Authentication against a web service without involving Grails domains - grails

I have a legacy database for my app and I have to add the app to a common sign-in, where the user table related to sign-in is not accessible, but I have access to an app which gives JSON output for login authentication.
For this I'm trying to use the Spring Security plugin, but I am not able to figure out the entry point URL and how to redirect input from the login page to that URL.

Thank you all; the above answers helped me a lot, along with objectpartners.com, to customize the Spring Security plugin:
https://objectpartners.com/2013/07/11/custom-authentication-with-the-grails-spring-security-core-plugin/
https://github.com/JacobASeverson/smart-notes
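For readers landing here with the same problem, the following is an added example (not the asker's code, and not taken from the linked posts) of the piece the question is about: a Spring Security AuthenticationProvider that validates the login form's user name and password against an external HTTP service that answers with JSON, so no Grails User/Role domain classes are touched. It is written in Java (usable from a Grails app's src/java, or translated to Groovy). The endpoint URL, the reply shape {"authenticated": true, "roles": [...]} and the use of Jackson for JSON are assumptions of this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Checks the login form's user name and password against an external HTTP
 * service that answers with JSON, so no Grails User/Role domain classes are
 * needed. The endpoint URL and the reply shape
 *   {"authenticated": true, "roles": ["ROLE_USER"]}
 * are assumptions of this example, not the asker's real service.
 */
public class JsonRemoteAuthenticationProvider implements AuthenticationProvider {

    private static final ObjectMapper JSON = new ObjectMapper();
    private final String loginUrl;   // assumed: an https URL of the JSON login service

    public JsonRemoteAuthenticationProvider(String loginUrl) { this.loginUrl = loginUrl; }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String username = auth.getName();
        Object credentials = auth.getCredentials();
        if (username == null || username.isEmpty() || credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        String request = JSON.createObjectNode()
            .put("username", username).put("password", credentials.toString()).toString();
        String reply;
        try {
            reply = post(loginUrl, request);
        } catch (IOException e) {
            // an unreachable service is not a wrong password; keep the two failures distinguishable
            throw new AuthenticationServiceException("Login service unavailable", e);
        }
        return toAuthentication(username, reply);
    }

    /** Maps the service's JSON reply to an authenticated token, or throws. */
    static Authentication toAuthentication(String username, String json) {
        JsonNode root;
        try {
            root = JSON.readTree(json);
        } catch (IOException e) {
            throw new AuthenticationServiceException("Malformed reply from login service", e);
        }
        if (!root.path("authenticated").asBoolean(false)) {
            throw new BadCredentialsException("Bad credentials"); // same message as above: do not reveal which part failed
        }
        List<GrantedAuthority> roles = new ArrayList<>();
        for (JsonNode r : root.path("roles")) {          // path() yields an empty node when "roles" is absent
            String role = r.asText();
            if (role.matches("ROLE_[A-Z0-9_]+")) {      // accept only well-formed role names from the remote side
                roles.add(new SimpleGrantedAuthority(role));
            }
        }
        if (roles.isEmpty()) roles.add(new SimpleGrantedAuthority("ROLE_USER")); // assumed baseline role
        // credentials are null so the password is not kept inside the session-stored token
        return new UsernamePasswordAuthenticationToken(username, null, roles);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    private static String post(String url, String json) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("POST");
        c.setConnectTimeout(3000);
        c.setReadTimeout(3000);
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/json");
        try (OutputStream out = c.getOutputStream()) {
            out.write(json.getBytes(StandardCharsets.UTF_8));
        }
        if (c.getResponseCode() != 200) throw new IOException("HTTP " + c.getResponseCode());
        try (InputStream in = c.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] b = new byte[4096];
            for (int n; (n = in.read(b)) != -1; ) buf.write(b, 0, n);
            return buf.toString("UTF-8");
        }
    }
}
```

To wire it into the spring-security-core plugin, declare it as a bean (for example jsonAuthenticationProvider) in grails-app/conf/spring/resources.groovy and list that bean name in grails.plugin.springsecurity.providerNames in Config.groovy, replacing daoAuthenticationProvider (plugin 1.x uses the key grails.plugins.springsecurity.providerNames). The "entry point" the question asks about is the plugin's own login-processing URL that the generated login form already posts to (/j_spring_security_check in plugin 2.x, /login/authenticate in 3.x); the form needs no change, because the filter behind that URL hands the UsernamePasswordAuthenticationToken to every registered provider. The password is sent to the remote service in clear text inside the JSON body, so the service URL must be https.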

Related

JHipster OAuth2 + Keycloak user related use case

From various googling and reading https://www.jhipster.tech/security/#oauth2 , I gathered that in order to have mobile/social integration with a JHipster-generated app I should use OAuth2. Am I right to think this way? (I can't seem to find a clear-cut answer to this.)
I created a new application with JHipster v5.1.0 with OAuth2 enabled. I noticed a couple of features missing with regard to user management. Below are my questions.
How does a new user register a new account?
How does a user change password / reset forgotten password?
Hopefully someone with experience on the above can help clarify.
Thank you in advance.
For social login, yes, your best option is OAuth 2.0. You can use JWT for mobile development with React Native (via JHipster Ignite) and Ionic (via Ionic for JHipster), so it's not necessarily required for mobile.
For user registration and change password, you'll need to enable those options in Keycloak or Okta. This blog post shows you how.
To summarize:
For Keycloak, you can enable registration by navigating to http://localhost:9080 and clicking on Administration Console. Log in with admin/admin and click on the Login tab. This screen allows you to enable forgot password, remember me, and verify by email as well.
To enable self-service registration in Okta, you’ll need to navigate to the Classic UI from the Okta Developer Dashboard. There’s a link to toggle between the two in the top left corner of your screen.
Then navigate to Directory > Self-Registration and click Enable Registration. Set the default group to ROLE_USER, the Default redirect to a Custom URL with http://localhost:8080 as its value, and click Save.
NOTE: If you get an error that says 'http://localhost:8080' is not a valid redirect URI, it’s because you need to add http://localhost:8080 as a trusted redirect under Security > API > Trusted Origins. After making this change, navigate to Directory > Self-Service Registration and edit the settings to configure the custom URL again. It should work this time.

Secure Spring security login and logout in Portal style applications using iFrames

I am involved in the development of a portal-style application. The diagram above shows the core UI wireframe of the application. There is one main application, mainApp, which acts as the portal application. It contains a sidebar menu which provides "entry points" to launch various other web applications (App1, App2... AppN) which are independent, separately packaged and deployed war files, running in the same Tomcat server as mainApp.
All applications are Spring (3.2.x) based and have spring-security (3.2.x) integrated. The user only logs into mainApp using Spring Security's standard login form mechanism. The obvious expectation is that the user does not have to log in to each individual application they launch from the sidebar menu. The same user should be logged into each of the launched applications automatically.
App1, App2,... AppN are loaded via their respective URLs in an iFrame within the mainApp's page as illustrated in the diagram as well.
As a very rudimentary first iteration, I have implemented a filter extending Spring's AbstractPreAuthenticatedProcessingFilter in each of the portal applications. The filter looks for a URL parameter authToken and automatically logs the user in if the parameter is found and is Base64 (I know, very weak!) decoded to be the user name. If the token is not found, the user might see a Spring Security login screen inside the iFrame (ugly).
Questions:
Is there a better, more secure way, compared to a query parameter, to pass the authentication token or ticket to the application being launched inside the iFrame? I presume I cannot use request headers, as there is no way to pass them when the main portal app sets the URL in the iFrame? Or is there a way? Or any other mechanism?
When the user logs out of mainApp, how do I log the user out of each of App1, App2...AppN that the user has launched and been pre-authenticated into? Programmatically hit the Spring Security /logout endpoint in each application when logout occurs in the main portal app?
Thanks!
I have an idea:
You can set the Spring Security login page to another page which redirects the parent window to the login page:
Spring Security config:
formLogin().loginPage("/redirect_login.jsp")
redirect_login.jsp:
<script>window.parent.location.href = "./login.jsp";</script>
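The answer above deals with the ugly in-frame login screen; the question's first point, a less forgeable replacement for the Base64 user name in authToken, is not addressed on the page. As an added example (not the asker's filter and not the answerer's suggestion), here is the weak decoder from the question next to a hardened variant for the same AbstractPreAuthenticatedProcessingFilter: mainApp mints a short-lived ticket that binds the user name to the target application and an expiry and signs it with HMAC-SHA256 under a key shared only between mainApp and that application. The ticket layout, the parameter name and the appId values are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Pre-authentication filter for App1..AppN that accepts a signed, expiring
 * ticket issued by mainApp instead of a bare Base64 user name.
 * Assumed ticket layout (not from the original post):
 *   base64url(user|appId|expiresEpochSeconds) + "." + base64url(HMAC-SHA256(payload))
 */
public class SignedTicketPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    private static final String PARAM = "authToken";
    private final byte[] key;            // shared between mainApp and this app only
    private final String expectedAppId;  // e.g. "app1" (assumed)

    public SignedTicketPreAuthFilter(byte[] key, String expectedAppId) {
        this.key = key.clone();
        this.expectedAppId = expectedAppId;
    }

    /** The scheme from the question: anyone who knows a user name can mint a valid token. */
    static String weakPrincipal(String token) {
        return new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8);
    }

    /** Run by mainApp: binds user, target app and expiry, then signs the payload. */
    public static String issue(byte[] key, String user, String appId, long expiresEpochSeconds) {
        if (user.indexOf('|') >= 0 || appId.indexOf('|') >= 0) {
            throw new IllegalArgumentException("'|' is the field separator");
        }
        String payload = b64((user + "|" + appId + "|" + expiresEpochSeconds).getBytes(StandardCharsets.UTF_8));
        return payload + "." + b64(hmac(key, payload));
    }

    /** Returns the user name if the ticket is authentic, unexpired and meant for this app; otherwise null. */
    public static String verify(byte[] key, String expectedAppId, String ticket, long nowEpochSeconds) {
        if (ticket == null) return null;
        int dot = ticket.lastIndexOf('.');
        if (dot <= 0) return null;
        String payload = ticket.substring(0, dot);
        byte[] sig;
        try {
            sig = Base64.getUrlDecoder().decode(ticket.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // verify the MAC (constant-time) before trusting any field of the payload
        if (!MessageDigest.isEqual(hmac(key, payload), sig)) return null;
        String[] f;
        try {
            f = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8).split("\\|", -1);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (f.length != 3 || !expectedAppId.equals(f[1])) return null;  // wrong shape or minted for another app
        long exp;
        try {
            exp = Long.parseLong(f[2]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowEpochSeconds >= exp) return null;                        // expired
        return f[0];
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // null means "no pre-authenticated principal" to the base class, so login is not bypassed
        return verify(key, expectedAppId, request.getParameter(PARAM), System.currentTimeMillis() / 1000);
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A";
    }

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
}
```

mainApp builds the iFrame URL with issue(key, username, "app1", now + 60) and the target app registers the filter with its AuthenticationManager set, as for any pre-authentication filter. Because the ticket still travels in the query string it ends up in access logs and Referer headers, so the expiry must be measured in seconds, not hours. This only answers the first question: each application still keeps its own session, so the logout question remains open.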

Session retention after login on iOS app and Devise with Rails

I'm building an iOS app with Rails on the back-end.
The Rails application uses Devise for authentication and I want to use the same service for the authentication on the iOS app. Is there any way, after authenticating, to keep the session even after the app restarts, so that it goes straight to the content of the app instead of the login screen?
I've looked around, but haven't found a clear answer.
Thanks in advance!
One solution could be to extend the existing Devise models and controllers to also handle a token-based authentication system. Based on the request type, HTML or JSON, the app can choose to authenticate a user either by the authentication token and email or by a combination of username/email and password.
The authentication token could be saved on the client side and reset only when the user logs out.
I was recently working on the same problem and found these sources to be extremely useful.
https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
http://www.soryy.com/blog/2014/apis-with-devise/
https://github.com/lynndylanhurley/devise_token_auth

Rails LDAP and Devise Authentication automatically from Active Directory

I am trying to authenticate users from Active Directory using Devise and LDAP in Rails.
I am successful in authenticating with the login credentials which users enter.
But once a user is authenticated, his credentials will be saved in the session.
I do not want users to log in using credentials. Instead, the application should detect the domain once the user logs into Windows and use Windows authentication if that domain is present in Active Directory.
I followed this: http://everything-ruby.blogspot.in/2011/04/installing-windows-server-2008-ee-with_13.html and it works fine.
Can anyone guide me in right path to achieve this?
Thanks in Advance
Kind of an old post but others may be interested:
It sounds to me that what you're trying to achieve is single sign-on. If so, then you probably want to look into CAS (Central Authentication Service) instead. AD supports this and it's pretty easy in Rails as well.

Trying to use Grails Spring Security Plugin + Facebook Connect to automatically create a user with default permissions on Authentication

I am working on an app that uses the Spring (Acegi) plugin for Grails. The plugin has Facebook Connect settings built in. I have followed the instructions to handle a Facebook login within the app; however, my knowledge of exactly what's going on is weak, and what I really would like to do is give the user/visitor the option of either logging in and/or registering on my app using their Facebook account, or creating an account manually. I have roles set up in the app in the Spring Security plugin that are being bypassed when using the Facebook Connect login option. Where can I intercept the login action in the Spring Security plugin to inject my own custom code to create the new user within the app if he/she doesn't exist?
My hope is that if they choose to create an account using Facebook, my app will create a corresponding account for the Facebook user with default permissions. When the person logs in, permissions are set and authentication is required to access certain content.
I found a way of handling this using the Shiro Security plugin here:
http://sacharya.com/facebook-connect-with-jsecurity-on-grails/
I also stumbled upon Nimble. However, I really like Spring Security; it could just be a comfort thing, and maybe it's time for me to try Shiro with Nimble... I don't know.
I hope this makes sense. I appreciate any direction in making this happen.
Best
Mike
Have you tried using a SecurityListener class implementing ApplicationListener?
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;

public class SecurityListener implements ApplicationListener<ApplicationEvent> {
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationSuccessEvent) {
            // fires once per successful login: create the local user with default roles here if missing
            ...
        }
    }
}
See also: http://forum.springsource.org/showthread.php?t=66885
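As an added example that fills in the skeleton above (it is not the answerer's code, and the Facebook Connect plugin's own classes are not involved), the listener below provisions a local account with a default role the first time a principal authenticates successfully, and does nothing on later logins. The UserStore interface and its in-memory implementation stand in for the app's GORM user and role domain classes and are assumptions of this example; the real implementation would look up and save the domain objects instead.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;

/**
 * Creates a local account with default permissions the first time an
 * externally authenticated principal (for example a Facebook Connect login)
 * succeeds. Using the generic ApplicationListener<AuthenticationSuccessEvent>
 * removes the instanceof check; Spring delivers only that event type here.
 */
public class ProvisioningSecurityListener implements ApplicationListener<AuthenticationSuccessEvent> {

    /** Stand-in for the application's user/role persistence (assumed, not a real API). */
    public interface UserStore {
        boolean exists(String username);
        void create(String username, Set<String> roles);
    }

    /** Every externally created account starts with exactly this role and nothing more. */
    static final Set<String> DEFAULT_ROLES =
        Collections.unmodifiableSet(new HashSet<>(Arrays.asList("ROLE_USER")));

    private final UserStore users;

    public ProvisioningSecurityListener(UserStore users) {
        this.users = users;
    }

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        provision(event.getAuthentication().getName());
    }

    /**
     * Idempotent: a repeat login, or a remember-me re-authentication, must not
     * duplicate the account or reset roles an administrator has since granted.
     * Returns true only when a new account was created.
     */
    boolean provision(String username) {
        if (username == null || username.isEmpty() || users.exists(username)) {
            return false;
        }
        // never derive roles from the external identity; the remote side does not decide local permissions
        users.create(username, DEFAULT_ROLES);
        return true;
    }

    /** In-memory stand-in for the GORM-backed store, so the listener can be exercised in a plain unit test. */
    public static final class InMemoryUserStore implements UserStore {
        private final Map<String, Set<String>> rolesByUser = new ConcurrentHashMap<>();

        @Override
        public boolean exists(String username) {
            return rolesByUser.containsKey(username);
        }

        @Override
        public void create(String username, Set<String> roles) {
            rolesByUser.putIfAbsent(username, new HashSet<>(roles));
        }

        public Set<String> rolesOf(String username) {
            return rolesByUser.getOrDefault(username, Collections.<String>emptySet());
        }
    }
}
```

Declare the listener as a bean in grails-app/conf/spring/resources.groovy and Spring registers it automatically; a first call to provision("alice") returns true and leaves her with only ROLE_USER, a second call returns false and changes nothing. Content that needs more than the default role stays protected, since the account created here carries none of the roles the question says are currently bypassed.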
