I have added a sample custom module in Magento 2. I have two controller function for admin panel page,
http://127.0.0.1/magento2/admin_magento2/sample/index/index/
http://127.0.0.1/magento2/admin_magento2/sample/sampletwo/index/
First url only display page. The second one displays 404 or redirecting to dashboard.
Please help me someone to solve this.
Note
I have added admin panel menu for first url only.
When attempting to access modules/functionality in the backend (Adminhtml), Magento checks for the presence of the secret Form Keys, and if/when someone does attempt to access an action and doesn't supply a valid FormKey and/or supplies an Invalid FormKey - the Adminhtml AbstractAction (Magento\Backend\App\AbstractAction) will route the user Admin UIX defined Startup page (which is usually the Dashboard page)
[This mechanism serves a "security checkpoint" to prevent users from accessing portions of the Backend that they don't have access to]
To prevent the check for FormKey you have two options:
(a) Turn off FormKey Validation
Navigation: Stores -> Settings : Configuration -> Advanced : Admin -> Security -> Setup "Add Secret Key to URLs" to "No"
It's very important to remember that doing so will turn off Secret Key Validation, and therefore may make your application vulnerable.
(b) Turn off FormKey Validation for your controller
Specify the action(s) you wish to exempt, from the FormKey check, in the "$_publicActions" attribute of your Admin Controller.
protected $_publicActions = ['ENTER_NAME_OF_ACTION'];
Code Example:
class Index extends \Magento\Backend\App\Action
{
protected $_publicActions = ['index'];
public function execute()
{
echo "My Hello World! Controller";
}
}
When accessing options from the Admin UIX Menu - Magento will automatically add the FormKey for you. That is why you are able to access the first URL v/s not able to access the second URL.
Related
I have a situation where during login, after a user has entered their username/password, they would get transferred to an additional page where they would have to enter an additional field (or select something from a select box)
Today, I use a simple session id over a cookie. When a user enters their credentials I create a session, and after they had entered the field in the additional page, I update the session.
I was wondering what would be the best way to achieve something like that in Keycloak. I would also like to include that additional field in the token.
I guess the obvious way would be to keep my login frontend as it is now and use the direct credentials grant API that Keycloak provides, but I would rather avoid that.
Please advise.
Clarifications: Each user in the system can belong to multiple organizations. That additional field corresponds to the organization that the user logs in to. All applications that interact with the token have to be aware of that organization field
According to your requirements i would suggest following:
Continue with UserStorageProvider implementation. Refer to following docs. Your implementation should also provide list of available companies for every user. You can expose this list as an UserModel attribute.
Implement custom required action (components like that runs after successfully passed credential challenges) that will get list of available companies from UserModel object of authenticated user. Offer this list to user as separate login form, so after user submits his choice it will be persisted in user session note. As example check out implementation for UpdateUserLocaleAction and javadoc for RequiredActionProvider. Here is example of logic for storing selected company:
#Override
public void requiredActionChallenge(RequiredActionContext context) {
List<String> availableCompanies = context.getUser().getAttribute("companies");
... // form rendering
}
#Override
public void processAction(RequiredActionContext context) {
String company = context.getHttpRequest().getFormParameters().getFirst("selected_company");
context.getAuthenticationSession().setUserSessionNote("company", company);
}
Add UserSessionNote oidc mapper to required client (or to shared client scope), so it will extract 'company' note saved by required action implementation from step 2
???
Profit
I am using Kyecloak:4.8.0, and have enabled Brute force attack for my realm.
Now whenever user provides wrong credentials for 3 times user will be locked temporarily.
But still user will see "Invalid username/password".
According to this thread Keycloak have done this intentionally:
https://issues.jboss.org/browse/KEYCLOAK-5284
But still i want to show user that his account has been locked.
Is there any way to customize this message?
I tried doing this by adding message in custom keycloak theme as below:
location: themes\adminlte\login\messages\messages_en.properties
accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later.
This change is not working.
After going through Keycloak base code what i found is: Keycloak uses Messages.INVALID_USER (invalidUserMessage) from properties which is written in AbstractFormAuthenticator class.
This class is at the end extended by UsernamePasswordForm now to change this to custom message i Wrote Custom Authenticator (Keycloak SPI) like below
public class CustomUsernameFormAuthenticator extends UsernamePasswordForm {
#Override
protected String tempDisabledError() {
return Messages.ACCOUNT_TEMPORARILY_DISABLED;
}
}
After this deploy spi Jar in keycloak and enable it in your realm.
And we are done :)
I want to make a custom login page using auth0 (where I can modify the default fields required for login)
and validate the credential by requesting a rest API.
I was working on auth0 and found a fix.
Note: this may not be the exact method to make a custom login page but it worked for me.
Here are the steps to be followed to design a custom login in auth0.
Step 1: If you need to change some fields required during login, Go to Hosted Pages in auth0 console. Otherwise, directly go to Step 4.
Step 2: Under the login tab, switch to Customize Login Page and then set Custom Login Form from the Default Templates dropdown.
Step 3: Here you need to edit the code to modify the fields.
After editing in the script, make sure to set the databaseConnection name to your custom Connection you are using.
// var databaseConnection = 'Username-Password-Authentication';
// change this to
var databaseConnection = 'your-connection-name';
Step 4: After doing this, head over to your custom database connection in the auth0 console. Go under Custom Database tab and switch to Use my own database.
Step 5: Under the login tab, select Request with basic Auth in the Templates dropdown.
Step 6: Now you can edit the login function and request the rest API.
I was being searching to password protect apiglity admin ui without using htpasswd, but i did not got any information about. Can anybody help me out with this?
Thanks in advance
You don't need password protection for ApiGility UI. Access should only be allowed in the Dev environment.
php public/index.php development enable <- to enable the UI
php public/index.php development disable <- to disable the UI
If you consist of having password protection for it. Then you can add an event to the Application Module.php that check if the identified user is allowed to access that resource.
Edit - If you do want to protect something by password
The following code should be placed in the Module.php file. (In many cases under the Application module).
It call the event manager and attach action to the Dispatch event.
Every time the application reach the dispatch phase it will fire this event.
The action is passed as a call back so you can attach function, classes ans etc. In this example I passed a new class that have access to the MvcEvent ($e).
For example, that class can check if a user is logged in. If it is not then redirect him to /login.
public function onBootstrap(MvcEvent $e)
{
$eventManager = $e->getApplication()->getEventManager();
$eventManager->attach(MvcEvent::EVENT_DISPATCH, array(new UserAccessChecker($e), 'getResponse'));
}
For the purpose of auth You should further investigate ACL & RABC
Problem:
I have a webforms app where every page inherits from BasePage.cs
I also have another class AuthenticatedBasePage.cs which inherits from BasePage.cs
BasePage.cs has some code which finds out if a Forms Authentication cookie is set, and if so, sets a IsAuthenticated boolean flag and a MyAppUser object (only has properties such as name, age, gendery) which means every page on the site can see if the user viewing the page is logged in or not, and if so, read the values of MyAppUser.
AuthenticatedBasePage has an additional feature where if anyone tries to browse to a page inheriting from this class are not authenticated, they are redirected to the login page with a 'returnurl' querystring variable set.
I would to have a similar setup in my MVC2 app. I've done a fair bit of reading that says I shouldn't reference HttpContext in my BaseController.cs (which all my controllers inherit from) as that means I can't unit test it. My first question is, how can I make the IsAuthenticated and MyAppUser objects available to every page? Secondly, how do I create pages which only authenticated users can access, and if they are not authenticated, they get redirected to the login page with the returnurl querystring variable set?
Many thanks,
A.
P.S. I'm not using the MembershipSchema, I'm only using the FormsAuthentication.SetCookie method.
What you want is the Authorize attribute. This article has a great explanation of how to use it with forms authentication.