I'm looking for best practices around how to deal with password fields in my Java standalone application (Netbeans+Spring+Hibernate+MySQL database+Swing).
1) I've created a table with a password column... so, which data type must this column be?
2) Which kind of algorithms for salting passwords do you recommend to follow and implement in my app?
3) Do you recommend saving the password as plain text or after being transformed according to the algorithm?
4) Sample code for all of this process
I hope we can help many other developers who must deal with Spring for standalone apps and with Hibernate on this kind of question.
Thanks in advance for any suggestions.
You should never store the password as plain text in your application. It's not recommended for a highly secured application. You can use the PasswordEncoder provided by the Spring Framework itself to store the password in an encoded format in the database. You need to make the following settings in your applicationContext.xml file.
    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="
                    select emailid username,password,'true' enabled from tbl_LoginDetails
                    where emailid=?"
                authorities-by-username-query="
                    select a.emailid username,b.authority from tbl_LoginDetails a,tbl_UserRoles b
                    where a.userId=b.userId
                    and a.emailid=?"/>
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean name="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
At the time of user registration you need to encode the password yourself in the controller, with the ShaPasswordEncoder class, before storing it in the database.
Hope this helps you.
I have installed two different PHP frameworks Laravel 5.3 and Yii2 advanced. Both frameworks provide authentication out of the box which is great.
And both have the checkbox Remember me on the login page.
In Laravel, I have found that there is a remember_token field on the users table which, as per my understanding, is used for the remember me feature.
But there is no such extra field on Yii2's user table.
So, I guess both provide the same feature but work differently. So I want to know how that feature works in both frameworks.
Any help would be appreciated.
Note: I'm asking this because I have one system built with Yii2 and now I'm going to build a new system with Laravel. The new Laravel system will use the same user table as Yii2, meaning the user can log in to both systems with the same credentials.
Thanks,
Parth vora
Yii2 has auth_key (its default name), but you can define your own column name and then declare it in the identity class, which implements yii\web\IdentityInterface, in the function getAuthKey().
The remember me function in Yii 2 (and most php frameworks) makes use of cookie-based login.
From the docs:
getAuthKey() returns a key used to verify cookie-based login. The key is stored in the login cookie and will be later compared with the server-side version to make sure the login cookie is valid.
Yii uses the auth_key field by default. That's probably the same field as Laravel's remember_token.
How it works is as follows:
Login with the remember me field checked.
Yii sets a cookie containing the user's (serialized) id, auth_key and duration (number of seconds representing the duration of validity for this cookie). In Yii2, the cookie name is specified by the identityCookie array in the config (user component).
All guests' requests are checked for the existence of the cookie; if it exists and is valid, the user is logged in.
That's basically how cookie-based logins work, so I'm assuming that Laravel uses a similar, if not the exact same, implementation.
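An added example of the server-side check described above, written in Java (the language of the other threads on this page) rather than PHP, and not Yii or Laravel code: the cookie carries id, auth key and duration, and the shared users table supplies the auth_key / remember_token column that both frameworks must read. The record types and the rotateAuthKey helper are assumptions for the example (Java 16+).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

/** Server side of a cookie-based "remember me" login (added example, not Yii's or Laravel's code). */
public final class RememberMeCheck {
    /** The login cookie as described: user id, auth key and lifetime in seconds (the lifetime only sets the cookie expiry). */
    public record LoginCookie(long userId, String authKey, long durationSeconds) {}

    /** The row of the shared users table: the auth_key (Yii2) / remember_token (Laravel) column. */
    public record StoredUser(long id, String authKey) {}

    /** Returns the id of the user to log in, or -1 if the cookie must be rejected. */
    public static long validate(LoginCookie cookie, Map<Long, StoredUser> users) {
        StoredUser user = users.get(cookie.userId());
        // a NULL or empty column (e.g. a key that was reset) must never match an empty cookie key
        if (user == null || user.authKey() == null || user.authKey().isEmpty()) return -1;
        if (cookie.authKey() == null) return -1;
        byte[] presented = cookie.authKey().getBytes(StandardCharsets.UTF_8);
        byte[] stored = user.authKey().getBytes(StandardCharsets.UTF_8);
        // constant-time comparison: the auth key is a bearer credential, treat it like a password
        return MessageDigest.isEqual(presented, stored) ? user.id() : -1;
    }

    /** Regenerating the column invalidates every remembered session on every device at once. */
    public static StoredUser rotateAuthKey(StoredUser user) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // unpredictable key, since knowing it equals a login
        return new StoredUser(user.id(), Base64.getUrlEncoder().withoutPadding().encodeToString(key));
    }

    public static void main(String[] args) {
        StoredUser alice = rotateAuthKey(new StoredUser(7L, null)); // constructed sample row
        Map<Long, StoredUser> users = Map.of(alice.id(), alice);
        System.out.println(validate(new LoginCookie(7L, alice.authKey(), 2592000L), users));
        System.out.println(validate(new LoginCookie(7L, "stale-key", 2592000L), users));
    }
}
```

Because the same column backs both frameworks, whichever one regenerates it on password change or logout also ends the other framework's remembered sessions.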
My company has their own database and it contains user and group tables. I am creating a workflow manager using the Activiti API and I am also using Activiti-REST. I need to fetch user data and group data from my company database instead of using ACT_ID_USER and ACT_ID_GROUP. I searched through the internet and posted in their forum but I didn't get any sensible answers.
In the forum they suggest using LDAP but I haven't touched LDAP.
I went through the Activiti source. Can I just modify its iBATIS mapping files related to ACT_ID_USER? Will it work? Or is there any better approach? Also the activiti-rest API must work according to our own tables.
Please can someone show some good references regarding this.
You have to implement the interface org.activiti.engine.impl.interceptor.SessionFactory and return the appropriate type of org.activiti.engine.impl.interceptor.Session (org.activiti.engine.impl.persistence.entity.UserIdentityManager.class or org.activiti.engine.impl.persistence.entity.GroupIdentityManager.class), then you have to create your own User/Group Manager (usually extending org.activiti.engine.impl.persistence.entity.UserEntityManager or org.activiti.engine.impl.persistence.entity.GroupEntityManager).
Finally you have to register your custom session factories on your processEngineConfiguration. More info (a little outdated because in 5.13 the session types changed) is available on this blog post.
I have a Metro application in which I have a login page where I am entering values for the username and password fields. Based on these values my application will need to call web services. Can anyone give me advice on how to store and retrieve the values from the login page?
Thank you.
You can also use the CredentialPicker class. See https://gist.github.com/3790578 for a full example using the CredentialPicker and then storing it in the PasswordVault.
Sounds like you need the PasswordVault API. Check out the sample app, the Credential locker sample at http://code.msdn.microsoft.com/windowsapps/PasswordVault-f01be74a, and read up on the PasswordVault class at http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordvault.aspx
First Project: Spring3, Security3, Hibernate, MYSQL - How to install user tracking into database
I am working on my first project with Spring3, Security3, Hibernate, MySQL.
I have the system working great: I use Spring3 and Security3 going to MySQL for the login, and Spring3 MVC, Hibernate and MySQL for system data.
I have a number of questions. Once I log in, does Spring Security save the user object somewhere that I can have Hibernate access it? I want Hibernate to put the user name or role into each insert to the database so that as I do my searches the system knows to only show data for that user and only that user.
This seems like it should be easy. Spring should be saving the user somewhere that Hibernate can access.
Please help me out.
Once the user is authenticated, you can access the user's authentication session details:
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
SecurityContext will allow you to grab the Authentication object, and from that you can retrieve the principal (an object representing the authenticated user), roles, etc. You could inspect this information and determine what data should be stored/displayed for each user.
If you can add a request filter or interceptor (the vocabulary may vary between frameworks), you could probably make these security checks abstract/generic enough to be applied across your entire web app (instead of adding a few lines of code to every resource method you're attempting to secure). Either way, SecurityContext should get you closer to what you want.
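An added example (not from the answer above or from Spring) of the interceptor idea applied on the Hibernate side: a JPA entity listener that reads the principal from SecurityContextHolder and stamps it on every row before INSERT, so the owner column is filled by the framework instead of by hand in each DAO. The Owned interface and the owner column are assumptions for the example; javax.persistence is assumed because Spring 3-era Hibernate uses that namespace.

```java
import javax.persistence.PrePersist;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Stamps the authenticated user's name onto every row it saves (added example; Owned is a hypothetical interface). */
public class OwnerStampingListener {

    /** Entities that carry an owner column implement this; register the listener with @EntityListeners(OwnerStampingListener.class). */
    public interface Owned {
        void setOwner(String username);
    }

    /** Reads the principal name that Spring Security keeps for the current thread. */
    public static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // fail closed: an anonymous token reports isAuthenticated() == true, so it must be excluded explicitly
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            throw new AccessDeniedException("no authenticated user in the security context");
        }
        return auth.getName();
    }

    /** JPA invokes this on the entity just before it is inserted by Hibernate. */
    @PrePersist
    public void stampOwner(Object entity) {
        if (entity instanceof Owned) {
            ((Owned) entity).setOwner(currentUsername());
        }
    }
}
```

On the read side, bind the same currentUsername() as a query parameter (for example a JPQL "where d.owner = :owner") so the filter is applied server-side rather than trusting a username supplied by the client.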
I'm building an extra layer on top of Movable Type for integration with another system. Part of this involves pre-processing and filtering requests before they get to the MT scripts (comment control, translating external users into MT users etc).
For example, new comments to posts are submitted to a script in the new layer before requests are passed on to mt-comments.cgi. In this instance, I'm denying access to mt-comments.cgi from all but a specific IP as I don't want people being able to post new comments 'directly'.
I'd like to know the general purpose of all mt-*.cgi scripts such that I can deny access to those not relevant and control access to all others.
The mt-*.cgi scripts I have, along with their (estimated) purpose, are:
Script              Private access?   Purpose
mt-add-notify.cgi   ?                 ?
mt-atom.cgi         ?                 ?
mt.cgi              Yes               Main MT engine
mt-check.cgi        ?                 ?
mt-comments.cgi     Yes               Handles inbound new comments
mt-config.cgi       Yes               Stores main MT configuration
mt-feed.cgi         ?                 ?
mt-ftsearch.cgi     ?                 ?
mt-search.cgi       Yes               Handles search requests, returns results
mt-tb.cgi           ?                 ?
mt-testbg.cgi       ?                 ?
mt-upgrade.cgi      Yes               Upgrade tool
mt-wizard.cgi       Yes               Setup/config wizard
mt-xmlrpc.cgi       ?                 ?
I'd appreciate answers to fill in the blanks.
By 'private access', I mean: can access be limited (e.g. via .htaccess) to a known set of IPs only? The inverse of this being: must access be available to all IPs?
Answers clearly elaborating on the purpose and use of a script, such that it may be of use to others, are always welcome.
Thanks very much to anyone who can help!
I've filled in the purpose on each of these. I'm pretty sure everything can be private as long as you proxy requests properly, but not positive. Some of these scripts can (and should) be blocked out completely.
Script              Private access?   Purpose
mt-add-notify.cgi   ?                 Provides Movable Type email notification support
mt-atom.cgi         ?                 An Atom Publishing API interface for communicating with Movable Type
mt.cgi              Yes               Main MT engine
mt-check.cgi        ?                 Determines whether you have all of the components you need to run Movable Type
mt-comments.cgi     Yes               Handles inbound new comments
mt-config.cgi       Yes               Stores main MT configuration
mt-feed.cgi         ?                 Movable Type application for producing activity feeds
mt-ftsearch.cgi     ?                 Freetext search
mt-search.cgi       Yes               Handles search requests, returns results
mt-tb.cgi           ?                 Handles blog trackbacks
mt-testbg.cgi       ?                 Tests for background tasks
mt-upgrade.cgi      Yes               Upgrade tool
mt-wizard.cgi       Yes               Setup/config wizard
mt-xmlrpc.cgi       ?                 XML-RPC interface (external blog tool posting)
I knew a few of these, but the easiest way to find out what each does is to crack open the file and see which Perl module it calls (such as MT::Trackback), then run perldoc lib/MT/Trackback.pm for each. It will give you all sorts of information about what each script can do.