Issues with programmatically logging into Spring Security. JSESSIONID comes with .undefined suffix - JBoss

Following is the code I'm using for programmatic login in my application.
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
// Build the token from the submitted credentials and attach request details (remote address, session id)
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userName, passWord);
token.setDetails(new WebAuthenticationDetails(request));
authentication = authenticationManager.authenticate(token);
// SLF4J placeholder: pass the principal as an argument, not by string concatenation
LOGGER.debug("Logging in with [{}]", authentication.getPrincipal());
SecurityContextHolder.getContext().setAuthentication(authentication);
After this a model is returned (without changing the URL; I can see username and role here). On that view there is a form, which submits to another link with the same role permission as the current user.
But when the user submits the form, Spring redirects to the login page and invalidates the session.
I have checked and found that the JSESSIONID is appended with .undefined (mS5YoJL3YfznQNuItNUeiLd6.undefined) and I suspect that this must be the problem.

I've checked it, and undefined was coming because of JBoss AS 7.1, and this whole issue was coming because I was not creating a session while auto login. I have changed the code and it's running perfectly. Thanks for your response.
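The fix the asker describes (create the HTTP session during the programmatic login so the security context is persisted and survives the next request) written out as an added example; this is not code from the question or the answer. It assumes the javax.servlet API that JBoss AS 7.1 ships, an injected AuthenticationManager, and stores the context under the session attribute key that Spring Security's HttpSessionSecurityContextRepository reads on the following request. The class name ProgrammaticLogin is hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical helper class; not part of the question or of Spring Security itself.
public final class ProgrammaticLogin {

    private final AuthenticationManager authenticationManager;

    public ProgrammaticLogin(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public Authentication login(String userName, String passWord, HttpServletRequest request)
            throws AuthenticationException {
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(userName, passWord);
        token.setDetails(new WebAuthenticationDetails(request));

        // Throws an AuthenticationException (e.g. BadCredentialsException) on failure,
        // so nothing below runs for a bad password.
        Authentication authentication = authenticationManager.authenticate(token);

        // Session fixation defence: drop any session that existed before the
        // credentials were verified, then create a fresh one for the logged-in user.
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            existing.invalidate();
        }
        HttpSession session = request.getSession(true);

        // Populate the thread-local context for the rest of this request ...
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);
        SecurityContextHolder.setContext(context);

        // ... and persist it in the session. This is the step the original snippet
        // was missing: with no session there is nowhere for the context to live, so
        // the next request (the form submission) arrives anonymous and is sent to
        // the login page. The key is the one HttpSessionSecurityContextRepository
        // looks up when SecurityContextPersistenceFilter runs on the next request.
        session.setAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
        return authentication;
    }
}
```

Setting the session attribute directly, rather than calling the repository's saveContext, keeps the example independent of the response-wrapper requirement older Spring Security releases impose when saveContext is invoked outside the filter chain.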


Where else can I find alternate login URL aside from $CFG->alternateloginurl

I'm currently troubleshooting a login issue for a deployed Moodle. The login page uses an alternate page which I have managed to identify. The alternate page considers everything except a successful login as an invalid or expired login or password.
Since some correct logins and passwords are also getting the same issue, I am trying to restore the Moodle instance to use its default login page, but did not find any $CFG->alternateloginurl configuration set in moodle.php. Kindly provide any pointers you can think of on where to look next to restore the login page.
PS: I've also searched within the active theme, and there have not been any code changes. It uses a variant of Moove.
Thank you
Rest assured that it's a common issue
https://docs.moodle.org/401/en/Managing_authentication#Alternate_login_URL
There is an entry in the database
SELECT *
FROM mdl_config
WHERE name = 'alternateloginurl';
Note the value, just in case, then blank it out
UPDATE mdl_config
SET value = ''
WHERE name = 'alternateloginurl';
Then purge the cache to update Moodle
php admin/cli/purge_caches.php
When you do manage to log in, check which other authentication methods are active via
Site administration > Plugins > Authentication > Manage authentication
https://docs.moodle.org/401/en/Managing_authentication
The default methods are manual and email self registration
Although self registration is disabled by default in the settings on the same page (registerauth)

HttpContext.User is null after successful login from SAML Identity Provider?

Trying to retrofit an old webforms application.
Got my configuration working so that it's prompting for login and successfully redirecting back to the application. The folks that manage the IP can see that the response is generated.
However, in the callback to my application the User is null. I'm told that if it's configured correctly it should be populated.
We have a custom IHttpModule, and that is where I can see it getting hit with the call to /Saml2/Acs with the User not populated. I think this may be expected, as the handler for that is supposed to populate the User? However the following call (the returnUrl configured in sustainsys.Saml2) still has no User, and I don't see any sort of error or anything.
Anyone with experience have an idea how to debug this?
The call to /Saml2/Acs should be taken care of by the Sustainsys.Saml2.HttpModule. It will process the response and then call the SessionAuthenticationModule to set a cookie that preserves the User across calls.
To get some more information about what's happening in the library, you can assign an implementation of ILoggerAdapter to Sustainsys.Saml2.Configuration.Options.FromConfiguration.SPOptions.Logger to get some logging output from the library.
My issue turned out to be that I had another authentication module loaded before SessionAuthenticationModule and Saml2AuthenticationModule in the web.config.
The comment in the example was:
Add these modules below any existing. The SessionAuthenticationModule
must be loaded before the Saml2AuthenticationModule
However, in my case I had another authentication module involved that needed to go last.

Own authentication service is used too late

Once again I created my own authentication service. This is registered and is also called. After submitting the login form (EXT:felogin) you get back to the same page, but felogin continues to show the login form. After a page reload, the logged-in state is recognized correctly and the status display is shown.
The same form works correctly with a normal, local FE user.
When debugging, authUser() correctly returns 200.
What could that be?
Besides authUser() returning 200, having a valid FE user (at least with uid, pid, username, usergroup) is necessary. My FE user was broken.
TYPO3 documentation - Authentication services:
One important thing to know is that the TYPO3 CMS authentication process needs to have users inside database records ("fe_users" or "be_users").

Loopback login with phone as username and verification

I've extended the User model in my loopback application and added phone number as a login method; I use the username field to do this. The only deal is that on login I get the 'email not verified' error. I have my own phoneNumberVerified field, and have overwritten the confirm method to validate the token against the emailVerificationToken and against the phoneNumberVerificationToken and update the corresponding flag. I thought of overwriting the original login method to disallow login only if both the emailVerified and phoneNumberVerified fields are false (not just the email), but I don't know how to actually do the login the way loopback does it (I believe it creates an AccessToken or something), and I'm asking for some help on how to do this, thanks XD. I can do the overwriting and validations myself; I just need to know how to do the actual login without using the original login method, since I'll be rewriting it.
So I figured out that I actually don't need email or phone number verified validation at all on login (later on in the workflow it will be required, but that'll be another use case, so it's irrelevant on login to me now XD). So when I was looking at how to overwrite the login method I realized that all the models' code is in the node_modules folder xD
node_modules/loopback/common/models/user.js
And found there in the login method a flag that controls whether it should check email verified or not, so in my startup script I just put this:
app.models.MyUser.settings.emailVerificationRequired = false;
That stops the email verified validation on login.
And maybe if some of you would like to override the login method, I believe copying the whole method from the original user model up there, attaching it to your model and doing some modifications might work xD. It invokes createAccessToken from the user model (itself) and that's what I believe creates the 'login'. What I came to understand is that there is no "session" data: it creates an access token when you successfully log in, and as I've been doing, just sending the token id with every request 'authenticates' your logged-in user.
Thanks for reading, have a nice day :)

Grails spring security facebook plugin redirecting to wrong page

I'm using the Grails Spring Security Core plugin and now adding in Facebook authentication via the Facebook Authentication for Spring Security Core plugin. I'm able to authenticate with Facebook, however it's always redirecting back to an incorrect URL. I want to redirect to localhost:8080/rar/user/home, however after login I'm redirected to localhost:8080/rar/#_=_. When logging in through a standard login form I am redirected properly to localhost:8080/rar/user/home.
My FB app settings have http://localhost:8080/rar/ for the Site URL. I'm using these plugins:
compile ':spring-security-core:2.0-RC2'
compile ":spring-security-ui:1.0-RC1"
compile ":spring-security-facebook:0.15.2-CORE2"
And have these config settings:
grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/user/home'
grails.plugin.springsecurity.facebook.filter.type='redirect'
grails.plugin.springsecurity.facebook.domain.classname='mvp.FacebookUser'
grails.plugin.springsecurity.facebook.domain.appUserConnectionPropertyName='user'
grails.plugin.springsecurity.facebook.appId='<APPID>'
grails.plugin.springsecurity.facebook.secret='<SECRET>'
grails.plugin.springsecurity.facebook.filter.redirect.failureHandler='redirectFailureHandlerExample'
grails.plugin.springsecurity.facebook.autoCreate.roles=['ROLE_USER', 'ROLE_FACEBOOK']
I don't think it matters for this problem, but I have a FacebookAuthService that implements create() to search for existing users with the same email address as the Facebook user, and merges the accounts if it finds one. Currently my redirectFailureHandlerExample does nothing but log a message, which is never hit.
Any help greatly appreciated!
You should set the following setting too in Config.groovy:
grails.plugin.springsecurity.facebook.filter.redirect.successHandler='redirectSuccessHandlerExample'
And in resources.groovy:
beans = {
    redirectSuccessHandlerExample(org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler) {
        defaultTargetUrl = '/rar/user/home'
    }
}