j_security_check dilemma - work around - security

Before implementing j_security_check using MySQL realm authentication in my web app, I had the form info sent to a servlet (action controller) which would authenticate the user and then add some info regarding the user to the session object. Other servlets could then make use of this session object. After implementing j_security_check I don't know how to add the details of the login to the session object, since j_security_check is being called instead of my controller and then it forwards to the requested page. It's like as soon as a user signs in, the data specified on the form is needed to create the session object; however, I currently can't find any way of accessing the data submitted since it's being passed to j_security_check. I tried using filters but I can't seem to read the submitted data directed towards j_security_check. Any suggestions on what I should do? (I just want to set a session object as soon as a user signs in.)

The only information you can get in j_security_check is the username and password. I don't see a use case for storing the password in the session.
But the username can be obtained at any time using HttpServletRequest.getRemoteUser().
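One way to attach your own per-user data even though the container handles the login form, as an added example that is not from the original answer: a filter mapped to /* that lazily fills the session from getRemoteUser() on the first authenticated request. UserDetails and loadUser() are hypothetical stand-ins for the application's own user lookup.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Mapped to /* in web.xml. The container answers j_security_check itself,
// but on every later request getRemoteUser() carries the authenticated
// name, so the session can be populated the first time it is seen.
public class UserSessionFilter implements Filter {

    public static final String USER_ATTR = "currentUser";

    // Hypothetical value object: whatever the other servlets need per user.
    public static class UserDetails implements Serializable {
        public final String username;
        public final String displayName;
        public UserDetails(String username, String displayName) {
            this.username = username;
            this.displayName = displayName;
        }
    }

    // Hypothetical lookup; a real app would query its user table here,
    // which is where the old controller's extra details came from.
    protected UserDetails loadUser(String username) {
        return new UserDetails(username, "User " + username);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String remoteUser = http.getRemoteUser();   // null until FORM login succeeded
        if (remoteUser != null) {
            HttpSession session = http.getSession(true);
            UserDetails cached = (UserDetails) session.getAttribute(USER_ATTR);
            // Populate once; refresh if the principal on this session changed.
            if (cached == null || !cached.username.equals(remoteUser)) {
                session.setAttribute(USER_ATTR, loadUser(remoteUser));
            }
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```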

Related

How to obtain user principal from Liberty's FORM based authentication in JSF page?

So I have this JSF project that uses form based authentication. On the first attempt to open my JSF page, I get redirected to my login server. There the authentication takes place and on success I get redirected to my application. Unfortunately I don't know how to get the information that the authentication server provides, like username.
I have a page where a text says "Signed in as ". It should be set by a ManagedBean with the method getCurrentUserPrincipal().
<h:outputText value="#{myBean.getCurrentUserPrincipal()}"/>
The method is currently empty. I tried it with WSSubject.getCallerPrincipal() and FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal() but that returned null.
How can I get the information I need with that method?
Is it even possible?
I'm not sure what information you would need, so if something is missing, I will provide if I can.
Inject the principal into your managed bean like:
import java.security.Principal;
import javax.inject.Inject;

@Inject
private Principal principal;
then, based on your html above for outputText field, provide a getter in your managed bean something like:
public String getCurrentUserPrincipal() {
return principal.getName();
}
After some digging I found out that our authenticating server was a SiteMinder service and the information came back in a cookie (SMSESSION) and header information of the response.
So, it would be enough to read the header information to get the user name.
But the principal or subject would still return null. To get this and also make security working, I added a TAI to Liberty. How this is done, you can read here and here. My myTAI.jar is really simple. Because I have a ldap registry configured, I need the user security name (String, e.g. uid=..,ou=..,ou=..) of the given username (header) for further authentication and return this:
return TAIResult.create(HttpServletResponse.SC_OK, userSecName);
In the background Liberty will then do some further authentication and create the principal and subject. If everything is correctly configured and the user is authorized to enter the application, he will, and will have principal and subject objects available.

Passport login redirection

I'm using passport-facebook for logging into the site using Facebook (the implementation is complete and working well). Now, I want to redirect the user to a page containing a form which they are supposed to fill once they log in from FB, and without doing it (that is, without filling the form and submitting it) they shouldn't be able to access any other links on the site.
Here is the approach I thought of: once the user logs in I would make a database query inside the strategy to see whether they have previously submitted the data; if they have already submitted, I would set session.filledOrNot = true in the object which I'll be returning to the done callback and use this property to either allow them to proceed or redirect back to the same page.
Is this a good approach?
This can be done in 2 ways.
1. You can either make the user fill the form while signing up/registering (whatever you call it). If the user doesn't fill the form, don't let them sign up at all.
2. The second way is what you are suggesting. Let the user sign up without filling the form and once the user logs in, check in your database whether your condition "session.filledOrNot = true" is satisfied or not. The disadvantage is you need to make this query in every API request, not just the login request.

Creating a new JSESSIONID after authentication

When a user hits the login page of a Portal (it could be Liferay, JBoss Portal...), a JSESSIONID cookie is created by the container. After entering credentials in the login page, the same JSESSIONID gets carried over.
Here, the end user will come to know the JSESSIONID before he could get authenticated (by checking the JSESSIONID in the login page). This will increase vulnerability of the site for hacking because one can know the JSESSIONID before one gets authenticated.
This post advises having a different JSESSIONID after authentication.
So, can creating a new JSESSIONID be achieved by the Portal server being used (I am using Liferay CE 6.0) or does it have to be handled by the web application developer? If it has to be handled by the web application developer, what is the best way to do it? Is request.getSession(true) the only option? If I need to instruct Liferay to create a new JSESSIONID after authentication, how can it be done?
This looks a lot like the session fixation problem I solved for Liferay 5.2.5 a long time ago. The solution consists of creating a custom Tomcat Valve that will force a new session ID. So the solution isn't really specific to Liferay and depends on whether you use Tomcat or not.
I suspect it shouldn't be too difficult to adapt my old solution to a newer Liferay/Tomcat combination. You can find the necessary information about my solution in my old and currently unmaintained blog (if I only had more time...): Fixing session fixation in Liferay
The problem here is not that the user knows the session ID (the user always knows it, it is sent by his browser). The attack scenario is that the user, while logged out, clicks on the link that already has JSESSIONID embedded, then authenticates and this session becomes a logged-in session. Now someone who initially created the link can use the same session to act as the user. More details at https://en.wikipedia.org/wiki/Session_fixation
So yes, use the web or app server to re-set session ID after a user authenticates. You do not need to write it yourself. For Tomcat 7: http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
You can fix this issue by setting the following property to true, as Liferay has by default.
#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true
@Thiago:
This session.enable.phishing.protection=true is by default true in portal.properties. Anyhow, I have added this entry in portal-ext.properties. But even then the JSESSIONID remains the same before and after login.
I have implemented a filter as per this link. After implementing this filter, when I hit the login page of Liferay, one JSESSIONID gets created. After I enter the credentials and log in, the same JSESSIONID is retained.
I have implemented this filter in a Servlet and not in any of my Portlets or in Liferay's ROOT application. My Servlet is deployed in the LR + JBoss AS bundle. I am first hitting the Servlet and from here I have a link which will redirect to Liferay's login page. I have implemented this filter in my Servlet because the Container will append JSESSIONID to the first request as it doesn't know if cookies are enabled or not. Since JSESSIONID is getting appended, I am not able to retrieve my images in the Servlet (because the url is myImage.jpg;jsessionid=). Hence, I have implemented this filter.
Is this filter conflicting with Liferay's configuration? Even after setting session.enable.phishing.protection=true the same JSESSIONID is retained, so what else could be the problem?
Put this code inside the portal-ext.properties.
It will fix the problem: each and every time a user logs in, a new session id will be generated.
session.enable.phishing.protection=true
com.liferay.util.servlet.SessionParameters=true
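What the Valve, the filter and the Liferay property above all boil down to is regenerating the session ID at the moment of authentication; the helper below is an added example, not code from any of the answers or from Liferay, and onSuccessfulLogin() is a hypothetical place in an application's own login handler where it would be called.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Issues a fresh session ID when the user authenticates, so an ID that was
// known (or planted) before login never becomes a logged-in session, which is
// the session fixation scenario described above. Attributes set while the
// user was a guest are carried over to the new session.
public final class SessionFixationGuard {

    private SessionFixationGuard() { }

    public static HttpSession regenerateSession(HttpServletRequest request) {
        // On a Servlet 3.1+ container, request.changeSessionId() does this in
        // one call; the copy/invalidate/create sequence works on older ones too.
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();   // the pre-login ID and its server-side state are gone
        }
        HttpSession fresh = request.getSession(true);   // new ID, new Set-Cookie header
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Hypothetical call site: run only after the credentials have been verified,
    // and only then put identity-related attributes into the (new) session.
    public static void onSuccessfulLogin(HttpServletRequest request, String username) {
        HttpSession session = regenerateSession(request);
        session.setAttribute("username", username);
    }
}
```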

How to restrict some module of GWT based application from accessing it directly via url

I have to secure a section of my GWT based application from accessing it directly via some url.
Actually there is an index page which is the login page. The user gives credentials and enters into the app (the module to be saved).
Currently what I am doing is that when a user logs in I save his username into session ( session.setAttribute(“username”, username) ) and load the required view of user.
Now whenever user navigates the application I call a method via RPC which checks if the “username” attribute is set or not in the session; if it is set then method returns true and false otherwise.
And of course if it returned false then I load the index view of application (which says user to log in).
Now I have to call this method before I load any module which should be accessed by logged-in users only, to restrict illegal access via url etc.
From the scenario given above, kindly guide me whether it is the right strategy to secure some module, or whether there are other good ways to do the same thing.
Cheers!
Raza
While your approach would work, I feel a Servlet Filter is the best place to authorize web server requests. Since all the requests have to pass through the filters before hitting the servlet, this is the best place to make proceed/abort/redirect decisions, based on the url pattern and your session attributes.
Having ( /* ) security filters also ensures that all your web app requests pass through the authorization test first, leaving the servlet code to just do the business stuff.
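The /* filter the answer recommends, written out as an added example (not code from the original answer): public paths are allowed through, everything else needs the "username" session attribute, and GWT-RPC calls get a 401 instead of a redirect. The public path names and the /app/loginService endpoint are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Mapped to /* so every request is authorized before any servlet runs.
// The login page, the login RPC endpoint and GWT's static artifacts are
// public; everything else requires the "username" session attribute set at login.
public class AuthorizationFilter implements Filter {

    // Assumed public entry points, relative to the context path.
    private static final Set<String> PUBLIC_PATHS =
        new HashSet<>(Arrays.asList("/", "/index.html", "/app/loginService"));

    static boolean isPublic(String path) {
        return PUBLIC_PATHS.contains(path)
            || path.startsWith("/css/") || path.startsWith("/images/")
            || path.endsWith(".nocache.js") || path.endsWith(".cache.html")
            || path.endsWith(".cache.js");
    }

    static boolean isLoggedIn(HttpSession session) {
        return session != null && session.getAttribute("username") != null;
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) resp;
        // servletPath + pathInfo is the container's decoded, normalized path,
        // so prefix checks are not fooled by encoding or "..".
        String path = http.getServletPath()
            + (http.getPathInfo() == null ? "" : http.getPathInfo());
        if (isPublic(path) || isLoggedIn(http.getSession(false))) {
            chain.doFilter(req, resp);
            return;
        }
        // GWT-RPC calls are XHRs with this content type: a redirect would be
        // opaque to the client, so send 401 and let it show the login view.
        String ct = http.getContentType();
        if (ct != null && ct.startsWith("text/x-gwt-rpc")) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            out.sendRedirect(http.getContextPath() + "/index.html");
        }
    }
}
```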

Handling form security

So how do you maintain form security with regard to the problem of posting data to a different page? For instance, you have a member and he/she tries to change their personal settings, and you redirected the member to
www.domain.com/member/change/member_id
The member changed the values and posts the data to another page by changing the action with Firebug or something else. For instance
www.domain.com/member/change/member_id_2
How do you handle this problem without using sessions?
This problem arises when there are no server-side validations!
So, the solution is to have server-side validations.
Why not use Session state? It's designed for that.
Alternatively use cookies or URLs with a unique session-style ID embedded in them, which allows you to tie it back to a specific user.
How do you handle members without session?
Before modifying anything, check if the current user has the right to do so. For example, if you're user #1 and your details are at /members/change/1, you post to the same url, and with firebug you change the form to point to /members/change/2. When processing the form, you have to check if the userid in the form is the current user's id, and if not, display an error.
You could encrypt the identity information (member_id) and add it as a parameter or url path. When the request is posted to the member_id form, you can verify that the encrypted member_id (which is part of the request) matches the member_id.
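A concrete form of the two answers above, as an added example that is not from the original posts: the server issues an HMAC-signed member_id only when rendering that member's own form, and on POST checks that the token in the request was issued for the member_id being modified. The token layout, the expiry and the secret are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// The server issues a token only while rendering a member's own edit form and
// embeds it in that form (hidden field or URL). On POST it verifies that the
// token was issued for the member_id being modified, so retargeting the form
// action to member_id_2 fails: the client cannot forge the MAC for another id.
public final class MemberTokens {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;   // server-side secret, never sent to clients

    public MemberTokens(byte[] secret) { key = new SecretKeySpec(secret, ALG); }

    private byte[] mac(String data) throws Exception {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // token = memberId.expiry.hex(HMAC(memberId.expiry)); the expiry limits replay.
    public String issue(long memberId, long expiresAtEpochSec) throws Exception {
        String payload = memberId + "." + expiresAtEpochSec;
        return payload + "." + hex(mac(payload));
    }

    // True only for an unexpired token whose MAC matches and whose embedded
    // member id equals the id the request is trying to change.
    public boolean verify(String token, long requestedMemberId, long nowEpochSec) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) return false;
        long memberId, expiry;
        try {
            memberId = Long.parseLong(p[0]);
            expiry = Long.parseLong(p[1]);
        } catch (NumberFormatException e) {
            return false;
        }
        if (memberId != requestedMemberId || nowEpochSec > expiry) return false;
        byte[] expected = hex(mac(p[0] + "." + p[1])).getBytes(StandardCharsets.US_ASCII);
        byte[] given = p[2].getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, given);   // constant-time comparison
    }
}
```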
