I have to make an application after a login, take you to a window with a few options, which change according to the type of user you been logged (administrator, manager, normal user), I've created the login dialog and connected to the database, but do not know how to do that: 1.Java distinguish a user is admin, manager or normal. 2.You take a different window by type .. If you could help me would be very grateful, as I'm quite lost ... Thank you!
Okey, as you don't tell the application base (if web application, desktop application, used framework etc) then I will need to be very simple in my answer.
Install your database
Install your logintable and your data (e.g. admin / adminpwd; user / userpwd etc)
If Swing:
Create a login-window that asks for username and password
If admin then load admin-frame, if user load user-frame otherwise show error.
If Web application:
Create a simple login html form, asking for username and password
Do a user check in your Jsp/Servlet, put user-info in session and redirect to user-page if user, to admin-page if admin, otherwise error-page (you could make a simple check in pages to verify that user-info exists in session, in case of...)
This is a very very basic flow, you could of course make a group/role table/column that connects each user to a group. Which makes it easier when you have plenty of users.
There are many frameworks out there that makes this easier, but the basics are the same! ;)
Related
I am trying to use java code mention on link: http://www.nexttutorial.com/faq/azureAD/1/Azure-active-directory-graph-api-user-authentication-in-java - but I get below error:
java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS50055: Force Change Password.\r\nTrace ID: 7596cf92-f3d6-4baf-a0c9-d166a92d1500\r\nCorrelation ID: 8cccb074-4ae4-4c9b-932b-1f4ddcb514cb\r\nTimestamp: 2017-05-05 08:20:28Z","error":"user_password_expired"}
I haven't used the Java APIs, but I can tell you two things that are the core of the problem:
The user's password has expired
You are using Resource Owner Password Grant flow
You need to change the application to instead show a browser window so the user can reset their password. If you just want to test the code as is, you can open a new Incognito/private/InPrivate window and sign in to e.g. portal.azure.com with the user. That will allow you to make sure they have a working password.
But I would advise against using that sign in flow because of potential problems like this one.
The reason you get the error is that the user needs to set a new password, but the flow you are using cannot support that scenario. It also cannot support the scenario where the user account has MFA enabled/is a Microsoft account etc.
And by the way, if this app is intended not to be used by a user, but just run as is, I would suggest making it a daemon with application permissions on the necessary APIs and then use client credentials flow for authentication. No user account needed then, since the app has the needed rights.
Hi i have created my web application in java to authenticate my application i can check the credentials in active directory. If user typed his user name and password means it works fine.
My question is, if the user already logged in his personal computer which is present in the domain by using his username and password. If the user open my web application means i need to go inside the home page without typed the username and password in the login page. How can i do this? Thanks in Advance.
Once the user is logged in successfully you can store some attributes in the session. You can then check on each page load whether the session is valid before allowing access. At a more comprehensive level this can be done using a Filter. Read a little bit on sessions here https://docs.oracle.com/cd/E19644-01/817-5451/dwsessn.html
If you want to read credentials from a user's browser, as someone suggested search Single Sign-on (SSO). There are a number of ways SSO can be implemented by your application, Kerberos-SPNEGO might be most suited for your requirement. But you can make a call once you have better understanding of SSO concepts.
I need to develop a web application for the Intranet users. I don't want them to enter the login credentials each time they visit the site. It should be automatically loaded from the System Username and Password.
I have successfully implemented functionality which prompt user name and password registered with active directory and validate against LDAP. I need some tips to login directly from intranet website without prompt username & password.
Here is my queries, please let me know your suggestion.
Is it compulsory to set SPN?
Do we need to create separate keytab file for each client? In my organization, there is around 800 people are working so should I need to add all client principal in keytab file & copy to client machine to perform autologin.
I have tried many API's like JESSO, Waffle, Spring Kerberos, SPNGO but failed to implement auto login.
If you want to use Kerberos/SPNEGO (which would be my recommendation) you do have to set up SPN. And you only need one keytab for AD domain. Are you running your Java program on some app server, like Weblogic, or as a standalone program? Servers do have security framework that you could use, while for standalone program you'd have to do a bunch of stuff manually.
I've found that the easiest way to do this is to use Atlassian's Crowd (https://www.atlassian.com/software/crowd/overview) instead of implementing it yourself. It's a commercial product, but last time I checked, it was dirt cheap, and it just works.
I have a java application with GWT frontend, that do some stuff.
Now I want to implement users and their registrations, things like "forgot password", logging in and out.
My problem is - it is a thing, that almost everyone does at their application, but there are many things to do wrong (hashing passwords, somebody faking "forgot password", and so on), so there has to be some general solution or library.
And what I mean by that is both some GUI widget on client side and something for the server side, that would handle the user logins and save their passwords.
Does something like that exist?
Look here
It describes several things:
How to Create a 'login' page that is based on user/password authentication.
How to Store this data in a secure fashion on your server.
Allow users to 'remain logged in' for as long as you want so they don't have to
enter their user name and password every time.
and much more.
We have a web application where users can login.
Now what we want is that the same user should not be able to login using different browsers.
Basically currently a user using two different browsers (IE and FF) can log in to the same account at the same time. When you hit the login button, is it possible to invalidate all other logins for that account.
What is the best possible approach to do this?
PS: We are using Struts, Spring and Hibernate in our web application.
Thanks !
Doing this on server-side is your best bet. You can keep tract of logged-in users in your application context.
Well, a little hint. Make use of a Servlet Filter, say AuthFilter, and make validation, may be isAlreadyLoggedIn(), over there beside other validations like username/password etc.. Now after having this check in place, you either -- that it depends what you want to do with the user trying to log in, show the message that "user already logged-in", or you can let the user log-in and invalidate the previous session. As discussed here.
You can store the logged in user information in database or you can get it from Application context. and if the user is logged in already don't allow to make him another session.
Google uses some ip address mechanism to logout the user logged in another computer,instead of logging off in the same browser or tab.
May be we can use geoip database Geolitecity to save the user's ip + Balusc answer of storing session using user as the key and the ip address for the solution .
Have a column isLoggedIn in database. Set to Y , if it logged, if the same user log's in from the another computer or brower, invalidate the session. Mind to set it to N ,if session expires.
* For Best Read the Balusc's answer *
prevent-multiple-login-using-the-same-user-name-and-password using HttpSessionBindingListener.