I am using the following code in my logout button:
<a id="login-control-logout" href="${createLink(controller:'LicGenerator', action:'logout')}"><i class="icon-off"></i> Logout</a></li>
Inside my controller, I am using the following code:
def logout() {
request.getSession().invalidate()
response.setHeader("Cache-Control","no-cache,no-store,must-revalidate")
response.setHeader("Pragma","no-cache")
response.setDateHeader("Expires", 0)
redirect(uri:'/login.html')
}
It goes to login.html, but when I enter the username and password again, it doesn't log me back in and throws an error:
type Status report
message /LicGenerator/j_security_check
description The requested resource (/LicGenerator/j_security_check) is not available.
When I refresh the browser, I get this error:
type Status report
message Invalid direct reference to form login page
description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
Also, the back button takes me to the page even though I added cache control to the response.
Simply invalidating your session for Spring Security is probably not advisable, as there is a SecuritySession which also has cookies. It may be better to use what's already provided by Spring Security:
import grails.plugin.springsecurity.SpringSecurityUtils
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl
Then you can configure your default login URL via the config options for the Spring Security plugin.
Related
I have a requirement to integrate with an external authentication provider; they require us to generate the state & nonce and use these parameters as input for the embedded JS that generates the QR code. This QR code will be scanned by a mobile device for authentication.
For the standard login with the external authentication provider, we call the Challenge() method to redirect to the login page, and the redirect URL contains the state & nonce itself. Is there a way to generate/get them without redirection?
If I generate a random nonce & state on the frontend side, then after scanning the QR code and completing the authentication on mobile, it returns the authentication code and throws an "unable to unprotect the message.State." exception at the IS4. I tried to disable the state validation but it does not work.
configureOptions.ProtocolValidator = new OpenIdConnectProtocolValidator()
{
RequireState = false,
RequireStateValidation = false,
};
Any help would be much appreciated.
I have an issue with this feature.
The SignIn action works well with ADFS and returns to AuthServices/Acs.
But the Logout action doesn't call ADFS and redirects directly to the returnUrl parameter (checked it with Fiddler).
I'm calling this link: /AuthServices/Logout?ReturnUrl=~/&Status=LoggedOut
web.config is set up like this:
<kentor.authServices entityId="https://localhost:2181/AuthServices" returnUrl="https://localhost:2181/">
<identityProviders>
<add
entityId="https://ADFS DOMAIN/adfs/services/trust"
signOnUrl="https://ADFS DOMAIN/adfs/ls"
logoutUrl="https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0"
binding="HttpPost"
allowUnsolicitedAuthnResponse="true"
metadataLocation="https://ADFS DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml"
wantAuthnRequestsSigned="true">
<signingCertificate fileName="~/App_Data/*****.cer" />
</add>
</identityProviders>
</kentor.authServices>
If I launch https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0 in another tab, it works: I return to the sign-in page of my website.
So it seems to be an internal issue in retrieving the logoutUrl and sending it?
Thanks for your help.
There are a number of requirements that need to be met before a logout request will be issued:
You need to have a http://kentor.se/AuthServices/LogoutNameIdentifier claim, and its issuer has to match the IDP that you're trying to log out from.
You need to have a http://kentor.se/AuthServices/SessionIndex claim.
Your AuthServices IDP configuration needs a logoutUrl (I see you've specified this, but it's probably easier to let AuthServices read it from the metadata).
You have specified a ServiceCertificate with either Signing or Both usage (i.e. not just Encryption).
Your AuthServices IDP configuration has DisableOutboundLogoutRequests = false (this is the default).
Missing claims (the first two points) are the most likely issue if you have some claims transformation happening during login or you are not retaining the original ClaimsIdentity. See also the documentation regarding ClaimsAuthenticationManager, e.g. https://github.com/KentorIT/authservices/blob/master/doc/ClaimsAuthenticationManager.md
You can turn on logging and see which of these points are failing:
https://github.com/KentorIT/authservices/blob/v0.21.2/Kentor.AuthServices/WebSSO/LogOutCommand.cs#L155-L170
I have set up my Facebook auth per the passportjs docs:
var passport = require('passport')
, FacebookStrategy = require('passport-facebook').Strategy;
passport.use(new FacebookStrategy({
clientID: FACEBOOK_APP_ID,
clientSecret: FACEBOOK_APP_SECRET,
callbackURL: "http://www.example.com/facebook/callback"
},
function(accessToken, refreshToken, profile, done) { ... }
));
app.get('/login/facebook', passport.authenticate('facebook'))
.get('/facebook/callback', passport.authenticate('facebook', {successRedirect: '/', failureRedirect: '/login'}));
All this works fine. However, there are cases (such as token expiration) when I want to automatically redirect the user to the page that the user was on before initiating the login request. So I tried to plumb a query string param through the login request (from client to server to Facebook and back). But I can't see a way to specify that in the callbackURL.
Furthermore, when I tried hard-coding some context param into the config callbackURL (e.g. "http://www.example.com/facebook/callback?redir=lastUserPage") I get an OAuth parse error. Interestingly enough, Facebook does respond correctly with the access code as well as the redir param, but it fails with an OAuth exception:
FacebookTokenError: Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request
at Strategy.parseErrorResponse (C:\Sources\node_modules\passport-facebook\lib\strategy.js:198:12)
at Strategy.OAuth2Strategy._createOAuthError (C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\lib\strategy.js:345:16)
at C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\lib\strategy.js:171:43
at C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\node_modules\oauth\lib\oauth2.js:177:18
at passBackControl (C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\node_modules\oauth\lib\oauth2.js:124:9)
at IncomingMessage.<anonymous> (C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\node_modules\oauth\lib\oauth2.js:143:7)
at IncomingMessage.emit (events.js:117:20)
at _stream_readable.js:943:16
at process._tickCallback (node.js:419:13)
Note that I had this working using WIF before. I don't see any security concerns with passing additional query string parameters through the OAuth process.
Any idea how I can get past this?
I'm not sure how to do what you're asking, but for your desired end goal you could:
Save a cookie before authenticating.
Authenticate the user.
On the resulting callback page, check for the cookie and redirect if present.
Wouldn't this work just as easily?
I'm playing around with the Grails 2 framework together with the spring-security plugin.
I built a custom login form, which should be always visible on the main page.
Thus, the user should always be redirected to the main page. Regardless of whether an error occurs or not.
In the case of a successful login everything works very well, but in the case of an error the flash scope is lost during the redirect. So I can't display the reason for the failed authentication.
According to the documentation, only the parameter 'defaultFailureUrl' should be adjusted.
But this doesn't work as expected.
Are there any other parameters necessary to achieve this functionality?
My Config.groovy
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.successHandler.defaultTargetUrl="/"
grails.plugin.springsecurity.successHandler.alwaysUseDefault=true
grails.plugin.springsecurity.failureHandler.defaultFailureUrl = '/'
grails.plugin.springsecurity.auth.loginFormUrl = '/'
grails.plugin.springsecurity.logout.postOnly = false // Logout through direct link
grails.plugin.springsecurity.userLookup.userDomainClassName = 'de.msg.login.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'de.msg.login.UserRole'
grails.plugin.springsecurity.authority.className = 'de.msg.login.Role'
I hope someone can figure out a solution ;)
As I understand it, you want to show the message on the same login page after submitting the login form.
Use this property; it will probably work.
Set this in Config.groovy:
failureHandler.useForward=false
See this link
I'm using Grails 2.1.1 with Cucumber and Geb. I have an Auth.feature that contains 2 scenarios. One is for authenticating successfully and the other is for testing invalid credentials.
The way I think I have to work this out is to have geb log out the user from the first scenario before it can run the second scenario. This is because my Given step checks to make sure I'm at the login page. After scenario 1 executes, I'm on a Dashboard page.
I guess my question is: do I (a) use Geb to sign out the valid user before completing the scenario, or (b) is there a way to have it start over between scenarios?
Right now, I've implemented (a) and it works just fine. Just want to know if this is optimal.
Here is my feature:
Feature: login to system
As a user of the system
I want to log in to the application
so that I can use it
Scenario: login
Given I access the login page
When I enter valid credentials
Then I see the dashboard
Scenario: auth fail
Given I access the login page
When I enter invalid credentials
Then I see appropriate error messages
And here are my Geb steps:
Given(~'^I access the login page$') {->
to LoginPage
at LoginPage
}
When(~'^I enter valid credentials$') {
page.add('user_10001#test.com', '10001')
}
Then(~'^I see the dashboard$') {->
at DashboardPage
}
Then(~'^I see an error message on the login page$') { ->
at LoginPage
}
When(~'^I enter invalid credentials$') { ->
page.add('baduser', 'paddpassword')
}
Then(~'^I see appropriate error messages$') { ->
at LoginPage
// check for error message
}
Based on some more research I've done, it looks like there are a few ways to handle this:
Just like I am already doing it, by logging out at the end of a scenario (or you could do it at the beginning)
Make logging out its own scenario
In the env.groovy Before hook, add to LogoutPage
Logout using a Background
Add the following line to the After hook in env.groovy:
bindingUpdater.browser.clearCookies()