I would like anyone to go to the server's home page and just see the dashboard—without having an account or logging in. They would have to log in if they wanted to see/do anything else.
Is this even possible?
If it's possible use some plugin based on Matrix Authorization Strategy for example this. Then add read permission for Anonymous Users.
Related
I have ran to the situation where I have to remove Facebook/Google authentication option from my app. So I want to know all the pain during this process.
What about user data ? Is there any possibility to link newly created user with data from previous facebook-login-based user ?
Any other situations which I have to fix ?
Oh my God. I personally do not think that you should do that. Yes, if their users in your application that have logged in with one of these providers, then yes their data possibly could be deleted. I mean if you have stored the access tokens to retrieve information about them, then you will be fine I think. But, if you remove OAuth2.0 then your users will not be able to log in with anything else, such as local authentication, due to the fact that they have not created an account via your local authentication system, as they do not have provided a password for their account. They only gave consent to read or write data about themselves, and you only know their email or username. Last but not least, a move like will definitely harm your User Experience (UX) throughout your application and your marketing as well.
I hope that helps! Try to search about some alternatives to solve your issues.
I'm looking to add 2 factor login to my Silex app.
However, I'm having some road blocks on how to get this working correctly.
my biggest sticking point is having the firewall not fully log the user in and instead direct them to a page to confirm their identity.
I've thought about using Symfony Guard, but looking at the documentation, I didn't see anything that would let me prevent the user from being logged in.
I don't have any code yet, at this point, I'm just tying to design the flow and after I have a concrete execution plan, I was going to then begin writing code.
I remember reading a blog post about doing this in Sf2, but I cannot find it now. Here's the gist:
the login part is the usual one
create a listener for the controller event, and redirect to the 2FA controller unless the user has a role (ROLE_GOOGLE_AUTHENTICATED or similar) and unless the user is requesting that route
on that url render a form and check if it's a post, and if the code verifies add that role to the user
I'm sure you can adapt it for silex. You can also check the bundles that exist for Sf2 on how they work exactly.
As an administrator, how do I get an API token for a user other than myself, without logging in as them? When I visit the user configuration page, all I see is that "Token is hidden", and I cannot change it either.
There is a Jenkins System Property, jenkins.security.ApiTokenProperty.showTokenToAdmins . You need access to the master/OC process startup to change it.
Documented at the bottom of https://wiki.jenkins-ci.org/display/JENKINS/Features+controlled+by+system+properties
(We are going to do our best to leave this at false.)
I am using ApacheDS 2.0.0.v20130628,I use Spring security ldap to authenticate users.
For a new user,once user registers an account with the web application an email will be sent to make the account active so that his email will also be verified.Until User clicks on the link sent to his email,User should not be able to Login to the application.So how can I disable the user account till then?
I came across with an attribute on web nsAccountLock,But I am unable to find this attribute in ApacheDS.
I want to know is there anything in ldap-user-service like "active" which is used in a SQL query for JDBC User service in spring security?
Any suggestions as how to go about on this?
nsAccountLock is used to lock accounts in Oracle Directory Server. But not in apache Directory server. even i'm facing the same issue for finding attribute for disabling user in Apache DS. its looks like they havent created any attribute for it.
I have used 'pager' as a option to know if the user is enabled or disabled.
Use the 'pwdAccountLockedTime' operationsl attribute, that's the standard way in Apache DS.
For more details refer
I'm trying to setup a "private beta" for a site that I'm working on. The site uses open id. I don't want anyone to even browse the pages if they aren't part of the beta. What's the best way to implement this? Any suggestions?
For example:
When the site goes live, users will go to http://www.mydomain.com which will not require them to log in.
For the beta I want to restrict access. Users that go to http://www.mydomain.com will be redirected to a login page. Anyone attempting to access ANY PART OF THE SITE who is not authenticated will be redirected back to the login page.
I could stick [Authorize] attributes all over my controller actions, but that seems stupid.
If you're using ASP.NET MVC, it comes with authentication/authorization out of the box. You should be able to use that to setup authentication on your site.
Alternatively you could setup app server settings - IIS lets you setup username/password on a specific site it's serving, regardless of what the actual application may do. If you have access to the app server this might be the best solution.
If you're using IIS6, you can setup authorization easily. Right-click on your site > Properties > Directory Security Tab > Authentication and Access Control > Edit, and enter a username/pwd of your choice. Done.
The real question is how are they being invited to the private beta?
You could setup a password which drops a cookie much like serverfault.com does.
OR
If you know who you are inviting: you could add them to the system before hand using the email/login information that you already know about them (assuming you are inviting them via email)
I have implemented a function in a web application a while ago where we go the possibility to block access to the full website unless the user was an administrator (which in our case meant that the user account was a member of a specific group in Active Directory).
It was based on two things. First, all pages in the web application inherited not directly from the Page class, but from a custom page class in our web application. Second, we had a value like this in the appSettings section of web.config file:
<add key="adminaccessonly" value="0" />
The custom page class would check that value when loading. If it was not 0 it would redirect to a page (that did not inherit the same custom page class, though) informing the user that "the site is not available right now". If the value was 0 the page would load as usual.
In that application we used this to be able to take the site "offline" when we deployed a new version, giving us some time to verify that all was good before we let in the users again.
Best way are invitation system (based on invitation code) or manually confirmation access after create profile in your system. imho
Or you could host the site on a private server, and set up a VPN to use it. Depending on your resources and needs this may be the easiest and most secure way to do what you want without modifying your codebase.
OR alternatively you could use Apache or IIS to force authentication on access to the website directory. Keeping the authentication info in .htaccess for a while.
Even though you use open id authentication, you may still need some form of authorization mechanism. The simplest form would be a user-roles system in your database that assigns different roles to users
In your case, just assign the private_beta role to your private beta invitees and ensure you your authorization mechanism that all users have private_beta privilege before they may continue.
If you don't want to provide authorization for the public site (where everyone can do everything, once authenticated), then, you may only need to do a quick-and-dirty post-processing (for private beta only) on your open_id authenticated users to check them off a short list (which you can store on a text file.