Is it possible to allow users to access a specific page in Alfresco Share? For example, which user or user group can access which page.
Not really, unless you can map your users to the fixed set of (site independent) roles (none, guest, user, admin) baked into spring surf.
These roles are wired into various classes (e.g. org.springframework.extensions.surf.mvc.PageView, org.springframework.extensions.webscripts.connector.User, org.springframework.extensions.webscripts.Description).
If you can map your users to these roles, just set the authentication value accordingly in the page's XML descriptor.
For example:
To see the document library, Share requires you to be logged in, and hence site-data/pages/documentlibrary.xml reads <authentication>user</authentication>.
If you cannot map your users in this way, things can get a bit messy.
I am working on an application with several roles. Changing this role to admin user should log out the target user.
My first lead was to set up data tables to retrieve the list of active tokens by taking an example from this site:
https://javadeveloperzone.com/spring-boot/spring-boot-oauth2-jdbc-token-store-example/#3_Source_Code
Except that on connection, the data is not saved in my tables.
Is it possible to log out a user "by force"?
Yes, there are several ways to do it.
At the end of the day it invalidates the Authentication object in Spring's security context.
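One way to force that invalidation, as an added example that is not code from the answer above: mark every live session of the user as expired through Spring Security's SessionRegistry right after the role change is committed. It assumes a SessionRegistry bean wired with http.sessionManagement().maximumSessions(...).sessionRegistry(...) plus an HttpSessionEventPublisher bean so the registry stays current; ForcedLogout is a hypothetical class name.

```java
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical service; call expireSessionsOf(username) right after the
// new role has been written to the database.
public class ForcedLogout {

    private final SessionRegistry sessionRegistry;

    public ForcedLogout(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    // Marks every live session of the user as expired. On that user's next
    // request the ConcurrentSessionFilter sees the flag, invalidates the HTTP
    // session and drops the Authentication from the SecurityContext, so the
    // changed role only takes effect after a fresh login.
    public int expireSessionsOf(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(principalName(principal))) {
                continue;
            }
            for (SessionInformation session : sessionRegistry.getAllSessions(principal, false)) {
                session.expireNow();
                expired++;
            }
        }
        return expired;
    }

    // The registry stores the principal object of the Authentication; with the
    // JDBC provider that is a UserDetails instance.
    private static String principalName(Object principal) {
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return String.valueOf(principal);
    }
}
```

If the user holds OAuth2 tokens from the JDBC token store instead of an HTTP session, the equivalent step is to look the tokens up with JdbcTokenStore.findTokensByClientIdAndUserName and remove them with removeAccessToken, so the next request with the old token is rejected.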
I have a question about changing role dynamically in runtime. Suppose that we have a social network application (like Facebook) and we are using Spring security for authentication/authorization purpose.
When a person opens his Homepage this person has the ADMIN role and can do everything with his Homepage. However, when he is visiting another friend's Homepage he should only have the role USER, which can only do some restricted actions (he cannot delete posts on the Homepage of his friend, for example).
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.
Can anyone help me with this question?
Thank you.
I think you should rethink your concept. Users are always users.
Users with homepages are userWithHomepage, and real admins are admins.
You need to check on the page, whether the currentUser is privileged for the current page - and give him his roles on this site.
So "UserWithHomepage" comes to his own Homepage, you check: is this user privileged on this site? If yes: activate admin things on this site. If you add a role to his userContext, he could get access as this role to other sites, too. I think this is a security flaw.
So simply set a marker on your controller or check each time, something happens (instantiation, button click etc.) if the user has the privilege to do so.
You shouldn't change your user roles based on what page they are visiting. In your case, when visiting the homepage, you should check if the user is the owner of the homepage, and if so, give them the option to edit/delete; if not, just don't give them the option (don't show the links for editing/deletion, and throw an exception if they try to execute that request anyway).
Thanks all, actually checking if the user is the owner of the Homepage is exactly what we need to do!
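The ownership check the answers describe, as an added example (not code from this thread): the user keeps one role everywhere, and the controller decides per request whether the caller owns the homepage. PostRepository and HomepagePostController are hypothetical names.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class HomepagePostController {

    // Hypothetical repository; the owner is part of the key, so a post can only
    // be deleted together with the homepage it belongs to.
    public interface PostRepository {
        void deleteByIdAndOwner(long postId, String owner);
    }

    private final PostRepository posts;

    public HomepagePostController(PostRepository posts) {
        this.posts = posts;
    }

    // The logged-in user keeps the single role USER everywhere; what changes per
    // homepage is ownership, checked on every request. Hiding the delete link in
    // the view only improves the UI; this check is what enforces the rule.
    @PostMapping("/homepage/{owner}/posts/{postId}/delete")
    public String deletePost(@PathVariable String owner, @PathVariable long postId) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!isOwner(auth, owner) && !isAdmin(auth)) {
            throw new AccessDeniedException("only the owner may delete posts on this homepage");
        }
        posts.deleteByIdAndOwner(postId, owner);
        return "redirect:/homepage/" + owner;
    }

    // Ownership: the authenticated principal's name equals the homepage owner.
    public static boolean isOwner(Authentication auth, String owner) {
        return auth != null && auth.isAuthenticated() && auth.getName().equals(owner);
    }

    // Real administrators keep a genuine, global ADMIN role.
    public static boolean isAdmin(Authentication auth) {
        return auth != null && auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
    }
}
```

The view can call the same isOwner check to decide whether to render the link, and the declarative equivalent is @PreAuthorize("#owner == authentication.name or hasRole('ADMIN')") on the handler method.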
First post here, hope I'm doing this right.
In a project, we have a scenario where we have a single web application with multiple entities. Currently, the login is managed via default JDBC Spring Security provider, working fine.
For a new requirement, we need each entity to be able to have its own login method (currently 2 methods would be available: the JDBC one, which is the current one, and the second method would be authentication via SAML, with each entity defining its own IdP, but this is another story).
I need some guidelines on how this can be achieved. I have done some searching and I have found providers for different URLs, etc., but not different login methods for the same app and URLs depending on the user type or entity.
Is it a good approach to have a custom single entry point where we can check the entity of the user and then use the suitable authentication provider?
Kind regards,
Alex
As each of your users might be using a different IDP you will in any case need to determine the username before proceeding with initialization of the authentication process - but you already know this.
One approach to take (similar to what Microsoft is using with the Office 365 for corporate users) is:
display a login page with fields for the standard username + password
once the user enters the username and blurs the input field, you make an AJAX call (to your custom API made for this purpose) and fetch information about the authentication type + IDP to use for this user
in case the type is password you simply let the user continue with filling in the password field and POST to the same place as you're used to for processing with the JDBC provider
in case the type is federated authentication you initialize authentication with the correct IDP by redirecting to /saml/login?idp=xyz and continue with the SAML flow
It's possible to avoid any APIs by submitting the form once the user enters the username, or letting the user click a "Continue" button. It would then make sense to use a custom EntryPoint which:
redirects the user to the main login page in case it wasn't provided with a username
displays either the login page with username/password or redirects to the correct IDP, once the username has been provided
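The custom EntryPoint variant sketched above, as an added example that is not code from the answer: it redirects to the username-only page when no username was submitted, to /saml/login?idp=... for federated entities, and to the password form otherwise. EntityAwareEntryPoint and EntityDirectory are hypothetical names; the directory stands in for whatever maps a username to its entity's configured login method.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

public class EntityAwareEntryPoint implements AuthenticationEntryPoint {

    // Hypothetical lookup of the login method configured for the user's entity:
    // "password" for the JDBC provider, "saml:<idpAlias>" for a federated entity,
    // null when the username is unknown.
    public interface EntityDirectory {
        String loginMethodFor(String username);
    }

    private final EntityDirectory directory;

    public EntityAwareEntryPoint(EntityDirectory directory) {
        this.directory = directory;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        String base = request.getContextPath();
        String username = request.getParameter("username");
        if (username == null || username.trim().isEmpty()) {
            response.sendRedirect(base + "/login");   // page that only asks for the username
            return;
        }
        String method = directory.loginMethodFor(username);
        if (method != null && method.startsWith("saml:")) {
            // The IdP alias comes from our own configuration, never from the
            // request, so the client cannot steer the redirect target.
            String idp = method.substring("saml:".length());
            response.sendRedirect(base + "/saml/login?idp=" + encode(idp));
            return;
        }
        // Password entities and unknown usernames get the same form, so the
        // entry point does not reveal which usernames exist.
        response.sendRedirect(base + "/login?username=" + encode(username));
    }

    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }
}
```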
Precedent
In GAE, when we use the built-in Users Service to log in a user, GAE automagically sets the HttpServletRequest so that:
getUserPrincipal() returns the user name or null if no user is logged in
isUserInRole() verifies if the user meets a role
My question
I am now implementing an independent login mechanism for which I need to track whether the user is logged-in through the duration of the session.
I see that many of people use HttpServletRequest's getSession.setAttribute with custom parameters as the mean to store login data for the session.
However, I wonder if there is a way of leveraging the built-in functions getUserPrincipal and isUserInRole the same way that GAE uses them. Or is this functionality reserved by GAE for their internal Users Service and not accessible to us users?
The current approach in my Java SE app is to (once authenticated) store only the username as a system property, which I understand may have security implications.
Whenever an action is attempted to be performed that requires a certain role, this username is used to make a call to the database to check whether the given user has the role.
I would prefer to load all the roles up front - then to check against some "User" object whether they were permitted for access. All of this needs to be done in a very controlled way, though.
Is there a standard approach / framework for this? Bear in mind I have already authenticated, and just want to store the user's details. Would storing the currently logged-in user as a Singleton be a sensible way to approach this?
You could use JAAS for authentication and authorization in your application. This framework is applicable to all Java applications (web, standalone, Java EE, etc.).
Another option could be Spring Security. In Spring Security there is the class SecurityContextHolder where you can store the authentication status (roles) once the user is authenticated. Later this can be used to verify the user's role when trying to access any operation. This does not have to be a web application; you can use it in Java SE.
```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new RestUserAuthrity("ROLE_USER")); // RestUserAuthrity: your own GrantedAuthority implementation
CustomAuthenticationToken authenticationToken = new CustomAuthenticationToken(authorities); // your own Authentication implementation
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
```
During the method call, or wherever you want to check the role, just get the roles from SecurityContextHolder and verify the appropriate role.
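The complete pattern for a Java SE application, as an added example (not the answer's own code): roles are loaded once at login into a token held by SecurityContextHolder, and every privileged operation calls require(role) instead of querying the database. RoleGuard and PreAuthenticatedToken are hypothetical names; the token stands in for the answer's CustomAuthenticationToken.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class RoleGuard {

    // Token for a user this application has already authenticated itself;
    // it carries the username and roles, no credentials.
    static final class PreAuthenticatedToken extends AbstractAuthenticationToken {
        private final String username;
        PreAuthenticatedToken(String username, List<GrantedAuthority> authorities) {
            super(authorities);
            this.username = username;
            setAuthenticated(true);
        }
        @Override public Object getCredentials() { return null; }
        @Override public Object getPrincipal() { return username; }
    }

    // Load all roles once, right after authentication; later checks never
    // touch the database.
    public static void login(String username, List<String> roles) {
        List<GrantedAuthority> authorities = roles.stream()
                .map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r))
                .collect(Collectors.toList());
        SecurityContextHolder.getContext()
                .setAuthentication(new PreAuthenticatedToken(username, authorities));
    }

    public static void logout() {
        SecurityContextHolder.clearContext();
    }

    // Call at the start of every operation that requires a role.
    public static void require(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean granted = auth != null && auth.isAuthenticated()
                && auth.getAuthorities().stream()
                       .anyMatch(a -> ("ROLE_" + role).equals(a.getAuthority()));
        if (!granted) {
            throw new AccessDeniedException("role " + role + " required");
        }
    }
}
```

SecurityContextHolder keeps the context per thread by default; in a single-user desktop application that hands work to other threads, call SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_GLOBAL) at startup so every thread sees the same Authentication.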
I suggest you use the Spring framework for session management; Spring also gives you the list of currently logged-in users, so you can store the logged-in users.