I have been having some trouble logging in when typing the credentials in the login page. For some reason, I am typing a wrong password even though I have checked the correct one in the database. So I thought of printing in the console the password that I type. How can I do that?
I wrote up an approach at http://burtbeckwith.com/blog/?p=2029 - this is a follow-up to this earlier post: http://burtbeckwith.com/blog/?p=2003
As I mention in the post, since this will print cleartext passwords on the console, be sure to remove this as soon as you determine and fix what's misconfigured.
I am using Spring Security 3.2.5. I use ActiveDirectoryLdapAuthenticationProvider for my authentication provider. But I want to check my username and password before authenticating through Active Directory.
For example, before the authentication process starts via Active Directory, I want to check that the username and password are not equal, that there is no space in them, and that their size is not smaller than a specific size.
Update:
Spring Security does not allow an empty username and/or password and raises this exception:
Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials.
I have been looking around in different filters and I think I should do this checking in UsernamePasswordAuthenticationFilter, but I am not sure and I don't know how to do it. I would highly appreciate your help.
Thanks in advance.
Best Regards,
/Samaneh
By default Spring Security should error if the user attempts to submit an empty username or password. As far as testing password criteria prior to LDAP authentication attempt, that seems inherently insecure. By testing a precondition you may give an attacker insight as to what the password may be. Additionally, short circuiting the LDAP binding attempt would effectively circumvent any maximum invalid attempt threshold configured in Active Directory.
Simply put, when it comes to authentication, we don't want to give the user any specific details other than that the username and password you provided were wrong.
Stack:
Devise 3.1.1
Rails 4.0.5
Omniauth 1.2.2
I started running into this issue where users can reset their passwords (via email), but the changed password never gets saved. Basically the only way they can login is through password reset.
I'm not necessarily looking for a solution, but can anyone recommend how to DEBUG what is going on? Ideally I'd like to follow the password reset path within Devise so I can verify the new password is getting saved, but I don't know where to start looking or where to put "puts" statements.
Also, it only happens on SOME accounts, which is even weirder.
Turns out it was a bug on my part. I was improperly overriding find_first_by_auth_conditions.
I need to decrypt the password to send in email. Can anyone please guide me that how I can decrypt the "Spring Security" password in grails?
Thanks
Smac
Passwords aren't encrypted (which would imply that they can be decrypted); they're hashed. Hashing takes various inputs and generates a fixed-length output, so the process is lossy since a large original input cannot be stored completely within a small hash output.
But that's ok for passwords. Rather than decrypting (or "de-hashing") the stored password to see if a login attempt is valid, you hash the password from the login page and compare it to the stored hash value. These two don't have to be the same, and for example when using Bcrypt they won't be the same value, but the hash algorithm implementation will have logic to determine if two hashes are equivalent.
If you store passwords in a way that the original value can be retrieved, you might as well store them in cleartext. But that's crazy since then anyone with access to that table can see them.
As was mentioned in the comments, never send cleartext passwords by email. Instead configure a workflow where your users can reset their password. The http://grails.org/plugin/spring-security-ui plugin has this as a feature. If you don't want to use the whole plugin, feel free to steal the code for this feature. Basically the workflow is that a user requests a reset email for their username. Only ask for username, but not their email; use the one you already have. Generate a unique token and store it, and use it in the link in the email. When the user clicks the link you can validate the token and know that it wasn't just any arbitrary request from a hacker, but that it's from the user since you use their email address to verify their identity.
1) You should be using a one-way hashing algorithm for encrypting the password, which can't be decrypted back. (Otherwise, it's a security threat for the application.)
2) A text password should never be sent in emails. In fact, you should use a workflow like sending a reset/forgot-password link in the email. (The links can have a UUID appended as a parameter for any new reset/forgot-password request, which is enough to identify it.)
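The hash-and-compare login check and the reset-link workflow described in the two answers above, as an added Ruby example that is not code from either answer or from the spring-security-ui plugin; the in-memory users table, the hostname and the salted PBKDF2 stand-in for bcrypt are assumptions:

```ruby
require "securerandom"
require "digest"
require "openssl"

# Added example (not code from the answers above or from spring-security-ui):
# the hash-and-compare check and the reset-link workflow they describe. The
# users "table" is an in-memory hash constructed for the demo.
USERS = { "alice" => { email: "alice@example.test", pw: nil } }
RESET_TOKENS = {}      # SHA-256(token) => { username:, expires_at: }
TOKEN_TTL = 30 * 60    # seconds a reset link stays valid

def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Salted PBKDF2 stands in for bcrypt: the password is never stored and
# cannot be recovered from the record, only re-derived and compared.
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  { salt: salt, dk: OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, "sha256") }
end

def password_valid?(username, password)
  rec = USERS.dig(username, :pw)
  return false unless rec
  constant_time_eq?(rec[:dk], OpenSSL::PKCS5.pbkdf2_hmac(password, rec[:salt], 20_000, 32, "sha256"))
end

# Step 1: only the username is asked for; the email already on file is used.
# Only a hash of the token is stored, so reading the table does not yield a
# usable link. Returns the link to mail (nil for unknown users; respond the
# same way either way so usernames cannot be enumerated).
def request_reset(username, now = Time.now)
  return nil unless USERS[username]
  token = SecureRandom.urlsafe_base64(32)
  RESET_TOKENS[Digest::SHA256.hexdigest(token)] = { username: username, expires_at: now + TOKEN_TTL }
  "https://app.example.test/reset?token=#{token}"   # hostname is a placeholder
end

# Step 2: the link is clicked; the token is single-use and time-limited, which
# is what proves the request came from the mailbox on file.
def complete_reset(token, new_password, now = Time.now)
  rec = RESET_TOKENS.delete(Digest::SHA256.hexdigest(token.to_s))
  return :invalid unless rec
  return :expired if now > rec[:expires_at]
  USERS[rec[:username]][:pw] = hash_password(new_password)
  :ok
end
```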
Specifically, I have written a Rails app in which I'm using the default (in Rails 2.3.5) CookieStore session store and I've spotted an odd problem in development.
Myself and a few others had been using the site for a few weeks and we each had a login based on a username and password (each user registered themselves and I stored the (salted and hashed) data in the database). I was storing the user ID in the Rails session object (and, therefore, in the cookie that is passed back and forth between browser and server).
One important point here: since this is an intranet site, I set the cookies to stay alive for up to 2 weeks to avoid users having to log in all the time.
Today I reset the database, wiping all user records (and all other data, intentionally). A few users started registering themselves again and then one user found that the first time they went to the site since the wipe they were automatically logged-in as a different user!
I think I can see why this happened: the user ID passed from that user's browser to the server now matched a different user-record in my database. My initial thought was "oh dear, I wasn't expecting that!" but the more I thought about it the more I realised this was probably expected behaviour.
I realise I can change my Rails app to use ActiveRecordStore but before I did that I wanted to make sure I understand what's going on here. Specifically, does the combination of using CookieStore sessions and having the sessions stay alive for some time really create such a gaping security hole? Or am I missing something? Should the session_id be providing a little more security here?
The big security hole in this setup isn't the cookie length, it's setting the user_id in a cookie. This means that anyone who logs into your site can log in as anyone else just by changing that cookie! A hacker would just sequentially walk through user_id's, logging in and seeing if there's anything they want to steal or abuse.
If you want to roll your own authentication, try this instead: add a "token" string field to your user table. When somebody logs in, set this token to a random set of numbers and letters, and pass that as the cookie back to the user. The token should be at least 32 characters, alphanumeric, upper and lower case.
Now when a user goes to a page, their account is looked up by that hash instead of their user_id. The value is that the hash is much harder to guess, and will never be repeated. Your user_id's were actually repeated when you reset the database, causing people to be logged in as each other.
UPDATE
#shingara is right that the cookie store does handle the security part already, my mistake. The user_id mixup is therefore a one-time occurrence because you reset the database. This is not a problem you'll face in a production environment, unless you reset the database again. If resetting is ever a possibility, then still do the token creation as I recommended. Otherwise, you're fine.
The simplest solution to the problem you had here would be to have changed the cookie name when you reset the database. The cookie name should be in config/initializers/session_store.rb
ActionController::Base.session = {
  :key => '_your_app_session_v2',  # a new cookie name means browsers' old session cookies are simply ignored
}
You could also change the secret, but that may generate errors for your users if they request the site with an old cookie.
Your case arises only if you have 2 different users with the same user_id. So it's not possible if you define the user_id as unique.
Another option: you can add to the session a hash with a unique key per user. When you check the session you get the user_id and check if the user_token is the same. If not, the user is not authorized.
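A stand-in for the signed CookieStore together with the per-user session token proposed in the two answers above (the "token" field and the user_token check), as an added Ruby example that is neither Rails code nor the answerers' code; the HMAC cookie format, the in-memory users table and the demo secret are assumptions. It also walks through the database-reset case from the question.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"

# Added example (not Rails or the answerers' code): a stand-in for the signed
# CookieStore plus the per-user session token suggested above. The users
# "table" is an in-memory hash and SECRET is a demo value, both constructed.
SECRET = SecureRandom.hex(32)
USERS = {}   # id => { name:, user_token: }

def sign(data)
  OpenSSL::HMAC.hexdigest("sha256", SECRET, data)
end

# Serialize the session and append an HMAC, the way CookieStore signs cookies.
def encode_cookie(session)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{sign(data)}"
end

# Reject any cookie whose signature does not verify (tampering). Rails uses a
# constant-time comparison here; plain == keeps the demo short.
def decode_cookie(cookie)
  data, sig = cookie.to_s.split("--", 2)
  return nil unless data && sig && sign(data) == sig
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

def register(id, name)
  USERS[id] = { name: name, user_token: SecureRandom.hex(16) }
end

# Login stores both the id and the per-user token in the (signed) session.
def login_cookie(id)
  encode_cookie("user_id" => id, "user_token" => USERS[id][:user_token])
end

# Look the account up by id, then require the stored token to match: a stale
# but validly signed cookie whose id now belongs to a re-registered user fails.
def current_user(cookie)
  s = decode_cookie(cookie)
  return nil unless s.is_a?(Hash)
  u = USERS[s["user_id"]]
  u if u && u[:user_token] == s["user_token"]
end
```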
Thank you for all the responses. They all answered my question in a way: yes, my setup (and my not setting a new session key after wiping the users) creates a security hole.
Lots of Rails tutorials advocate this setup without mentioning the fact that all you need is to monkey with your cookie to be fully authenticated as another user.
So, to summarise, I asked the question because I couldn't find anything discussing the danger of CookieStore session + long cookie lifetimes, and I found that surprising so thought I might be missing something obvious.
I had a similar issue and resolved it using a code snippet similar to this comment by mdesantis on managing Rails secret token.
How do I "log out" a user? Know that this is not officially supported, but I need a quick and dirty hack. Saw somewhere I just throw out a 401 access denied - but anyone know the syntax
http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.
However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products. Consequently, the answer to this question is, you can't. Sorry.
As you can see from the full explanation above, you can't.
The only workaround is to invalidate the user session and cause the browser to request username and password again.
Additionally, you can try (I haven't tried it yet) to empty the WWW-Authenticate HTTP header.