If I remove
<authorities-by-username-query="myquery">
in my jdbc-user-service then my form always gives me 'bad credentials'. I've checked it triple times , I cannot authorize person without giving him at least one authority?
the idea is that all users should have an authority to determine what pages/links a user should access
if you only have users, Set the render for the authority field in the view to false and then tell the controller to always set the role as "ROLE_USER"
Related
I am new to LDAP trying to create schema for User authentication Purpose. DN: uid=55e44a75e4b0f16711714165,ou=people,dc=myDB,dc=com
Every thing is perfect I can add data like cn=Prashant, sn= thorat ,mail=xx#gmail.com,mobile:xxxxx , password=xxxx . And I can Authenticate user using mail and password.
Now I want to mark status here as deleted . So that on login I can Identify User status from LDAP. Is their any attribute or Object to add user status as deleted / active or need to create custom.
ref: http://www.zytrax.com/books/ldap/ape/#contents
There is no deleted attribute in any LDAP schema I am aware of. You could use the pwdAccountLockedTime attribute of the password-policy overlay: set it to 000001010000Z. See here. If you did that you would also have to use the password-policy response control when binding.
I have User table and Employee table, but I have only one login form for user(Admin). I want to login Employee also from same login page please help me as soon as possible? In MVC.
First check if username exits in the User table, if it does then match the password and return accordingly. If doesn't exist then check username in employee table and match password. If not found in both tables, return user doesn't exist.
I prefer having all my users in one table, then assigning them the Admin role if required.
But if that is not an option, check if the user exists in the admin table, if not, check the users table. If still not, don't log him in. Otherwise do the rest of the login process.
My preference is:
All users should be into a single table. And user table needs to contain a column "isAdmin[bool]".
when user press on the login button with correct username and password, system will check the role. if isAdmin == true then the user should log into the system with admin functionalists as well as the regular employee functionalists. Because a admin is also an employee.
when isAdmin==false the the user should log into the system with only employee functionalists.
Try to learn more about role based authentication.
Thanks
I have a module that can be accessed only by admin, except for a single action that can be accessed by all authenticated users.
Is there a way to reset the credential for that single action? I tried to use null but still get 403 Error. Is listing all actions in security.yml the only solution?
default:
credentials: [ admin ]
public:
credentials: null
Have you try to set en empty array or credential ?
public:
credentials: [ ]
Yes, you'll have to list all of the actions if you want fine grained control on who has access to what.
Or, another way (albeit ugly) is to set the action, which doesn't require any credentials, to is_secure : false and then check if they're authenticated through the action in the controller.
Also, if you want to do by using credentials, then you should set every user to have a default credential. i.e. with a credential called 'user'
Out of interest: how many actions do you have for this module?
EDIT: Also, what happens if you use a ~ instead of null?
You have to write all allowed credentials inside the public action if you want to have it accesible for logged users with all credentials (sf1.4 ad reference)
.. or you can open the action to the whole world:
default:
is_secure: true
myPublicAction:
is_secure: false
I am creating an online survey tool.
As an administrator, i would like to see what the users have answered and also be able to answer on their behalf. The system get's a users answers and other information based on his/her username, when they are logged in, using the built in membership provider.
There are currently three roles: Administrator, Moderator and Respondent
If i would like to show my administrator a list of users,
how would it be possible to create a "backdoor" for the administrator, so that he can "log" in as the user, see the users answers etc ? (Just like the user would be able to if he was logged in to his own account).
When answering and retrieving quyestions, the system is bound to `User.Identity.Name
My suggestion on how to solve this:
Currently, when i want to retrive a users answers i use the following code:
Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
var answers = db.Tabelform_Answers.Where(x => x.question_id == model.Question_ID && x.respondent == Firma_ID);
This is because i have a table named Firma, that has a column referencing to a users Name, called CVR_Nummer. I then retrieve all the records in the Tabelform_Answers table, that match question_id and Firma_ID (A users answers for a specific question).
Instead of using `Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
to retrive the Firma_ID of a given user, i could store it in the Session upon Login. When i want to view a specific users Answers as Administrator, i would then just change Firma_ID in the Session. Changing Firma_ID in the Session would only be allowed through a controller which has the following code:
[Authorize(Roles = "Administrator")]
Also, i would set the Session timeout to be the same as the Authentication timeout.
Can somebody tell me which pros and cons of this solution? Are there any other ways of storing a "global" variable for a Session? (Firma_ID)?
Thanks
If you only need to log in as your users, I went for a ticket-method.
I have a special login-page that can take a ticket-id. This ticket is created in the admin-gui when the admin wants to log in as another user. The login-page checks the ticket in the database, logs in the wanted user, and then deletes/marks the ticket as used. As an added security, a ticket is only valid for 10 seconds after creation.
Another option is to make answers from users available from the admin-gui...
also you can do in your log-in script override
so you have at present something like
if user name and password match string then user is logged in and based on this you get user permissions
instead have admin page,
where you can select user and then you can apply permissions of the user instead of admin.
I've got 3 apps: Backend, Frontend and Members.
And I've got 2 credentials: Administrators and Members.
Administrators are imported by default but Members are created in the Backend.
When a Member is created, an event handler also inserts this Member as a sf_guard_user and of course, the proper relations in sf_guard_user_group and sf_guard_user_permission.
That's the boring part, now the fun:
Frontend is not secured, but Members is and using these credentials: [administrator, member].
According to all this, Members created in the Backend that also get inserted (correctly as far as I can tell) should be able to login to the Members secured app, since they get the member group/permission/credential.
This is not happenning, the only ones that can login to the Members app are the administrators, which is not wrong, but either is the fact that correctly created Member users can't login to it.
The error thrown by the guard is the classic: The username and/or password is invalid.
Now that I edit the error, the salt comes to mind: How would one emulate the inserting of the salt as the guard does it? Maybe that's what I'm not inserting correctly (or inserting at all) and thus the password invalid error (and in fact everythine else I've described is ok! omg)
And that's my problem.
Thanks in advance :)
[administrator, member] means both are required, I believe.
I think you want [[administrator, member]] for the credential requirement.
Also, yes, you will want to make sure you use a salt, and set the algo.
parent::_set('password', call_user_func_array($algorithm, array($salt.$password)));
Salt before password, as well.