I have a process of Authentication which contain an instantiation form and a task connected to a web service which search for the username and tha password in the database and return 1 if it's exist and 0 if not.
as you can see in the picture I could do this :
if it's return 1 we pass to the step1 else we end the process
what I want is if the web Service return 0 the process should be restarted automatically and come back to to the instantiation form !!
In order to access to Bonita Portal (and so to access Bonita forms) and Bonita Engine APIs a user need to be authenticated.
Default authentication mechanism use Bonita users database to check username and password.
Maybe tuning the default Bonita authentication configuration might answer your needs. Authentication process is fully documented in Bonita official documentation.
Related
I have writen my own session based authentication. In Global.asax I have added this function that takes enviroment username and check if it exist in database:
Protected Sub Session_Start(sender As Object, e As EventArgs)
Dim userData As UserLogin = _
New UserLogin(Convert.ToString(Environment.UserName))
If userData.IsValid Then
Authentication.SaveUserToSession(userData)
End If
End Sub
And this is how i save userstate to session in authentication class:
Public Shared Sub SaveUserToSession(user As UserLogin)
HttpContext.Current.Session("Username") = user.Username
HttpContext.Current.Session("isValid") = user.IsValid
HttpContext.Current.Session("isAdmin") = user.IsAdmin
HttpContext.Current.Session("ID") = user.Id
End Sub
When I display in view:
<ul >
<li>Welcome #HttpContext.Current.Session("Username")</li>
</ul>
Everyone sees the same username. Why is this happening?
System.Environment.UserName returns the identity under which the application pool that hosts your web site is running.
So in your case this is always your account.
So depending on the security method you have implemented you have to use the appropriate way to retrieve the currently logged on user name.
If you want to create an intranet web site that authenticates users logged into a Windows domain you can use ASP.NET Identity with Windows Authentication. You have to change authentication to Windows Authentication:
Normally, when you access Environment.UserName the get the name of the user owning the executing process and in ASP.NET this user is a service account (and not the user sending the request from a web browser). However, when you use Windows Authentication this behavior changes and you can now use Environment.UserName to get the name of the remote user. Obviously, this only works on an intranet with a Windows domain.
Really, you should not use Environment.UserName in an ASP.NET application because it changes behavior based on the authentication used. Instead you can inspect the User property which is available in both the controller and view in ASP.NET applications based on the newest versions of the framework and it will give you information about the remote user if he or she is logged in.
As per the MSDN documentation Environment.UserName "Gets the user name of the person who is currently logged on to the Windows operating system.".
So it's no use to you for getting the user that's logging into your website, and because you're always the user who is logged into the OS everyone will always get your data.
I'm working on a Grails application and want to integrate with a custom single-sign-on service (not CAS, but similar). I'm struggling to find all the pieces that I need to customize to make this happen. Can someone explain to me a general outline as to what I need to use to accomplish this? I've read the documentation on the plugin, but it assumes I know which beans to override and where to put all the needed files.
I've block-quoted what I think needs to be done based on my research below each point.
Order of Operations
1- The user requests secure content (everything is secure in the application for now)
I believe this setting is in the Config.groovy file:
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/**':['ROLE_ADMIN']
]
2- Spring Security checks to see if the user has a specific value set in a cookie provided by the authentication service
I'm guessing I need to create an authentication filter, but I don't know where to put it or what it should look like.
If they don't, the user is redirected to this custom SSO service, they login, once authenticated, the user is redirected back to my application (with a new cookie set)
3- Spring security checks for the cookie value and validates it against the custom service (via HTTP POST)
From some research, I think that I need to use PreAuthenticatedProcessingFilter, but I haven't been able to find any examples of how to do this.
4- The custom service returns a series of name/value pairs, a user then needs to be created in the local application database (or the timestamp of "lastLoggedIn" is updated if they user's data is already in the database)
I believe this is done in the same PreAuthenticatedProcessingFilter as number 3 or in a GrailsUserDetailsService
5- The user's authentication is cached in the session for a period of time (6-8 hours) so that re-validation against the SSO service doesn't need to occur every time the user requests a new resource.
I'm not sure if this is something that's done inherently or if I need to add code to do this (and also set the session timeout)
I have a requirement to implement user privilege elevation in an MVC3 web app, for both Forms and Windows authentication, but this question is critical for Windows auth. This is for a higher privileged user to give assistance to a lower privileged user, e.g. when a clerical user is performing a task and requires an admin user to do a task before the clerical user can continue, the admin user should be able to elevate the same session to their privilege level, perform the admin task, and restore the lower privilege to the session. I don't see a way here without the clerical user logging off and the admin user logging on, given that we want to achieve this on the desktop of the clerical user alone. Maybe user switching is tidier than a whole new session, but I would very much like a "run as" equivalent for Windows authenticated web apps.
Is this even possible, and if so, how can I achieve this? I have no idea where to even begin looking.
Allow the "power user" to temporary set a specific role for other users and for example setting also an expiration of the role with a DateTime.
You could put an anchor somewhere on your site:
#Html.ActionLink("elevate to admin", "SwitchToAdmin", "Home")
and then have a controller action which will allow for inputting the administrator credentials:
public ActionResult SwitchToAdmin()
{
// TODO: Adjust the role name that your administrators will have
if (!User.IsInRole(#"DOMAIN\Administrators"))
{
// The user is not currently an admin => popup a Logon box
// so that the administrator could authenticate himself
return new HttpUnauthorizedResult();
}
else
{
// After inputting the correct username and password for the
// admin, we can now redirect to the home action and start performing
// the admin tasks
return RedirectToAction("index", "home");
}
}
The revert process will be the inverse. You could have a link which will call a controller action that will throw 401 if the user is an admin allowing for the normal user to enter his username and password.
In order to use Windows authentication to do this I think you will need:
The run as command
A shortcut on the user's desktop to start the other logon
Either a batch script to prompt for the user's logon information or a separate desktop program to gather the information (the shortcut points to whichever of these you choose)
once the information for the run as commandline is ready you could either start a browser or perhaps a custom program with an embedded browser.
An advantage of the program with embedded browser approach is that it can have extra security precautions such as forcibly closing itself after a timeout.
Anyway that's one possible solution. You might also try to come up with a less complicated way to solve the business need. Perhaps a remote desktop session for the admin?
The equivalent of the run as command is using user impersonation. That is running the commands that requires higher privileges as another user.
It should work as follows:
1) User try to access privileged resources. The webapp detect this either because it has a kind of table of all task reuiring higher privileges, or by intercepting the security exception it gets trying to perform the operation.
2)When this is detected you throw a "RequiresPrivilegesElevationException"(an exception you have to define). This exception i catched by the controller, that now knows it must prompt the user for higher privileges
3) the controller prompt the user for the admin (or higher privileges user password)
4) when the user send the credentilas (via https) credentials are used to create an impersonation context, and all operations are done within this impersonation context.
The drawback of thos approach is that the credentials and the privilege elevetion last for just one trip to the server...for any other request the user is forced to re insert the credentials. THERE IS NO SAFE WAY TO AVOID THIS due to security browser limitations
I'm using Spring Security 3 to protect access to a Spring-based Java Web application. The security mechanism is all configured through a standard Spring Security bean definition file, using the "security" schema. By default the user can access any URL and those that require a login are listed in the “http” element of the Spring configuration file. The system is configured so that a user who has not performed a login will be redirected to a login form before they can access such a URL.
The problem that I have is that certain URLs in the system are intended for programmatic access and return XML rather than HTML. For such URLs I need to be able to return a “user not logged in” XML instead of forcing a redirect to a login form. How can I reconfigure my “http” element (and its associated elements in the configuration file) to allow me to have one set of controlled URLs that will redirect to a login form when the user isn't logged in and another set that will return an error?
Cheers, Adam.
Maybe an authentication filter helps you. Inside the doFilter() method of Spring's AbstractAuthenticationProcessingFilter you could check whether a XML file is requested. If yes, you interrupt the chain and return an error XML file if there's no active user session. See here for more details:
http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html
I've got an app built using asp.net mvc and deployed over 2 Amazon EC2 instances. I'm using forms authentication to authenticate users. I simply make a quick look up on the given username and password and if I found a match I set an authentication cookie, like so:
if(_repository.Login(username, password))
FormsAuthentication.SetAuthCookie(username, false);
This works fine as long as the application on one machine, but, once I leveraged Amazon Elastic Load Balancing to deploy the site on two machines, the site behaves in a very weird way. When a user logs in, the site recognizes a logged in user, after a refresh or two, the site no longer see the user as a logged in user. If the user keeps refreshing again for some time, the app sees the user as a logged in user again, and this goes forever.
I'm aware that such a problem might occur if I'm storing SessionState inproc. I'm not using SessionState at all.
What am I missing here guys?
Ps: I've edited the session state to be stored on a state server [Though i'm not using neither sessions nor TempData anywhere on my app] and the same weird behavior is there.
You need to synchronize your <machinekey> between all servers in your farm. Otherwise the forms authentication ticket is only good for the machine which issued it. I doubt this has anything to do with Session/TempData.