ResetPassword functionality in Spring Security UI plugin - grails

I am new to grails.
I created a Grails application in NetBeans 7.2.1.
I am using grails-1.3.4.
I need to implement ForgotPassword functionality.
So for that I downloaded and installed the dependencies of the Spring Security UI plugin and installed the plugin too.
I am able to register a user and also able to verify it through email.
Now I am using the ForgotPassword functionality of this plugin and it is sending mail with the request token.
On clicking the link sent in the mail I am able to see the reset password form.
But when I enter the correct password in both fields, i.e. New Password and Re-enter Password, it just stays on the same page: no error is given and no message is displayed, it just stays on the ResetPassword form, and the password is not changed.
I have created the User and Role domain classes using the s2-quickstart command and added an email field to the User class.
EDIT:
When I click the reset password link mentioned in the mail I get the reset password form but also see an error message, as in the attached image.
Thanks in advance.

You're probably double-encoding the password. See the section "Password Encryption" in http://grails-plugins.github.com/grails-spring-security-ui/docs/manual/guide/10%20Customization.html for the configuration setting for this.
Btw - you're new to Grails but using 1.3.4? You should be using 2.1.x or 2.2.x.

Along the same lines as Burt's response, are you by any chance using multiple data sources? If so, you may be running into this issue. The last comment on that page describes a possible workaround.

Related

How to do forgot password in keycloak via API

We are creating an app that has a feature for users to reset their password. Since we are using Keycloak, that would be handled via the Keycloak page itself, but our client needs the forgot-password feature to be provided in the app, so I need to hit a forgot-password API as in the flow below.
App Forgot Password Page > Fill email only and proceed > User receives reset password link > Open link > Keycloak reset password page
But it seems that API does not exist in Keycloak.
So far I have only found the APIs below:
PUT /{realm}/users/{id}/reset-password (needs a bearer token, not possible since we are unable to use a realm account user)
PUT /{realm}/users/{id}/execute-actions-email (I don't know how to use it and it needs a bearer token, not possible since we are unable to use a realm account user)
Any suggestion?
Thank you in advance
Hi there, this is 2021. My solution at this time was to use the Keycloak library in a Java service, so the service works as an aggregator between my web app and Keycloak, and we are still using the APIs mentioned above that need realm access. Good luck.
You can set the required action for the user to UPDATE_PASSWORD, and when the user tries to log in, they will be prompted to set up their password.
Keycloak Admin APIs - UserResource
You can update the user and in the UserRepresentation you can set that required action.

Grails Spring Security Open ID not working

I've been trying to use the Grails Spring Security OpenID plugin and while following the tutorial instructions https://grails-plugins.github.io/grails-spring-security-openid/docs/manual/guide/tutorials.html it just doesn't work at:
Navigate to http://localhost:8080/openidtest/secure/admins and you should be prompted with the login screen. Leave the Use OpenID checkbox checked and enter a valid OpenID. Don't check the remember-me checkbox yet (it doesn't work with the extended workflows where you create a new user or link an OpenID) and click the "Log in" button.
After authenticating at the OpenID provider, you'll be redirected to the registration page. Note that there's a link to just associate the current OpenID with a local account - for now click the "link this OpenID" link.
When I try to log in, I simply get:
Sorry, we were not able to find a user with that username and password.
The documentation is not recent, and the last I saw in some other post was that Burt said he had some GitHub issues and had not been able to update it (I think it was a Stack Overflow comment around October 2013).
Does anyone know if there is a configuration or setting that must be changed? or a new step perhaps?
Thanks in advance
So I have come to this conclusion from reading a few different sources and trying things out. I stand to be corrected, however, the current solution is working for me.
My humble understanding: The OpenID input in the plugin requests a link from the OpenID Account provider (e.g. google) with which the user will be authenticated.
Websites can just have a link for each provider they want to support instead of asking for a link, so that you would have a "Login with Google" button with the link prefilled (which by the way is https://www.google.com/accounts/o8/id).
It can help to just look at how other websites do it. You can also just google openid and your provider to find out their links.
Note that some providers have a static link, while it looks like others have user-specific links. I'm not yet sure how to deal with user-specific links.

Devise 3.2, Confirmation without Login, and Password Creation for New Accounts

I've upgraded to Devise 3.2.1 and Rails 4.0, and I'm trying to figure out my signup now that one doesn't login on confirmation.
I allow users to create a message and specify the recipient of the message via an email address. Then I send emails notifying the recipient that they've received a message on the service. If the recipient doesn't have an account on the service, I create the account without a password, and the email I send to the recipient acts as a confirmation email. With prior versions, the recipient would then click on the link, thus confirming, and then be taken to a password creation stage, and then finally they'd have a confirmed account created with a password and could go see the message.
With Devise 3.1, they no longer allow login via confirmation as they consider it a security risk, however I fear it may greatly increase the complexity of my sign up process. I can no longer redirect to a password creation page as they aren't logged in. I'm toying with the idea of taking them to a special signup page or creating the account and then sending a special form of password reset.
I don't want to notify them via email, then send them a second email as a confirmation. That adds unnecessary complexity to my signup.
I wondered if anyone else has dealt with this issue and how they handled it. I'd like to avoid using:
config.allow_insecure_sign_in_after_confirmation = true
as that will go away soon and is really not the right way.
Is there a secure, yet fast way to do this with Devise 3.2?
Thanks!
I'm switching to using sorcery ( https://github.com/NoamB/sorcery ) for greater control over authentication and building my flow with that.
This is precisely the problem that devise invitable gem solves in a secure manner. I would recommend using this tool, rather than trying to hand-roll your own solution which is more likely to contain security flaws.
The gem workflow is basically:
An admin invites a new user.
The new user is created with a random password. (I actually helped write this bit!)
The user is sent an invitation email. (This is fully customisable in how it works, but has some simple default settings.)
The user receives a link, which contains a URL with a unique invitation_token.
After clicking this link, the user must choose their real password.
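
The token lifecycle behind the workflow listed above, modelled in plain Ruby as an added example (it is not devise_invitable's code and not part of the original answer). The class name `InvitationStore`, the 7-day validity window, the 12-character minimum and the HMAC-keyed token digest are assumptions made for illustration.

```ruby
require "securerandom"
require "openssl"

# Simplified, constructed model of an invitation-token flow; not devise_invitable's code.
class InvitationStore
  TTL = 7 * 24 * 3600      # assumed validity window, in seconds
  MIN_PASSWORD_LENGTH = 12 # assumed policy

  def initialize(secret)
    @secret = secret   # server-side key for the token digest
    @pending = {}      # token digest => { email:, invited_at: }
    @accounts = {}     # email => { password_set: }
  end

  # Create the account and return the raw token for the e-mailed link.
  # Only an HMAC of the token is kept, so a leaked table cannot be replayed.
  def invite(email, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @accounts[email] = { password_set: false } # no usable password yet
    @pending[digest(raw)] = { email: email, invited_at: now }
    raw
  end

  # Redeem the token and set the real password in one step; no session is
  # created from the link alone.
  def accept(raw_token, new_password, now: Time.now)
    key = digest(raw_token.to_s)
    invitation = @pending[key]
    return :invalid_token if invitation.nil?
    if now - invitation[:invited_at] > TTL
      @pending.delete(key)
      return :expired
    end
    return :weak_password if new_password.to_s.length < MIN_PASSWORD_LENGTH
    # A real app would hash new_password (e.g. bcrypt) and store the hash here.
    @accounts[invitation[:email]][:password_set] = true
    @pending.delete(key) # single use: the link is dead after acceptance
    :ok
  end

  def account(email)
    @accounts[email]
  end

  private

  def digest(raw)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, raw)
  end
end
```

A rejected weak password leaves the invitation pending so the user can retry with the same link, while an expired or already redeemed token can never be accepted.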

Rails custom reset password email

I have a project that is built on LocomotiveCMS, which already has reset password functionality built in. However, the reset password email it currently sends has just basic skeleton wording.
How do I make a custom message to use in the email sent out for resetting a password?
Inside your main app, all you have to do is to add a new file at this location: /app/views/locomotive/devise_mailer/reset_password_instructions.html.haml.
After a restart of your server, Devise should use this file as the new template for the reset password instructions.
We did that for LocomotiveHosting.com (which is built on top of the LocomotiveCMS engine) and it works well.
Thanks!
Did

How to prompt the user after two failed login attempts in Grails Spring-Security powered app?

The login requirement for our Grails app is that after two failed login attempts, the user is prompted with a new question right below the fields asking if the user forgot the password.
I'm using Spring Security plugin, is it possible to code it?
I know in the latest version of spring-security-core (1.1.3), there's a LoginController.authfail callback. You have access to the username there, so you could persist the number of consecutive failed login attempts as a field in the session. If it gets to 2, your login/auth.gsp page and LoginController.auth method could be updated to display this new question and process it on form submission.
Without knowing more specifics it's hard to tell if that will do everything you need, but it might be worth taking a look at.
