I am working on bringing WebSockets functionality to my Grails application. I use the Atmosphere Meteor plugin 0.7.1 for this purpose.
The workflow is simple:
User logs in to the system.
User opens a page with WebSockets functionality.
User clicks a Connect button to establish the connection... and the server doesn't recognize him.
I would like to know which user connected to my WebSocket.
Usually it's quite easy to detect the current user by calling springSecurityService.getPrincipal() in any controller. I managed to inject springSecurityService into my MeteorHandler, however it says that the principal is null. It feels strange to me, as the handler has access to the JSESSIONID cookie, so I expect it to retrieve the correct session data.
Also, the request.session call returns a different HttpSession object compared to the same call performed in a regular controller action.
So is there any way to retrieve the currently logged-in user on a WebSocket connection?
Thanks in advance.
The Principal object can easily be retrieved from request.userPrincipal.principal.
It is exactly the same object as in springSecurityService.getPrincipal().
Find more here: https://github.com/kensiprell/grails-atmosphere-meteor/issues/28#issuecomment-34629462
I am trying to figure out how we can detect whether we are logged in to a site from a Firefox extension.
I am planning to invoke a REST API on the target site to detect whether the user is logged in or not. I am not sure what the right place is to make such calls.
Going through the documentation, it seems like main.js could be the place where I want to put such a method, but then I am not sure how to call this particular method in main.js from my views.
There is no generic way to determine that a user is logged in to a site. Every site can, and does, choose its own method of doing so. The most common method is to store a session cookie on the user's machine through the browser. However, the specifics are nearly certain to be different at each site. There is also the question, in your situation, of whether the site permits the user to be logged in for an extended period of time (i.e. not just in a session).
The most likely way to determine how the user's logged-in state is recorded on the machine is to look at the differences between what cookies are stored (for the site) prior to the user being logged in, while the user is logged in, and after the user is logged out. There are a large number of extensions dealing with cookies. One of them should probably be able to help with letting you look at the information you need to examine for this investigation.
Once you have that information, you can use a variety of different interfaces in Firefox to access the cookies and see if the user is logged in. Obviously, you will want to listen for changes, and/or listen for a page from the site being loaded (overlay/bootstrapped, SDK), rather than polling for changes in the cookies.
MDN refs about the cookie interfaces:
Deal with individual cookies: nsICookie, nsICookie2, nsICookieManager, nsICookieManager2
Deal with the entire cookie string: nsICookieService
For the project I'm working on, I need to be able to authenticate visitors based on their IP address under certain conditions.
The way I have been doing it is by comparing the visitor's IP address to a table in my database. If the IP checks out, I get the related user from the DB and log them in with limited access.
However, I've been doing this using the Session_Start() method in Global.asax and creating a session variable that specifies whether the user is logged in via IP or not. I then restrict certain functions if the user is logged in via IP.
However, this hasn't been working well enough, mainly because when the user first visits the site I want to let him know that he's been logged in via his IP address, but Session_Start seems to be fired after the view has been rendered, so the message isn't displayed until the visitor refreshes the page or visits a subpage. Just having a session variable also doesn't seem safe enough (though I admit I haven't researched that properly).
I've tried to do the checking and auto-login in the Application_BeginRequest() method, but the authentication manager hasn't been initialized that early in the request, so I can't log the user in.
Can anyone point me in the right direction? What would be the best way to accomplish this?
You can extend AuthorizeAttribute and override OnAuthorization so that you can put your checking there.
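As an added example (not code from the answer above), here is one way to implement that: an AuthorizeAttribute subclass whose OnAuthorization looks the caller's IP address up in an allow-list, issues a forms-authentication ticket for the matching user, and records the "IP login" fact inside the signed ticket rather than in a session variable, so that the restriction survives session expiry and cannot be altered by the client. The IP table is a hypothetical in-memory dictionary standing in for the database, and "branch-office" and the 203.0.113.10 address are made up. It assumes ASP.NET MVC with forms authentication enabled in Web.config and that the action filter runs after session state has been acquired (true for MVC controllers), so the session flag for the welcome message is set before the view renders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class IpAuthorizeAttribute : AuthorizeAttribute
{
    // Marker stored in the ticket's UserData so later requests know this was an IP login.
    private const string IpLoginMarker = "ip-login";
    // Session flag the view can read to show "you were logged in via your IP address".
    public const string IpLoginSessionKey = "LoggedInViaIp";

    // Hypothetical stand-in for the IP table in the database: remote address -> user name.
    private static readonly IDictionary<string, string> IpUsers =
        new Dictionary<string, string> { { "203.0.113.10", "branch-office" } };

    // Set to true on actions that IP-authenticated users must not reach.
    public bool FullAccessOnly { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var ctx = filterContext.HttpContext;

        if (!ctx.Request.IsAuthenticated)
        {
            // UserHostAddress is the TCP peer. Behind a load balancer it is the proxy's address;
            // only substitute X-Forwarded-For if that proxy is trusted and overwrites client values.
            string user;
            if (IpUsers.TryGetValue(ctx.Request.UserHostAddress, out user))
            {
                var ticket = new FormsAuthenticationTicket(
                    1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false, IpLoginMarker);
                ctx.Response.Cookies.Add(new HttpCookie(
                    FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
                {
                    HttpOnly = true,
                    Secure = FormsAuthentication.RequireSSL,
                    Path = FormsAuthentication.FormsCookiePath
                });

                // Make the identity visible to this request too, so base.OnAuthorization passes now
                // and the first rendered view already sees an authenticated user.
                ctx.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
                if (ctx.Session != null)
                    ctx.Session[IpLoginSessionKey] = true;
            }
        }

        base.OnAuthorization(filterContext);      // the normal authenticated/role check
        if (filterContext.Result != null) return; // already denied

        if (FullAccessOnly && IsIpLogin(ctx.User))
            filterContext.Result = new HttpStatusCodeResult(403, "Full login required");
    }

    // Reads the restriction from the encrypted, signed ticket, not from a client-modifiable value.
    public static bool IsIpLogin(IPrincipal principal)
    {
        var identity = principal == null ? null : principal.Identity as FormsIdentity;
        return identity != null && identity.Ticket.UserData == IpLoginMarker;
    }
}
```

Decorate ordinary actions with [IpAuthorize] and the ones reserved for password logins with [IpAuthorize(FullAccessOnly = true)]; an IP-authenticated user gets a 403 there instead of a redirect to the login page, which avoids a redirect loop. The session flag is only for the greeting; anything security-relevant should be derived from IsIpLogin.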
I'm new to Grails, and have jumped into version 2. I'm developing a project that uses Spring Security 3 - and this is working fine - but I want to use my organisation's LDAP server (if / when it is available) to do the following:
authenticate users
update the local user data with details from LDAP
create the user if they don't exist
update the local user's password (in case the LDAP server isn't available)
log that user in
I may have skipped a lot of fundamental stuff on my way to getting this working, like how Grails actually works - and I'm struggling to understand how to actually interrupt the Spring Security authentication process with an LDAP lookup, then how to get those details back in a way that I can use them to either update an existing user or create a new one...
I found a basic tutorial here: http://jamesjefferies.com/2011/01/06/grails-spring-security-ldap/ which means I can authenticate myself as a user from the LDAP server - although Spring Security still shows me as logged out, but will not let me log in either until I manually log out... so it's kind of in a login limbo.
The magic is doing my head in... at first I was amazed that I could build an entire web app with a few commands and a few hours of customization - but it's coming back to bite me now - as is the lack of useful examples... and the Spring Security LDAP plugin documentation is somewhat lacking (or maybe it's my lack of understanding).
So, primarily I would like some help to complete the authentication so that it checks the user database for an existing user and updates them, or creates the user if they don't exist... but I would also love it if someone could give me a brief overview of the authentication process in Grails so I can understand what's actually happening, and where I should intercept things.
Cheers in advance for any help
Steve
There is a good example here that shows how to implement a custom user details mapper. I used that method on an LDAP login Grails 2.0 app successfully. Basically you have a CustomUserDetailsContextMapper that implements the UserDetailsContextMapper interface, which you then use to override the default implementation by registering the bean in conf/spring/resources.groovy. Then inside your CustomUserDetailsContextMapper you check for a user (your domain class) with a matching username and, if none exists, you create one using data from ctx.originalAttrs, which contains data from the LDAP query results. You must then return a new org.springframework.security.core.userdetails.User. You can extend this class to add other fields that you want to be able to access directly from the principal object.
We are attempting to integrate an ASP.NET MVC site with our client's SSO system using PingFederate. I would like to use the built-in FormsAuthentication framework to do this. The way I've gone about it so far is:
1. Set up my Web.config so that my FormsAuthentication LoginUrl goes to my site's "BeginAuthentication" action on a "Security" controller. From this action, I set up some session variables (what URL was being accessed, for example, since Ping won't send this info back to me), and then redirect to our client's login page on an external site (www.client.com/Login for example).
2. From here, the authentication takes place and a cookie is generated on the same domain as the one that our application is running on, which contains the unique identifier of the authenticated user. I've set it up so that once this happens, the Ping server will redirect to my "EndAuthentication" action on my "Security" controller.
3. In this action, I call my membership class's "ValidateUser" method, which takes this unique identifier from the cookie and loads in the user on our application that this ID refers to. I save that logged-in user in our Session (Session["LoggedInAs"], for example) and expire the cookie that contains the ID of the authenticated user that the SSO system provided for me.
All of this works well. The issue I'm wondering about is what happens after our user has already authenticated and manually goes back to our client's login page (www.client.com/login) and logs in as another user. If they do that, then the flow from step 2 above to step 3 happens as normal - but since there already exists an authenticated user on our site, it seems as though the FormsAuthentication system doesn't bother kicking off anything, so I don't get a chance to check for the cookie I'm looking for to log in as this new user. What I'd like to do is, somewhere in my Global.asax file (probably FormsAuthentication_OnAuthenticate), check to see if the cookie that the SSO system sends to me exists, and if so, sign out of the application using FormsAuthentication.SignOut().
Another issue that seems to be related is that if I let my Session expire, the FormsAuthentication still seems to think I am authenticated and it lets me access a page even though no currently logged-in user exists in my Session, so the page doesn't render correctly. Should I tap into the Session_End event and do FormsAuthentication.SignOut() here as well?
Basically, I want to know when the authentication ticket created by System.Web.Security.FormsAuthentication.SetAuthCookie(..) gets checked in the flow of a request, so that I can determine whether I need to SignOut() and force revalidation or not.
Thanks for any help. Sorry for the length of this message, trying to be as detailed as possible.
Mustafa
Welcome to the small section of Hades that is mixing session with forms auth.
If your needs are as complex as presented, you would get more sleep if you implemented a full provider stack to share amongst the participating sites. Easier said than done, I know.
But to address your question:
From http://www.codeproject.com/Articles/39026/Exploring-Web-config-system-web-httpModules.aspx:
On the way in... check the ticket and set the identity:
app.AuthenticateRequest += System.Web.Security.FormsAuthenticationModule.OnEnter --> OnAuthenticate
On the way out... set the ticket and redirect as necessary:
app.EndRequest += System.Web.Security.FormsAuthenticationModule.OnLeave
Reflector is your friend. ;-)
I don't know about a specific event for when the cookie is checked, but you could place the appropriate logic in Application_BeginRequest() and check the user's authentication state there.
"Another issue that seems to be related is that if I let my Session expire, the FormsAuthentication still seems to think I am authenticated and it lets me access a page even though no currently logged in user exists in my Session, so the page doesn't render correctly."
The life of the cookie (how long until ASP.NET feels it needs to ask for a password again) and how you are managing state are unrelated. ASP.NET authentication is cookie based so that, should a developer want to, he could turn off viewstate and session, use no query strings or hidden fields, and authentication would still work.
If you want to tie the interval at which you request the password to how you are persisting data, then you will want your session expiration to be roughly the same as the cookie expiration, but they will never quite match up. It would be better to have two policies (one for how fast you throw away a user's session data and one for how long you are willing to wait before you need to re-ask for a password).
I have experience with CakePHP and have now started coding on the ASP.NET MVC framework.
I have a problem with the login system. How can I restrict users to logging in only one time simultaneously on my system?
I can create a field in my DB where the Customer becomes active when he logs in. If he logs out, I can set active to false. But what if the session just ends? How can I catch this?
This article provides a possible solution.
This is, unfortunately, something of a challenge due to the way that the session end events are implemented, as you don't have access to the information you need when they fire.
So turn the problem on its head a little: if you track the session that they last logged in on, then if you get a request from that same authenticated user in a different session, remove the auth for that session (in effect the older session) with an appropriate redirect to a suitable message.
The key here is tracking not only who is currently logged in but also the session ID for that login.
Details are a bit more complicated - but you can perform the test at a request level or by adding your own base page class, deriving all your "real" pages from that and checking in a page event.
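One way to implement the scheme in the answer above, as an added example that is not the answer's own code: at login a random token is generated, recorded against the user, and placed in the session; every request then checks that the session's token is still the one on record, and an older session that fails the check is signed out and redirected. Keeping a per-login token rather than the raw session ID is my design choice: it gives the same "which session last logged in" information without persisting an ID that could hijack a session if the database leaked, and writing it to the session also forces ASP.NET to commit a session ID (empty sessions are not persisted). The user store is a hypothetical in-memory dictionary standing in for the database column, and the "~/Account/LoggedInElsewhere" route is assumed.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class SingleSessionLogin
{
    private const string TokenKey = "LoginToken";

    // Hypothetical stand-in for a column on the user table: user name -> current login token.
    public static readonly ConcurrentDictionary<string, string> CurrentTokens =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // 256 bits from the CSPRNG; unguessable, so a client cannot forge "current" status.
    public static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Call from the login action after the password check succeeds.
    public static void SignIn(HttpSessionStateBase session, string userName)
    {
        var token = NewToken();
        CurrentTokens[userName] = token;   // supersedes any earlier login for this user
        session[TokenKey] = token;         // also makes ASP.NET commit this session's ID
        FormsAuthentication.SetAuthCookie(userName, false);
    }

    // Voluntary logout: clear the record only if this session still owns it.
    public static void SignOut(HttpSessionStateBase session, string userName)
    {
        string current;
        var mine = session[TokenKey] as string;
        if (mine != null && CurrentTokens.TryGetValue(userName, out current) && current == mine)
            CurrentTokens.TryRemove(userName, out current);
        session.Abandon();
        FormsAuthentication.SignOut();
    }

    // True when this session holds the most recent login for the user.
    public static bool IsCurrentLogin(HttpSessionStateBase session, string userName)
    {
        string current;
        var mine = session[TokenKey] as string;
        return mine != null && CurrentTokens.TryGetValue(userName, out current) && current == mine;
    }
}

// Register once in FilterConfig (filters.Add(new SingleSessionAttribute())) or per controller.
public class SingleSessionAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var ctx = filterContext.HttpContext;
        if (!ctx.Request.IsAuthenticated || ctx.Session == null) return;

        var userName = ctx.User.Identity.Name;
        if (SingleSessionLogin.IsCurrentLogin(ctx.Session, userName)) return;

        // A newer login exists elsewhere: revoke only this (older) session's ticket.
        // The record is left alone because the newer session owns it.
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        filterContext.Result = new RedirectResult("~/Account/LoggedInElsewhere");
    }
}
```

Because validity is decided on each request, nothing needs to run when a session ends: an expired newer session simply leaves a token that no live session matches until the next login replaces it, and the older session was already evicted at its first request after the second login.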