I have a pretty basic Grails 4 application that uses the Spring Security plugin. I'm not understanding how to let the user change his username and then reauthenticate. In my application the username is the email address. All the security is working fine. But let's say the user wants to update his email address in my application.
Currently the user can update his password and that works fine. After the new password value is set (and of course validated, checked, matched, all that stuff) and saved, then I call
springSecurityService.reauthenticate user.username
When updating the username, however, I cannot simply change the username on the user object and then call
springSecurityService.reauthenticate user.username
because the user has not yet been authenticated with the new username so the reauthenticate method fails saying it can't find the user.
I think I'm probably missing something basic in my process flow or something and would love some direction.
Related
I am using AWS Cognito for user management in my application. The userpool is configured that the users login with a unique username and a password, and that multiple users can have the same email addess. I am using Amplify built-in components for authentification.
The problem I can't seem to resolve, are double verification mesages upon updating user email. When an an email is chaged CustomMessage_UpdateUserAttribute is triggered, and when user wants to verify the changed email CustomMessage_VerifyUserAttribute is triggered. I have a custom lambda function that listens for these triggers among others and sends corresponding emails based on the action user is trying to perform: login, verify email, reset password etc.
So if a user modifies his email address, CustomMessage_UpdateUserAttribute is triggered and the user recieves an email with the following (default) message "Please verify your account and enter the following verification code to reset your password: xxxxxx". However, when this user loggs in, amplify recognises that the user is in the "verifyContact" state, and displays the screen you can see below.
The user has two options:
to skip the verification, or
to select the only attribute that awaits verification and click on "verify" button.
Clicking on the "verify" button triggers CustomMessage_VerifyUserAttribute and sends yet another email to the user. The user is redirected to the following screen.
The second screen shows where user is supposed to input newly sent code (from the second email). So the user has absolutely no need for the first email (and code) that is sent automatically when the email is updated. I have tried to find a way to avoid sending the email, but have not found a good solution. Congito won't let you override the message in lambda without sending the confirmation code in it, which is completely unnecessary since there is no place where user can input it. I don't want to disable email verification, or set email_verified to true upon updating.
Do you have any suggestions what I could do?
If anybody is facing the same problem, a workaround is to update email_verified field twice. When updating the email, set email_verified to true. This will prevent Cognito from sending and email on CustomMessage_UpdateUserAttribute. Then in a separate user attribute update request update only email_verified field to false. This will set the user to "verifyContact" state and request email verification on login.
I am designing an application where once user logged in, he can change the password.
For changing password, I need 3 details:
Old Password
New Password
Confirm Password
In servlet layer I am setting
user.setPassword(oldPassword);
method I am implementing in DAO layer
changePassword(User user, String newPassword)
The problem I am facing is that I am not able to validate old password.
Whatever the old password is, I am able to change to a new one.
I think what the problem might be is that it is taking the old password directly from the
session. Any suggestion would be very helpful. Thankyou..!!
Use the same method or make a similar one to the method you use for logging in...
On android client, I create Credentials, then choose account using AccountPicker and set the account name. On GAE, I have User parameter in every endpoint method. (I described it here)
Android Client ID, Web client ID and audiences are configured correctly.
On endpoint, the user is not null and has correct email set. But when I call user.getUserId() I get null. Is this user authenticated or not?... It really makes me nervous not to know that...
What you describe is odd, and I don't know why you get null when you call getUserId(), but never-the-less I would say, Yes, you are authenticated.
If you want to be sure, then you could try using that authentication from a web client - I read that once you have authenticated an Android user you are automatically given minimal account authentication for web too. So create a minimal servlet that includes the following code:
UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();
Load the page while signed in with the same account you authenticated from Android and see whether it acts like it already knows you, or whether it prompts the user as it would for a different, un-authenticated user.
This is a bug on google's side.
There seems to be a clunky workaround: save User to datastore and read it back.
I have created a web service that uses HTTP Basic. I am developing an Android application that will present the user a login screen with a textfield for username and another for password. When correct username and password is provided the user will see a new screen.
How can I validate on login that the username and password is correct? Since the dashboard screen that the is taken to after successful login does not by itself needs data from the webservice I can't check if it fails.
Do I have to check against a URL in my application (sending a HEAD request) and see if it fails? Are there any conventions here?
Check the response String and look here HTTP status codes
You can also use for example a mozilla add-on like Poster to check the server response.
Ok i guess you need to apply validations on username and password.
Validation are decided by the server end i.e. how username and password should be
for instance USERNAME.
1) Should not be less than 2 characters and max. length is decided.
2) If Email is to be used as Username then validation for email i.e. mus contains #,. etc.
for Password
1) Length of password should not be less than 6 or no to be greater than 20.
2) May or may not contain special characters.
Ask your server end that how they like to receive the username and password and check if user supplied inputs are valid or not , if valid only then make a HTTP call otherwise show user his respective error validation message.
you can send your username and passwords using http get/post method and can validate this at srver side
I am using spring Security of login and its working fine.
I have field in database in user entity
boolean confirmed
I want
If confirmed field is set to false ,
then comes the authentication error
and tells user that email is
registered but not confirmed and
should allow the user to resend the
activation link again
Create a ROLE_CONFIRMED and have most of your pages set to access="ROLE_CONFIRMED".
Then create a AuthenticationSuccessHandler and, if the user does not have ROLE_CONFIRMED redirect to the page that tells them that "email is registered but not confirmed and should allow the user to resend the activation link again".
When the user does confirm their email give them ROLE_CONFIRMED.