I have just started working with Gluu, and mostly it is working exactly as I want it to.
However I am experiencing some difficulties with registration.
Currently when a user registers he/she is redirected to the gluu page. What I would like to happen is the user being redirected back to the page that sent the user to the registration page (or at the very least a static page).
I know that this needs to be done in the postRegistration part of the user registration script, however I am not quite sure about what it is that I need to do.
So has anyone done something like this before?
Edit:
So this is where I am currently at...
The postRegistration function takes in 4 parameters, self, user, requestParameters and configurationAttributes.
self I assume is just a reference to itself and therefore it is not really valuable in this case as there are no set functions that redirects in that class and it does not seem to hold any valuable parameters.
user is the user that is about to be registered and is sent down from org.gluu.oxtrust.action.RegisterPersonAction and is a org.gluu.oxtrust.model.GluuCustomPerson Object.
I believe that this is my best bet at fixing this problem... although I am not sure about how.
It does have a function setSourceServerName that seemed promising, but setting it did not change the outcome in any way.
requestParameters is just the query parameters sent in the URL. I tried setting these to valid openid code authentication parameters, but it had no effect.
configurationAttributes is simply the static parameters sent into the script from Gluu (just parameters set statically to the script).
Moreover the function must return a boolean so I assume that what needs to be done is changing the input parameters as a side effect and thus my only two options are the user object and requestParameters. requestParameters seems to be just a private map object in the registerPersonAction class, which does not seem to do anything special with it, so changing this shouldn't have the outcome that I want.
Therefore it must be the user object that I need to modify. However, as previously stated, I do not yet know in what way.
As a dirty hack you can edit the gluu pages to insert javascript that redirects the user.
To generalize this question I asked this morning, and please accept my apologies if this has been asked before and I simply don't know what to search for, but I'm curious how Rails handles the following situation:
Using Devise, I log in a user, with an ID of 2.
I click on a link that has been created to "edit my profile" (which simply would go to the /users/2/edit page).
Using Firebug (or something similar), I modify the form and change the action from action='/users/2' to action='/users/5'.
I change an element on the form, and click submit.
At this point, Rails appears to allow the submission and update user with ID 5 with my changes.
I'm guessing I'm not the first one to ask this question. It seems to me like Rails should handle this "out of the box", but I could be wrong. Does Rails handle this natively and I'm just missing something? Has this been asked before on SO or somewhere else that I'm missing?
A few things:
Don't create a route that accepts a DB id. Instead, make it something like /my_profile.
If an id is passed in the params, ignore it entirely in the controller. Instead lookup the current_user that is logged in and show them their own profile regardless of what profile/user id is passed in.
Finally, and possibly most important, use authorization (what a user is allowed to do) in order to disallow one user from editing another user's profile. Not to be confused with authentication (user logins/logouts).
With this approach it won't matter if the DOM is changed, because the server should never implicitly trust what is passed to it, which is the problem you're facing now. Any web/app server must always confirm that the parameters being passed to it are actually valid in the context of what the current user is allowed to do.
This idea that the server should never trust what's passed to it is a critical idea to apply to every single action in your app, without exception.
Guys, I have a question.
I'm currently building a wizard that has 5 steps until being completed.
The user starts at the first step, where he generates the entry id.
From there on I start passing the id over the url like this:
host.com/{controller}/{view}/{id}
This is how my url looks after step 1,
------- currently at view step2 passing the id=120
host.com/{controller}/step2/120
This isn't safe because, as you know, anyone can change the id and affect other users' entries. Of course, it can be quickly solved by reading if the authenticated user is proprietary of the entry that he must be trying to access in each view.
Now, my question is... is there a better way to do this?
Any tips for future work?
Is what I'm doing enough?
(beginner doubt praying for an expert answer)
Cheers
...It can be quickly solved by reading if the authenticated user is proprietary of the entry that he must be trying to access in each view.
Yes, that's true. You should start there.
Here are some other things that you could do:
You could make your entry ids Guids instead, so that a would-be hacker would never try to guess an entry id.
Because using GET for sensitive data is a bad idea, you could, as endyourif suggests, pass the entry ids with hidden fields instead.
If you are truly concerned about the user altering the ID in the URL, then you must spend the additional time adding an "isOwnedBy" like functionality.
As an additional security measure, you could pass it via a hidden variable in the form so it is at least not as easy to change as well.
Edit: I like @LeffeBrune's suggestion of encrypting the id as well. However, I still suggest that the validation is performed on the function to ensure the user owns the object. It's just good practice.
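The pattern both the Rails answer above and this one describe, as an added illustration in plain Ruby (not code from either poster, and no Rails involved): the vulnerable handler that trusts the id in the request, next to a handler that ignores the id and works from the logged-in user, and an "isOwnedBy"-style check for wizard steps that must carry an entry id. The User/Entry structs and the in-memory USERS/ENTRIES tables are constructed stand-ins for a database.

```ruby
# Added example: client-supplied ids are never trusted; authorize against
# the authenticated user instead. Plain Ruby, no framework required.
User  = Struct.new(:id, :name)
Entry = Struct.new(:id, :owner_id, :title)

class NotAuthorized < StandardError; end

# Constructed sample data standing in for the database.
USERS   = { 2 => User.new(2, "alice"), 5 => User.new(5, "bob") }
ENTRIES = { 120 => Entry.new(120, 2, "alice's wizard entry") }

# Vulnerable pattern: trusts params[:id] taken from the form action, so a
# form tampered to action='/users/5' lets user 2 rename user 5.
def update_user_vulnerable(current_user, params)
  target = USERS.fetch(params[:id])
  target.name = params[:name]
  target
end

# Hardened pattern 1 (a /my_profile style route): whatever id the client
# sends is ignored and the record is looked up from the session's user.
def update_my_profile(current_user, params)
  target = USERS.fetch(current_user.id)   # params[:id] is never consulted
  target.name = params[:name]
  target
end

# Hardened pattern 2 (wizard steps that carry an entry id in the URL):
# load the entry, then check ownership before changing anything.
def update_entry(current_user, params)
  entry = ENTRIES.fetch(params[:id]) { raise NotAuthorized, "no such entry" }
  unless entry.owner_id == current_user.id
    raise NotAuthorized, "entry #{entry.id} is not owned by user #{current_user.id}"
  end
  entry.title = params[:title]
  entry
end
```

Whether a failed ownership check answers 403 or 404 is a separate choice; the point is that the check runs on every action that takes an id.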
I'm wondering how to handle missing request parameters in a struts2 action:
Let's say you have an action to view a user profile.
The action will show the profile of a given user according to the userId parameter.
How do you handle the fact that this parameter may be missing (if the user loads the action directly from the url bar or if he plays with the Tamper Data addon ...)?
I see several options but I wonder if there are other options and which one is the best :
In each action, on prepare(), check if the expected parameters are given, if not redirect
In each action, on the method that processes the request, check the parameters, if not then redirect
I also thought I could use validators to make sure parameters are there but it only works for a form, doesn't it?
If you have any idea or any point of view on this question, I would love to hear it.
Thanks
Validation operates on request parameters--it doesn't matter if it's via a form or request parameters.
As long as an action has appropriate setters, which it would in this case, the default validation works fine. Determining if the user has the rights to access the profile in question may also be handled using a custom validator, probably one that uses existing business logic to determine access rights.
All of that, however, may be wrapped up using Spring Security, and eliminate the need for writing your own interceptor and/or validator. Which solution is the most appropriate depends on your actual needs.
For one of my project's (weird) requirements, I want to use cookieless sessions. At the same time, "session.use_trans_sid" cannot be turned on :(
Could anybody please let me know if there is any other way out?
Thanks
Manish
Make a custom session manager that identifies the user based on, for example, IP address and user agent and other identifying factors (as IP+UA might not and probably will not be unique). Another (ugly) solution is to just implement the use_trans_sid functionality yourself by adding a session identifier GET parameter to every link by hand (if it's a small site) or with a hidden form (that's non-standard).
If you really want sessions without cookies, you can always put the SID in all your URLs manually. People used to do this quite a bit. :-)
The only other option is to keep the session data on the client and pass it back and forth to and from the server with each request, although technically that would be a sessionless architecture.
That means that for GETs each link has to be rewritten to include all the session variables, and for POSTs they have to be included as hidden fields.
What does the following line mean?
Put the boolean variable isLogin to your session such that you check the session each time your user goes to the secured site.
I would like to know how you can put a variable to a session. I know at the abstract level that
session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user
I know that you can store data in a URL by separating variables by the character &.
I know at the abstract level that you need to use post or get and some read function to check the data in the URL.
I know that cookies are files where you store data, but I have never stored data to them.
Does he mean that I should put the login variable in the URL or in cookies?
Taking out all the context doesn't make it any easier to answer your question - actually I have to guess that you are talking about php, because it looks like you might be.
Sessions.
Sessions are a way of 'remembering' users for a limited time. Say I visit page A.php on your website first. Now, that website might define an isLoggedIn session variable for me. If a bit later I go to page B.php on your site, that site 'remembers' that variable and can tell what its value was.
Sessions and Cookies do have a relation, but that only matters when you want to know how sessions work. This will be important later on as you will need to know the weaknesses of sessions, but first it is important you get to know how to use them.
Before you can use session variables, you must call session_start(), to start a session - this must be called on each page that uses the session variables. Once we have, we can simply access the array $_SESSION and all that's in there will be remembered with the session.
Take a look over here to get a more complete explanation and a number of examples.