jaaslounge spnego/kerberos ticket decryption aes-256 - aes

Has anyone done this with JAAS Lounge and aes256-cts? The jaaslounge KerberosEncData does not seem to have any implementation for this type of encryption.
Has anyone out there hacked together a working decryptor for aes256-cts-hmac-sha1-96?

I have already answered this before. Please search for it. You need the unlimited strength policy for Java.

Related

How to reset Principal attributeMap in Apereo CAS 6.1.x?

I am a beginner with CAS. I want to reset the Principal attributeMap after logging in successfully, and there is no solution in similar questions. Can anyone help me? Thanks for your advice!
CAS Version: 6.1.6
I want to reset the Principal attributeMap after logging in successfully, and there is no solution in similar questions.
The reason you can't "find a solution in similar questions" is because:
It cannot be done without a great deal of coding.
It's a bad idea. You cannot change the verified subject identity after it has been verified. Once the credentials are verified and the attributes are collected, that collection is final.
Rather than asking what is possible, it would be best if you described why you want to do this, and then folks can help you with alternatives once your use case and objectives are clearer.

Is KeyCloak FIPS compliant?

We are going to use Keycloak in one of our enterprise solutions. I would like to understand if Keycloak is fully FIPS 140-2 compliant, since we have compliance needs. There is a very limited amount of information that I could find regarding this online. For example:
http://lists.jboss.org/pipermail/keycloak-user/2015-October/003177.html
This is a pretty old link, so might not be updated with latest details.
If this is a wrong place to ask this question, kindly suggest the right one, if any. Thanks in advance!
After researching, it does appear that in the past year there is a FIPS-validated cryptographic module that can be used in Keycloak (Bouncy Castle).
One of the issues is that there is no FIPS 140-2 compliant MFA option for Keycloak. It only supports the Google Authenticator and FreeOTP apps.

How to achieve single sign on?

Now I have to implement the Java interface (controller).
But I do not know how to use the param (the ticket) and get info from
the param. The ticket is a secret key produced by the central authentication server.
Thanks a lot!
A similar question has already been answered on Stack Overflow; check the link below:
How to integrate two applications using single sign on. Hope this will give you some hints.

Migrating customer logins with encrypted passwords

I have a lot of accounts from an older version of a website that I need to migrate to a new version. Passwords are encrypted with bcrypt and I don't know what the salt was, what library, or anything like that. I only have the data from the database. What would be the best way to allow people to still use those accounts? One thought was the first time they try to login, send them an email getting them to update their password. Any other thoughts would be greatly appreciated. Project is running on MEAN stack if that matters.
UPDATE:
Is there a chance that it will just work? I tried an account that I knew the password for, and it seems to just work. Does bcrypt do some magic I am unaware of?
So, reading the following question's answer, I learned how bcrypt works, and since I am using the same algorithm (i.e. "2a") and the same power (i.e. "10"), it just works, since the salt is stored in the data. I also got two of the passwords for the accounts and tested them. They both worked perfectly.
How can bcrypt have built-in salts?

Encrypt a string and prevent reverse engineering in iOS

I am building an iPhone app, and I currently need to encrypt a string, store it in a file and be able to decrypt it later. As I understand, I can use symmetric encryption to do this, but my key for encryption/decryption can be reverse-engineered. Asymmetric encryption can solve this problem, but it seems I would need a server to send the data to decrypt with the private key. Does anyone know of a way I can encrypt/decrypt the string securely in a stand-alone app?
Thanks!
As with all matters concerning security, the question is: who are you defending against?
If you are trying to prevent the casual thief (or script kiddie) from reading an encrypted string, using the built-in iOS cryptographic services, such as the Keychain, can provide adequate-to-good security. Obviously the strength of the security will hinge in part on various factors beyond your control (notably, what sort of password lock, if any, the user has configured for the device).
The next level up would be symmetric encryption using a symmetrically encrypted key (i.e. one protected by a user passphrase). As #lukas noted, of course in principle this can be cracked, but from a practical standpoint if the user chooses a sufficiently strong passphrase for a sufficiently large key, a casual to intermediate-level attacker will be effectively thwarted.
If, on the other hand, you need to keep secrets, as Bruce Schneier would say, not from your kid sister but from major world governments, these approaches are likely to be insufficient, and you will have to explore other options, including but not limited to storing the string in multiple locations, using multiple keys, and multiple factors of authentication.
The lead Apple reference for all this (save the last option) is the Secure Coding Guide, which has references at the end of the opening page to the other more specific programming guides (covering, e.g., the Keychain and Cryptographic Services). I also heartily recommend Graham Lee's Professional Cocoa Application Security. If you want a theoretical foundation, the gold standard is Schneier's Applied Cryptography.
This basic question is asked pretty constantly on Stack Overflow. The answer is that you cannot obfuscate yourself to security against your own customers, and you should never spend excessive money trying. I recommend the following links to find the many previous discussions:
Best practices for iOS applications security
Secure https encryption for iPhone app to webpage
From the above you will find several more links. But the final answer is that you are likely trying to solve the wrong problem, and the problem you think you want to solve is unsolvable.
Does anyone know of a way I can encrypt/decrypt the string securely in a stand-alone app?
No. If someone has physical access to the data, it can be cracked. Make a web service to solve the problem.
Have you considered using Keychain Services?