First Project: Spring3, Security3, Hibernate, MYSQL - How to install user tracking into database
I am working on my first project with Spring3, Security3, Hibernate, MYSQL.
I have the system working great I use Spring3 and Security3 goign to MySQL for the login and
using Spring3 MVC, Hibernate and MYSQL for system data.
I have a number of questions. Once I login does Spring Security save the user object somewhere that I can have
Hibrernate access it. I want Hibernate to put the user name or role into each insert to the database so as
I do my searches the system knows to only show data for that user and only that user?
this somes like it should be easy. Spring should be saving the user somewhere the hibernate can access.
please help me out
Once the user is authenticated, you can access the user's authentication session details:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
SecurityContext will allow you to grab the Authentication object, and from that you can retrieve the principal (an object representing the authenticated user), roles, etc. You could inspect this information and determine what data should be stored/displayed for each user.
If you can add a request filter or interceptor (the vocabulary may vary between frameworks), you could probably make these security checks abstract/generic enough to be applied across your entire web app (instead of adding a few lines of code to every resource method you're attempting to secure). Either way, SecurityContext should get you closer to what you want.
Related
I want to configure Apereo CAS 6.0.x to perform X.509 authentication and then retrieve principal attributes from a database table.
Rudimentary X.509 authentication is working with these lines in application.properties (and appropriate reverse proxy setup):
cas.authn.x509.extractCert=true
cas.authn.x509.sslHeaderName=SSL_CLIENT_CERT
cas.authn.x509.principalDescriptor=SUBJECT_DN
The default "Log In Successful" page shows that it knows how to get my certificate's subject DN.
But I can't figure out how to tell CAS to then use that subject DN value to query my database for additional attributes.
This page explicitly mentions my need (though with LDAP instead of JDBC), but does not say specifically how to achieve it:
In many cases it is necessary to perform authentication by one means and resolve principals by another. The PrincipalResolver component provides this functionality. A common use case for this this mix-and-match strategy arises with X.509 authentication. It is common to store certificates in an LDAP directory and query the directory to resolve the principal ID and attributes from directory attributes. The X509CertificateAuthenticationHandler may be be combined with an LDAP-based principal resolver to accommodate this case.
What properties need to be set so that the X509 authentication handler resolves the principal against the database?
The missing ingredient was this line in application.properties:
cas.authn.x509.principalType=SUBJECT_DN
Without it, CAS does not attempt to query any attributeRepository settings that you may have.
I have installed two different PHP frameworks Laravel 5.3 and Yii2 advanced. Both frameworks provide authentication out of the box which is great.
And both have the checkbox Remember me on the login page.
In Laravel, I have found that there is a remember_token field on users table which is as per my understanding used for the remember me feature.
But there is no such extra field on Yii2's user table.
So, I guess both provides the same feature but working differently. So I want to know that how that feature is working on both the frameworks?
Any help would be appreciated.
Note: I'm asking this because I have one system built with Yii2 and now I'm going to build a new system with Laravel. New Laravel system will use the same user table of the Yii2. Means the user can login into both the system with the same credentials.
Thanks,
Parth vora
Yii2 have auth_key - its default name, but you can define ur own column name and then declare it in identity class, which implements yii\web\IdentityInterface, in function getAuthKey().
The remember me function in Yii 2 (and most php frameworks) makes use of cookie-based login.
From the docs:
getAuthKey() returns a key used to verify cookie-based login. The key is stored in the login cookie and will be later compared with the server-side version to make sure the login cookie is valid.
Yii uses the auth_key field by default. That's probably the same field as Laravel's remember_token.
How it works is as follows:
Login with the remember me field checked.
Yii sets a cookie containing the user's (serialized) id, auth_key and duration (amount of seconds representing the duration of validity for this cookie). In yii2, the cookie name is specified by the identityCookie array in the config (user component).
All guests' requests are checked for the existance of the cookie, if it exists and is valid, the user is logged in.
That's basicly how cookie based logins work, so I'm assuming that Laravel uses a similar, if not exact same implementation.
Hi there I am developing a web app and I am using Spring Security. In the app the user can change his/her details (username, password and some other fields). I am using a custom User Details Class for this and my Spring Security configuration is the default (keep in mind no cache method is declared, so I suppose NullUserCache is used). All the user records come from DataBase using JDBC Connector (MySQL).
Now when a user changes his/her info or/and username-password those changes update the corresponding columns in DataBase. So now the DB is updated. Because I have not implemented setters in my Custom User Details Class, I force the user to logout log out automatically. But now he/she can login using both the new username and the old one.
Suppose now that the user changed something on the other fields (for example if the age was changed from 20 to 21). When user logins using the new username I can see 21. If user logins using the old username I can see 20!.
I guess Spring Security now creates a new User (during login) which didn't exist and the old one is never removed!
So after reading many posts in the web and trying the corresponding solutions I 'm still unable to fix that.
What I have used (in the controller that is responsible for account editing):
if (authenticate != null){
new SecurityContextLogoutHandler().logout(request, response, authenticate);
}
SecurityContextHolder.getContext().setAuthentication(null);
SecurityContextHolder.clearContext();
What I understand and believe is that Spring Security holds somewhere (I thought User Cache) the username, maybe along with the password and now it sees the old username as a different User. The only way to prevent this from happening is to restart the app. After restarting the user only logins using the new username.
Is there any way I can remove that "user"-username? Any suggestion would be usefull, I am really confused and the only case close to mine was this but his problem was with the oracle connector using connection cache..
UPDATE problem tracked down to a problem inside loadbyusername method..read more on the 14th comment below :)
Happy coding!
I finally found the source of that problem..black hole closed. Credits #Jebil and #Robin Winch for their help!
Well everything worked as it should except the fact that the HashMap on the rensposible for the login DAO, was never cleared..so after every successful login attempt the HashMap returned was appended and so after every username update, it contained both old and new values..solution was simple..before accessing the DB HashMap should be cleared!
Happy dividing by 0 :P
Here is the problem: I have a KB Called APP1 that will execute an WebService of an Identity Provider (centralizes all the logins/sessions for different applications) that will return true if there is a logged user in current WebSession that has been granted to access the Application or false otherwise. When I create an web panel at the same KB as the Identity Provider, it works just fine, I get TRUE when there's a logged user, and FALSE when there's not. But when I call it from APP1 it always returns false, I believe that the problem is because the WebSession won't work properly when called through an WS. Any ideas of how to solve it?
My first advice is to try using GAM Single Sign on (X Evolution 3)
WebServices should be Stateless. I think that using the Database instead of WebSession could do the job.
Nonetheless, in order to call a restful WebService you will have to do something more complex as dealing with CookieContainers as stated in the following link.
Consider this solution:
User tries to access App1
There's no web session (App1 doesn't know who is connecting)
App1 redirects User to an IdentityProvider's special login page
If User is not logged, it provides credentials and logs in
IdentityProvider has a session for the user (it knows who is connecting), then it redirects to the referer, appending to the url an encrypted userid parameter.
App1 decodes the parameter, now it knows who is connecting.
App1 saves the userid to the web session, now the user is authenticated
App1 and IdentityProvider must share an encryption key.
Consider that if the encryption key gets compromised or cracked anyone can impersonate another user.
Depending in how secure you want your system to be, you should study other security issues:
every time the user connects it's encrypted login is the same an it shows in the url, it can be easily solved adding a nonce or salt.
The system could be abused generating multiple requests until it gets a valid encrypted userid. It can be mitigated using a large Salt and/or blocking multiple attempts from the same source.
Note that this isn't a tested protocol and I didn't study the security in depth. I got some inspiration from OpenId, but this is a simplified protocol and I could be missing security holes.
I've a MySql database hosted in my web site, with a table named UsrLic
Where any one wants to buy my software must register and enter his/her Generated Machine Key (+ username, email ...etc).
So my question is:
I want to automate this process from my software, how this Process will be?
Should I connect and update my database directly from my software ( and this means I must save all my database connection parameters in it * my database username , password , server * and then use ADO or MyDac to connect to this database ? and if yes how secure is this process ?
or any other suggestions .
I recommend creating an API on your web site in PHP and calling the API from Delphi.
That way, the database is only available to your web server and not to the client application, ever. In fact, you should run your database on localhost or with a private IP so that only machines on the same physical network can reach it.
I have implemented this and am implementing it again as we speak.
PHP
Create a new file named register_config.php. In this file, setup your MySQL connection information.
Create a file named register.php. In this file, put your registration functions. From this file, include 'register_config.php'. You will pass parameters to the functions you create here, and they will do the reading and writing to your database.
Create a file named register_api.php. From this file, include 'register.php'. Here, you will process POST or GET variables that are sent from your client application, call functions in register.php, and return results back to the client, all via HTTP.
You will have to research connecting to and querying a MySQL database. The W3Schools tutorials will have you doing this very quickly.
For example:
Your Delphi program calls https://mysite/register_api.php with Post() and sends the following values:
name=Marcus
email=marcus#gmail.com
Here's how the beginning of register_api.php might look:
// Our actual database and registration functions are in this library
include 'register.php';
// These are the name value pairs sent via POST from the client
$name = $_POST['name'];
$email = $_POST['email'];
// Sanitize and validate the input here...
// Register them in the DB by calling my function in register.php
if registerBuyer($name, $email) {
// Let them know we succeeded
echo "OK";
} else {
// Let them know we failed
echo "ERROR";
}
Delphi
Use Indy's TIdHTTP component and its Post() or Get() method to post data to register_api.php on the website.
You will get the response back in text from your API.
Keep it simple.
Security
All validation should be done on the server (API). The server must be the gatekeeper.
Sanitize all input to the API from the user (the client) before you call any functions, especially queries.
If you are using shared web hosting, make sure that register.php and register_config.php are not world readable.
If you are passing sensitive information, and it sounds like you are, you should call the registration API function from Delphi over HTTPS. HTTPS provides end to end protection so that nobody can sniff the data being sent off the wire.
Simply hookup a TIdSSLIOHandlerSocketOpenSSL component to your TIdHTTP component, and you're good to go, minus any certificate verification.
Use the SSL component's OnVerifyPeer event to write your own certificate verification method. This is important. If you don't verify the server side certificate, other sites can impersonate you with DNS poisoning and collect the data from your users instead of you. Though this is important, don't let this hold you up since it requires a bit more understanding. Add this in a future version.
Why don't you use e.g. share*it? They also handle the buying process (i don't see how you would do this for yourself..) and let you create a reg key through a delphi app.