is possible to deny a credential in security.yml?
For example:
default:
is_secure: true
credentials: admin
(i want that user have not the admin credential)
No, it is not possible. All you can do is add all the other credentials to the security file with a OR connector or add some php code in the actions.class.php.
Your best option is extending the sfBasicSecurityUser class, overriding the hasCredential() method to handle it (for example by adding a ! before the given credential). This is what the security filter uses to check if the user may access the requested action.
Then edit your app's myUser class to extend this new class, and voila.
Related
what I am trying to do:
I have an app that takes in login credentials: username and password for a user. I have a rest api that internally calls the keycloak REST API: /auth/realms/realmname/protocol/openid-connect/token
and gets the access token for this user.
Now I am building another REST API to access a resource where I want to do the following:
doSomething(accesstoken, data)
{
a) call keycloak API to validate access token and get roles.
b) if role == manager, process(data)
c) else: return error msg.
}
Now, how do I do (a): validating the access token and getting the roles associated with it.
I know we can do: auth/realms/realmname/protocol/openid-connect/userinfo
but that only gives the details about the user like name, email, etc. but does not display any roles.
Here's an example I got:
{
"name": "test user",
"sub": "e2bad34d-a1a9-4d70-ac84-bd3a3246023e",
"email_verified": false,
"preferred_username": "user",
"given_name": "test",
"family_name": "user"
}
As seen, it doesnt give the roles at all. How do I then tell what roles this access token has? Interestingly, when I search for this, many resources are suggesting the above userinfo endpoint. But this merely tells me taht the access token I provided is valid. Does not give roles for that.
In other words - it authenticates but does not authorize.
Please suggest.
Thanks,
Anand
In Keycloak admin Console, you can configure Mappers under your client. Add a builtin Mapper of type "User Realm Role", then open its configuration e.g. change Token Claim Name if you want.
Client roles can be configured similarly, but they are returned by default in the token under the name resource_access.${client_id}.roles
The the client side you can parse the token to find the roles. E.g. In an angular application and using the keycloak-angular adapter, you can have a the token as a json object by calling keycloak.getKeycloakInstance().tokenParsed.
In a spring boot application and using the Keycloak java api, you can find the roles under the field "otherClaim" in the following class
https://www.keycloak.org/docs-api/10.0/javadocs/org/keycloak/representations/AccessTokenResponse.html
In both representations you will find the roles under the "Token Claim Name" defined in the client mapper configuration
Additionally, if the full scope is not allowed then you need to add the relevant roles to the scope, so they can appear in the token.
After adding role in the roles section , need to move available roles into the Assigned Roles of the scope tab of the respective client section.
I am new to LDAP trying to create schema for User authentication Purpose. DN: uid=55e44a75e4b0f16711714165,ou=people,dc=myDB,dc=com
Every thing is perfect I can add data like cn=Prashant, sn= thorat ,mail=xx#gmail.com,mobile:xxxxx , password=xxxx . And I can Authenticate user using mail and password.
Now I want to mark status here as deleted . So that on login I can Identify User status from LDAP. Is their any attribute or Object to add user status as deleted / active or need to create custom.
ref: http://www.zytrax.com/books/ldap/ape/#contents
There is no deleted attribute in any LDAP schema I am aware of. You could use the pwdAccountLockedTime attribute of the password-policy overlay: set it to 000001010000Z. See here. If you did that you would also have to use the password-policy response control when binding.
I'm trying to login an account in Active Directory with have to change this password (pwdlastset = '0'). The problem I've found is that when this propertie of the entity is enabled, the ldap method can not authenticate with old password. I'am doing the connection with a ruby client and I need to authenticate the user before send the replace instruction to de unicodePwd to avoid security problems. How can I check old password when I have pwdlastset enabled?
A bit of pseudocode:
ldap_con.new(ldap_params)
auth = ldap_con.auth(login, old_pass) # Fail when pwdlastset eql 0
ldap_con.modify(:dn => dn, :operations => [:replace, "unicodePwd", new_pass]) if auth
If I change the pass without authenticate, someone can change the pass of an account without old credentials.
Thanks!
You can set the pwdLastSet to "-1" and then set the password for the user.
As I recall, these need to be done in two LDAP operations.
-jim
I am using Grails Spring Security Plugin 1.2.7.3 and would like to have the User authenticate via Email Address and Password. I would like Email Address to be the primary Login ID.
I came across the following Nabble post regarding case insensitive usernames, where the original poster is attempting to do the same. However, I was a bit confused on a few points:
I understand that I need to write my own implementation of UserDetailsService and register it in grails-app/conf/spring/resources.groovy.
However, I wasn't sure which folder the custom implementation of UserDetailsService should go (best practices). My guesses are either /grails-app/services, /grails-app/utils, or /src/groovy. Has anyone done this before and where is the best place for the custom UserDetailsService?
I read this chapter in the Docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html but I didn't really see guidance on what Grails folder to put it in.
I created my User domain class via s2 command:
s2-quickstart com.philiptenn.security User Role Requestmap
If I were to rename the field User.username to User.email so that my code is clearer, will I be in for a world of hurt?
I did a Find Usages on this field, and one stuck out in DefaultSecurityConfig.groovy: userLookup.usernamePropertyName = 'username'
Could I just update this to read:
DefaultSecurityConfig.groovy: userLookup.usernamePropertyName = 'email'
Thank you.
As you pointed out, you can override the default security configs in your own Config.groovy, the options all start with grails.plugins.springsecurity, so it would be grails.plugins.springsecurity.userLookup.usernamePropertyName = 'email' (docs). That's the first thing I'd try. If you check out the source of the GormUserDetailsService, the default userDetailsService, you'll see it uses that property for the lookup.
I have a module that can be accessed only by admin, except for a single action that can be accessed by all authenticated users.
Is there a way to reset the credential for that single action? I tried to use null but still get 403 Error. Is listing all actions in security.yml the only solution?
default:
credentials: [ admin ]
public:
credentials: null
Have you try to set en empty array or credential ?
public:
credentials: [ ]
Yes, you'll have to list all of the actions if you want fine grained control on who has access to what.
Or, another way (albeit ugly) is to set the action, which doesn't require any credentials, to is_secure : false and then check if they're authenticated through the action in the controller.
Also, if you want to do by using credentials, then you should set every user to have a default credential. i.e. with a credential called 'user'
Out of interest: how many actions do you have for this module?
EDIT: Also, what happens if you use a ~ instead of null?
You have to write all allowed credentials inside the public action if you want to have it accesible for logged users with all credentials (sf1.4 ad reference)
.. or you can open the action to the whole world:
default:
is_secure: true
myPublicAction:
is_secure: false