I have a Java Spring REST back-end (#RestController) and using as security option Json Web Tokens(no session). At the front-end I want to use JavaScript (jQuery to send requests to back-end), Html.
So after login I save a JWT in browser and send it back in header with every request I make to #RestController.
My question is: How to navigate between pages (that are accessible only for authenticated users) from js? How #RestController will work in this case?
The #RestController handle the requests containing a path (the path of the request is not necessary to be the same with the path(URL) from front-end)
Solution (if you have a front-end server): When you try to reach a front-end URL you make a call to the server-side; if the response status is 200 the page can be displayed(with the body of the response if you send information); if the response is not you will stay on the home page, or you can redirect the user to login page...
Also check this : http://www.studytrails.com/frameworks/spring/spring-security-method-level/
Related
I would like to redirect from POST method to frontend page with HTTP status code 303.
Expected result is that browser after making POST request redirects to page specified in Location header.
Currently I am getting CORS failed error message and browser does not redirect to frontend page.
A redirect does not mean "Load this URL in the browser window". It means "You can get whatever you asked for here".
When you make an Ajax request using JavaScript, the response is provided to JavaScript.
If the response is a redirect, then the browser follows it automatically and provides the response to the redirect to JavaScript.
The URL you redirect to needs permission from CORS in order for the JavaScript to read the response.
Do not attempt to mix web services and regular page navigation
If you want to submit some data and load a new page: Use a form submission.
If you want to submit some data and handle the response with JS: Use Ajax.
I'm looking into what it would take to create a Single Sign On application that can be used for apps that consist of static clients paired with separate APIs.
My (probably incorrect) understanding is that the flow of such a service works something like this:
1
A user asks for a static HTML / JavaScript resource from domain A
2
As the browser loads the static resource (an HTML page with inline JavaScript), An XHR request is made to Server B. Server B is an authentication server - it will look for a cookie in the request from the HTML page (origin A), and if it doesn't find one / or if the cookie does not contain a valid token, then it will send back an error
3
The JavaScript on the HTML page will see either success or error. If an error, the user will be redirected to a login page associated with server B, and with a URL param redirect that will allow the login page on server B to redirect back to server A on successful login: server-b/login?redirect=server-a
4
Then once a user has logged into server B, the JavaScript on the login page for server B will trigger a redirect back to server A (and the same static website will be returned as a result).
Then, as the HTML page returned from server A is loaded again, the XHR request to server B will be redone, but with a successful authentication message this time.
Using this approach. I don't see how I can access the authentication token provided by a cookie for the domain server B from a resource served by server A. This means that making XHR requests to my API from my static web page that I can't pass the authentication result of my interaction with server B.
But I COULD give the static page (served from server A) access to the cookie if that cookie were present in the URL as a param when the redirection from server B occurs.
Is this an acceptable way of implementing SSO?
I use a JWT-token for authentication of users in my ASP.NET Core Web App.
The process of authentication has following steps:
Client send an ajax request to the server url with params login/password to get access token
Server get request and send a response with access token and token type
Client get server response and save token in a session storage to use token for requests later
When client has a token he should add token type and token to header of every request like the following sample (jQuery.ajax() headers section):
headers: { 'Authorization' : tokenType + ' ' + token }
Client redirects user from login page to main page. In JavaScript I can make it with the following code:
Code:
window.location.replace('[URL_TO_MAIN_PAGE_HERE]');
or
window.location.href = [URL_TO_MAIN_PAGE_HERE];
However I has a problem that I can't set a header for the request above.
How can I redirect user to main page after login if I use access token for authentication?
Additional info:
App is not SPA.
Once you save the token in browser's session/local storage, it will be available for any further "API" requests to the server. When you request for a page, by doing a server.transfer / request.redirect / location.href etc, you cannot provide custom headers of anytype.
So what's the available options.
Lets say post login, you redirect user to a page (using any of methods), which lists out some entities. The listing page does (or should do) an ajax request to the server (upon load, in the header script) to fetch the data. At this step, you can read the auth token and include in the request; which the server can validate.
Any subsequent requests will be done in same manner, whenever you request any resource, include the token in the http request.
If your API can return processed html, then you can do a GET request to that and pass the auth token, retrieve the html and include it within your page...
I have a cms, where am using laravel as web api, angularjs for requests.
I have an iframe where I call to services with a direct link and put it usig trusted src function.
The main problem is, I can not use a normal http post request and hide parameters, because using http request will return data, not file, and the report api returns in headers, an html file, pdf ... etc) so when i get result to the success of my http request, it won't download pdf file, it will show special chars
in the i frame am calling the api like this :
"localhost/api/getreportService/"+$scope.brandid+"&"+$scope.customerid"
but that's cannot be secure, is there any way to hide the request here from users?
ok, I found a solution, I called the api via http post request then I used $sce tustAsHtml for the response, with a ng-bind-html in my template and the result is good now, the report is showing in the div,
Now all is safe, the user needs a token to access the report, and that's impossible without a login.
I know this has been asked countless times, but none of the answers I found described the actual connection to backend.
I have a one-page JS app that communicates with small backend (Django) API. I use session based authentication. User info is cached on first load. If session expires, I need to change page header and flush user info from cache. However, most of my API resources are public and return always 200. Several other resources are private and return 403 if user isn't logged in, which is great as this gives me excatly the information I need. The problem is, some pages access public resources only. In case session is suddenly deleted on backend and user navigates to url that accesses only public resources, user info isn't flushed and I have an UX problem.
My initial idea was to request private user resource (let's call it /users/self/) on every url change which returns 200 in case user is authenticated and 403 in case they aren't. This however requires 1 extra request before every other request for each url change, which isn't really ideal.
Are there any easier techniques I could use in this case? I don't mind even switching to other type of authentication if that would solve the problem.
What i have done and seen for such scenarios is to use some type of http interceptor that intercept all http requests done by Angular and if it finds a response status of 401, such interceptors raise an event using $rootScope.
See one library here https://github.com/witoldsz/angular-http-auth
To use it, one needs to subscribe to the events raise using some type of root controller, which can redirect the user to login page.
See an example here https://medium.com/opinionated-angularjs/7bbf0346acec
Instead of sending a additional auth request, just check in your backend in every request, if the session didnt expire. If the user is not auth, then return a status code.
In angularjs we used a httpResponse interceptor, who intercepts every response and checks against this status code.
Your backend could add a header to the response if the user is still logged in, regardless if the requested resource is public or not. The client can then check the presence of that header and act accordingly.
On both sides this is done with some kind of filter or interceptor. In angular this would be a $http interceptor.
We at work do what others have already told you: use an HttpInterceptor.
We have every response sent from our backend structured in the same way: an object with two fields: a responseCode and the actual response. We vary the responseCode according to what happened in the backend, being success, security alert, or authentication required for that given action the most common cases.
Then the interceptor reacts in the appropriate way according to each responseCode we have defined. In the case of an authentication required, we redirect to the login page, you could do whatever you need. It's working great for us.