Authentication Required Dialog - netbeans

I ran into a problem with the login screen in NetBeans RCP.
server side: GlassFish v3.1, EJB and HessianServlet with basic auth in web.xml
client side: NetBeans RCP 7.0 and server side API.
On the server a custom realm is used, and the client provides UserName and Password after the splash screen, in a custom login panel running on top of DialogDescriptor.
login panel code:
    public class Installer extends ModuleInstall {
        ...
        @Override
        public void restored() {
            DialogDescriptor loginDialog = new DialogDescriptor(panel, "Login Dialog");
            loginDialog.setModal(true);
            loginDialog.setClosingOptions(new Object[]{});
            loginDialog.setOptions(new Object[]{});
            loginDialog.setButtonListener(al);
            loginDialog.addPropertyChangeListener(new PropertyChangeListener() {
                @Override
                public void propertyChange(PropertyChangeEvent evt) {
                    // Closing the login dialog without logging in exits the application
                    if (NotifyDescriptor.CLOSED_OPTION.equals(evt.getNewValue())) {
                        LifecycleManager.getDefault().exit();
                    }
                }
            });
            DialogDisplayer.getDefault().notifyLater(loginDialog);
            ...
        }
    }
This login panel simply invokes one secured method on the server side, and if no exception happens and the returned String[] contains the user's Name and Surname, then the login screen is disposed and the RCP is shown to the client.
In the login panel:
    HessianProxyFactory proxy = new HessianProxyFactory();
    proxy.setUser(user);
    proxy.setPassword(password);
    LoginObject loginObject = xxx.create(LoginObject.class, "http://localhost:port/trali/vali");
    String[] value = loginObject.isAppUser("login name");
    if (value == null) {
        // message login failed
    } else {
        // dispose login screen and show main app
    }
Everything is OK as long as the client provides a correct user name and password, but if login fails on the server, NetBeans RCP pops up an Authentication Required dialog like the basic auth dialog in a web browser.
How to disable this dialog?
Thanks in advance!

Tools > Options > General
Proxy Settings: No Proxy
[OK]
That will stop the Proxy Authentication (FTP/SFTP) popup. Or set your proxy settings to something that works.

You can override this dialog with the method Authenticator.setDefault(Authenticator).
If you do attempt to disable the authentication, by overriding the default authenticator, you will need to take that into consideration in your client code... since you may get a stream of 'Unauthorized' responses.
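
An added example (not code from the question or its answers) of the `Authenticator.setDefault` approach: a non-interactive authenticator answers one server challenge with the credentials from the login panel and then returns null, so a wrong password surfaces as a plain 401 instead of a dialog or a retry loop. The local test server, the `/secure` path and the `alice` account are constructed for the demo.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpServer;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URL;

public class SilentLoginDemo {
    /** Answers one server challenge per login attempt, then gives up; never opens a dialog. */
    static final class LoginAuthenticator extends Authenticator {
        private final String user;
        private final char[] password;
        private boolean answered;

        LoginAuthenticator(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        protected synchronized PasswordAuthentication getPasswordAuthentication() {
            if (getRequestorType() != RequestorType.SERVER || answered) {
                return null; // proxy challenge or repeated 401: let the caller see the failure
            }
            answered = true;
            return new PasswordAuthentication(user, password);
        }
    }

    /** Returns the HTTP status of one login attempt against the constructed test endpoint. */
    static int login(URL url, String user, String password) throws Exception {
        Authenticator.setDefault(new LoginAuthenticator(user, password.toCharArray()));
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        try {
            return c.getResponseCode();
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        HttpContext ctx = server.createContext("/secure", ex -> { ex.sendResponseHeaders(200, -1); ex.close(); });
        ctx.setAuthenticator(new BasicAuthenticator("demo") {
            @Override
            public boolean checkCredentials(String u, String p) {
                return "alice".equals(u) && "correct-horse".equals(p);
            }
        });
        server.start();
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/secure");
        // Failing attempt first: HttpURLConnection caches accepted credentials and reuses them.
        System.out.println("wrong password -> " + login(url, "alice", "guess"));
        System.out.println("right password -> " + login(url, "alice", "correct-horse"));
        server.stop(0);
    }
}
```

In the login panel the returned status (or the exception the remote call throws on a 401) is what drives the "login failed" message.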

disable your proxy configuration by going to tools->option->general->no proxy

Related

Keycloak : implement "reset password" (as admin) flow same as "forgot password" (as user)

I would like to implement this authentication flow in Keycloak:
1. A user creates an account by typing only his email
2. The user is logged in and can access my service
2'. At the same time, an email is sent to him, allowing him to "finalize" his account
3. The user leaves his session -> to reuse my service, he must click in the received email
4. By clicking in the received email, the user defines his first password
5. The user is then logged in automatically (without going through a login page).
The objective of this flow is to be the simplest, to hook users who are not used to webapps.
The implementation I would do:
Create an account without password request: I customize the Keycloak Registration flow by disabling the Password Validation and Profile Validation rules
Programmatically, in my webapp, at the first connection of a user, via the REST Admin API, I trigger the email action UPDATE_PASSWORD
I get something that works, but:
A. The link received by email redirects to an intermediary page confirming the execution of actions ("Perform the following action (s)") - (similar to Keycloak Implement Reset password flow same as forgot password flow)
B. The user is then redirected to a login page, and not directly connected to the application.
When, as a normal user, I trigger a reset password request (through 'forget password' feature), the process is the one I want: by clicking on the email link, I go directly to the page allowing me to enter and confirm a new password, then I'm authenticated.
My question: Do you see a way to implement this 'simplified' flow?
My keycloak version : 11.0.2
Thank you !
I could remove the "info.ftl" page display, customizing the "ExecuteActionsActionTokenHandler", as explained here :
action-token-spi
You have to create a file :
src/main/resources/META-INF/services/org.keycloak.authentication.actiontoken.ActionTokenHandlerFactory
containing the name of the class you want to use instead :
com.example.ExecuteActionTokenHandlerFactory
Then you create that class com.example.ExecuteActionTokenHandlerFactory with the following code :
    public class ExecuteActionTokenHandlerFactory extends ExecuteActionsActionTokenHandler {
        @Override
        public Response handleToken(ExecuteActionsActionToken token, ActionTokenContext<ExecuteActionsActionToken> tokenContext) {
            AuthenticationSessionModel authSession = tokenContext.getAuthenticationSession();
            String redirectUri = RedirectUtils.verifyRedirectUri(tokenContext.getUriInfo(), token.getRedirectUri(),
                    tokenContext.getRealm(), authSession.getClient());
            if (redirectUri != null) {
                authSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
                authSession.setRedirectUri(redirectUri);
                authSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri);
            }
            token.getRequiredActions().stream().forEach(authSession::addRequiredAction);
            UserModel user = tokenContext.getAuthenticationSession().getAuthenticatedUser();
            // verify user email as we know it is valid as this entry point would never have gotten here.
            user.setEmailVerified(true);
            String nextAction = AuthenticationManager.nextRequiredAction(tokenContext.getSession(), authSession, tokenContext.getClientConnection(), tokenContext.getRequest(), tokenContext.getUriInfo(), tokenContext.getEvent());
            return AuthenticationManager.redirectToRequiredActions(tokenContext.getSession(), tokenContext.getRealm(), authSession, tokenContext.getUriInfo(), nextAction);
        }
    }
Actually it is the same implementation as the upper class, except we removed the following part :
if (tokenContext.isAuthenticationSessionFresh()) {
...
}
which means that if the user did not have a session, which happens when the user is resetting his password, he is redirected to that "info.ftl" page.
As a workaround for problem A, I customize info.ftl template page. I add an ugly inline script to click on the link, redirecting automatically to the update password page.
<#import "template.ftl" as layout>
(...)
<#elseif actionUri?has_content>
<p><a id="yolo" href="${actionUri}">${kcSanitize(msg("proceedWithAction"))?no_esc}</a></p>
<script>document.getElementById('yolo').click()</script>
(...)
It'll do the job until I find a cleaner solution.
At the moment, B problem remains.

Why Wicket redirects to the home page after tomcat restarting?

Let's say I have three pages in my application: SignInPage, HomePage and AnotherPage.
When I open the application for the first time it shows me SignInPage. After authorization it redirects me to HomePage. After that, I manually open AnotherPage, restart the servlet container, and press the F5 button. And Wicket redirects me to HomePage again, not to AnotherPage. Why does this happen and how to avoid that?
--
All pages are mounted with the mountPage method. Each page is stateful and has the @AuthorizeInstantiation annotation. The application class extends AuthenticatedWebApplication and overrides methods like this:
    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return SignInPage.class;
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }
Also, in the config I have the following row:
getApplicationSettings().setPageExpiredErrorPage(ErrorSessionExpiredPage.class);
(But I've never seen this page open)
Update:
The solution is to add the following code to the SignInPage class:
    @Override
    protected void onBeforeRender() {
        if (((AuthenticatedWebSession) Session.get()).isSignedIn()) {
            continueToOriginalDestination();
            setResponsePage(Application.get().getHomePage());
        }
        super.onBeforeRender();
    }
When you restart the servlet container it loses all its sessions. On the next request Wicket detects that this is a new http session and should redirect you to the SignInPage, not directly to the HomePage. Only after successful authentication you should see the HomePage.
If you use Component#redirectToInterceptPage(Page) + Component.continueToOriginalDestination() then you can land at AnotherPage after successful authentication. See Component.continueToOriginalDestination()'s javadoc for more information.
restarting the servlet container gives you new session without information which pages expired so that's why you are redirected to HomePage.
Please check this: https://users.wicket.apache.narkive.com/3OtYz8xj/pageexpiredexception-not-working-on-session-expired-wicket-1-5-11

Handle session time out with Wicket

I'm working on a Wicket legacy project and I'm trying to fix a bug with the session time-out.
Basically I'd like to have a redirect to a custom error page after the session times out.
This is what I did:
web.xml :
<session-config>
<session-timeout>1</session-timeout>
</session-config>
in the application class:
    @Override
    public void init() {
        super.init();
        getApplicationSettings().setPageExpiredErrorPage(ErrorMessagePage.class);
    }
This is not working. I mean after session time out, nothing happens.
What am I doing wrong?
EDIT 04.05.20
Based on the feedback from Martin I tried to implement a session validity checker:
    public class SessionValidityChecker implements IRequestCycleListener {
        @Override
        public void onBeginRequest(RequestCycle cycle) {
            HttpServletRequest request = (HttpServletRequest) cycle.getRequest().getContainerRequest();
            // false when the request carried a session id that the container no longer knows
            boolean sessionValid = request.isRequestedSessionIdValid();
            if (!sessionValid) {
                cycle.setResponsePage(SessionExpiredPage.class);
            }
        }
    }
and in Application.class
    public void init() {
        super.init();
        getRequestCycleListeners().add(new SessionValidityChecker());
    }
Also, what I maybe should have specified in my first post is that I use the Wicket SignInPanel for authentication. After timeout, I'd like the user to be logged out and redirected to a specific page.
This is what I've tried with the above code, but after session time out, no redirect happens. Even worse, the user is still signed in. What am I missing?
You are mistaking page expiration with session expiration.
Stateful pages are stored in a PageStore (disk) and the store may grow up to some predefined size. Once this size is reached the oldest page is removed to make room for the newest one.
If your user uses the browser Back button many times at some point Wicket will throw PageExpiredException for the deleted page.
In your case when the session expires usually the web server (e.g. Tomcat) will just create a new one. If your application has authentication enabled then it will detect that there is no authenticated user in the new http session and most probably will redirect the user to the login page.
If there is no authentication in place then Wicket will create a new instance of the requested page and render it. You can change this by changing PageSettings#recreateBookmarkablePagesAfterExpiry to false
(see https://github.com/apache/wicket/blob/79f63f66eb588a5d69e9feff7066f1244f61f387/wicket-core/src/main/java/org/apache/wicket/settings/PageSettings.java#L46)
You may use the javax.servlet.http.HttpServletRequest#isRequestedSessionIdValid() method to find whether the request came with an expired JSESSIONID cookie/url. If it is false then the web server just created a new HttpSession. You can do the check in Wicket's IRequestCycleListener#onBeginRequest()

Why AspNet Core 2.2 server side created cookie missing in Facebook WebView?

We have run into a problem using aspnet core 2.2 with Facebook WebView (https://developers.facebook.com/docs/messenger-platform/webview/).
The issue occurs only in desktop browsers using chat function in messenger.com or facebook.com.
We have developed a chatbot and there are buttons in the conversation. When the user clicks that button a WebView shows our webpage.
This web application is an aspnet core mvc webapp (hosted in Azure App Service) where a controller action at server side creates a cookie and writes it into the Response.
    var cookieOptions = new CookieOptions()
    {
        IsEssential = true,
        Expires = DateTime.UtcNow.AddYears(1),
    };
    Response.Cookies.Append("COOKIE_NAME", "cookievalue", cookieOptions);
When this page loaded from a Facebook WebView (from a FB chatbot) the cookie created above (on server side) is missing.
In the aspnet core web project Startup.cs cookie middleware is configured like this:
    public void ConfigureServices(IServiceCollection services)
    {
        ...
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => false;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });
        ...
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        ...
        app.UseCookiePolicy();
        ...
    }
What I've tried:
if the same cookie inserted from client side javascript, the cookie is available in Facebook webview.
document.cookie = "COOKIE_NAME=cookievalue";
Same scenario works correctly using asp.net fwk 4.7.2 and Facebook webview.
from a mobile app (messenger) it works as I expected, cookie available
I think the problem source could be in the WebView, because the page works perfectly when loaded from a normal browser – not from WebView (Chrome, IE, Edge, FF, Safari, etc), both cookie (server and client side created) are available.
What could be the problem with scenario using aspnet core 2.2 and Facebook WebView?
Thanks for helping!
At the end I found the problem. The chrome's cookie policy settings changed: https://www.google.com/chrome/privacy/
That's why I ran into the problem above.
Solution:
I have to change these cookies' SameSite settings to 'SameSiteMode.None'.
    var cookieOptions = new CookieOptions()
    {
        Secure = true,
        SameSite = SameSiteMode.None,
        IsEssential = true,
        Expires = DateTime.UtcNow.AddYears(1),
    };

Liferay : How to show a Configured Page once User Enters Valid Credentials

I am using Liferay version 6.1.
Once a User enters http:localhost, I am displaying my Web Page called "/ravi" which consists of my Custom Portal as shown.
I have configured the properties below under portal-ext.properties as shown
auth.forward.by.last.path=true
default.landing.page.path=/web/guest/ravi
Please see the screenshot of my Custom Portlet shown when the user enters http:localhost
Now my requirement is that I need to show another page ("/web/guest/test") if he enters valid credentials.
In my processAction class, I am doing it this way
    public class ValidateUser extends MVCPortlet {
        public void processAction(ActionRequest request, ActionResponse response) {
            String userName = (String) request.getParameter("userName");
            String password = (String) request.getParameter("password");
            try {
                // Contacts DB and validates the credentials here
                // Please let me know how I can show the Configured Page if his credentials are valid ??
            }
            catch (Exception e) {
            }
        }
    }
Edited Part
Thank you very much for the answer with respect to the default login.events.post.
I am new to Liferay, so I may be making a mistake here, so please help me if I was doing anything wrong.
I followed these steps:
1. Created a New Portlet named "MyLogon" Portlet and in its view.jsp created a form with two text fields (Login and Password) and a submit button.
On click of that Submit Button, I was actually calling my processAction Method and making a DB call to validate Users from the mysql db.
2. Then I created a page inside /web/guest/ravi and added this "MyLogon" Portlet to this new page /web/guest/ravi
3. Then configured the properties below under portal-ext.properties
auth.forward.by.last.path=true
default.landing.page.path=/web/guest/ravi
This is what I did.
And when entering http:localhost:8080, it displayed that page.
Please tell me if I am doing anything wrong
Edited 2nd Part
I have understood some part of your answer and I have these questions.
Could you please help
I need to validate Users based on the Data present inside my DataBase, so for this I need to do the things below.
I need to create a Hook, to override this property
login.events.pre=com.LoginAction
    public class LoginAction extends Action {
        public void run(HttpServletRequest req, HttpServletResponse res) {
            // Here I need to make a Database call to validate User Credentials and then redirect him to the page I wanted ??
        }
    }
You need to create a Hook and override the default login.events.post
Below code for your reference,
    public class LandingPageAction extends Action {
        public LandingPageAction()
        {
        }

        public void run(HttpServletRequest request, HttpServletResponse response) throws ActionException
        {
            try
            {
                doRun(request, response);
            }
            catch(Exception e)
            {
                throw new ActionException(e);
            }
        }

        protected void doRun(HttpServletRequest request, HttpServletResponse response) throws Exception
        {
            // The session has to be taken from the request before the attribute can be set
            HttpSession session = request.getSession();
            String homeRedirect="/web/guest/test";
            LastPath lastPath = new LastPath(StringPool.BLANK, homeRedirect);
            session.setAttribute("LAST_PATH", lastPath);
        }
    }
There are few things which I don't understand here. You are hitting localhost:8080, but screen shot shows that you are already logged in (there is a SignOut link and user Ravi Kiran is already logged in), but still there is a login page shown.
default.landing.page.path comes into the picture when you are a logged-in user. Are you hitting localhost:8080 or localhost/web/guest/Ravi ? You are not logged in yet, so it should not redirect to /web/guest/Ravi.
You could reuse the default Authentication code in Liferay. Not sure why you are taking User credentials from request parameters and making DB call yourself.
Edited as per the update in the question
1. The default Login Page of Liferay (the one that you see when you freshly download and hit localhost:8080) comes from this path
..\default\deploy\ROOT.war\html\portlet\login.
There is a login.jsp in this path which you can edit and give your own look and feel.
You can find below entry in this login.jsp page
<portlet:param name="struts_action" value="/login/login" />
This has a corresponding entry in ../deploy/ROOT.war/WEB-INF/struts-config.xml
<action path="/login/login" type="com.liferay.portlet.login.action.LoginAction">
<forward name="portlet.login.login" path="portlet.login.login" />
</action>
You can open up the source code and look into com.liferay.portlet.login.action.LoginAction method.
This performs a basic Authentication as per your passwords.encryption.algorithm= and passwords.digest.encoding= configuration in the portal-ext.properties file. LoginAction will perform basic authentication and will redirect all users as per the path mentioned in default.landing.page.path=
If you want (some) Users to redirect to (some) other path (conditionally), you can use the code I have mentioned above by writing a Hook.
2. Once authenticated, you can login and create a Page (in your case it's "ravi"). You can add your custom Portlet to this Page. You should not write a custom portlet which will do authentication once you are already logged in