Is there a way to update the PasswordAnswer when using the ASP.NET 2.0 Membership API? I want to be clear, I'm not trying to change the password, but rather I'm trying the give the user the option to update the Security Question and Security Answer they specified when enrolling.
The base MembershipProvider class has an overridable method called ChangePasswordQuestionAndAnswer. You can use this to change the security question and answer. The signature looks like so:
public override bool ChangePasswordQuestionAndAnswer(string username, string password, string newPasswordQuestion, string newPasswordAnswer)
{
// your implementation here.
}
Related
I wonder if it is possible to create a new Authority in Jhispter. I tried adding a ROLE_WRITER:
/project/src/main/java/location/security/AuthoritiesConstants.java
package location.security;
/**
* Constants for Spring Security authorities.
*/
public final class AuthoritiesConstants {
public static final String ADMIN = "ROLE_ADMIN";
public static final String USER = "ROLE_USER";
public static final String WRITER = "ROLE_WRITER";
public static final String ANONYMOUS = "ROLE_ANONYMOUS";
private AuthoritiesConstants() {
}
}
When I run the app, it does not crash, but when I tried to change the localhost:9000/#/user-management ROLE in the profile, it did not offer me the option.
So I went to the database and add a new ROLE in the JHI_AUTHORITY Table and now it appears in the user-management, but I have the feeling that i'm getting into trouble if I mess around with the User Entity.
Is there any official way of doing it? (that I am not aware of)
Is there any danger with doing it?
Is there anything else that I should consider?
Thanks
Is there any official way of doing it? (that I am not aware of)
Have you seen src/main/resources/liquibase/authorities.csv? I think that is a right place to add a new authority before production, and when you are in production stage, then it is recommended to add your change(insert into) as liquibase changeset.
Is there any danger with doing it?
AFAIK new role will work like other existing roles in Spring security context. having said that I might misunderstood your question.
Is there anything else that I should consider?
Automation, this type of manual changes will cause dysfunction in production or new installation, so we need to automate this type of changes for both situations.
Although this is already answered, I think it's a good idea to put a link to a related tip posted in the official website of JHipster:
https://www.jhipster.tech/tips/025_tip_create_new_authority.html
I faced the same issue, I added drop-first: true parameter to src/main/resources/config/application-dev.yml:
....
liquibase:
contexts: dev
drop-first: true
....
It seems like it ais a parameter to regenerate the database (for development mode).
When deploying a JavaEE application as a WAR file (using the WAS Liberty Profile application server), the mappings between application roles and user groups are defined in server.xml. We have chosen to implement security by means of an EJB bean interceptor that compares the permissions stated on a method annotation with a set of permissions that are assigned to user.
This idea is based on an an original article in Java Magazine (Secure Java EE Authentication," Java Magazine, January/February 2013).
To take the idea further, we want to map the roles associated with the user to a more granular set of permissions. Unfortunately there is (currently) no way easy to obtain the list of roles associated with a user. Two suggested methods are proposed in this stack overflow article by #Josh and #Steve.
It struck me that if I can obtain the list of roles defined by the #DeclareRoles() annotation, I could use the request.isUserInRole(role) method for each of these roles without having to maintain a separate list of roles myself.
Has anyone used this method, or are there better methods to implement a finer grained security model since the article was written?
Well, you can certainly do something like:
#Stateless
#LocalBean
#DeclareRoles({ ROLE1, ROLE2, ROLE3 })
public class IsCallerInRoleDemoSessionBean {
#Resource
private SessionContext sessionContext;
#PermitAll
public Set<String> discoverRoles() {
Set<String> roleNames = new HashSet<>();
DeclareRoles declaredRoles = IsCallerInRoleDemoSessionBean.class.getAnnotation(DeclareRoles.class);
for (String roleName : declaredRoles.value())
if (sessionContext.isCallerInRole(roleName))
roleNames.add(roleName);
return roleNames;
}
}
This is from an old Arquillian Security Demo I did for someone a few years ago.
Ideally, this would also examine super-classes as well.
I have a simple application using the Play! framework's secure module. My 'Users' controller extends CRUD and is protected by #Check('admin'), so users have to be admins to access CRUD methods. However, I'd like anyone to be able to create new Users-- like a "Sign Up" or "Register" button.
What is a good way to do this, given that all of my Users methods except Create should be protected? Can I apply #Check("admin") to individual methods?
Here is my Users controller:
package controllers;
import play.*;
import play.mvc.*;
#Check("admin")
#With(Secure.class)
public class Users extends CRUD {
};
What is a good way to do this, given that all of my Users methods except Create should be protected?
In my practice, I create new controller in another package with the same name for doing this.
For example,
So, I think the best way is you should put Sign up method in the Non-Admin.
After I find some reference, this link has same idea with you and the answer of this topic is like what I said.
Can I apply #Check("admin") to individual methods?
Yes, you can. But you need to use #With(Secure.class) in that controller first.
You can see the example in Secure Module Documentation.
i am adding a new method into CalEventLocalServiceImpl using hook...
my code is ..
public class MyCalendarLocalServiceImpl extends CalEventLocalServiceWrapper {
public MyCalendarLocalServiceImpl(CalEventLocalService calEventLocalService) {
super(calEventLocalService);
// TODO Auto-generated constructor stub
}
public List getUserData(long userId) throws SystemException{
DynamicQuery query=DynamicQueryFactoryUtil.forClass(CalEvent.class)
.add(PropertyFactoryUtil.forName("userId").eq(userId));
List deatils=CalEventLocalServiceUtil.dynamicQuery(query);
return deatils;
}
}
liferay-hook.xml:
<service>
<service-type>
com.liferay.portlet.calendar.service.CalEventLocalService
</service-type>
<service-impl>
com.liferay.portlet.calendar.service.impl.MyCalendarLocalServiceImpl
</service-impl>
</service>
my question is how to use getUserData from jsp file.
Can anybody help me out....
i think u didn't gt my question...i want list of events based on USERID from Calendar ...to achieve this task what i need to do??
I assume getUserData() is not overridden but a new method (can't look up currently). This is not what you can do when overriding a service. Instead you'd have to add a new Service and make it available to the portal.
Remember that a customized ("hooked") jsp is running in the portal classloader, while your overloaded service is running in the hook's classloader. Thus, if you create a new service and make the service.jar available to Liferay (e.g. on the global classpath) you can call it from JSPs. The interface of Liferay services can not be extended through an overloaded service.
In case getUserData() is already in the interface (as I said I can't look up currently), you just need to call the CalendarLocalServiceUtil from your jsp and it will be delegated to your wrapper.
Just to add to Olaf's answer and comments...
if you you want to extend CalEventLocalService service with just "getUsetData" and use it in one jsp than building your own service might be overkill. Simply put your code from "getUserData" in jsp. Otherwise follow Olaf's suggestions.
I am looking for ways to restrict certain actions in Controller(s) based on whether the user is logged in or not. I looked at the Security interceptor but how would the Security controller code know which action is being executed and what is its required access level?
I am looking for something like:
#Auth-level("logged-in")
public static Member getProfile()
{
.....
}
#Auth-level("cookied")
public static void browseCatalog()
{
.....
}
#Auth-level("anonymous")
public static void contactUs()
{
.....
}
Is this possible in Play? Or is there a similar solution for the problem above?
The way I did this in my Struts application was to use XDoclet to create a mapping from my Action classes comments and using a Servlet filter to examine the request and figure out if access is allowed or not. I was hoping for an easier way to do this in Play!
Thanks!
Take a look at the following documentation for the secure module as an example of an action/controller interceptor...
http://www.playframework.org/documentation/1.1/secure
Pay particular notice of the #Check notation, which gives you what you are asking for.