I use an npa#****.onmicrosoft.com like azure AD account to send emails on my Java application.
However, it seems that if the password of the account is not changed periodically, an email authentication error will occur.
How can I work around this issue without having to periodically update the password on my Java application?
You are facing this issue due to the password expiry policy.
You can Set an individual user's password to never expire. You can follow the Microsoft Document which helps you in fixing the issue.
Related
I am trying to use java code mention on link: http://www.nexttutorial.com/faq/azureAD/1/Azure-active-directory-graph-api-user-authentication-in-java - but I get below error:
java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS50055: Force Change Password.\r\nTrace ID: 7596cf92-f3d6-4baf-a0c9-d166a92d1500\r\nCorrelation ID: 8cccb074-4ae4-4c9b-932b-1f4ddcb514cb\r\nTimestamp: 2017-05-05 08:20:28Z","error":"user_password_expired"}
I haven't used the Java APIs, but I can tell you two things that are the core of the problem:
The user's password has expired
You are using Resource Owner Password Grant flow
You need to change the application to instead show a browser window so the user can reset their password. If you just want to test the code as is, you can open a new Incognito/private/InPrivate window and sign in to e.g. portal.azure.com with the user. That will allow you to make sure they have a working password.
But I would advise against using that sign in flow because of potential problems like this one.
The reason you get the error is that the user needs to set a new password, but the flow you are using cannot support that scenario. It also cannot support the scenario where the user account has MFA enabled/is a Microsoft account etc.
And by the way, if this app is intended not to be used by a user, but just run as is, I would suggest making it a daemon with application permissions on the necessary APIs and then use client credentials flow for authentication. No user account needed then, since the app has the needed rights.
My employer has setup round-robin LDAP load balancing. This is causing issues with my web application (Java / Spring) that do user creation / maintenance. For example, when a user registers, we will assign a temporary password and send them an email. If they are quick to login with their temporary password, the new user may not have synced to the other LDAP servers. This usually isn't an issue as the sync is faster than email and we can always add a delay before sending the email. What is the most troubling is when they login with their temporary password.
Here is how the application handles the temp password login:
User logs in with the temp password.
Spring's AccountStatusUserDetailsChecker throws a CredentialsExpiredException which we catch in our UsernamePasswordAuthenticationFilter. We send them to a password setting page prompting them for their new password. When they submit, we fire of the password change to LDAP and then attempt to reauthenticate them with their new password (we don't prompt them to reauthenticate, we just reuse the password they just submitted). However, it is quite likely that the password change has not propagated to all the LDAP nodes behind the load balancer. So, we go into a loop with a delay and retry the authentication. Normally this works just fine but when the synchronization between the servers is bogged down, we can actually end up locking them out of their accounts.
Has anyone ran into this issue? Any elegant workarounds (oxymoron?) that maintains the integrity of Spring Security (e.g. we don't want to totally hack the AccountStatusUserDetailsChecker to allow a user with expired credentials to get a valid Principal).
The guys who setup the company's LDAP infrastructure just suggested that we maintain our LDAP connection throughout the password change flow but they don't understand that doing something like this in a web app isn't advisable as you're just asking for connection leaks.
I'm not sure about this issue I have, so maybe you can help me.
I have build a 2-Step Verification for an android app.
User sends his phone number from the app to the server via https
Server sends authentication code back to user via SMS (based on
Twilio/PHP)
User receives the code and can authenticate himself on
the server
At that point I can be sure that the user is the authenticated owner of the smartphone where the code has been sent.
If the user now restarts his phone and his app afterwards, how can I ensure that this user is still the same authenticated user?
Do I have to send some kind of credentials to the server each time based on the authentication code? Is this a safe and proper way to do this?
Thank you and best regards!
Dopser
A token number can be generated (similar to a cookie) which is stored both on the phone as well as the server database. The token number can be the verification code too, if you want to reduce the hassle of keeping track of another number.
You can store this token on your device using sharedpreferences or sqlite database, etc
Storage options on Android
On every onCreate() instance you can check if both the tokens match.
This way you can solve your issue.
You can do the same for all consequent activities.
The user should send the access token on each request.
You might need to consider the OAuth flow because your flow can be map to an OAuth token authentication. See here http://oauth.net/2/
You need to think about token/code validity in time as well.
Hope this helps.
As per this SO answer and other google search results, it seems that twitter has stopped supporting username and password based authentication to post updates. However to my surprise, when I downloaded this app, it amazed me as it simply allows me to send tweets using my username and password only, requiring no consumer key and consumer secrets. So how is that possible?
All the tutorial I went through after googling suggested that I need to register my app and use the access token for posting. This also requires entering some PIN if I use it in my app. What I want is that my app must allow the client to enter only username and password to post tweets. So how should I do that in java?
I would even welcome a solution which utilizes the above app only to post tweets.(e.g. using Runtime.getRuntime())
Also refer this unanswered SO question. This is similar to what I want to do. Only that I want to do it using desktop application.
Problem Description
I am writing application which must connect to the server and download some data from the server. The URL of the file witch must be downloaded is formatted as follow:
http://www.myserver.com/file.xml?username=xxx&password=xxx
Question
URL and password are not provided by the user, I simply keep them in the code and add to the URL where I need. My question is how can I keep securely password and username on the Android device.
I would advise against keeping any kind of credential (username) and authenticator (password) stored on your device, as well as transmitting them around; this is often considered a security flaw, since middle-man attacks can intercept the HTTP traffic and easily identify both.
I would recommend instead the creation a token engine that would associate temporary identifiers to users and devices. For example:
User ID 100 receives a temporary token, code A1S2D3F4 (randomly generated.)
The code is associated with the device ID AND200.
Whenever device AND200 tries to access the server, it would generate the following URL:
http://www.myserver.com/file.xml?t=A1S2D3F4
Notice that there is no content identifying the user, nor its credentials or passwords. You may check if the device generating the URL is the one the token was originally associated with. Adittional controls may be implemented to detect tokens being used out of their lifespan, and help identify malicious users.
In Android you can use Md5 encoding method for password encoding and if you need to save those user details then it store in the shared preference
Did you see if you can use Google OAuth2: http://developer.android.com/training/id-auth/authenticate.html
If not, do not send user name and password in the URL but in a HTTPS POST and the correct way is using SOAP web services.
Just as a hint there is a good talk on google io conference about security of android apps.
Link
They don't cover secure server communication explicitly but give some hints about it and provide an encryption library to simplify any encryption tasks.