsletter and I will have links that go to secured pages. How do I set up WebLogin to redirect to the originally requested page once the user has logged in?
This is the behavior that I want:
Enter the URL www.mysite.com/protectedpage
Redirected to login page.
Successful login.
Redirected back to www.mysite.com/protectedpage
Using
MODx Evolution 1.0.14
WebLogin 1.1
PHP Version 5.3.6
Apache 2.0
MySQL 5.1.46
Any help appreciated. Thanks.
Being an Evolution extra, the documentation is extremely light; however, the source code suggests that WebLogin will take note of $_REQUEST["refurl"] (see git), which looks like it supports both resource alias and resource id.
Try adding a hidden form element to your login page with the id of your protected resource.
<input type="hidden" name="refurl" value="PROTECTED_PAGE_ID" />

redirect to https if user is logged in or display http otherwise using spring security plugin

I have a search controller which lists search results for users. For anonymous users (not logged in) I want to display the page as http.
For logged in users (authenticated) I want to display the page as https. The reason is that authenticated users will see an additional link in their search results. The link pops up a modal dialog form that needs to send a secure form.
I'm using grails 2.2 and spring security plugin 2.0. I haven't found anything in the spring security config files. It looks like a page can be https or http, but not rendered either way depending on some condition.
I prefer not to do all https for performance reasons. How could I do this, with some type of filter?

Spring 3.1: Handling session timeout

I have an application that is wired with Spring 3.1 authentication. I have some pages which make AJAX requests to show some information on the dialog. Now, if the user's session has timed out, Spring redirects to the login page. I don't want an AJAX based login page. I would like the user to be navigated to the login page entirely, by canceling the current operation. Once the user logs in, navigate the user back to the last page where he was (from where the AJAX request was made).
The redirection stuff works fine if the request is made from a page.
The class which performs the redirect to the login page is the LoginUrlAuthenticationEntryPoint. I would write a customized AuthenticationEntryPoint implementation which detects the Ajax request (for example, by looking at the Accept header), and sends an error code instead of performing a redirect.
You'll still have to detect this on the client side though. There's not much Spring Security can do there, but you should be able to reload the current page from Javascript, which will force a login, followed by a redirect to the original page (default Spring Security behaviour).

Spring Security 3 with a login form for some URLs and an error page for others

I'm using Spring Security 3 to protect access to a Spring-based Java Web application. The security mechanism is all configured through a standard Spring Security bean definition file, using the "security" schema. By default the user can access any URL and those that require a login are listed in the “http” element of the Spring configuration file. The system is configured so that a user who has not performed a login will be redirected to a login form before they can access such a URL.
The problem that I have is that certain URLs in the system are intended for programmatic access and return XML rather than HTML. For such URLs I need to be able to return a “user not logged in” XML instead of forcing a redirect to a login form. How can I reconfigure my “http” element (and its associated elements in the configuration file) to allow me to have one set of controlled URLs that will redirect to a login form when the user isn't logged in and another set that will return an error?
Cheers, Adam.
Maybe an authentication filter helps you. Inside the doFilter() method of Spring's AbstractAuthenticationProcessingFilter you could check whether an XML file is requested. If yes, you interrupt the chain and return an error XML file if there's no active user session. See here for more details:
http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html

Session issue when cookies are disabled in asp.net mvc

Whenever cookies are disabled in my browser and I then try to log in on the login page, it is unable to create a session and so unable to log in to the system. Then I changed the cookie setting to
<sessionState cookieless="true" timeout="20" />
in my web.config and tried to log in again: the Post action of the login function is not called, and whenever I input username and password and submit, it calls the simple login action instead of the Post one. What is the issue?
You shouldn't confuse session with authentication. If you are using Forms Authentication a separate cookie will be used to track authenticated users. Here's a good article explaining how to enable cookieless forms authentication. You could set the cookieless attribute on the <forms> element.
Quote:
"I'm not using form authentication; instead I have built my own login mechanism. I just want to log in the user whenever cookies are disabled in the user's browser"
End Quote
That's the problem with rolling your own login: you lose all the benefits of using Membership Providers. You should cast your "own login mechanism" into a custom membership provider so that you can benefit from what ASP.NET provides out of the box.
Writing a custom membership provider is not difficult, and there are loads of articles, samples and blogs on the subject.
4guysfromrolla.com, for example, has a series of articles dedicated to the ASP.NET membership provider.