I must send User information when user is approved. I want to send password too. It is possible in Orchard ? For user email and name I use tokens, but password token is not available. I´m using Workflows for this...
My email format:
Your account was activated!<br />
<br />
Yor credentials:<br />
<br />
Email: {User.Email} <br />
Name: {User.Name} <br />
Password: {User.password} // no work :/
Thanks for help !
This will be a bit of work if you don't want to compromise on security.
In Orchard 1.9 this should be safely possible to achieve with dynamic registration form and workflow, within that workflow context you should know the password's field value with {FormSubmission.Field:Password} so you can mail it with Send email activity.
But this will work only during registration and you have to notify user within that workflow, because plain password won't be saved anywhere and I'd advise against attempting that.
If you don't know how to create dynamic form or workflow you can read up on this article (there's also accompanying video at the end) http://www.ideliverable.com/blog/customizing-user-registration-and-login-with-dynamic-forms-and-workflows
Related
I need to run OWASP ZAP against one of our sites running on Netlify, but it is password protected (see screenshot for what I mean). For those who don't know how it works, when you visit the site, Netlify returns a 401 with the response of the request being the form. The form takes a password (input name is password) and POSTs it to the same URL (so https://myapp.netlify.app/ returns 401 and then the form POSTs it to https://myapp.netlify.app). I've created the context that should work, but I don't think it likes the 401 being returned as the same URL as the POST.
I'm sure I'm just doing a really stupid thing, but here is the relevant snippet from the config:
<authentication>
<type>2</type>
<strategy>EACH_RESP</strategy>
<pollurl/>
<polldata/>
<pollheaders/>
<pollfreq>60</pollfreq>
<pollunits>REQUESTS</pollunits>
<form>
<loginurl>https://myapp.netlify.app</loginurl>
<loginbody>password={%password%}</loginbody>
<loginpageurl>https://myapp.netlify.app</loginpageurl>
</form>
</authentication>
I also tried this snippet, in case it required the username (the UI kept enforcing the use of username):
<authentication>
<type>2</type>
<strategy>EACH_RESP</strategy>
<pollurl/>
<polldata/>
<pollheaders/>
<pollfreq>60</pollfreq>
<pollunits>REQUESTS</pollunits>
<form>
<loginurl>https://myapp.netlify.app</loginurl>
<loginbody>username={%username%}&password={%password%}</loginbody>
<loginpageurl>https://myapp.netlify.app</loginpageurl>
</form>
</authentication>
School boy error. I had everything configured properly, but wasn't providing the user (I thought the forced user would be picked up).
Running zap-baseline.py -t https://myapp.netlify.app/ -r testreport.html -n /zap/wrk/myapp.context -U testuser works.
I have a JSF 2.3 application.
In my LoginBean, the username and password entered by the user are varified and then the user is redirected to the URL initially inquired: for example if the user inquires:
http://myhostname/admin/manage.jsf
then because every resource under http:///admin requires authentication, the user is first redirected to the logon view, something like
http://myhostname/login/login.jsf
and then, upon successful authentication, they are redirected to their initially inquired URL (in this case, the first URL above)
However, if the initially inquired URL is a view that does not exist, i.e.
http://myhostname/admin/nonExisting.jsf
after the user gets authenticated, nothing happens: He / she is neither shown an error page, nor an erroneous log entry is made in the logs. Just the user remains on the login page.
How could I solve this?!
I added an error handling in the facelet like this:
<p:growl id="messages" autoUpdate="true" showDetail="true" />
and then, for the logon button:
<p:commandButton action="#{loginBean.login}" value="Log In" update="#form"/>
Now, when a non-existing view is returned, I do see the warning message:
but how coul I handle it earlier?
I have two facelets pages (login.xhtml and user-registration.xhtml). In the login page I have two forms, one for the login and another for the user registration (where I only ask for the email and password twice).
I would like to pass the email and password as attributes from the user registration form to the user-registration.xhtml page (where I ask for the rest of the user registration fields). I don't want to pass them as parameters in the GET url for security reasons.
Can I pass them as attributes while doing a redirect to the user-registration.xhtml page?
you can use this
<p:button outcome="page2" >
<f:param name="nameofData" value="theInformation"></f:param>
</p:button>
I suppose that this composant is in the page1.xhtml and the page1 and page2 are in the same folder (in case note you need to change your outcome) , and for your param you will send theInformation with a name in our case it is nameofData and you will get the informations with nameofData.
Hope that helped you
I am using a third party to process transactions. They have an api that says XML content should submitted via an HTTP POST variable named “XML”.
I know how to create the xml, but not sure how to post it to their site. They have a destination url. Can you tell me how to do the Post to their site?
You need to carefully check. Usually you just post XML to an URL. However in this case (indicated by the variable name) it seems that a (typically only used for html forms) form post is needed.
The easiest way is to create a html form with that one field, something like this:
<form method="post" action="http://their url" name="payload">
<input type="hidden" id="XML" name="XML" />
</form>
Then you can fill the field with your XML and do a payload.submit()
Let us know how it goes
I'm new at Spring Security. I'm using jsf2 with spring security 3. Three questions:
How can I access, from a session managed bean, the user info (name,password,roles) of the user currently logged in?
In order to use it in a view, for example for rendering elements depending on the roles of the user.
How can I know if a user is logged in? In order to show in a view a "login link" if the user is not logged in, or a "logout link" if the user is logged in. Which property of Spring Security do I have to use in my managed bean to store this info and use it in the view?
The "login link" is just a GET request to the URL of the login page. But how can I show "logout link"? Do it have to be a POST request and use "h:commandLink" like this?:
<h:commandLink value="Logout" action="#{request.contextPath}/j_spring_security_logout" />
Or can it be a GET request?:
<h:link value="Logout" outcome="#{request.contextPath}/j_spring_security_logout" />
Thank you very much in advanced.
The object authentication is who save this properties, you can obtain with next line in your managedBean:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
A user is logged if his Authentication is not a instace of AnonymousAuthenticationToken, in your spring-security-context.xml you must define the urls intercepted by Spring.
The first interceptor is not analyzed by Spring. In this case the Authentication object is an instance of AnonymousAuthenticationToken.
The second interceptor is analyzed by Spring and the user is redirected to login page declared in spring-security-context.xml
/* This is a example for to obtain the rol name for example for generate automatic menu */
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String namePrincipalRol = null;
if (auth instanceof AnonymousAuthenticationToken) {
namePrincipalRol = "ROLE_ANONYMOUS";
} else {
namePrincipalRol = auth.getAuthorities().iterator().next().getAuthority();
}
Good question, I am not sure but I think I remember having read that it must be POST, would be interesting to try. I use h:outputLink
Kind regards.