I am designing an application where, once a user has logged in, he can change the password.
For changing password, I need 3 details:
Old Password
New Password
Confirm Password
In the servlet layer I am setting
user.setPassword(oldPassword);
The method I am implementing in the DAO layer is
changePassword(User user, String newPassword)
The problem I am facing is that I am not able to validate old password.
Whatever the old password is, I am able to change to a new one.
I think the problem might be that it is taking the old password directly from the session. Any suggestion would be very helpful. Thank you..!!
Use the same method or make a similar one to the method you use for logging in...
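As an added example (not the asker's or the answerer's code), this is what "use the same method you use for logging in" looks like when the servlet passes the submitted old password down to the service instead of writing it into the session's User object. The service re-reads the stored hash from the DAO and runs the same verify() that login uses; only if that succeeds is the new password hashed and stored. The class names User, UserDao, PasswordHasher and the in-memory DAO are assumptions made for this example; PBKDF2 with a random salt is the hashing scheme chosen here, not something the question specifies.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not the asker's code). User, UserDao and PasswordHasher are
// assumed names for illustration.
public class ChangePasswordExample {

    // Outcome reported back to the servlet so it can show the right message.
    enum Result { OK, OLD_PASSWORD_WRONG, CONFIRM_MISMATCH }

    static final class User {
        final String name;
        String passwordHash;   // salted PBKDF2 hash, never the clear-text password
        User(String name, String passwordHash) { this.name = name; this.passwordHash = passwordHash; }
    }

    // Minimal in-memory stand-in for the DAO/database layer.
    static final class UserDao {
        private final Map<String, User> table = new HashMap<>();
        void save(User u) { table.put(u.name, u); }
        User findByName(String name) { return table.get(name); }
    }

    static final class PasswordHasher {
        private static final int ITERATIONS = 310_000, KEY_BITS = 256, SALT_BYTES = 16;
        private static final SecureRandom RNG = new SecureRandom();

        // Stored form: base64(salt) + ":" + base64(PBKDF2-HMAC-SHA256 output)
        static String hash(char[] password) {
            byte[] salt = new byte[SALT_BYTES];
            RNG.nextBytes(salt);
            return Base64.getEncoder().encodeToString(salt) + ":"
                 + Base64.getEncoder().encodeToString(derive(password, salt));
        }

        // The one verification routine shared by login and change-password.
        static boolean verify(char[] password, String stored) {
            String[] parts = stored.split(":", 2);
            if (parts.length != 2) return false;
            byte[] salt = Base64.getDecoder().decode(parts[0]);
            byte[] expected = Base64.getDecoder().decode(parts[1]);
            // Constant-time comparison of the two derived keys.
            return MessageDigest.isEqual(expected, derive(password, salt));
        }

        private static byte[] derive(char[] password, byte[] salt) {
            try {
                PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
                return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    // The stored hash is re-read from the DAO, not taken from the session object,
    // and the submitted old password must verify against it before anything changes.
    static Result changePassword(UserDao dao, String username,
                                 char[] oldPassword, char[] newPassword, char[] confirm) {
        if (!Arrays.equals(newPassword, confirm)) return Result.CONFIRM_MISMATCH;
        User user = dao.findByName(username);
        if (user == null || !PasswordHasher.verify(oldPassword, user.passwordHash)) {
            return Result.OLD_PASSWORD_WRONG;
        }
        user.passwordHash = PasswordHasher.hash(newPassword);
        dao.save(user);
        return Result.OK;
    }

    public static void main(String[] args) {
        UserDao dao = new UserDao();
        dao.save(new User("alice", PasswordHasher.hash("correct horse".toCharArray())));

        // A wrong old password is rejected and the stored hash is left untouched.
        System.out.println(changePassword(dao, "alice", "guess".toCharArray(),
                "new pass".toCharArray(), "new pass".toCharArray()));
        // The right old password with a matching confirmation is accepted.
        System.out.println(changePassword(dao, "alice", "correct horse".toCharArray(),
                "new pass".toCharArray(), "new pass".toCharArray()));
        // After the change only the new password verifies.
        System.out.println(PasswordHasher.verify("new pass".toCharArray(),
                dao.findByName("alice").passwordHash));
    }
}
```

The servlet's job is reduced to reading the three form fields and calling changePassword with the logged-in user's name; it should never call user.setPassword(oldPassword) on the session object, because that is exactly what lets any "old password" through.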
I have a pretty basic Grails 4 application that uses the Spring Security plugin. I'm not understanding how to let the user change his username and then reauthenticate. In my application the username is the email address. All the security is working fine. But let's say the user wants to update his email address in my application.
Currently the user can update his password and that works fine. After the new password value is set (and of course validated, checked, matched, all that stuff) and saved, then I call
springSecurityService.reauthenticate user.username
When updating the username, however, I cannot simply change the username on the user object and then call
springSecurityService.reauthenticate user.username
because the user has not yet been authenticated with the new username so the reauthenticate method fails saying it can't find the user.
I think I'm probably missing something basic in my process flow or something and would love some direction.
I am trying to implement a feature for a user to change their password in their settings page when they are logged in, and I require the user's old password as well as the new password when they try to change it as an extra security measure. My problem is that I cannot find a way to verify if the user's old password is correct. Is there an easy way to do this?
I receive the entered form inputs on the server so the solution would have to be on the backend (node.js)
Many thanks
Though the accepted solution works, there is also a way to verify a user's password from the backend, using the Google Identity Kit REST API's "verifyPassword" endpoint (which has recently been renamed to "signInWithPassword", but works exactly the same):
HTTP POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[YOUR_FIREBASE_API_KEY]
{
  "email": "<the user's email>",
  "password": "<the password to verify>"
}
If that endpoint doesn't return an error, that means the password is valid.
See this thread for more information.
You have to do it client side. This is not an operation that the admin SDK is designed to handle. You will ask the current user for the password and reauthenticate with it and then update password:
// Build a credential from the current user's email and the old password they typed.
const cred = firebase.auth.EmailAuthProvider.credential(
    firebase.auth().currentUser.email, oldPass);
// Re-authentication only succeeds if the old password is correct; then update.
firebase.auth().currentUser.reauthenticateWithCredential(cred)
  .then(() => {
    return firebase.auth().currentUser.updatePassword(newPass);
  })
  .catch((error) => {
    // Some error (wrong old password, or the update itself failed).
  });
I have an LDAP directory synchronised from a Microsoft Active Directory.
This LDAP contains many accounts; each account has a password attribute.
I must develop a Java program where a user has to log in with his AD login and password, but I don't know the method employed to correctly encrypt the typed password.
I need it to compare with the LDAP password.
I also need to bind new accounts with the same password encryption.
Does anyone know how to do this?
Well first of all you can use a BIND with SSL, but that's considered kind of the lame way to go about it and may be disabled on some systems. A truly secure way is using SPNEGO-GSS, and this is not trivial. You have to learn and understand about Kerberos. That's a long topic but you can start with reading and going through everything here
I've found the solution with Spring;
here is the method to test the login/password pair:
AndFilter filter = new AndFilter();
filter.and(new EqualsFilter("objectclass", "person")).and(new EqualsFilter("cn", login));
// Spring LDAP searches for the entry matching the filter and then binds as it with the given password.
boolean authentifie = ldapTemplate.authenticate(DistinguishedName.EMPTY_PATH, filter.toString(), password);
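The same check without Spring, as an added example that is not part of either post: the program never reproduces the directory's password hashing at all; it simply binds to the directory as the user with the typed password and lets the directory do the comparison. The host name, port and the UPN form of the principal are placeholders assumed for this example. The empty-password guard matters: an LDAP simple bind with an empty password is an unauthenticated bind, which Active Directory and most directories accept, so without the guard any username would "log in" with a blank password.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

// Added example (not the asker's or the answerer's code): verify an AD/LDAP
// password by binding as that user. The URL is a placeholder.
public final class LdapBindCheck {
    private static final String LDAP_URL = "ldaps://ad.example.invalid:636"; // placeholder, assumed

    public static boolean authenticate(String userPrincipal, char[] password) {
        // An empty password would become an anonymous/unauthenticated bind,
        // which the directory accepts; refuse it before talking to the server.
        if (userPrincipal == null || userPrincipal.isEmpty()
                || password == null || password.length == 0) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);             // ldaps:// so the password is encrypted in transit
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userPrincipal);  // e.g. a UPN such as jdoe@corp.example (assumed form)
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            new InitialDirContext(env).close();   // the bind itself is the password check
            return true;
        } catch (AuthenticationException e) {
            return false;                         // wrong user or password
        } catch (NamingException e) {
            throw new IllegalStateException("directory unreachable", e);
        }
    }
}
```

The same idea answers the second half of the question: when creating an account on Active Directory you do not store a hash yourself, you write the clear-text password to the unicodePwd attribute over an LDAPS connection and the directory hashes it on its side.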
Java EE.
OK, a JSP form handed the username and password to a servlet. The username and password are valid.
How can I authenticate the user?
Thanks for help.
Here is the tutorial:
http://download.oracle.com/javaee/6/tutorial/doc/bncas.html
Don't reinvent the wheel - especially not security, as it is hard enough to get it right even when using existing frameworks.
I don't know exactly what problem you have. Try these steps:
Submit your form in HTTP GET to your LoginServlet
Get Login
Get Password
If Login && Password are correct, create some UserObject and call httpRequest.getSession(), which gets the user's HTTP session. Then put this object into the session you created.
To check if the user is logged in, check whether the userObject exists in the session.
If you have problems, try attaching your current sources.
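The steps above as one servlet, added here as an example rather than the answerer's code. AuthService and UserObject are assumed application classes, and the way the service is looked up in init() is an assumption too. Two details differ from the bullet list on purpose: the form is read from a POST rather than a GET, so the password does not end up in server and proxy logs as part of the URL, and any session that existed before login is invalidated before the user object is stored, so a session id planted before authentication never becomes an authenticated one.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the answer). AuthService and UserObject are assumed
// application classes; the init() lookup is an assumed wiring.
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "userObject";

    // Assumed: returns the user when login and password verify, otherwise null.
    interface AuthService { UserObject authenticate(String login, char[] password); }
    static final class UserObject {
        final String login;
        UserObject(String login) { this.login = login; }
    }

    private AuthService auth;

    @Override
    public void init() {
        auth = (AuthService) getServletContext().getAttribute("authService"); // assumed wiring
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String login = req.getParameter("login");
        String password = req.getParameter("password");
        UserObject user = (login == null || password == null) ? null
                : auth.authenticate(login, password.toCharArray());
        if (user == null) {
            // Same message for unknown user and wrong password.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid login or password");
            return;
        }
        // Drop the pre-login session so its id is not carried into the
        // authenticated state (session fixation), then create a fresh one.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute(USER_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Used by other servlets or a filter: "logged in" means the attribute is present.
    static UserObject currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (UserObject) session.getAttribute(USER_ATTR);
    }
}
```

Using getSession(false) in currentUser avoids creating empty sessions for anonymous requests; only a successful login creates one.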
I want to know how to generate a URL in a servlet. I have a login servlet, and every time I add a user I want to generate a URL for each user profile.
Can anyone help me please?
The easiest way is to declare a servlet mapping like the following:
<servlet-mapping>
<servlet-name>UsersServlet</servlet-name>
<url-pattern>/Users/*</url-pattern>
</servlet-mapping>
Now, whenever you get a request for MyApp/Users/UserId you read the request path, get the userId and check if the user exists. If not you return 'Not found'. Otherwise you return the user's page.
This is a quick and dirty implementation of a RESTful service.
I think the solution of kgiannakakis is very good. I just want to add some details, because reading the comment of Agusti-N I suspect that maybe he is missing something.
Let's say that you have the UsersServlet described by kgiannakakis, a JSP called showUserProfile.jsp and a userBean that has all the properties of the user's profile that need to be shown in the JSP.
When a new user registers to your application, you need to do nothing more than you already do now. Just register a new user in the db, and forget the login servlet.
Now suppose that I registered to your app with my username alexmeia.
When someone types the URL yourApp/Users/alexmeia, the UsersServlet is called. This servlet gets the username alexmeia from the request URL, checks in the DB whether this username exists and, if it does, loads all the properties of this user into the userBean.
After that, it forwards to showUserProfile.jsp, which shows the user profile by reading it from the userBean.
Obviously, if the user alexmeia is not in the DB, you can redirect to a generic userNotFound.jsp, or go to the home page and show a message, and so on...
This works for all the registered users in the same way. You don't really need to create a new URL for every new user.
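The UsersServlet that kgiannakakis and alexmeia describe, written out as an added example (not code from either answer). It is mapped to /Users/* as in the servlet-mapping above, so getPathInfo() yields "/alexmeia" for yourApp/Users/alexmeia. UserDao and UserBean are assumed application classes and the init() lookup is assumed wiring. The part worth copying is extractUsername: the path segment is matched against the identifier shape the application actually issues before it reaches the database, so "/../x", "/a/b" or an empty segment become a 404 rather than a lookup key.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not kgiannakakis's or alexmeia's code). UserDao and UserBean
// are assumed application classes; the servlet is mapped to /Users/*.
public class UsersServlet extends HttpServlet {
    // Only identifiers of the shape the application issues are looked up;
    // anything else is answered with 404 without touching the database.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    interface UserDao { UserBean findByUsername(String username); }   // assumed
    static final class UserBean { String username; String displayName; } // assumed

    private UserDao dao;

    @Override
    public void init() {
        dao = (UserDao) getServletContext().getAttribute("userDao");    // assumed wiring
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = extractUsername(req.getPathInfo());
        UserBean user = (username == null) ? null : dao.findByUsername(username);
        if (user == null) {
            // Malformed and unknown names get the same answer.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.setAttribute("userBean", user);
        // The JSP lives under WEB-INF so it can only be reached through this servlet.
        req.getRequestDispatcher("/WEB-INF/showUserProfile.jsp").forward(req, resp);
    }

    // "/alexmeia" -> "alexmeia"; "/a/b", "/../x", "", "/" and null -> null
    static String extractUsername(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') return null;
        String candidate = pathInfo.substring(1);
        return USERNAME.matcher(candidate).matches() ? candidate : null;
    }
}
```

Because the username is validated before it is used, the DAO can be a plain parameterized query on the username column; the servlet never builds a query or a file path from the raw request path.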
It sounds like you might want to look into REST technologies. There is a tutorial here you might want to have a look at.
Do you need URL rewriting? Something like this, perhaps, but instead of RMI generate your own user id