We are currently using version 7.0 of the kentico API to authenticate users into our system.
The following code is used to gain user details from the database and authenticate users.
UserInfo objUserInfo = AuthenticationHelper.AuthenticateUser(username.ToLower(), password.ToLower(), CMSContext.CurrentSiteName);
This has primarily been working correctly, but we are having issues with usernames and passwords that contain any of the following characters.
" ! # ' / \ > < * -
Is there any settings that I need to be aware of (web.config or otherwise) that would stop the API from accessing an account where a username or password contained special characters?
Looks like there is according to the documentation. Check into this web.config key:
<add key="CMSUserValidationRegEx" value="([A-Za-z0-9-]+)" />
Sets custom regular expression used for user name validation (used when new accounts are created or when existing usernames are modified).
The default value is "^[a-zA-Z0-9_\-\.#]+$".
If the CMSEnsureSafeUserNames key is set to false, the following regular expression is used by default: "^[a-zA-Z0-9_\-\.\\#]+$".
The only thing I can't tell for 100% is if it is purely for the AD Import of users or ALL users. It looks to be used on any call to ValidationHelper.IsUserName, so it is pretty safe to assume it is in play everywhere.
Source: http://devnet.kentico.com/docs/7_0/devguide/index.html?web_config_parameters.htm#forbidden_chars_users
Also the internal message when you try to create a user with those characters complains too. SO this would tell me that it is in play everywhere.
Related
I'm new to Realm Sync (and Realm). I'm trying to convert a REST / SQL Server system to Realm Sync (to avoid having to write my own local-device caching code).
I got a simple configuration working, with a single API-key user and the null partition, read and write permissions just set to true.
But for my more complex application, I want smaller sub-partitions to reduce the amount of data that needs to be cached on local devices, and I want the sub-partitions to be able to be created dynamically by the client. Ideally, I would like to allow an API-key user to connect to any partition whose name starts with their user id (or some other known string, e.g. the profile name). But I can't find a way to get a "starts with" condition into the permissions.
My best attempt was to try setting Read and Write sync permissions to:
{
"%%partition": {
"$regex": "^%%user.id"
}
}
but my client just fails to connect, saying Permission denied (BIND, REFRESH). (Yes, I tried using "$regex": /^%%user.id/ but the Realm UI rejected that syntax.) The Realm Sync log says "user does not have permission to sync on partition (ProtocolErrorCode=206)".
As you can see in the log image, the partition name was equal to the user id for this test.
Is what I'm trying to do possible? If so, how do I set up the Sync Permissions to make it work?
This can be done using a function. If, like me, you're new to Realm Sync and not fluent in Javascript, don't worry - it turns out to be not too hard to do, after all. (Thanks Jay for encouraging me to try it!)
I followed the instructions on the Define a Function page to create my userCanAccessPartition function like this:
exports = function(partition){
return partition.startsWith(context.user.id);
};
Then I set my sync permissions to:
{
"%%true": {
"%function": {
"name": "userCanAccessPartition",
"arguments": ["%%partition"]
}
}
}
I am trying to use Pgina-fork to modify windows logon. Instead of using username and password, I want to login user with a single field authentication that doesn't use a password . I am done with custom plugin modifications and building procedures but am not able to find a way to modify the logon UI. I need to hide the password field and modify other info that is not useful to me. If anyone knows how to do that in the Credential provider source code of Pgina-fork ?
You need to modify pGina Fork source Code for that.
pGina src have a folder named CredentialProvider.. that is what you need
In file credential.cpp
you can use this code
//hide password
m_fields->fields[m_fields->passwordFieldIdx].fieldStatePair.fieldState = CPFS_HIDDEN;
if (m_usageScenario == CPUS_CHANGE_PASSWORD) {
m_fields->fields[CredProv::CPUIFI_NEW_PASSWORD].fieldStatePair.fieldState = CPFS_HIDDEN;
m_fields->fields[CredProv::CPUIFI_CONFIRM_NEW_PASSWORD].fieldStatePair.fieldState = CPFS_HIDDEN;
}
This is the block of code which main pGina provides.
I have requirement to append USERNAME to the URL in server side using URL Rewrite module.
Why?:
I have website site1, when USER logs in to site1, he will see a link to site2., This link is URL or reports. (Tableau).
Authenticated ticket has been created using FormAuthentication in site1.
When USER clicks the link, authenticated username should be passed to site2.
I could append username from client side, but due to security issues I have to append username to URL in server side before it gets executed.
So I have decided to use URL rewrite provider, which grabs the username by decrypting the cookie value as shown below
namespace PlatformAnalysisUrlProvider.PlatformAnalysisProvider
{
class AnalysisRewriteProvider: IRewriteProvider, IProviderDescriptor
{
public void Initialize(IDictionary<string, string> settings,
IRewriteContext rewriteContext)
{
}
public string Rewrite(string value)
{
string[] cookievalues = value.Spli('=');
FormAuthentication ticket = FormAuthentication.Decrypt(cookievalues[1]);
//Decrypt throws error as shown below
}
}
}
Cookie Values
cookievalues [0] = has the key
cookievalues [1] = has the value
Example:
233AWJDKSHFHFDSHFJKDFDKJFHDKJFKDJFHDHFDHFKJHDFKJHDFJHDKJFHDSKJFHDF
It's a cookie value. But decrypt is not happening
I am getting following error
Unable to validate data.
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(
Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start,
Int32 length, IVType ivType, Boolean useValidationSymAlgo,
Boolean signData)
Here is my settings in IIS for URL Rewrite
Requested URL: Matches the Patterns
Using: Regular Expression
Ignore Case - Checked
Conditions -
Input : {HTTP_COOKIE}
Type : Matches the Pattern
Pattern : .*
Action Type - Rewrite
Rewrite URL - http://11.155.011.123{HTTP_URL}&USERNAME={PlatformAnalysisUrlProvider:{C:0}}
I have also set up MACHINE KEY as suggested by this forum
I have referred this post for development
One of the stack overflow post suggested that it might be firewall or antivirus issue. But I do not have antivirus installed or firwall enabled.
It really helps if someone direct me to code sample where web site hosted in IIS and URL Rewrite provider is used.
Updating Error Log
MODULE_SET_RESPONSE_ERROR_STATUS
Notification - "PRE_BEGIN_REQUEST"
HttpReason - "URL Rewrite Module Error"
Updating post with Machine Key Info
<MachineKey Description="AES" validation="SHA1"
descriptionKey="******"
validationKey="******" CompatibilityMode="Framework20SP2">
Reason May be - The website where cookie getting created is developed using .NET Framework 4.5. The provider where we reading the cookie is Framework 3.5. Is this may be the cause? OR Do we need config file for Provider project?
Updates - I have added machine key to Machine.config , but it still did not work :(
Alternative Solution
Add App.config to class Library
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<!-- ... -->
<add key="SecurityKey" value="somevalue"/>
<!-- ... -->
</appSettings>
</configuration>
Copy config to GAC
Follow this blog - http://techphile.blogspot.in/2007/02/2.html
Encrypt the value (refer here) and create custom cookie during Login
Use the Decrption logic inside custom rewrite provider
The good thing about this is that the error is a general decryption error and not one with URL Rewrite itself, so that gives you a wider area to search for help. The mechanics of URL Rewrite seem to be right.
Decrypting means that it must be encrypted by the same method as you're decrypting it. So it has to be the right cookie and the right decryption method.
Since you're not checking which cookie that you're reading from, you could get unexpected results if the wrong cookie is first in the list of cookies.
Here are some steps that I recommend to troubleshoot this:
Create a simple URL Rewrite rule that will give you the value of your cookie. I created a rule to do that in my example below. You can test it by going to yoursite.com/getcookie. It should redirect to yoursite.com/?Cookie={cookievalue}
Then you can test your code outside of the URL Rewrite provider. You can create a simple console app or winforms app to test the rest of the code.
I recommend adding a check for the existence of the cookie and then a check again for the 2nd value. For example: if (cookievalues[1] != null).
When developing the decryption method, you don't have to worry about URL Rewrite. As long as it works in a test app in .NET then you should be set.
<rule name="Get cookie value" stopProcessing="true">
<match url="^getcookie" />
<action type="Redirect" url="/?Cookie={HTTP_COOKIE}" appendQueryString="false" redirectType="Found" />
</rule>
I can trying to set an authentication value just for testing purposes.
I am not using basic authentication but just a String
VC.Request.Headers.Authorization = new AuthenticationHeaderValue("Secret Password");
It gives me this error that is making me pulling my hair off:
The format of value 'Secret Password' is invalid.
Again I don't want to use basic authentication and I don't know whats wrong, help?
The class is "documented" as:
Represents authentication information in Authorization, ProxyAuthorization, WWW-Authneticate[sic], and Proxy-Authenticate header values.
By calling the constructor with one parameter, you're using "Secret Password" as scheme, which can only contain tokens (i.e. no spaces). See RFC 2617 for specification.
You might want to call the other constructor overload:
new AuthenticationHeaderValue("MySuperAuthScheme", "Secret Password");
I think basic authentication generally uses a username:password syntax, so the client-side code might be pre-validating it to stop you sending "bad" data mistakenly to the server, even though that's what you're intentionally trying to do. Try adding a : and see if that helps.
I have a web portal on which I have applied Url rewritting using rewriteModule.dll.
I have define a rule like
<rule source="Voices" destination="Others/MyVoices.aspx"/>
It runs successfully.
But In my admin login I have a page named DefineVoices.aspx [In admin login I have not applied rewritting], when i have called DefineVoices.aspx then Url is converted into
/Admin/DefineOthers/MyVoices.aspx.aspx
Please give me a solution without chage in my current url rule...
You have to change your url replace algorithm because you might be using direct string replace. Which causing the url
/Admin/DefineVoices.aspx
to
/Admin/DefineOthers/MyVoices.aspx.aspx
In your rule you have specified a rule that replaces the word Voices to Others/MyVoices.aspx.
I would recommend to update your replace alogirthm and use Regular expression properly and only replace part of url not words.
e.g. exact word /voices to /Others/MyVoices.aspx