I want to create a jhipster application with different user role ( a client,
seller ...) but I don't know how since a jhipster generate automatically a list of users(admin, user)
If you want to create new Role with some rules, you must:
1. Add this role to
src/main/resources/config/liquibase/authorities.csv
like this:
NAME_OF_YOUR_ROLE
2. Connect this role with some user to
src/main/resources/config/liquibase/users_authorities.csv
like this:
5;NAME_OF_YOUR_ROLE
where 5 - is number of user in users.csv
3. Add to AuthoritiesConstants.java
public static final String NAME_OF_YOUR_ROLE = "NAME_OF_YOUR_ROLE";
Then you can work with your role in Spring Security or in AngularJs
Related
Hi I am developing a MERN application in which there will be some users say manager, associate and super admin where each one will have a different userid, role and permission. Based on that i will be displaying the required pages of the app. I am planning to create a seperate collection for each of these like below
USER_COLLECTION
{
user_id:1,
user_mail:ss#mail.com,
role_id:11,
permissions:[c,r,u,d]
}
ROLE_COLLECTION
{
role_id:11,
user_id:1,
role_name:"super_admin"
}
PERMISSIONS_COLLECTION
{
permission_id:111,
user_id:[1],// there can be multiple users for this permission
role_id:[11],// there can be multiple roles for this permission
permission_name:"CREATE"
}
will this approach work? Or should i take another approach?
I am trying to configure my Airflow (version 2.10) LDAP authentication with RBAC.
UI access is restricted by the AD groups (multiple groups for Python Developer, ML Developer, etc.)
Members belonging to a particular group only should be able to view the DAGs created by fellow group members while the other group members shouldn't be.
Able to provide access to users via AD groups but all the users are able to see all the DAGs created. I want to restrict this access based on the defined set of owners, (this can be achieved by switching off the LDAP and creating users directly in Airflow, but I want it with AD groups.)
added fiter_by_owner=True in airflow.cfg file, seems nothing is effected.
Any thoughts on this.
EDIT1:
From FAB,
we can configure roles & then map it to AD groups as below:
FAB_ROLES = {
"ReadOnly_Altered": [
[".*", "can_list"],
[".*", "can_show"],
[".*", "menu_access"],
[".*", "can_get"],
[".*", "can_info"]
]
}
FAB_ROLES_MAPPING = {
1: "ReadOnly_Altered"
}
And to use this, I assume we need to have the endpoints created from the application end similar to can_list, can_show .
In the case of Airflow, I am unable to find the end-points that provides access based on owner (or based on tags). I believe if we have them, I can map it to roles & then to AD groups accordingly.
With newer versions of Airlfow you can map LDAP groups to Airflow Groups.
Owner is an old and currently defunct feature which is deprecated.
You can see some examples about FAB configuration (Flask Application Builder implements all authentication features):
https://flask-appbuilder.readthedocs.io/en/latest/security.html
See the part which starts with:
You can give FlaskAppBuilder roles based on LDAP roles (note, this requires AUTH_LDAP_SEARCH to be set):
From the docs:
# a mapping from LDAP DN to a list of FAB roles
AUTH_ROLES_MAPPING = {
"cn=fab_users,ou=groups,dc=example,dc=com": ["User"],
"cn=fab_admins,ou=groups,dc=example,dc=com": ["Admin"],
}
# the LDAP user attribute which has their role DNs
AUTH_LDAP_GROUP_FIELD = "memberOf"
# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True
# force users to re-auth after 30min of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 1800
See here about roles (including custom roles) https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html
For instance, I have an application 'myApp' in app registrations and I have a user in Azure Active Directory User1 which is an Admin in AD. I want to use authentication via Azure AD in that app and want User1 to have a permissions only to access 'api/todos' and 'api/vehicles'. So there can be a role 'Role1with permissionsTodos,Vehicles`. Is there a way to configure that? Thanks.
Yes, there is a way to configure that. Azure works with a Role concept. This sample shows how to do it in a web API.
In short: You need to define the possible roles and assign users to them via the application configuration in the admin portal. And then you need to define which roles the user should be in using the [Authorize] attribute, on the web API controller methods, e.g. like in one of the sample's controllers:
[Authorize(Roles = "Admin, Observer, Writer, Approver")]
public ActionResult Index()
{
ViewBag.Message = "Tasks";
ViewData["tasks"] = TasksDbHelper.GetAllTasks();
return View();
}
As usual with [Authorize] it is inherited, so you can put it on the entire controller class.
I have a running java ee application and now i want to integrate keycloak as authentication server. The only thing i have troubles is the user storage. I want to have all the user data in my java application.
The problem now:
If the user registers on the keycloak frontend, my java application doesn´t know that the user has registered, so i cannot create a new entity. I found out that keycloak is able to load some custom modules (https://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html) but i haven´t found any examples.
Is there any solution where keycloak notifys my java application when the user registered?
I have had the same problem and I have resolved it using a filter. I just check if the principal exist and if not I insert it into my application DB:
KeycloakSecurityContext ctx = (KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName());
User userEntity = em.find(User.class, ctx.getToken().getSubject());
if (userEntity == null) {
....create user...
}
You can also use an event listener (keycloak events listener) as shown in Example Event Listener that prints events to System.out, but for this exact use case that solution was easier and faster.
You have to implement a custom Authentication SPI (inside success() method you create user on your app), deployed it , and add it to the registration flow
Keycloak documentation : Link
I'm creating a new web application that will be written using MVC 5 and Entity Framework Database First Approach. I would also like to use ASP.Net Identity to look after membership, authentication, authorisation etc.
I've read a good bit about the ASP.Net Identity on the web and how it works, however, I am still learning about this topic.
When I created my MVC 5 application in Visual Studio 2013 and looked at the Account Controller my first instinct was that I didn't like what I saw, i.e., a DbContext was being referenced named 'ApplicationDbContext'. The reason I didn't like this was because I prefer to keep my DbContext in the appropriate project within my solution, i.e., in my Model layer which adheres to the separation of concerns logic.
Also, the out of the box MVC 5 project uses Entity Framework Code First to create a default database and tables to store the Users, Roles etc.
Because I must use an existing database with an existing User table, this approach does not suit my needs.
I still want to use the latest ASP.Net Identity for my application as it looks to have many benefits, therefore, I found this article which stripped back alot of the Entity Framework code but still got OWIN powered authentication into an ASP.NET MVC.
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
Using the tutorial above, here is the HttpPost Login method for my Account Controller
[HttpPost]
[AllowAnonymous]
public ActionResult Login(LoginViewModel model, string returnUrl)
{
if (ModelState.IsValid)
{
//Calling my own custom Account Service which validates users login details
var user = _AccountService.VerifyPassword(model.UserName, model.Password, false);
if (user)
{
var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, model.UserName), }, DefaultAuthenticationTypes.ApplicationCookie, ClaimTypes.Name, ClaimTypes.Role);
//ToDo: Manually adding Role, but will pull from db later
identity.AddClaim(new Claim(ClaimTypes.Role, "guest"));
AuthenticationManager.SignIn(new AuthenticationProperties
{
IsPersistent = model.RememberMe
}, identity);
return RedirectToAction("Index", "MyDashboard");
}
else
{
ModelState.AddModelError("", "Invalid username or password.");
}
}
return View(model);
}
In my previous MVC applications I usually rolled my own custom membership and when a User logged into the site and was authenticated, I would have stored the any additional user details such as userID, DOB etc in the UserData string of the FormsAuthenticationTicket.
As the code above does not use FormsAuthentication, instead it uses OWIN CookieAuthentication, I am not sure how to store this additional user data.
Therefore, I have a few questions about the problems I am experiencing.
How do I store the userID or any other additional piece of user data (DOB etc) the way I used to in FormsAuthentication? Is this done by adding a Claim to the identity?
Does the method of using ASP.Net Identity/ OWIN above seem correct considering I am using Entity Framework Database First with an existing database?
Should I be using the out of the box code that is used in the Account Controller, i.e., UserManager, ApplicationUser, ApplicationDbContext etc and hooking this up to work with my existing database?
I apologise if my question is confusing, I suppose I'm just a little unsure of what approach I should be using whilst attempting to use ASP.Net Identity in my latest project.
Any feedback would be greatly appreciated.
Thanks.
1) The new Katana Cookie middleware supports claims. This is what makes this better than forms auth cookie; claims model any key/value pair and those can be stored in the authentication cookie. See this post for more details:
http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
2 & 3) As far as your storage for identity data, if you need to work with an existing table then you might not be able to use Microsoft's EF provided classes. Instead you'd be left on your own to implement IUserStore and all the other store interfaces your app needs. I'm not certain it's worth changing what you're already using to store the user data.
Keep in mind that the OWIN/Katana part is separate from the identity storage.
Here is the solution
To speed things up you can add sample app to your project and start by modifying the sample app, Samples app includes confirmation email, password recovery, roles admin and user role management etc. NuGet package is at:
Install-Package Microsoft.AspNet.Identity.Samples -Pre
See full details on sample app here: ASP.NET Identity 2.0: Customizing Users and Roles
Controll access to controller or Action by using below attributes
[Authorize] //Anyone with authorization
[Authorize(Roles="Administrator")] //Admin role only
Check if user is in role by
HttpContext.User.IsInRole("Administrator")
UserManager.IsInRole(userID, "Administrator")
Get profile data by
// Create manager
var manager = new UserManager<ApplicationUser>(
new UserStore<ApplicationUser>(new ApplicationDbContext()))
// Find user
var user = manager.FindById(User.Identity.GetUserId());
var profileProperty_1 = user.profileProperty_1