Using UsernamePasswordForm authentication with a custom AuthenticationProvider - security

I'm struggling with a custom authentication mechanism for Symfony2.
What I want to do:
I need a modified behaviour of the regular UsernamePasswordForm based authentication. The only modification required is that the credentials aren't checked against the database, but against some custom unix auth daemon. The users themselves are still located in the database.
What I did:
I played around with a full-fledged custom authentication provider based on this Symfony cookbook entry, with most parts just extending the different UsernamePassword classes, but it didn't work out yet. I especially had some problems setting up the AuthenticationListener in the service configuration, as the UsernamePasswordFormAuthenticationListener has a lot of required parameters. Currently I'm not sure if it will work out in the end, because I've got some issues with our database setup.
What I need:
Is there a simpler way to modify the default login form without the complete requirement of a full AuthenticationProvider? Imho it's a quite common issue to have some custom modifications in the default behaviour.
Would be happy about any ideas or hints.

I have not tried this myself but you should be able to insert your own AuthenticationProvider by setting a parameter:
security.authentication.provider.dao.class:
..Security\Core\Authentication\Provider\MyDaoAuthenticationProvider
Your provider would extend the Dao and override checkAuthentication.
Again, I have not actually done this and the security system is very touchy so it may or may not work.

Answering my own question: I finally managed to solve my issue thanks to this blog post showing a solution. The basic idea is to extend the default form login authentication and "steal" its listener. This way you can reuse most of the existing code. The critical parts are the creation and configuration of an AuthenticationProvider and a SecurityFactory. And don't forget to use your own provider key instead of form_login in the security.yml.
In the blog post the author creates his own UserProvider, but it's working with just the default database one, too.
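As an added illustration of the approach both answers describe (not code from the question, the answers or the linked blog post), the following provider keeps Symfony's database user lookup and only replaces the password comparison with a call to an external credential checker. The Acme namespace, the CredentialCheckerInterface and the constructor wiring are assumptions made for this example; the concrete client that talks to the unix auth daemon is left to the reader.

```php
<?php
// Added example: a DaoAuthenticationProvider subclass that loads users from the
// database as usual but delegates the password check to an external checker.
// Namespace, CredentialCheckerInterface and the extra constructor argument are
// assumptions for this example, not part of Symfony or the original thread.
namespace Acme\SecurityBundle\Security\Authentication\Provider;

use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

/** Hypothetical abstraction over the local auth daemon (assumed for this example). */
interface CredentialCheckerInterface
{
    /** @return bool true only if the daemon accepts the username/password pair */
    public function check($username, $password);
}

class UnixAuthDaemonProvider extends DaoAuthenticationProvider
{
    private $checker;

    public function __construct(
        CredentialCheckerInterface $checker,
        UserProviderInterface $userProvider,
        UserCheckerInterface $userChecker,
        $providerKey,
        EncoderFactoryInterface $encoderFactory,
        $hideUserNotFoundExceptions = true
    ) {
        parent::__construct($userProvider, $userChecker, $providerKey, $encoderFactory, $hideUserNotFoundExceptions);
        $this->checker = $checker;
    }

    /**
     * Called by UserAuthenticationProvider::authenticate() after the user has
     * already been loaded from the database by the configured user provider.
     */
    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
        $currentUser = $token->getUser();
        if ($currentUser instanceof UserInterface) {
            // Re-authentication of an already logged-in user: no password is
            // presented, so the parent's handling of this case is kept unchanged.
            parent::checkAuthentication($user, $token);
            return;
        }

        $presentedPassword = (string) $token->getCredentials();
        if ('' === $presentedPassword) {
            throw new BadCredentialsException('The presented password cannot be empty.');
        }

        // The only behavioural change: ask the daemon instead of the password encoder.
        // The message stays generic so a failure does not reveal whether the user exists.
        if (!$this->checker->check($user->getUsername(), $presentedPassword)) {
            throw new BadCredentialsException('The presented password is invalid.');
        }
    }
}
```

Because the constructor gains an argument, swapping only the `security.authentication.provider.dao.class` parameter mentioned in the first answer is not enough; the service definition that builds the provider (for example the SecurityFactory from the accepted answer) has to pass the checker in as well. Keeping `$hideUserNotFoundExceptions` at its default means an unknown username and a wrong password produce the same response, which is the behaviour you want on a login form.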

Related

GWT security: web.xml filter vs overriding processPost() in RemoteServiceServlet

I have a GWT application that resides within a single web page, which I believe is fairly typical. I am in the process of securing it, and I need advice on choosing a proper approach. My ultimate intention is to check for presence of authenticated session on every gwtrpc server call.
In the past when dealing with servlet/JSP-based web application, I used filter and filter-mapping definitions in web.xml. And that worked like a charm considering that such applications usually consisted of many web pages, and redirection to a login page went right along with it. But in case of GWT and its often-used single screen nature, I feel that overriding RemoteServiceServlet's processPost() function may be a better approach. My intention would be to check for presence of an existing session, and then throw an appropriate exception if needed. The client would then react accordingly (i.e. login popup, etc) by determining the course of action based on whatever exception is thrown back to it.
I am aware of other existing solutions such as Spring security, but I would really like to hear opinions on my idea. Thank you.
I don't think that you should check for an authenticated session yourself. Let the application container deal with that. Of course, in order to do that, you will need a login-config section and security constraints in your web.xml file.
A good way to secure specific parts of your application is to check (prior to the actual display of the screen) if the current user is allowed to. From your remote servlet you can call getThreadLocalRequest().getUserPrincipal() to get the actual user (null if not authenticated) and getThreadLocalRequest().isUserInRole("admin") to make the authorization.
Hope this is helpful for you!

Combining pyramid with cornice and basic auth does password checking twice, how to prevent?

Currently I am working on a project that combines basic authentication with the cornice / pyramid framework.
From the logging I observe that every time a URL is accessed the used credentials get checked twice. Since in our use case this does involve a lot of database checks, it is a potential target for an (unintended) DoS attack.
In my view I define a cornice Service with a factory.
In my app setup I configured the pyramid provided BasicAuthenticationPolicy with the resource intensive check as a callback for authentication
Also in the app setup I configure the pyramid provided ACLAuthorizationPolicy for authorisation.
So I was wondering, what I am missing, as I would really like to prevent the second check to take place. (Should I cache this on the request object in some secure way?)
Found by studying the code that this is intended behaviour.
This behaviour is only triggered when the authenticated_userid property is used (which I do).
Solved this issue by 'caching' calls to my authentication function via a decorator. Which should be fine as the same objects will be referenced via the function parameters.
Documentation can be found in the pyramid package pyramid/authentication.py

How to use ASP.NET Identity without a database

I am trying to implement custom authentication using the new ASP.NET Identity in an MVC 5 project.
I have a single username and password that I want to use to restrict which pages of the website the user can see via [Authorize] tags on controllers and views. (Easy)
I am migrating from a FormsAuthentication model whereby this was as simple as putting the credentials in the web.config.
Because I only have a single username and password I don't want to use a database as the UserStore, instead I want ASP.NET Identity to retrieve the username and password from a custom configurationsection in the web.config (don't worry about that part).
After much search, I can't find a code sample that doesn't rely on a database for ASP.NET Identity authentication.
So I'm looking for a code sample where, at the point of authentication, the user can put in custom code to check the username & password against the credentials in the custom ConfigurationSection of the web.config.
Can someone please point me in the right direction thanks.
Update : I've tried looking at this code sample but it doesn't even compile out of the box.. poor.
http://code.msdn.microsoft.com/Simple-Aspnet-Identiy-Core-7475a961
Update : The reason that I don't want to use FormsAuthentication is that I am writing a NuGet package that will be installed into a web application. One of the things the NuGet package will do is create a custom ConfigurationSection in the web.config that includes (among other things) a single username and password. I thought this would be safer as it wouldn't alter any existing FormsAuthentication settings currently in the target web application.
Update : I think I have got it working. Will post findings soon.
-- Lee
You don't have to migrate to Identity framework, FormsAuthentication still works. And Andrew is correct, using Identity framework makes little sense here, since it is all about managing users.
However, if you insist on using it, you can implement your own UserManager and IUserStore. Some guidance can be found in Scott K. Allen blog post. See the links on the bottom - samples of implementations - you can take some of these and convert to your needs.
I would imagine your IUserStore will be simple, because there is only one user and most of the methods don't have to be implemented. And for the ones required (I think you'll need FindUserById and related) you'll need to reach web.config via ConfigurationManager.

Orchard CMS custom membership

What is the preferred way of integrating a custom membership provider with Orchard?
I have seen a couple of posts around implementing a new IMembershipService and IUserService (from Orchard.Users) and then there other modules such as OpenAuthentication which seem to do a lot more than that (but still uses the UserPart??).
We already have an ASP.NET Membership provider written, can this be integrated as is?
Custom implementation of IMembershipService is a way to go if you don't want to use the default Orchard.Users module at all. Useful when you still want to do forms authentication, but just store the auth data somewhere else, not in UserPart.
If you would like to create a totally custom authentication scheme, that overrides the form-based default one (username + password), override IAuthenticationService.
So, generally speaking:
IMembershipProvider is about authentication data management (create/retrieve users)
IAuthenticationProvider is about performing the authentication (sign in/out/get current user etc.)
Depending on your needs you can override either one or both.
The common auth modules, like the OpenAuth one, add additional authentication options to the existing default one without actually replacing it, IIRC.

CouchApps and user authentication

I posted a variation of this question to the CouchDB user list and haven't received a response yet.
I'm curious to know if anyone else has built a so-called "CouchApp"; a pure HTML/JavaScript application hosted directly within CouchDB. If so, how did you handle user authentication? I'd like to be able to create a typical login form (username, password) and then use those credentials either against a view or some other mechanism before passing the user along to the application (while storing their (encrypted) user ID in a cookie, presumably).
I'm used to simply proxying through something like couchdb-python and a normal web server, but would like to know any best practices with respect to authenticating users in these kinds of CouchApps.
Edit: A year later, and this is now built into CouchDB. This video is a great demonstration. (Thanks Daniel!)
CouchDB has released a simple authentication API but has no built-in authentication mechanisms as of yet. The simplest and easiest way to do this is to use an HTTP proxy for authentication. However this has limitations on how much you can restrict access on a per-document basis. When CouchDB gets some more support for built-in authentication modules then it should be easier.
If you want to try your hand at coding an authentication module then you can check out the source for the javascript security_validation tests in this file:
http://svn.apache.org/repos/asf/couchdb/trunk/share/www/script/couch_tests.js
and the default_authentication_handler in this file here:
http://svn.apache.org/repos/asf/couchdb/trunk/src/couchdb/couch_httpd.erl
that would get you started anyway.
This question has been around for a while (1.5 years!) and things have matured quite a bit since it was answered. Watch the video above, but it doesn't explain how to build it into your app. It looks like most of the answers are now found here: Security Features Overview and at the end of this document: CouchDB Security.