Prevent a user from entering their username and repeating the same password when changing their password (JasperReports Server - jasperserver)

In applicationContext I have changed the following code so that passwords must satisfy the regular expression below. However, I can't find a way to validate that the user doesn't provide the same password they had before, or their username. Any help on that?
<property name="allowedPasswordPattern" value="^((?=.*?[A-Z])|(?=.*?[a-z]))(?=.*?[0-9])(?=.*?[\\!\\$\\#\\#\\=\\(\\)\\:\\+\\-\\*]).{6,10}"></property>
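As an added example (not from the thread and not jasperserver's own code), a plain Java check that applies the poster's pattern and adds the two missing rules: the new password may not contain the username and may not equal the current password. The class and method names are hypothetical; the pattern is the poster's, rewritten as a Java literal without the XML double-backslash escapes.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public final class PasswordChangeValidator {
    // The poster's allowedPasswordPattern as a Java literal. Inside a character
    // class the symbols need no escaping, and matcher().matches() anchors the
    // whole string, so the leading ^ is not needed either.
    private static final Pattern ALLOWED = Pattern.compile(
        "((?=.*[A-Z])|(?=.*[a-z]))(?=.*[0-9])(?=.*[!$#=():+*-]).{6,10}");

    /** Returns the policy violations for a proposed change; an empty list means it is acceptable. */
    public static List<String> validate(String username, String currentPassword, String newPassword) {
        List<String> problems = new ArrayList<>();

        if (!ALLOWED.matcher(newPassword).matches()) {
            problems.add("password does not satisfy the complexity pattern");
        }

        // Reject the username itself and the username embedded in the password,
        // case-insensitively. The empty-username guard avoids flagging everything.
        if (!username.isEmpty()
                && newPassword.toLowerCase(Locale.ROOT).contains(username.toLowerCase(Locale.ROOT))) {
            problems.add("password must not contain the username");
        }

        // A change-password form asks for the current password, so both values are
        // available in plaintext here. If only the stored hash is available, verify
        // newPassword against that hash with the same encoder instead of comparing strings.
        if (newPassword.equals(currentPassword)) {
            problems.add("new password must not equal the current password");
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample values: same password, username inside password, acceptable password.
        System.out.println(validate("jsmith", "Old#pass1", "Old#pass1"));
        System.out.println(validate("jsmith", "Old#pass1", "Jsmith#1x"));
        System.out.println(validate("jsmith", "Old#pass1", "Summer#24"));
    }
}
```

Where in jasperserver's change-password flow this check is invoked is not shown in the thread, so that wiring is left open here.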

Related

REST API User Resource and its Password

I'm still learning REST API principles and this one still confuses me. The password inside a User resource is private and of course cannot be placed in a response, while sometimes we need to expose user data publicly (e.g. when someone is viewing someone else's user page). How do we handle this based on REST API principles? Should I remove the password from the response before sending it?
Yes, you should not return the password in the response. I would suggest you create two DTOs:
UserInputDTO: This contains the password and the other values.
UserOutputDTO: Here you have only those fields which are useful for the output, and we can exclude the password field and fields related to your internal implementation.
If your input and output look the same, then you can add the JsonIgnore annotation to the password field.
If by removing you meant setting it to null, the user can still see the field name password, and if at any time you forget to set it to null it will be a security issue. To solve this issue, you can use the JsonIgnore annotation.
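An added example (not the answerer's code) of the two approaches above with Jackson: a separate output DTO that has no password field at all, and a single DTO whose password is @JsonIgnore'd. The class names and sample values are constructed; it assumes jackson-databind is on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.ObjectMapper;

public class UserDtoDemo {
    // Input-side DTO: accepts the password on create/update requests.
    public static class UserInputDTO {
        public String username;
        public String email;
        public String password;
    }

    // Output-side DTO: no password field exists, so it cannot be serialized by accident.
    public static class UserOutputDTO {
        public String username;
        public String email;
        public UserOutputDTO(UserInputDTO in) {
            this.username = in.username;
            this.email = in.email;
        }
    }

    // Single DTO used in both directions: @JsonIgnore drops the field from the JSON
    // entirely, whereas nulling the field would still emit a "password" key.
    public static class UserDTO {
        public String username;
        public String email;
        @JsonIgnore
        public String password;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        UserInputDTO in = new UserInputDTO();
        in.username = "alice";
        in.email = "alice@example.com";
        in.password = "constructed-secret";

        // Output DTO: username and email only.
        System.out.println(mapper.writeValueAsString(new UserOutputDTO(in)));

        // Ignored field: absent from the JSON, not present as null.
        UserDTO single = new UserDTO();
        single.username = in.username;
        single.email = in.email;
        single.password = in.password;
        System.out.println(mapper.writeValueAsString(single));

        // Nulling instead of ignoring: the "password" key still appears, with a null value.
        in.password = null;
        System.out.println(mapper.writeValueAsString(in));
    }
}
```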

ZAP Form based authentication does not replace username password

When I configure ZAP as in the guideline https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication
the username and password are not replaced with the ones defined in the Users context setting.
Any idea why this happens?
This is the same issue as in https://github.com/zaproxy/zaproxy/issues/2079.
Have a look at https://github.com/zaproxy/zaproxy/wiki/FAQformauth particularly the 'Diagnosing problems' section.

How to get the profile password for a particular profile in ATG?

I tried to get password for the particular profile, but I'm struggling to do so.
My friends suggested that we can get profile information when we pass the profile id. Can anyone help me with how to do this?
Here is a code snippet of what we've done so far using profileId:
Repository repository = getConnection();
RepositoryView view = repository.getView("user");
// Look the profile up by e-mail address
RqlStatement stat = RqlStatement.parseRqlStatement("email=?0");
Object[] param = { resetEmail };
RepositoryItem[] emailCheck = stat.executeQuery(view, param);
// Collect the profile id we want to search by
Map<String, Object> profile = new HashMap<>();
profile.put("userId", profileId);
Please help me get profile information when we pass profile id.
First of all, in ATG the Profile's password is hashed to prevent any malicious attacker from reading it in clear text. Depending on your ATG version it will be hashed in MD5 or SHA-1 plus some salt, so you will NOT be able to see a clear text password.
Second, why do you need to access the password? If you have a specific requirement, such as logging the user in, post it and I will be able to assist.
That said, assuming that you have a valid scenario where you need to access the hashed password, how to do it depends on whether you just need the password of the user that is logged in, or some other user.
For the currently logged in user, you just need to resolve the /atg/userprofiling/Profile component, and do
String password = (String) profile.getPropertyValue("password");
Obviously the "password" string should be replaced with a constant or with the Profile propertyManager, depending on your project's coding practices.
If you want to access the password (remember, you can't access the clear text password, only the hashed version of it) of any other user, you need to locate the user first. The /atg/userprofiling/ProfileItemFinder component has tools to help you with this, so you'll have to inject it into whatever component you are writing:
RepositoryItem user = profileItemFinder.findByEmail("your#email.com", "user")[0];
String password = (String) user.getPropertyValue("password");
Hope this helps.
Edit
If all you have is the profile id, you can use the following snippet after injecting the /atg/userprofiling/ProfileTools component:
Profile user = profileTools.findProfile("profile id");
String password = (String) user.getPropertyValue("password");

Multiple scenarios within a specification feature file?

After having gotten more comfortable in Behaviour-Driven Development using SpecFlow, I was wondering about having multiple scenarios for the same feature as follows:
Register.feature
Feature: Register a new user
  In order to use the system,
  one must register with the system
  so that one gets authorized and may login

  Scenario: Register a new user using valid credentials
    Given I am on the registration page
    When I have entered my desired username "UserName" and password "password"
    And I have confirmed my password "password"
    And I click the register button
    Then I shall get confirmation that I am now a registered user
Beside the fact that my scenario might have gotten a bit too fat, one must also manage to validate other scenarios within the registration process such as:
Input user name is too short
Input password is too short
Input password doesn't contain numbers
Input password doesn't match the confirm password
Just to name a few. I have read about tags using SpecFlow Feature File so that I could perhaps do as follows:
  #shorterPasswordProvided
  Scenario: Register a user using a password that is too short
    Given I am on the registration page
    When I have entered my desired user name
    And I have provided a password that is too short "allo"
    And I click the Register button
    Then I shall get an error message which mentions about the password minimum length

  #noCredentialsAtAll
  Scenario: Register a user using no credentials at all
    Given I am on the registration page
    When I click on the Register button with no credentials entered
    Then I shall get an error message that says I have to fill all required fields in
Then, using the [BeforeScenario("myTag")] should do the trick.
The hooks allow a subset of the tests to be executed following certain rules. So, a When method could then be executed with a predefined context, that is, the hook for which it was meant to be executed, and that is mentioned through the BeforeScenario or similar attribute.
Have I understood correctly, or am I in fog here?
Am I pushing too far?
Am I missing something?
Are all the "too short password", "no credentials provided" considered different usage scenarios, or are they something else which could only fit somewhere else in the code, like the unit tests themselves?
I mean, all those scenarios belong to the Register feature, and as such, they shall be defined in the same Register.feature SpecFlow Feature File, right?
Ok, you have a couple of questions, so I'll work through them:
Then, using the [BeforeScenario("myTag")] should do the trick.
The BeforeScenario hook attribute is used to run some code before the scenario executes. It's often used to set up the environment for the scenario (e.g. populate the test database with pertinent data); if used for this purpose, then AfterScenario can also be used to clean up the result of BeforeScenario.
The hooks allow a subset of the tests to be executed following certain rules. So, a When method could then be executed with a predefined context
If I understand you correctly, you want to be able to use a tag to control when a step within the scenario can be run/not-run. This is not possible with SpecFlow's hook attributes; there is a BeforeStep hook but this only enables you to execute code before the step is run, it doesn't allow the step to be ignored.
Are all the "too short password", "no credentials provided" considered different usage scenarios, or are they something else which could only fit somewhere else in the code, like the unit tests themselves?
In your example, yes these are different scenarios for your "Register a new user" feature. If you are taking a strict BDD approach to your development, then with your "outside-in inside-out" development approach you will also implement unit tests (by falling back to TDD as part of the BDD process) which will also cover the "too short password" and "no credentials provided" validation.
As for your scenario:
When I have entered my desired username "UserName" and password "password"
Instead of using this, use:
When I enter my username "UserName"
And I enter my password "password"
By doing this you will be able to re-use "When I enter my password" in "Register a user using a password that is too short". This leads me onto:
And I have provided a password that is too short "allo"
There is no need to have a separate step which states the password is too short. Just re-use:
When I enter my password "allo"
For the same reason, don't use:
When I click on the Register button with no credentials entered
just reuse:
When I click on the Register button

Ektron user change password?

I have an Ektron client with Ektron installed. They would like to add the functionality to change a password to something they want. Do I need to be concerned with the Ektron part or just go ahead and make my edit?
Is there an easy way to do that? Any links to information would be greatly appreciated.
If you're talking about Ektron CMS400 Membership Users, you can use the Web Service Method:
User.ResetMembershipUserPassword
If you're trying to set it for regular CMS400 users, you're out of luck. The administrator will need to reset their password (if they've forgotten it) and the user will need to log back in to the workarea and change their password there.
UPDATE
That method resets the password to a random value. To set the password to a desired value, you'll have to use:
Ektron.Cms.BusinessApi.dll
Ektron.Cms.UserAPI.ResetMembershipUserPassword(string Username, string oldPassword, string newPassword)