Two-Factor authentication

Hi

I have followed the example as described in post Two-factor authentication - CUBA.Platform and have got the sample app working fine.

I am trying to implement the same logic within my existing project (although I changed doLogin(String login, String password, Locale locale) to doLogin(Credentials cred)), and everything seems to work with the exception of the following code within the doLogin function:

    // Loads the extended user entity by login. ExtUser is the extension of the
    // platform sec$User entity, so the query is written against sec$User and the
    // platform returns ExtUser instances for it.
    ExtUser user = dataManager.load(LoadContext.create(ExtUser.class)
            .setQuery(
                    new LoadContext.Query("select u from sec$User u where u.loginLowerCase = :login")
                            .setParameter("login", ((LoginPasswordCredentials) cred).getLogin().toLowerCase())
            )
            .setView(View.LOCAL)   // View.LOCAL ("_local"): local attributes only, no references
    );

This always returns a ‘user’ value of null within the ext-login screen. I have tried the code on a different page within the project on a button click, and it returns the value as I would have expected. I have also tried a different (working) LoadContext.Query for a different entity, and this also returns null within the doLogin function of the ext-login screen.

Is there something I am missing with the ext-login screen to enable this query to work?

Thanks in advance

David

Hi,

If a user is not logged in, the system uses an anonymous session with very limited permissions. If you want to load data on the login window, you should grant permissions on the required entities to the Anonymous role.

Hi,

According to your description, it seems that you might need to include proper authentication, something like:

    authentication.begin();
    try {

        // your code here

    } finally {
        authentication.end();
    }

I’m not sure that it would work, as I’m unaware whether it is on the UI or the middleware.

The Authentication bean works only on the middleware, not in the UI.

The code could then be placed in a login service bean, right? That way it would be on the middleware.

Yes, the right place for custom authentication is AuthenticationProvider, but sometimes we need additional logic in the UI (for instance, for social networks).
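The pattern the replies above describe (the Authentication bean wrapping the lookup inside a middleware service, with the login screen calling that service instead of DataManager directly) is shown below as an added example; it is not code from the original thread, the linked 2FA post, or the CUBA Platform itself. It assumes CUBA 6.x APIs (com.haulmont.cuba.security.app.Authentication, DataManager, LoadContext, AppLoginWindow with doLogin(Credentials)), an ExtUser entity extending sec$User, and a hypothetical ExtUser attribute twoFactorEnabled; the service name "app_LoginLookupService" and the class names are also assumptions. Each piece belongs in its own file in the module named in its comment; they are shown together here for reading. Because the lookup runs under a system session obtained from the Authentication bean, the Anonymous role needs no read permission on the user entity, and only a boolean (not the entity) crosses to the UI.

```java
package com.company.app.service;

import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.LoadContext;
import com.haulmont.cuba.core.global.View;
import com.haulmont.cuba.security.app.Authentication;
import com.haulmont.cuba.security.auth.Credentials;
import com.haulmont.cuba.security.auth.LoginPasswordCredentials;
import com.haulmont.cuba.security.global.LoginException;
import com.haulmont.cuba.web.app.loginwindow.AppLoginWindow;
import org.springframework.stereotype.Service;

import javax.inject.Inject;

// global module: service interface visible to both web and core
public interface LoginLookupService {
    String NAME = "app_LoginLookupService";   // assumed service name

    /** True if the account exists and has the second factor enabled. */
    boolean isTwoFactorRequired(String login);
}

// core module: the lookup runs on the middleware under a system session
@Service(LoginLookupService.NAME)
class LoginLookupServiceBean implements LoginLookupService {

    @Inject
    private DataManager dataManager;

    @Inject
    private Authentication authentication;

    @Override
    public boolean isTwoFactorRequired(String login) {
        if (login == null || login.isEmpty()) {
            return false;
        }
        // begin() puts a system session into the security context, so the
        // query is not subject to the anonymous session's entity permissions.
        authentication.begin();
        try {
            ExtUser user = dataManager.load(LoadContext.create(ExtUser.class)
                    .setQuery(new LoadContext.Query(
                            "select u from sec$User u where u.loginLowerCase = :login")
                            .setParameter("login", login.toLowerCase()))
                    .setView(View.LOCAL));
            // Return only the decision, never the entity: nothing about the
            // account beyond this flag reaches the not-yet-authenticated client.
            // getTwoFactorEnabled() is a hypothetical attribute on ExtUser.
            return user != null && Boolean.TRUE.equals(user.getTwoFactorEnabled());
        } finally {
            authentication.end();   // always clear the system session
        }
    }
}

// web module: the extended login screen calls the service instead of DataManager
class ExtAppLoginWindow extends AppLoginWindow {

    @Inject
    private LoginLookupService loginLookupService;

    @Override
    protected void doLogin(Credentials credentials) throws LoginException {
        if (credentials instanceof LoginPasswordCredentials) {
            String login = ((LoginPasswordCredentials) credentials).getLogin();
            if (loginLookupService.isTwoFactorRequired(login)) {
                // second-factor prompt goes here (not part of this example)
            }
        }
        super.doLogin(credentials);
    }
}
```

The return value is deliberately a boolean computed on the server. Even though the Web Client keeps entities server-side unless they are displayed, a service that hands a user entity to an anonymous login screen widens what that screen can do; a yes/no answer keeps the login window's reach to exactly the decision it needs. Note that a boolean still reveals whether an account has 2FA enabled to anyone who can submit a login name, so the second-factor prompt should behave the same whether or not the account exists if that enumeration matters in your deployment.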

Thanks both for your super quick responses.

I’ve managed to get it working by allowing anonymous permissions against the entity.

Yuriy - please can I just check that I’ve done this the correct way by:

  • Login to cuba App
  • Go to Roles
  • Select Anonymous
  • Under Entities Tab. Add read access to the Ext$User entity

It works, so I assume I’ve done this correctly, but it would be nice to get some reassurance that this is the correct way.

Thanks in advance.

David

Yes, that is the correct way to set permissions. Do not forget to include them (SQL inserts for the Anonymous role) in the 30.create-db.sql script, in case you create the DB from scratch.

It is a very practical solution, but it undermines the change that was made in one of the latest platform updates to prevent the anonymous user from being misused to retrieve information from the backend. I don’t know if that’s of any concern, but as you aim for 2FA I do think it is something to consider.

Correct Yuriy?

It is not the case for the Web Client: all the code is still executed on the server side, and if you do not show data in the UI then it is not sent to the web browser.