In Redmine is possible to register new account using web interface via
http://redmine/account/register
When Submit is performed browser sends a POST to account\register with this data:
utf8=%E2%9C%93&authenticity_token=6XEpkFIoAsXyIvAk3j%xxxxxxxroM3yJm5yV4dLoExNg%3D&user%5Blogin%5D=myuser&user%5Bpassword%5D=password&user%5Bpassword_confirmation%5D=password&user%5Bfirstname%5D=firstname&user%5Blastname%5D=lastname&user%5Bmail%5D=test123%40mydomain.tld&user%5Blanguage%5D=it&commit=Invia
In logfile is possible to see:
Started POST "/account/register" for 173.102.44.73 at 2017-03-09 15:53:13 +0100
[...]
{
"utf8"=>"✓",
"authenticity_token"=>"long_alphanumeric_string",
"user"=>{
"login"=>"mynewuser",
"password"=>"[FILTERED]",
"password_confirmation"=>"[FILTERED]",
"firstname"=>"myfirstname",
"lastname"=>"mylastname",
"mail"=>"test123#mydomain.tld",
"language"=>"it"
},
"commit"=>"Invia"
}
Redmine has Rest API support but I can't find how to register a new user using JSON.
EDIT: Is it possible to create/register new user via JSON POST using http://redmine/users.json as described here but Administrators rights are needed.
Web interface permits account registration for anonymous users, is it also possible via Rest API ?
The following should work:
create a redmine api-user i.e. api-user-cancreateusers
enable REST API in Administration -> Settings -> Authentication
generate/get the api-user api-key
give the api-user rights to create users
put the api-user name and key into your program/service
profit!
redmine-auth-doc
Edit:
give the api-user rights to create users
as hinted in the comment - it seems there is no such thing. the only way seems to give the api user admin rights (shudder)
alternatively fetch the account/register page and replay with the provided auth_token
Related
I have been reading the documentation for last 2 days. I'm new to feathersjs.
First issue: any link related to feathersjs is not accessible. Such as this.
Giving the following error:
This page isn’t working
legacy.docs.feathersjs.com redirected you too many times.
Hence I'm unable to traceback to similar types or any types of previously asked threads.
Second issue: It's a great framework to start with Real-time applications. But not all real time application just require alone DB access, their might be access required to something like Amazon S3, Microsoft Azure etc. In my case it's the same and it's more like problem with setting up routes.
I have executed the following commands:
feathers generate app
feathers generate service (service name: upload, REST, DB: Mongoose)
feathers generate authentication (username and password)
I have the setup with me, ready but how do I add another custom service?
The granularity of the service starts in the following way (Use case only for upload):
Conventional way of doing it >> router.post('/upload', (req, res, next) =>{});
Assume, I'm sending a file using data form, and some extra param like { storage: "s3"} in the req.
Postman --> POST (Only) to /upload ---> Process request (isStorageExistsInRequest?) --> Then perform the actual upload respectively to the specific Storage in Req and log the details in local db as well --> Send Response (Success or Failure)
Another thread on stack overflow where you have answered with this:
app.use('/Category/ExclusiveContents/:categoryId', {
create(data, params) {
// do complex stuff here
params.categoryId // the id of the category
data // -> additional data from the POST request
}
});
The solution can viewed in this way as well, since featherjs supports micro service approach, It would be great to have sub-routes like:
/upload_s3 -- uploads to s3
/upload_azure -- uploads to azure and so on.
/upload -- main route which is exposed to users. User requests, process request, call the respective sub-route. (Authentication and Auth to be included as well)
How to solve these types of problems using existing setup of feathersjs?
1) This is a deployment issue, Netlify is looking into it. The current documentation is not on the legacy domain though, what you are looking for can be found at docs.feathersjs.com/api/databases/querying.html.
2) A custom service can be added by running feathers generate service and choosing the custom service option. The functionality can then be implemented in src/services/<service-name>/<service-name>.class.js according to the service interface. For file uploads, an example on how to customize the parameters for feathers-blob (which is used in the file uploading guide) can be found in this issue.
I want to connect to our own oauth2 server, so I wrote an oauth2 login extension, there is the code when I get account information from oauth2 server.
$user = User::newFromName($username);
$user->setEmail($email);
$user->load();
if (!($user instanceof User && $user->getId())) {
$user->addToDatabase();
}
$user->setToken();
$user->setCookies();
$this->getContext()->setUser($user);
$user->saveSettings();
It will create user data if the user does not exist, but sometimes login will fail if you are not logout by click logout button, and I totally have no clue to solve this problem.
I found MediaWiki has login API, but it required a password and seems not has user auto-creating feature, any reference to accomplish it?
In MediaWiki 1.27+ login should be done by writing a PrimaryAuthenticationProvider (before 1.27 there was no non-hacky way to do it for non-password-based logins). See the inline documentation in that class, or this patch which provides similar functionality for OAuth1.
Here is the problem: I have a KB Called APP1 that will execute an WebService of an Identity Provider (centralizes all the logins/sessions for different applications) that will return true if there is a logged user in current WebSession that has been granted to access the Application or false otherwise. When I create an web panel at the same KB as the Identity Provider, it works just fine, I get TRUE when there's a logged user, and FALSE when there's not. But when I call it from APP1 it always returns false, I believe that the problem is because the WebSession won't work properly when called through an WS. Any ideas of how to solve it?
My first advice is to try using GAM Single Sign on (X Evolution 3)
WebServices should be Stateless. I think that using the Database instead of WebSession could do the job.
Nonetheless, in order to call a restful WebService you will have to do something more complex as dealing with CookieContainers as stated in the following link.
Consider this solution:
User tries to access App1
There's no web session (App1 doesn't know who is connecting)
App1 redirects User to an IdentityProvider's special login page
If User is not logged, it provides credentials and logs in
IdentityProvider has a session for the user (it knows who is connecting), then it redirects to the referer, appending to the url an encrypted userid parameter.
App1 decodes the parameter, now it knows who is connecting.
App1 saves the userid to the web session, now the user is authenticated
App1 and IdentityProvider must share an encryption key.
Consider that if the encryption key gets compromised or cracked anyone can impersonate another user.
Depending in how secure you want your system to be, you should study other security issues:
every time the user connects it's encrypted login is the same an it shows in the url, it can be easily solved adding a nonce or salt.
The system could be abused generating multiple requests until it gets a valid encrypted userid. It can be mitigated using a large Salt and/or blocking multiple attempts from the same source.
Note that this isn't a tested protocol and I didn't study the security in depth. I got some inspiration from OpenId, but this is a simplified protocol and I could be missing security holes.
MY AIM : I am creating a Service provider at my local server using opensaml-java latest library from shibboleth.I want a Test IdP.I chose https://fed-lab.org/ . There is no clear procedure for this configuration also
1.I have created Metadata programmatically using opensaml.
I need to check whether my metadata is correct according to its standard schema.How can i check this?
2.I have registered my SP at https://fed-lab.org/ site after logging in.
3.I have downloaded the Identity Provider from https://fed-lab.org/online/identity-provider-metadata/
It has two IDPSSODescriptors.
In that SIngleSignOnServices are
1.https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php and
2.https://fed-lab.org/simplesaml-test/module.php/fedlab/SingleSignOnService.php
I am using HTTP-Redirect binding
I have created the AuthnRequest message first . then did , deflate , base64encoding , URL encoding as per specification of SAML
https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=processedAuthnRequest
I am trying to access this URL , But I am getting nothing Response from the site.
WHere am I wrong ? please Let me help to figure it out.
Can u provide Test IdPs where there is a clear way(documentation) to do the configuration.
There is a very simple Idp at http://stubidp.kentor.se that doesn't require any kind of registration. Just enter your acs url and a subject nameid to send an unsolited Saml2Response.
It won't let you test everything (yet), but it can get you started on receiving a basic message and handling that.
First Project: Spring3, Security3, Hibernate, MYSQL - How to install user tracking into database
I am working on my first project with Spring3, Security3, Hibernate, MYSQL.
I have the system working great I use Spring3 and Security3 goign to MySQL for the login and
using Spring3 MVC, Hibernate and MYSQL for system data.
I have a number of questions. Once I login does Spring Security save the user object somewhere that I can have
Hibrernate access it. I want Hibernate to put the user name or role into each insert to the database so as
I do my searches the system knows to only show data for that user and only that user?
this somes like it should be easy. Spring should be saving the user somewhere the hibernate can access.
please help me out
Once the user is authenticated, you can access the user's authentication session details:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
SecurityContext will allow you to grab the Authentication object, and from that you can retrieve the principal (an object representing the authenticated user), roles, etc. You could inspect this information and determine what data should be stored/displayed for each user.
If you can add a request filter or interceptor (the vocabulary may vary between frameworks), you could probably make these security checks abstract/generic enough to be applied across your entire web app (instead of adding a few lines of code to every resource method you're attempting to secure). Either way, SecurityContext should get you closer to what you want.