I am working on a Perl Dancer web application that needs to accomplish two things in terms of authentication:
authenticate users based on Active Directory for access to the application
authenticate as the user to access a couple of .NET web services.
The application is being hosted as a CGI application by Apache on a Linux box, and I do not have much control over Apache's configuration.
Below is the workflow of the currently working application:
Display a login page to the user
When the user submits the form, use Authen::Simple::ActiveDirectory to verify the account is valid
Store the user's credentials using Dancer::Session::Cookie (encrypted cookies)
Display a search form to the user
When the user submits this form, use Authen::NTLM and SOAP::Lite to access the .NET services (similar to the example here) to perform a search
Display the results to the user
The handling of user credentials here concerns me, but I am generally new to web applications and authentication. For a small internal application, is this okay? If not, how do you suggest I improve this process? Like I said, the application as outlined above works, but I feel like it could/should be improved.
One (part of a) solution could be that you let your apache webserver handle the
authentication. You could use Kerberos for this.
So only permitted users can access your application. In that
case $ENV{REMOTE_USER} contains the username (e.g. foo.bar#MY.DOMAIN.COM).
If you need more information about the current user you can query your LDAP (containd in your Domain). I use a common (LDAP) user to get more information about the current user foo.bar#MY.DOMAIN.COM.
I know that this is only the fist part. I do not have experience useing/passing Kerberos tickets by SOAP. But if you mange to handle this, you have a clean SSO solution.
HTH
We do this in the Apache config. It requires something like the below. You'll need a read only password-less user to bind to Active Directory.
AuthName "Active Directory"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://server:389/OU=COMPANY,DC=COMPANY,DC=com?sAMAccountName,mail,name,extensionAttribute2,memberOf?base?(objectClass=user)
AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=ReadOnlyUser,OU=ServiceAccounts,OU=Users,OU=XXX,OU=COMPANY,DC=COMPANY,DC=com"
AuthLDAPGroupAttributeIsDN on
require valid-user
Related
I would like to have only one login screen, registration, profile and password recovery for all projects in my company. Basically a unified login or SSO.
So I made these screens using AWS Cognito and hosted them on the sso.mycompany.com domain and it's working fine.
But now I need to implement these screens in my other projects. How can I do this? I can't just copy the files, as this was done in Vue.js, and I would like to put these screens in projects done in Laravel, Wordpress, React, etc;
I thought of using an iframe loading sso.mycompany.com, but how do I return user data after login to the app that opened the iframe?
Basically that's it, I have authentication screens hosted on the sso.mycompany.com domain and I would like to use them on projectx.com, projecty.com, mycompany.com, etc.
Here is one solution that might work for you and might give you some ideas on how you could put together a solution. Unfortunately, Cognito out of the box doesn't come with a unified/universal login experience that you require. It also doesn't come with a lot of other features you might see from the big IdP platforms, but that is another discussion for another time :) The whole foundation of this solution is based off of a single domain, cookies and JWTs(access token, id token and a refresh token). It will still work for your apps on other domains, but the experience for your end users will be a bit sub optimal compared to if all your apps were on the same domain.
Because an app like projectx.com sits on a different domain then sso.mycompany.com, you have to somehow get a access token over to projectx.com after the user logs in through mycompany.com. You can simply just pass the access token through as a query param when you redirect the user back to projectx.com after a successful login on sso.mycompany.com.
I had a much longer answer with details, but stackoverflow won't let me post because it thinks my answer is spam??? Check my profile on how to contact me if you want the longer version with details.
According to the Cypress best practices, I should avoid using my login UI before each test. I'm struggling to do this using Oracle APEX because it appears the login process requires a lot more than just username and password.
I have used chrome's tamper data tool and Jmeter to inspect the mechanics of the Oracle APEX login process and, essentially, the login process has 2 steps:
(1) the login page redirects to a login page with a valid session id in the URL, seeded with dozens of time-sensitive unique ids.
(2) Upon submitting your username and password, a POST request is made to /ords/wwv_flow.accept with the username, the password and several other time-sensitive unique identifiers.
It appears that APEX requires something similar to following for a successful login:
p_json : {"salt":"108222855956905007172773085768141257328","pageItems":{"itemsToSubmit":[{"n":"P101_USERNAME","v":"jsmith"},{"n":"P101_PASSWORD","v":"Password123"}],"protected":"unDCYO1qmj_OAwtyYNo_yA","rowVersion":""}},
p_flow_id : 4000250,
p_flow_step_id: 101,
p_instance: 6589106753596,
p_page_submission_id: 108222855…,
p_request : LOGIN,
p_reload_on_submit : A
All of these variables (besides the username and password) are available in the login page but to get them I'd have to visit the login UI, which is what I'm trying to avoid. Am I thinking about this the wrong way?
I believe this is the wrong approach. As for Unit testing you have to accept some degree of variability in terms of production vs. pre-production.
Saying the above I think you need to consider some more "normal" approach such as:
Change passwords in Pre-Prod.
Alternate Authentication Scheme.
Alternate Build Option(s) based on your needs.
I am not sure about these best practices you mention, but the session information you might pass along you testing must be created by APEX engine on the server-side.
There is no such way to bypass the login by just passing some parameters to the server other than a proper credentials information. What you can do, however, is implementing a custom authentication schema in APEX that would authenticate (and would create your session) by using some token or some other custom way, for i.e., checking the browser agent, IP address, environment, I don't know.
This custom authentication schema isn't related to unit-testing though.
So, I'm adding on another app to a webapp that I'm building for my company, this one involving bill creation for invoices. Unless one has a specific account with my website, they should not be allowed to access this specific app.
I am using Django's built-in authentication system. My LOGIN_REDIRECT_URI is set to redirect to one of my apps. However, I would like for the login redirect to send the user to the app that they were previously in after login. How might I accomplish this?
Thank you in advance!
when user logs in to his desktop windows os authenticates him against Active Directory Server.
so Whenever he accesses a web page he should not be thrown a login page for entering his userid or password.Instead, his userid and domain need to be captured from his desktop and passed to the web server.(let him enter password after that)
Is this possible in python to get username and domain of of client?
win32api.GetUserName() gives the username of the server side.
Thanks in advance
Hmm... what you probably want to do is use Django's RemoteUserMiddleware and leave user authentication to the Web Server which can then be configured to handle it. The solution from Ntlm/Kerberos authentication in Django should work, but as mentioned it's a bit quirky - not all browsers support it correctly, and you have to modify browser settings for it to work.
What you want to do is called Single sign on (SSO) and it's much easier to implement on actual web server than Django.
So, you should check how to do SSO on Apache/Nginx/whateverYouAreUsing, then the web server will forward the authenticated username to your django app.
This sounds like a javascript question to me. I think you'll have to add javascript to your login page that attempts to access the details and returns them to the server.
I would have thought that there would be security measures to prevent this, however this question suggests others have managed something similar.
UPDATE
It looks like there might be some useful information in the django docs
I have requirement like, each user of the site
will be mailing any other user and I have rules for that communication
(let them aside for now). So user1 will be picking an email id like:
mypickeduser1n...#sitedomain.com and will be sending an email to
user2, whose email id will be like:
mypickeduser2n...#sitedomain.com. Like that any number of users will
be sending emails to any numbers of users. And any outsider should be
able to send an email to mypickeduser2n...#sitedomain.com. My question
is,So in this context, do I need to build my own smtp(setup mailing)
servers. I am totally a newbie in the smtp arena. Can I achieve the
email communication between the users without "mailing server"
configurations?
Can this be achievable?
You need a mail server. Even if local email is just directly deposited into a mail directory or database somewhere, something has to be responsible for accepting email from the outside world. I recommend postfix - it's powerful but easy to set up, and the config files don't look like Klingon.
If you want users to be able to create e-mail accounts in Django, you need Django, your MTA and your IMAP/POP server to use the same user account database.
I've successfully used the following setup:
PostgreSQL as the user database
Postfix as the MTA
Dovecot as the IMAP server
a custom Django app as the user account management front-end
virtual mail user accounts (not using Unix accounts)
I've only used the Django admin interface to let administrators manage the mail accounts, but a management UI for users is trivial to implement as well.
Some tips and sources of information for such a setup:
Design your database schema carefully. I based mine on howtos mentioned below with modifications for easier Django integration.
Take care that all components use the same encryption for user passwords.
two howtos (first, second) describing how Dovecot and Postfix can authenticate users using PAM and PostgreSQL as backend
a howto in German for Dovecot/Postfix/PostgreSQL
a howto for gluing together virtual user/domain support for Debian, Postfix 2 with SMTP AUTH, SASL2 with libpam-pgsql for Postfix, PostgreSQL and Dovecot
the Postfix PostgreSQL howto
You might also want to check out the Virtual Mail Manager command line tool for managing domains, accounts and aliases with a Dovecot/Postfix/PostgreSQL setup.
There are a few django apps out there to handle messaging between users, but the only one that seems to be active is:
django-messages
This gives you all the functionality you asked for, except for outsiders being able to send mail in to users.
This is a much harder problem and will certainly require a mail server and much custom code on your part.