There are multiple web modules (wars) in an ear file. Each web-module has it's own spring security configuration.
Lets say, web_module_1.war and web_module_2.war
Now, when user is logged-in to web_module_1.war module and then navigate to url of web_module_2.war. In this case, user is redirected to login page of web_module_2.war even though he is logged in.
How to pass credentials of logged in user to web_module_2.war to avoid login page for logged in user.
Related
I am using this SAML plugin for SSO in Jenkins https://plugins.jenkins.io/saml/.
Before that it used Jenkins own user database and an admin user for everybody. The plugin works - it gets Azure login page and user gets redirected to Jenkins main view. Although if I go on my Jenkins url and add /login, then it gives me the login page, but the security realm is only SSO, so that would mean there is no way in signing in with the admin user - this happens even when user is authenticated.
Is there a way to disable or possibly redirect from /login to the main url?
What are the security implications of storing a user's unique ID in a cookie?
Logging-in is managed separately. The presence or abscense of this cookie is simply used to determine:
Is this a returning user?
If so, who did this user last login as.
These are all merely hints, the user doesn't get any more rights (before login) than a first-time visitor to the site.
Background
My web app front-end is implemented in Angular4 and backend is all APIs and stateless. JWTs obtained from Firebase Authentication are used for authentication. As such, when a user arrives on the home page, I have no way of knowing who the user (potentially) is and whether they are logged-in, till the time the user goes to the PWA (at /app).
When the user goes to the home page of my web app, I want the (stateless) server to be able to redirect them to the PWA if they have logged-in in the recent past (say 2 days). This can be achieved simply by the presence/ absence of a cookie, but I would also like to be able to show them a personalised greeting when /app page loads up.
Very open to suggestions for a better way to achieve this.
I would like to make a login page where users provide credentials and then have other pages check if the user is authenticated before serving those internal pages in Undertow.
While the example shows how to authenticate a user (for what will eventually turn into a login page), if the user were to navigate to another page after authenticating, how do I test if that new page request was been made by the authenticated user?
I have referenced http://undertow.io/documentation/core/security.html and https://github.com/undertow-io/undertow/tree/master/examples/src/main/java/io/undertow/examples/security/basic.
This is an ancient question no one answered, but I did manage to learn about Keycloak which is Wildfly (Undertow) + SSO/Secure login.
Scenario:
I built a Facebook tab application that requires authorization.
The application is installed on a Facebook page.
When an unauthorized user accesses the application I redirect to the OAuth dialog:
http://www.facebook.com/dialog/oauth?client_id=appid&redirect_uri=http://www.facebook.com/pages/page name/pageid?sk=app_appid&scope=user_birthday,user_location&display=page
Note the "redirect_uri" is the Application on the installed Facebook page.
So, if the user allows we redirect to the tab application - This works fine!
But, if the user denies access (clicks Cancel button - using new OAuth dialog).
The user is again redirected to the tab application and again redirected to the OAuth dialog.
I have noted from the documentation that when the user denies access the browser will redirect to the "redirect_uri" with the following parameters: error=access_denied&
error_description=The+user+denied+your+request.
But if Facebook is using an additional redirect to my application from the "redirectt_uri": http://www.facebook.com/pages/page name/pageid?sk=app_appid
...the error response seems to be lost.
Note: I can successfully capture the error parameters when setting the "redirect_uri" to the canvas url, but I need to have the redirect_uri formatted to open the application in the context of the installed Page if the user allows access.
How would I capture the error parameters in this scenario?
I solved this by adding a flag to the app_data parameter for the redirect_uri. When the user accesses the application initially, this flag is set. I check for OAuth token, if one does not exist I redirect to the OAuth dialog with a redirect_uri to the application installed on the Fan Page. The redirect_uri now includes the flag in the app_data parameter. So, after "Canceling" the application, Facebook redirects to the installed application on the Fan Page - I then check for the flag and redirect to an error page.
If I understand correctly, to make API calls from my desktop application (let's call it from now and on 'client' as in the OAuth2 standard) I need to obtain an access_token which is an identifier that combines both the application id and the user's, who's data I want to access, id ('resource owner').
Following client flow on the authentication guide (developers.facebook.com/docs/authentication/) I understand that I need to send request to h**ps://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=http://example.com&response_type=token. In result, the page will be redirected to h**p://example.com/#access_token=XXX. If the client is a pure desktop app, then redirect_uri can be h**p://www.facebook.com/connect/login_success.html. Since the client owns the web control the access_token can be easily extracted from the redirected address.
The client side flow consists of 3 OAuth steps:
User authentication, if resource owner is not logged in to Facebook, a dialog, asking for Facebook credentials, will be shown. If the resource owner is logged in, the session will be authenticated using the cookie on Facebook's servers. Security - CHECK V !
App authorization, if resource owner didn't give permission for the app yet, the permission dialog will ask from the resource owner to grant permissions to the app, if the resource owner previously grated all needed permission, the permissions dialog will not be shown. Security - CHECK V!
App authentication - Now, here is where it gets sticky. The guide says: "App authentication is handled by verifying that the redirect_uri is in the same domain as the Site URL configured in the Developer App". Security - In my opinion - FAIL!
Why do I think that the last step is a security fail? First of all, both app id and redirect_uri are public information that anyone can obtain. Second of all, redirect_uri can be h**p://www.facebook.com/connect/login_success.html.
Let's look at the following scenario. A desktop app, EVE, shows to the user a web control where the user logs in to facebook and grants EVE some basic permissions. Resource owner has no reason to suspect anything. Next, EVE hides the the web control, and tries to load on it h**ps://www.facebook.com/dialog/oauth?client_id=OTHER_APP_ID&redirect_uri=http://www.facebook.com/connect/login_success.html&response_type=token. The app can try and load this url with the most popular facebook apps application ids. The app will get the Success message if the user previously authorized the OTHER_APP, since both login dialog and permissions dialog will not be shown. This will give EVE an access_token to access all resources of the resource owner that the resource owner granted to OTHER_APP and not to EVE.
So, is this a security hole? Did I miss something in the follow?
(UPDATE)
Clearly in a case of a desktop app, the security issues are irrelevant since the app has already the username and the facebook session and even the username and password, it can do anything with the users account.
(UPDATE)
For JavaScript apps that run in a web browser redirect_uri actually works! (See answer and comments by hnrt).
CURRENT QUESTION:
The only remaining mystery is how the client authentication works on iPhone and Android apps? Is the security whole is similar to the one when using a desktop application? Is there some difference in jailbreaked iPhones or rooted Androids?
Cheers!
If I understood correctly, your scenario would require that the user has already authenticated himself for the other apps using the same web control that EVE can use to talk to Facebook. If that is the case, then there are already much bigger security problems :) EVE could just hijack the whole session and all its authentication tokens.
[UPDATE] Regarding Javascript applications, same origin policy prevents EVE from accessing the reply of the /dialog/oauth?client_id=OTHER_APP request. The only way to access the data is to wait at redirect_uri and parse the redirected request. Here the "site url"-protection kicks in.
I am not sure how things work in iPhone and Android applications, but I would be really surprised if their web controls allowed access to the authentication data (=cookies) of other applications.