In our app (service provider), there is a security filter to prevent viewing certain pages. For example a user can view a.xhtml but not b.xhtml. The user can login to view a.xhtml. And if he type in the URL to b.xhtml, the security filter will redirect himi to an error page.
Using josso, before login, user may type the url to b.xhtml and would be redirected to josso login page. After successful login, user will be redirected to the "back_to" page, which will be b.xhtml. In this case the security filter is not triggered, the use can see b.xhtml!
Refresh on b.xhtml then will trigger the filter and send user to error page, but too late.
We use josso 1.8.5 and tomcat 7.0.26.
Please any guru can help?
Thanks
Related
I'm trying to use Form-Based Authentication feature of OWASP ZAP using ZAP's python API.
I noticed that while using a HTTP application (for example - http://demo.testfire.net/) it is able to spider and give additional URLs once logged in. However, when I try the same for HTTPS application it isn't fetching additional URLs once logged in.
My question here is - Does ZAP support Form-Based authentication for HTTP related web application only?
Yes, and we have a FAQ for it: https://github.com/zaproxy/zaproxy/wiki/FAQformauth
Its difficult to debug issues when just using the API, so I recommend using the UI first and once you've got that working then converting what you've done to the API.
Via the UI:
List item
Explore your app while proxying through ZAP
Login using a valid username and password
Define a Context, eg by right clicking the top node of your app in the Sites tab and selecting "Include in Context"
Find the 'Login request' in the Sites or History tab
Right click it and select "Flag as Context" / " Form-based Auth Login request"
Check that the Username and Password parameters are set correctly - they almost certainly wont be!
Find a string in a response which can be used to determine if the user is logged in or not
Highlight this string, right click and select "Flag as Context" / " Logged in/out Indicator" as relevant - you only need to set one of these, not both
Double click on the relevant Context node and navigate to the "Users" page - check the user details are correct, add any other users you want to use and enable them all
Navigate to the Context "Forced User" page and make sure the user you want to test is selected
The "Forced User Mode disabled - click to enable" button should now be enabled
Pressing this button in will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, ie by using the 'logged in' or 'logged out' indicator.
Via the API the process is the same but using the API calls:
context/includeInContext
authentication/setAuthenticationMethod
authMethodName : formBasedAuthentication
authMethodConfigParams : loginUrl=http://example.com/login.html&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D
authentication/setLoginIndicator or setLogoutIndicator
forcedUser/setForcedUserModeEnabled
The values for authMethodConfigParams parameters must be URL encoded, in this case loginRequestData is username={%username%}&password={%password%}
I am using external providers to login to my web app. (for example Google). In my custom userservice I get to AuthenticateExternalAsync and from there I want (if need to) redirect to Angular page.
public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
{
...
...
context.AuthenticateResult = new AuthenticateResult("~/externalregistration", user.Subject, name, identityProvider: user.Provider);
return Task.FromResult(0);
}
i have html page
at https://localhost:44300/Content/app/externalregistration.html
How do I map externalregistration to this page?
At the moment I get an error
https://localhost:44300/identity/externalregistration#
HTTP Error 404.0 - Not Found
thank you
Mark
The page for the partial login has to be with IdentityServer - see that it's looking for it at /identity/ and not /Content/app/.
If from your user service you issue a partial login, then that web page is entirely up to you to serve up from the server. If that partial login page needs to know the identity of the user, then it needs to be hosted in the same path as IdentityServer so the partial login cookie can be read on the server. If you then want that page to be a SPA, then you'd have to have some server side code issue something into the browser for your SPA to know the identity of the user. If you want that page to be a SPA and make Ajax calls back to the server, you need to include some XSRF protection.
All in all, custom partial pages are easiest implemented as standard server-rendered MVC pages.
I'd configure a oAuth connection with the official documentation. All works except getting the profile picture from facebook.
The front redirects the valid user to a custom user-bundle register (need more data)
The weird part: When I try to use "infos_url" param, it redirects the autenticated user to the original register form, not the custom one. Either use the custom FOSUserProvider that gets the data.
any ideas?
I would to change the default login page (to /content/ethz_ch/Login)
I configured tha page by the Day CQ Login Selector Authentication Handler
In ./launchpad/config/com/day/cq/auth/impl/LoginSelectorHandler.config I see
auth.loginselector.defaultloginpage="/content/ethz_ch/Login"
as expected.
I then configured a test page (/content/ethz_ch/de/auth_test.html) with a closed user group and left the login page field blank.
When accessing the test page, instead on the newly defined login page I am redirected to
https://..../system/sling/cqform/defaultlogin.html?resource=%2Fcontent%2Fethz_ch%2Fde%2Fauth_test.html&$$login$$=%24%24login%24%24
Any idea on what I am doing wrong?
In the Day CQ Login Selector Authentication Handler there is a Path Info setting which restricts the possible login pages:
A list of request extensions indicating requests for which the Login Selector Authentication Handler may request credentials. Any request whose extension is not one the listed extensions will not cause the credentials to be requested. If this list is empty the default list of html and htm is used. Note that the list entries must not have leading dots. Requests without extension or requests with trailing slashes (/) are always handled by the Login Selector Authentication Handler regardless of this configuration.
Specifying the Default Login Page with the full URL (with extension) solved the problem:
/content/ethz_ch/login.html
Omniauth branch 0-3-stable of git://github.com/intridea/omniauth.git
Rails 3.0.7
When Omniauth redirects a user to the Facebook auth dialog by making a GET call to "/auth/facebook", if that user clicks "Cancel" from the auth dialog, then we can the callback request
GET "/auth/facebook/callback?error_reason=user_denied&error=access_denied&error_description=The+user+denied+your+request."
which Omniauth immediately appears to redirect to:
GET "/auth/failure?message=invalid_credentials"
Unfortunately, when this is a response to an app. invitation generated by the FB request dialog, there is no identifying information on which user has "Canceled" out of the auth dialog. If we could send along some identifying information with the Omniauth request, we could allow ourselves to "remember" which user did the "Canceling" which would help us track explicit denials on the back end.
Is there any way to send along data with the call to "/auth/facebook" that would simply get repeated back to us in the resulting call to "/auth/facebook/callback"? This would be similar to the "data" parameter in the requests dialog documentation.
Thanks,
Wes
You can pass through a 'state' param which will be passed along to the callback url.
eg. you'd make a call to '/auth/facebook?state=SOME_INFO'
Then in the controller action that you route '/auth/facebook/callback' to, you retrieve just as you would a normal param:
info = params[:state]
The param must be named 'state'. This is mentioned in the omniauth-facebook documentation under the section 'Per-Request Options'.
https://github.com/mkdynamic/omniauth-facebook