For one of our FBA enabled SharePoint site, we need to access various web services. I know that we need to invoke Authentication.asmx before we make any other SP web service call.
How do I get the currently logged in user's username & password to pass to the Authentication.asmx service?
Thanks.
Update: I tried Marek's solution with a known username and password and got a 401 for Authentication.asmx. So probably some settings are off. The admin is looking into it.
MembershipUser user = Membership.GetUser();
string username = user.UserName;
string password = user.GetPassword();
Authentication auth = new Authentication();
auth.CookieContainer = new CookieContainer();
LoginResult result = auth.Login(username, password);
if (result.ErrorCode == LoginErrorCode.NoError)
{
CookieCollection cookies = auth.CookieContainer.GetCookies(new Uri(auth.Url));
Cookie authCookie = cookies[result.CookieName];
Lists lists = new Lists();
lists.CookieContainer = new CookieContainer();
lists.CookieContainer.Add(authCookie);
lists.GetListCollection();
}
However, depending on the settings of the membership provider (is password stored in plain text, encrypted or hashed? is it required to pass the security answer to get the password?) retrieving the password may be more difficult or even impossible and you will need to ask the user for it.
Related
I'm trying to create a user using Googles Directory API and a service account. However I'm getting the error
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://admin.googleapis.com/admin/directory/v1/users?alt=json returned "Not Authorized to access this resource/api". Details: "Not Authorized to access this resource/api">
I've created a service account on the Google Console and allowed Domain wide delegation. It also says the Admin SDK API is enabled for my project. However I can't seem to create a user. The documentation is confusing me slightly. Here is my implementation
def create_googleuser(content, randpass):
''' This function creates a Google Apps account for a user passing webhook contents and password as arguments '''
# Get User info from Webhook and store them in variables
firstname = get_firstname(content)
secondname = get_secondname(content)
emailaddress = firstname + "." + secondname + "#example.com"
# Connect to google API
userscope = ['https://www.googleapis.com/auth/admin.directory.user']
service_account_credentials = ('serviceaccountcredentials.json')
credentials = service_account.Credentials.from_service_account_file(service_account_credentials, scopes=userscope)
userservice = googleapiclient.discovery.build('admin', 'directory_v1', credentials=credentials)
# Create a user dictionary with user details
userinfo = {"primaryEmail": emailaddress,"name":{"givenName":firstname,"familyName":secondname},"password":randpass}
print (emailaddress)
# Create user through googleAPI
userservice.users().insert(body = userinfo).execute()
I'm thinking that my implementation is wrong rather than the permissions as the serviceaccountcredentials.json should have the correct permissions. Any suggestions?
There are two possibilities for getting this error.
If the API method requires an impersonated user to be used.
If the impersonated user has not the relevant service enabled.
Solution for case 1:
Follow the documentation to impersonate a user account.
Solution for case 2:
In the Admin console, open user information and check that the user is not suspended.
Open the "Apps" panel and check that the relevant service is "On".
May be caused by a user not having a license which allows access to the service (Cloud Identity instead of Google Workspace), or a user being in an organizational unit which has the service disabled.
Also this link might be helpful.
Thanks for the input. You were both correct to a point. Basically there were two issues. The service account user needs to be delegated domain administrator privileges that require domain admin actions, domain wide delegation isn't enough. Also the domain scope needed to be broader in the Admin console and the scope definition within the code. There is github issue open which helped here:
https://github.com/googleapis/google-api-nodejs-client/issues/1884
My working code looks like this
def create_googleuser(content, randpass):
''' This function creates a Google Apps account for a user passing webhook contents and password as arguments '''
# Get User info from Webhook and store them in variables
username = get_username(content)
firstname = get_firstname(content)
secondname = get_secondname(content)
emailaddress = firstname + "." + secondname + "#example.com"
# Connect to google API
userscope = ['https://www.googleapis.com/auth/admin.directory.user', 'https://www.googleapis.com/auth/admin.directory.user.security']
service_account_credentials = ('serviceaccountcredentials.json')
credentials = service_account.Credentials.from_service_account_file(service_account_credentials, scopes=userscope)
delegated_credentials = credentials.with_subject('domain.admin#example.com')
userservice = googleapiclient.discovery.build('admin', 'directory_v1', credentials=delegated_credentials)
# Create a user dictionary with user details
userinfo = {"primaryEmail": emailaddress,"name":{"givenName":firstname,"familyName":secondname},"password":randpass}
# Create user through googleAPI
userservice.users().insert(body = userinfo).execute()
I'm using WSO2 5.10.0 and I configured it in order to use a JDBC User Store. The RDBMS is PostgreSQL.
I noticed that WSO2 IS is using a case-insensitive username strategy to let the access to the resources. Basically I can user my username all in uppercase or lowercase and I'll always be able in get the access. I need strongly to avoid this. I tried what there is written here https://is.docs.wso2.com/en/latest/setup/configuring-the-authorization-manager/#configuring-the-authorization-manager_1 but I can always get the access by using case-insensitive usernames
Is there any configuration I'm missing? Or is this the only way to get the access?
Angelo
EDIT
As suggested i changed my user store as I show:
#COME PRIMARY STORE USO IL DB POSTGRESQL
[user_store]
type = "database_unique_id"
url = "jdbc:postgresql://XXXX:YYYY/wso2is_primary_user_store"
username = "user"
password = "pwd"
driver = "org.postgresql.Driver"
properties.CaseInsensitiveUsername = false
I tried to access with an user both by using username in lower case and in upper case.
EDIT 2
I changed the deoplyment.toml in this way:
#COME PRIMARY STORE USO IL DB POSTGRESQL
[user_store]
type = "database_unique_id"
properties.CaseInsensitiveUsername=false
[database.user]
url = "jdbc:postgresql://xxx:yyy/wso2is_primary_user_store"
username = "username"
password = "password"
driver = "org.postgresql.Driver"
[realm_manager]
data_source = "WSO2USER_DB"
In this way for new users usernames are case sensitive. For old users usernames seem to remain case insensitive. I need to deeply investigate.
By default in WSO2 Identity Sever the Case Insensitive Username configuration is in active state. You can deactivate that configuration by adding the following configuration to the deployement.toml file located in IS-HOME/repository/conf/deployement.toml location.
[user_store]
properties.CaseInsensitiveUsername = false
Also if you need to change the configurations for a JDBC User Store please refer https://is.docs.wso2.com/en/latest/setup/configuring-a-jdbc-user-store/
I need to validate user credentials from external service, therefore I'm using the VirtualUser authentication.
BuildVirtualUser, checking for the roles to set to him, saving the user Profile and then login with that name.
I'm facing a problem, that everyday that i login, with the same credentials Sitecore creates a new user in Experience Profile.
What i need to change in my code to assure that, with virtual user login, Sitecore gets the old experience profile of the user?
I was thinking in creating the user in sitecore with same generic password. Instead of using the virtual user, and authenticate directly with sitecore. Is that correct?
Here's my code:
Sitecore.Security.Accounts.User user = Sitecore.Security.Authentication.AuthenticationManager.BuildVirtualUser(sitecoreUser, true);
string roleName = #"newRole\User";
Sitecore.Security.Accounts.Role demoRole = Sitecore.Security.Accounts.Role.FromName(roleName);
if (Sitecore.Security.Accounts.Role.Exists(roleName) && !demoRole.IsMember(user, true, false))
{
user.Roles.Add(Sitecore.Security.Accounts.Role.FromName(roleName));
}
user.Profile.Name = name;
user.Profile.Email = email;
user.Profile.FullName = fullname;
user.Profile.Save();
Sitecore.Security.Authentication.AuthenticationManager.Login(user.Name);
Tracker.Initialize();
Code looks fine, but you miss one important thing: to identify your user/contact.
You need to add next line of code:
Tracker.Current.Session.Identify(email);
Please check next link to find more information about how to identify contacts:
https://doc.sitecore.net/sitecore_experience_platform/setting_up__maintaining/xdb/contacts/identifying_contacts
I have this shiro.ini:
[main]
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = java:/comp/env/jdbc/myDS
# JDBC realm config
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = "SELECT password FROM user WHERE username = ?"
jdbcRealm.dataSource = $ds
credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
# base64 encoding, not hex in this example:
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024
jdbcRealm.credentialsMatcher = $credentialsMatcher
[urls]
/logout = logout
/** = authcBasic
Im debbuging JndiRealm in doGetAuthenticationInfo. I get an exception when shiro try to execute my authenticationQuery in getPasswordForUser method. Those are the lines that execute the select:
ps = conn.prepareStatement(authenticationQuery);
ps.setString(1, username);
My atuthenticationQuery is "SELECT password FROM user WHERE username = ?" so trying to access position 1 is invalid since it starts from position 0. Is that a bug on JndiRealm from apache shiro or i wrote my sql wrong?
Looks like you have a simple mock implementation of a realm.
For logging in to work, you needs 2 steps:
authentication (is the username/password correct)
authorization (what is the user allowed to do)
Looks like you have only created the first step, but you are just giving back the password in the return statement.
Shiro will hash the password that was entered by the user. You should have the same hash stored somewhere in your database. In the doGetAuthenticationInfo you should do a lookup based on the username that was entered and retrieve the hash (either from the db, or disk or whatever you prefer), that is what you should put in the SimpleAuthenticationInfo object and return, shiro will do the user password hashing and comparison for you.
For the second step, override the method doGetAuthorizationInfo. You could let it return an instance of SimpleAuthorixationInfo containg a set of permissions, the simplest being "*", when it has access to everything.
Creating such a method can be as simple as:
#Override
public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//here you can create custom permissions based on the principal
//that has been authenticated using your own logic
info.addStringPermission("*");
return info;
}
I would like the feature for the sign in box to have the username and password automatically filled in if the user has previously been on the site and logged in successfully before. I see this implemented on many sites so I figured theres a way to do this without creating a security risk.
EDIT: According to a post this is a browser feature and should not be implemented in code because its never safe to store password anywhere.
Edited the code to reflect a new direction where Im only storing the username. However, Im not sure what to look for to see if its working. I tried to login then logout, then go to login screen again but username box still blank when the view loads in. Not sure if its the code or Im testing it the wrong way.
Login POST:
[HttpPost]
public ActionResult Login(LoginModel model)
{
if (ModelState.IsValid)
{
if (Membership.ValidateUser(model.UserName, model.Password))
{
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
return Json(new { ok = true, message = "Login successful." });
}
}
return Json(new { ok = false, message = "The username or password you entered is invalid. Please try again." });
}
Login GET:
[HttpGet]
public ActionResult Login(string path)
{
LoginModel model = new LoginModel();
HttpCookie authCookie = System.Web.HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName.ToString()];
if (authCookie != null)
{
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
if (authTicket != null & !authTicket.Expired)
{
model.UserName = authTicket.UserData;
}
}
return PartialView(path, model);
}
There are couple of issues with your code. The first one is that you are adding the cookie to the Request object instead of adding it to the Response => Response.Cookies.Add(authCookie);.
The second issue is that you are creating a non-persistent cookie meaning that it will only live through the browser session. Once the user closes the browser it will be gone forever because it was never stored on the client computer. In order to create a persistent cookie you need to specify an expiration date for it which will obviously correspond for how long this cookie will be persisted on the client computer. For example if you wanted to remember for 5 days:
HttpCookie authCookie = new HttpCookie("authCookie", "cookieValue")
{
Expires = DateTime.Now.AddDays(5)
};
Another issue is that you are storing only the MD5 hash of the password inside the cookie and you expect to be able to decrypt it later with FormsAuthentication.Decrypt which is not possible. This method can decrypt values that were encrypted with the Encrypt method.
And the biggest problem of them all is the security: you should never be storing any password related stuff anywhere. The username should suffice. Browsers offer the possibility to remember passwords for given site. I would recommend you using this functionality instead of doing what you are doing.
Another possibility is to emit a persistent authentication cookie when the user logs in, so that even if he closes the browser he will be remembered as authenticated for the validity period you specified in this authentication cookie.
you don't need the actual password for the user to make sure he logged in previously. You shouldn't even save the actual password in the database. You usually only save a salted hash of that password. When the user logs in, you create a hash for that password and compare it with the hash stored in the database. If they match, he entered the correct password.
As for storing login information in a cookie, i'd then store a salted hash of that password hash in the cookie. Upon GET, you just create a salted hash of the stored password hash and compare it with the one from the cookie. If they match, the login cookie is valid. That way you never actually store any user password anywhere.
To make this more secure, the login page should be secured by SSL, otherwise the password would at least once be transmitted unencrypted.
If you're using SQL, you can generate a random number when the user first logs on. Store this number in the Users table, and also as a cookie on the user's machine. The user can then authenticate by comparing the random number with that stored on the server.
It's a good idea to timestamp the login though, so it expires after a set period of time.