Enabling Remember me on CAS 3.4.2 with default implementation - single-sign-on

i have deployed my cas.war file.
Default login is working fine.
For enabling Remember me, i followed.
https://wiki.jasig.org/display/CASUM/Remember+Me
but still when i do login selecting remember me option.
It simply logs me in without remembering.
So each time i have to enter username :test & password: test while accessing:
localhost:8080/cas/login
i want it to once allowed login to remember, so that for next hit on
localhost:8080/cas/login identify me from cookies generated in remember me option
Any help from techno legends on this will be appreciated.

Where you are selecting remember me option, whenever you enter any username and password almost all browsers will ask Remember me option, if you are using the browser level option check the browser cache and auto-fill passwords are enabled or not (example- in Google chrome use ctrl+h),
If you are using CAS application level Remember-me, that behavior is different, when you use first time, in CAS data base your username and password along with you IP address will store, next time when you enter your username immediately from database your password will come.

Related

How to make ATG dynamo admin server password not expire

I've seen various posts that help you reset the password when it expires (using various means ACC, DB update etc). But, is there a way you can make the admin password never expire? We have lot of automation built around this admin interface and it is turning out to be a hassle every time this password had to be changed. It would be nice if we can make the password never expire.
Set the enabled property on /atg/dynamo/security/passwordchecker/ExpiredPasswordAdminService/ to false.
Below is a sample ExpiredPasswordAdminService.properties file. You will need to create this in the appropriate configuration layer:
$class=atg.security.ExpiredPasswordAdminService
# Enable/Disable the password expiration service
enabled=false

How to get two factor authentication when resetting password and no devices configured for two factor

I recently wanted to use one of my old project specific GitHub account, where the two factor authentication was enabled. Since I was not able to remember the password I used the option Forgot password and reset the password.
However after successfully changing the credentials, GitHub is as usual expecting the two way authentication key, since I was not having the same device now, I don't have the GitHub configured to get the Two way authentication, neither I have any more information about the account, rather than my login credentials.
Is there any way I could get the two - way refactor working. Or I could login?
If have the credential of the GitHub account, you can login to said account, and enable 2FA
Then you can generate a PAT (Personal Access Token) in order to use that as a password (and bypass the 2fa step when pushing in command-line).
Personal access tokens are useful when it's too cumbersome to provide a client/secret pair for a full application, such as when authenticating to GitHub from Git using HTTPS, or within a command line utility or script.
Later I reset my password , and I was't having the device which i had configured my DuO Mobile. How could I login now. It is asking for 2FA and I don't have any way to provide the key.
Then you would need to follow "Recovering your account if you lost your 2FA credentials"
Having access to your recovery codes in a secure place, or establishing a secondary mobile phone number for recovery, will get you back into your account.

LDAP Authentication CGI

I have a simple webpage deployed to tomcat which runs certain shell scripts based on user selection. The pages are written in html and cgi/perl.
We already have a working ldap server and directory. I need to be able to add security to the web page I created so a user is asked to login using their ldap account when trying to access the home page or any off the sub pages.
How do I add ldap authentication to my web page?
Please be very specific as I am new to all of this. Step by step instructions including code would be greatly appreciated. Thank You
I did a lot of research on google, but all of the solutions are generic, and I don't know where to start.
This is a good article, but I'm not sure where do I put my connection to ldap and the binding (which of my pages)? How do I make sure the authentication will apply to the sub pages as well, or any other one created in the future?
http://www.perlmonks.org/?node_id=32196
Cheers
This is a good article, but I'm not sure where do I put my connection
to ldap and the binding (which of my pages)? How do I make sure the
authentication will apply to the sub pages as well, or any other one
created in the future?
You're now adding state to your app. You might initially think about implementing your authentication (authn) and authorization (authz) in tomcat, and not in your app.
If you decide not to implement in tomcat, and choose to implement in perl, then you've just decided to add state to your application, which means you need to add some kind of session handling. Look at CGI::Session, there are many other session handling modules on CPAN. Avoid Apache::Session. Its lock handling can cause lots of pain if transactions run long. Use a session key in a cookie. Send everything over SSL. if you don't use SSL, then crackers can intercept your session keys, and then hijack the sessions.
Once you have your session infrastructure set up, you need to create a login mechanism, usually a form with username and password. when that form is submitted, the CGI behind it does its magic crypto on the password and then does the LDAP dance:
connect to the directory server is no connection already exists.
2a. bind to the server anonymously or as an application user, search for the user by CN, bind as the user using DN and password
OR
2b. compute the DN form the username, bind with the DN and the crypto's password.
Often, step 3 is to check the user's record for some authorization indicator, it could be a yes/no access indicator, or it could be a list of roles or privileges.
If the user is successfully authenticated, and authorized, then write some authorization info into the user's session.
Each subsequent page of your app will then check to see if the user is logged in and/or has the proper authz to use that page. If unauthorized, you can either send them back to the post-login landing page, or to the login page if they aren't logged in.
Basically, you just replacing the usual "query the user table of the database" with a query to an LDAP to a directory server.

Tomcat 6 Ssl and Form authentication side by side

Is it possible to use two authentications methods side by side in Tomcat 6.xxx?
Story:Right now my app runs on ports 80 and 443. In 443 connector there is clientAuth="want" parameter.
If client is coming over 80, no cert is required. But when client is coming over 443 and client has smart card in reader, the cert is automatically asked, even if the client don't wan't to log in.
For login with user-cert, i have FormFallBack authenticator, which means that if client doesn't send certificate (he has not smart card in reader) or certification fails in authenticator, authenticator directs to form, where he can login with password and username.
My english isn't very good, so here is better overview of similar system : http://wiki.apache.org/tomcat/SSLWithFORMFallback
But the process of asking user-cert is annoying for user if browser multiple times asks for cert, if user don't want use smart card for login(but he has it in reader), instead he want's to login with username and password.
So is there option for following:
I have login page where are username and password field and login button. If user presses login button, he will be logged in with username and password(directed to form authenicator).
But in the same page there is button "Login with smartcard". If he presses this button, the server asks for user-cert and gives it to authenticator.
Hope you understand the problem.
I believe you will have to write your own Tomcat authenticator that understands these requirements.
It may not actually be possible because AFAICT you are asking to be able to reconfigure the behavior of the SSL connector on a per-user basis, and you can't configure the connector for the user before the SSL negotiation has taken place.
If you keep the authenticated state with the servlet session, you can offer to log on via either a form or client-certificates by providing two distinct buttons (or links) indeed.
I'm assuming here that you can have paths like /login/form for the form and /login/cert for authentication via a client-cert.
You can trigger client-certificate authentication on demand, when visiting /login/cert using SSL/TLS renegotiation. To do this, use clientAuth="false" in the connector configuration, but put a security constraint on that path in the webapp, using <auth-method>CLIENT-CERT</auth-method>: this will trigger renegotiation when required.
For this to work, you'll need a version of the JRE that supports RFC 5746 (Oracle Java 6 r22 or later), and your clients should support it too. Modern versions of browsers/OSes should support this by now.
See the AuthenticRoast project in Google Code. It does exactly this and more.

Login to a website from iphone application

I am working on iPhone application which have login form to access application functionality same as website. now i want to add one button in iphone application that redirects user in to website in safari browser with successfully login.
After success login in to iPhone application, user want to check website in browser so i just need to add functionality that user can directly login in his account and redirect on particular page.
i have some basic idea for that we can do with encrypted username and password with url.
like http://xyz.com/login/username=abc&password=abc
but i know that its not secure way to pass username and password with url.
So please suggest me any other way if possible.
Any idea or alternative that how to implement this.
Thanks in advance.
There are a few ways to do it.
Any time you send password information over the Internet you want it to be encrypted over SSL. This will require an SSL Certificate for your web server though and it's not always possible.
You can also encrypt the username and password yourself in a way that only your web server will know how to decrypt. So the username "foo" could be turned into "oof" and the password "bar" could be turned into "rab". That way if someone intercepted your requests, they couldn't know what the username and password were without knowing how you changed them.
Why not pass the session id?
Here's what I mean: When you log in to a web site, typically you're assigned (or already have) a "session cookie" which essentially tells the server "This visitor has session ID 'XYZ'", and allows it to retrieve the server side information stored for that user (like who they are, that they authenticated, or whatever else you store in the session store.
One of the easier ways of moving to/from applications is to make sure that all logins generate a server side session, and provide a script which will overwrite the user's session cookie and redirect them to the proper page.
session_restore.php?sessionId=12345&redirect=HOME
The doubters here will argue that providing such a script is tenement to a security breach, but I would argue that all of this information is stored client side already, and can be accomplished without the server's intervention anyway. (session hijacking plugins for popular web sites exist for firefox that will grab session IDs from wireless networks - no technical skill needed)
Doing it this way just makes the process friendlier to the user, and if your site provides SSH access (which you really should be doing anyway) then the risk is very minimal.