I'd like to perform some operations after receiving the LOGON message and then decide whether the LOGON failed or not (for example, check the username and password), but...
Immediately after receiving the LOGON message QuickFIX/J resends:
8=FIX.4.4|9=74|35=A|34=13|49=FIXserver|52=20110831-09:27:41.847|56=localhost|98=0|108=10|10=131|
8=FIX.4.4|9=71|35=2|34=14|49=FIXserver|52=20110831-09:27:41.855|56=localhost|7=1|16=0|10=213|
How can I disable this functionality?
Second question: if the LOGON failed, should I resend a LOGOUT message or something else?
Call your required methods, which do your logon checking and other checks, in onLogon. You can disable sending messages in toAdmin. The entry point for messages is fromAdmin and the sending point is toAdmin.
No need to send a logout message, as the logon didn't happen. You log out of a session only if you have logged in.
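To make the answer concrete, here is an added example (not from the original thread and not QuickFIX/J's own code) of the fromAdmin hook the answer points to. It vetoes an inbound Logon by throwing RejectLogon when Username(553)/Password(554) do not match; the in-memory map standing in for a user store is constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

import quickfix.Application;
import quickfix.DoNotSend;
import quickfix.FieldNotFound;
import quickfix.IncorrectDataFormat;
import quickfix.IncorrectTagValue;
import quickfix.Message;
import quickfix.RejectLogon;
import quickfix.SessionID;
import quickfix.UnsupportedMessageType;
import quickfix.field.MsgType;
import quickfix.field.Password;
import quickfix.field.Username;

/**
 * Acceptor-side Application that validates Username(553)/Password(554)
 * on the inbound Logon before QuickFIX/J acknowledges it.
 */
public class CredentialCheckingApplication implements Application {

    // Constructed stand-in for a real user store: username -> expected password.
    private final Map<String, String> credentials;

    public CredentialCheckingApplication(Map<String, String> credentials) {
        this.credentials = credentials;
    }

    @Override
    public void fromAdmin(Message message, SessionID sessionID)
            throws FieldNotFound, IncorrectDataFormat, IncorrectTagValue, RejectLogon {
        // fromAdmin runs before the engine answers an admin message, so this is the
        // place to veto a Logon. Heartbeats, test requests and resend requests pass through.
        if (!MsgType.LOGON.equals(message.getHeader().getString(MsgType.FIELD))) {
            return;
        }
        if (!message.isSetField(Username.FIELD) || !message.isSetField(Password.FIELD)) {
            throw new RejectLogon("Username and Password are required");
        }
        String username = message.getString(Username.FIELD);
        String password = message.getString(Password.FIELD);
        String expected = credentials.get(username);
        // One generic reason for both "unknown user" and "wrong password", so the counterparty
        // learns nothing about which half failed. MessageDigest.isEqual compares in constant
        // time; a production store would hold password hashes rather than plain passwords.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8))) {
            throw new RejectLogon("Invalid credentials");
        }
    }

    @Override
    public void onLogon(SessionID sessionID) {
        // Only reached when fromAdmin did not throw: the session is now established.
    }

    @Override public void onCreate(SessionID sessionID) { }
    @Override public void onLogout(SessionID sessionID) { }
    @Override public void toAdmin(Message message, SessionID sessionID) { }
    @Override public void toApp(Message message, SessionID sessionID) throws DoNotSend { }
    @Override public void fromApp(Message message, SessionID sessionID)
            throws FieldNotFound, IncorrectDataFormat, IncorrectTagValue, UnsupportedMessageType { }
}
```

When RejectLogon is thrown, QuickFIX/J never sends the Logon acknowledgement shown in the question; it sends a Logout (35=5) carrying the reason in Text(58) and disconnects, which is also why no manual Logout is needed. Keep in mind that tags 553/554 travel in clear text on the FIX session unless the transport itself is TLS-protected.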
I am using AWS Cognito for user management in my application. The user pool is configured so that users log in with a unique username and a password, and multiple users can have the same email address. I am using Amplify built-in components for authentication.
The problem I can't seem to resolve is double verification messages upon updating a user's email. When an email is changed, CustomMessage_UpdateUserAttribute is triggered, and when the user wants to verify the changed email, CustomMessage_VerifyUserAttribute is triggered. I have a custom Lambda function that listens for these triggers, among others, and sends corresponding emails based on the action the user is trying to perform: login, verify email, reset password, etc.
So if a user modifies his email address, CustomMessage_UpdateUserAttribute is triggered and the user receives an email with the following (default) message: "Please verify your account and enter the following verification code to reset your password: xxxxxx". However, when this user logs in, Amplify recognises that the user is in the "verifyContact" state and displays the screen you can see below.
The user has two options:
to skip the verification, or
to select the only attribute that awaits verification and click on "verify" button.
Clicking on the "verify" button triggers CustomMessage_VerifyUserAttribute and sends yet another email to the user. The user is redirected to the following screen.
The second screen is where the user is supposed to input the newly sent code (from the second email). So the user has absolutely no need for the first email (and code) that is sent automatically when the email is updated. I have tried to find a way to avoid sending that email, but have not found a good solution. Cognito won't let you override the message in the Lambda without sending the confirmation code in it, which is completely unnecessary since there is no place where the user can input it. I don't want to disable email verification or set email_verified to true upon updating.
Do you have any suggestions for what I could do?
If anybody is facing the same problem, a workaround is to update the email_verified field twice. When updating the email, set email_verified to true. This will prevent Cognito from sending an email on CustomMessage_UpdateUserAttribute. Then, in a separate user-attribute update request, update only the email_verified field to false. This will set the user to the "verifyContact" state and request email verification on login.
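The two-step update above, written out as an added example (not the answerer's code) against the AWS SDK for Java v1 Cognito client. It has to be a server-side AdminUpdateUserAttributes call, because email_verified is not writable by the end user on their own attributes; the pool id and username are placeholders.

```java
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.AdminUpdateUserAttributesRequest;
import com.amazonaws.services.cognitoidp.model.AttributeType;

/**
 * Server-side email change that applies the two-step email_verified workaround.
 * Runs with IAM credentials: only the admin API may write email_verified.
 */
public class CognitoEmailChange {

    private final AWSCognitoIdentityProvider cognito;
    private final String userPoolId;  // assumption: supplied by the caller, e.g. "eu-west-1_EXAMPLEPOOL"

    public CognitoEmailChange(AWSCognitoIdentityProvider cognito, String userPoolId) {
        this.cognito = cognito;
        this.userPoolId = userPoolId;
    }

    public void changeEmail(String username, String newEmail) {
        // Step 1: new address and email_verified=true in the SAME request.
        // The address arrives already verified, so Cognito has nothing to verify
        // and the CustomMessage_UpdateUserAttribute mail is not sent.
        updateAttributes(username,
                new AttributeType().withName("email").withValue(newEmail),
                new AttributeType().withName("email_verified").withValue("true"));

        // Step 2: a SEPARATE request flipping only email_verified back to false.
        // Changing just the flag sends no mail but puts the user in the "verifyContact"
        // state, so Amplify asks for verification at the next login.
        // Between the two calls, and permanently if this call fails, the account holds an
        // unverified address flagged as verified, so a failure here must be surfaced.
        try {
            updateAttributes(username,
                    new AttributeType().withName("email_verified").withValue("false"));
        } catch (RuntimeException e) {
            throw new IllegalStateException("email for " + username
                    + " was changed but is still flagged verified; repeat step 2", e);
        }
    }

    private void updateAttributes(String username, AttributeType... attributes) {
        cognito.adminUpdateUserAttributes(new AdminUpdateUserAttributesRequest()
                .withUserPoolId(userPoolId)
                .withUsername(username)
                .withUserAttributes(attributes));
    }

    public static void main(String[] args) {
        // Region and credentials come from the SDK's default provider chain.
        AWSCognitoIdentityProvider client = AWSCognitoIdentityProviderClientBuilder.defaultClient();
        new CognitoEmailChange(client, "eu-west-1_EXAMPLEPOOL")
                .changeEmail("alice", "alice@example.com");  // placeholder user and address
    }
}
```

Because step 1 briefly marks an address the user never proved they own as verified, keep the two calls back to back in one server-side operation and alert on any failure of step 2 rather than logging it and moving on.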
On my Keycloak server, when I go to the "reset password" page and enter a bad username, the return message says "You should receive an email shortly with further instructions." But I want to send a message like "username not found".
In the console log I see the error "user_not_found" and I don't understand why I don't see the same thing on the server.
WARN [org.keycloak.events] (default task-31) type=RESET_PASSWORD_ERROR, realmId=XXX, clientId=XXX, userId=XXX, ipAddress=127.0.0.1, error=user_not_found, auth_method=XXX, redirect_uri=http://localhost/, code_id=XX, username=test
My Keycloak server is on version 3.4.
Thanks
Forgot password has a default implementation. If you want to change it you have to:
1. create your own provider for "Choose User";
2. create a new FLOW with it;
3. change the bindings for Reset Credentials to the new FLOW.
You can find more information at:
http://www.keycloak.org/docs/latest/server_development/index.html
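Step 1 of the answer, as an added example that is not from the thread or from the Keycloak project: an Authenticator replacing the built-in "Choose User" step, plus the factory Keycloak discovers through META-INF/services/org.keycloak.authentication.AuthenticatorFactory. The provider id and messages are assumed. Written against the 3.x SPI, where the user lookup takes (username, realm).

```java
import java.util.Collections;
import java.util.List;

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/** Replacement for the stock "Choose User" step that reports an unknown username on the form. */
public class StrictChooseUserAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // First visit: render the normal "forgot password" form.
        context.challenge(context.form().createPasswordReset());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        if (username == null || username.trim().isEmpty()) {
            context.getEvent().error(Errors.USERNAME_MISSING);
            Response challenge = context.form().setError("Please specify a username").createPasswordReset();
            context.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
            return;
        }
        username = username.trim();
        RealmModel realm = context.getRealm();
        UserModel user = context.getSession().users().getUserByUsername(username, realm);
        if (user == null && realm.isLoginWithEmailAllowed() && username.contains("@")) {
            user = context.getSession().users().getUserByEmail(username, realm);
        }
        if (user == null) {
            // The stock step records this same user_not_found event but then continues with no
            // user, which is why the log shows the error while the page shows the generic text.
            context.getEvent().detail(Details.USERNAME, username).error(Errors.USER_NOT_FOUND);
            Response challenge = context.form().setError("username not found").createPasswordReset();
            context.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
            return;
        }
        context.setUser(user);
        context.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }

    /** Factory listed in META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "strict-reset-credentials-choose-user"; // assumed provider id

        @Override public String getId() { return ID; }
        @Override public Authenticator create(KeycloakSession session) { return new StrictChooseUserAuthenticator(); }
        @Override public String getDisplayType() { return "Choose User (reports unknown username)"; }
        @Override public String getReferenceCategory() { return null; }
        @Override public boolean isConfigurable() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
            return new AuthenticationExecutionModel.Requirement[] { AuthenticationExecutionModel.Requirement.REQUIRED };
        }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "Selects the user by username or email; fails visibly when none matches."; }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

The stock step shows the same "you should receive an email" text for known and unknown usernames on purpose: the reset form would otherwise confirm which accounts exist. Once this authenticator is bound to the Reset Credentials flow (steps 2 and 3 of the answer), that guard is gone, so rate-limit the form and watch the RESET_PASSWORD_ERROR events already visible in the log above.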
I have set up 2FA with Spring Security. The problem is that, at the moment, the 2FA code must be entered in the same form as the username/password. Is there a way to ask for the username and password first and then, if they are valid, ask for the 2FA code?
I have done the same in AngularJS.
The logic:
When the user has 2FA enabled, on form submit with only the username and password, instead of returning a bad credentials response (401) or a success response, I return a status code (403) indicating that the server understood the request but refused to fulfill it.
When Angular receives this 403 status it hides the username and password fields and shows the OTP field. At this point the username and password are still present as Angular objects, only hidden.
When the user enters the OTP and clicks submit, I again make a POST call, and this time pass the username, password and OTP.
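The answer describes the client side; here is the Spring Security side of the same 401 / 403 / 200 contract, as an added example that is neither the answerer's code nor part of Spring Security. The TwoFactorUser interface and the "otp" form field are assumptions; the provider still needs the usual userDetailsService and passwordEncoder set on it.

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/** Server side of the two-submit login: 401 on bad credentials, 403 when only the OTP is missing. */
public final class TwoFactorLogin {

    /** Hypothetical contract: a UserDetails that knows whether 2FA is on and can check a code. */
    public interface TwoFactorUser extends UserDetails {
        boolean isTwoFactorEnabled();
        boolean verifyOtp(String otp);
    }

    /** Password was right, but a one-time code is still required. */
    public static class OtpRequiredException extends AuthenticationException {
        public OtpRequiredException(String msg) { super(msg); }
    }

    /** Carries the optional "otp" form field as the token's details object. */
    public static class OtpDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, String> {
        @Override
        public String buildDetails(HttpServletRequest request) {
            return request.getParameter("otp");
        }
    }

    /** Normal password check first, then the OTP check for accounts with 2FA enabled. */
    public static class Provider extends DaoAuthenticationProvider {
        @Override
        protected void additionalAuthenticationChecks(UserDetails userDetails,
                UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
            // A wrong password fails here with BadCredentialsException (-> 401).
            super.additionalAuthenticationChecks(userDetails, authentication);
            if (!(userDetails instanceof TwoFactorUser)) {
                return;
            }
            TwoFactorUser user = (TwoFactorUser) userDetails;
            if (!user.isTwoFactorEnabled()) {
                return;
            }
            Object details = authentication.getDetails();
            String otp = details instanceof String ? (String) details : null;
            if (otp == null || otp.isEmpty()) {
                // First submit: credentials valid, tell the client to show the OTP field (-> 403).
                throw new OtpRequiredException("One-time code required");
            }
            // Second submit: the code is checked server side; the client's hidden state is never trusted.
            if (!user.verifyOtp(otp)) {
                throw new BadCredentialsException("Invalid one-time code");
            }
        }
    }

    /** Maps the two failure kinds onto the status codes the AngularJS client switches on. */
    public static class FailureHandler implements AuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) throws IOException {
            int status = exception instanceof OtpRequiredException
                    ? HttpServletResponse.SC_FORBIDDEN      // 403: show the OTP field
                    : HttpServletResponse.SC_UNAUTHORIZED;  // 401: bad password or bad OTP
            response.setStatus(status);
            response.setContentType("application/json");
            response.getWriter().write("{\"otpRequired\":" + (status == HttpServletResponse.SC_FORBIDDEN) + "}");
        }
    }
}
```

Wire it with formLogin().authenticationDetailsSource(new OtpDetailsSource()).failureHandler(new FailureHandler()) and register Provider as the authentication provider. Note what the 403 reveals: the client learns the password was correct before the OTP is checked, so the OTP step needs its own attempt counter and lockout, since a short numeric code is otherwise cheap to guess once the password is known.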
After registration, the system sends a verification mail to the subscriber's mail ID.
Once the user has clicked on the verification link, the token must expire.
I want to display a "link expired" message on any subsequent click.
How do I do it?
You may override the VerifyEmailAddressAction.java action class, set a custom error message in SessionErrors, and display it on the Email Verification screen.
I'm building a web application where a user can send an HTTP request to upload a file. I need to redirect the user to the login page in my servlet and, if the authentication is successful, process the request. What's the best option to do this? Here's what I'm thinking of doing:
Save the request URL and the HttpServletRequest object in a cache (some in-memory cache like JCS) with a specific request ID (some GUID).
Redirect the user to the login page along with the request ID.
When the user logs in, the request ID is also passed to the servlet.
If the login is successful, retrieve the HttpServletRequest object from the cache and start processing it.
Another option I read about was using the HTTP Referer, but this wouldn't get me the request parameters (it is a POST operation).
Is my approach above right? Is there a better way to handle this?
Thanks in advance!
Here is one way this can be accomplished.
Cookie + Filter approach:
You receive a request from the user.
Check in the filter whether the user is logged in (you can do this by checking any cookie that you are setting for logged-in users, or a valid session object).
If the user is not logged in, redirect the user to the login page AND set a cookie (with a name, say, redirect) with the current request URL.
The user sees the login page and enters credentials.
The servlet receives the login request and validates the user; if the login is correct, it checks for the redirect cookie, retrieves the URL, deletes the redirect cookie and redirects the user to that URL.