UI page custom login and redirect

Bernie
Giga Contributor

Hi, I am working on configuring a UI page as a custom login into our application and am struggling for results. My UI page loads, accepts data, and then only refreshes. I grab the input data and store it with my client script, then call a script include in order to decrypt the password, and then I'd like to just check that the decrypted pass is the same as the input pass and finally redirect to our page if it is confirmed. However, I seem to be having trouble with the script include. I cannot even verify that the script include is being called or run, as no matter what I try I do not have access to anything within the class at any point, it seems. The HTML is onclick=validate().

Most of the elements work; I'm just running into problems with the script include, and I have tried a wide variety of random solutions to try to get it to work, and none of them have even been consistently failing right.

Not yet concerned about the redirect, just struggling mostly on getting the pass decrypted through the include.

 

[Screenshot: script include]

[Screenshot: client script]

 

1 ACCEPTED SOLUTION

Markus Kraus
Kilo Sage

I am not 100% sure what you are trying to achieve, but if you want to make this page public (accessible by not-logged-in users) you have to make the following adjustments:

  • Add the UI Page to the public pages (sys_public.list)
  • Add the following to your script include
    isPublic: function () {
      return true;
    },
  • The GlideRecord calls in the Client Script will afaik not work if you try this for an unauthenticated (not logged in) user. 

Instead, consider doing the whole authentication check inside your script include (adjust credentialTable/userNameField/passwordField in the initialize according to your needs):

var passwordDecryptor = Class.create();
passwordDecryptor.prototype = Object.extendsObject(global.AbstractAjaxProcessor, {
	
	initialize: function(request, responseXML, gc) {
		global.AbstractAjaxProcessor.prototype.initialize.apply(this, arguments);

		this.credentialTable = 'x_772220_mcp_porta_sla_user';
		this.userNameField = 'username';
		this.passwordField = 'password';
	},
	
	validate: function () {
		var credGr = new GlideRecord(this.credentialTable);
		credGr.addQuery(this.userNameField, this.getParameter('user_name'));
		credGr.setLimit(1);
		credGr.query();
		if (credGr.next()) {
			var password = this.getParameter('password') || '';
			if (credGr[this.passwordField].getDecryptedValue() == password) {
				return JSON.stringify({ success: true });
			}
			
			return JSON.stringify({
				success: false,
				message: 'Invalid password'
			});
		}
		
		return JSON.stringify({
			success: false,
			message: 'Unknown user'
		});
	},
	
	isPublic: function () {
		return true;
	},

	type: 'passwordDecryptor'
});

And this is the client script in the UI Page (replace user_name and password with user/pass - just according to your needs):

function validate() {
	var ga = new GlideAjax('passwordDecryptor');
	ga.addParam('sysparm_name', 'validate');
	ga.addParam('user_name', gel('user').value);
	ga.addParam('password', gel('pass').value);
	ga.getXMLAnswer(function (response) {
		response = JSON.parse(response);
		if (response.success) {
			alert('User name and password are valid!');
		} else {
			alert(response.message);
		}
	});
}

I'm not a crypto expert, but please consider this Challenge-response-authentication to safely transmit passwords (and this only requires you to store a hash of the password).
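The validate logic from the answer above, hardened for a page that is reachable without login, as an added example that is not part of the original answer and is not ServiceNow code: it stores a salted scrypt hash instead of a decryptable password, returns one message for every failure, compares in constant time, and throttles repeated failures. It is standalone Node.js; `credentialStore`, `hashPassword`, `isThrottled`, the limits and the sample user are assumptions made for illustration.

```javascript
// Added example: standalone Node.js sketch, not ServiceNow or thread code.
const nodeCrypto = require('node:crypto');

const GENERIC_FAILURE = 'Invalid user name or password';
const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;
const failures = new Map(); // user name -> { count, since }

// Only a random salt and the scrypt output are stored, never a decryptable password.
function hashPassword(password) {
	const salt = nodeCrypto.randomBytes(16);
	return { salt: salt, hash: nodeCrypto.scryptSync(password, salt, 32) };
}

// Constructed sample store standing in for the credential table.
const credentialStore = new Map([['alice', hashPassword('correct horse battery staple')]]);
// Checked when the user is unknown, so both failure paths cost the same.
const DUMMY_RECORD = hashPassword(nodeCrypto.randomBytes(16).toString('hex'));

function isThrottled(key, now) {
	const f = failures.get(key);
	if (f && now - f.since >= WINDOW_MS) {
		failures.delete(key); // window expired, start counting again
		return false;
	}
	return Boolean(f) && f.count >= MAX_FAILURES;
}

function validate(userName, password, now) {
	now = now === undefined ? Date.now() : now;
	const key = String(userName || '');
	const record = credentialStore.get(key);
	const target = record || DUMMY_RECORD;
	const candidate = nodeCrypto.scryptSync(String(password || ''), target.salt, 32);
	// Constant-time comparison; both buffers are 32 bytes.
	const matches = nodeCrypto.timingSafeEqual(candidate, target.hash);
	if (!isThrottled(key, now) && record && matches) {
		failures.delete(key);
		return JSON.stringify({ success: true });
	}
	const f = failures.get(key) || { count: 0, since: now };
	f.count += 1;
	failures.set(key, f);
	// One message for every failure: unknown user, wrong password, or throttled.
	return JSON.stringify({ success: false, message: GENERIC_FAILURE });
}
```

Failures are counted for unknown user names as well, so the throttle itself does not reveal which names exist.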

 


15 REPLIES

Bernie
Giga Contributor

Note: normally I try to run an alert for decryptedpassword that returns null 1 out of every 100 times, otherwise just a page refresh.

Ankur Bawiskar
Tera Patron

Hi,

Script include is server side, so you cannot use alert() there to debug.

Replace alert() with gs.info() to confirm if the script include is being called or not.

Regards
Ankur


Thank you for this. However, running gs.info returns no results. At this point I seem to be unable to confirm the script include is being called at all; if you have any debugging suggestions I'd be greatly appreciative.
