I am trying to implement form authentication in my ajax application.
The problem I have is that when the session expires I get 302 code which redirects me to a login page I specified in web.xml (and it messes everything up refreshing the whole app to login page).
What I want to do is to get a "not authenticated" (401) code, then display the login form in a popup window and when the login is successful continue with what I was doing.
here is a picture of what is going on:
and the docs
http://docs.oracle.com/javaee/1.4/tutorial/doc/Security5.html
basically, I want to display the popup instead of redirect to login page and then don't do the redirect to the resource but do my update in AJAX way.
From what I understand it couldn't be done only on the client side since the redirect can't be avoided (see here: redirect info), I would need to write some kind of logic on the server to prevent redirect, see here for detail about doing it in IIS: IIS implementation
P.S. So far this: http://www.oracle.com/technetwork/articles/entarch/session-lifecycle-096133.html looks like the most promising way to implement it. The class is deprecated, but I can't find the new one and think it's the only way to do it for Weblogic.
This is not an easy way but still it works
You have a form in your page which is filled by the user.
User clicks submit button.
An ajax request is sent to the server.
The server side implementation can check whether session exists or not. and accordingly you can send a response code 401..(response.setStatus());
This 401 can be checked in client side using ajax --- xhr.status
If response is 401 you can show the login form and hide the current form. using js and css.
User fills in the login details and clicks submit..
You can do the same server side check and client side check for the status of that login request.
if login is successful then you can you can submit the first form using ajax or js..
You may need to use servlet authentication filters as described in weblogic.xml Deployment Descriptor Elements
Below tutorials may help you:
oracle Servlet Authentication Filters
Using servlet filters for user authentication
Writing Servlet Filters
You could use a heartbeat checking with an ajax request to your server to any resource that needs to be authenticated to get it.. if you cannot receive this resource so means that youre not logged in.. so you could send another authentication request an go on with your rendering..
see this article.. http://ajaxpatterns.org/archive/Heartbeat.php
so your checking routine of authentication would be implemented..
You need to push to page and not poll. So you need Strophe and your session handler connected. When session expires signal is sent to Strophe instance that is running in your web app and after that it is easy to do popup or whatever.
For all real time stuff I am using Strophe!
This is book on this metter and this is link for Strophe, also this is link of php xmpp class.
It will take you couple of days to figure out this but it is couple of days well spent!
If you read carefully book and go to examples, with just basic javascript/jquery understanding you will be able to develop powerful web apps.
I know you're trying to do FORM authentication with you ajax application but is it really needed?
BASIC authentication works simpler and transparently for ajax requests as it is handled by the browser, not by your app. But I admit/understand that a popup is ugly.
Related
I'm currently playing around with a KnockoutJS SPA template in ASP.NET Core 2.1, and I managed to implement an authorization flow exactly as this one which was made in Angular:
https://fullstackmark.com/post/13/jwt-authentication-with-aspnet-core-2-web-api-angular-5-net-core-identity-and-facebook-login
As you can see in their User front-end service, basically the only check for whether the user is logged in on the client side is the check if the "auth_token" key exists in the client's local storage:
https://github.com/mmacneil/AngularASPNETCore2WebApiAuth/blob/master/src/src/app/shared/services/user.service.ts
this.loggedIn = !!localStorage.getItem('auth_token');
// ?? not sure if this the best way to broadcast the status but seems to resolve issue on page refresh where auth status is lost in
// header component resulting in authed user nav links disappearing despite the fact user is still logged in
Simply put, anyone can open up the browser local storage and insert a random string with the "auth_token" key and they'll be able to see everything admin-related in the UI (even though they will fail on API requests).
Can someone suggest a better flow for this? Or is the only option to send a "log in request" to the API, whenever an admin page is "opened"?
P.S. I am relatively new to the authentication schemes front, should JWT perhaps not be used for client-side content validation?
Considering JWT best practices, all your validations should be done in your back-end, since any validation coded in your web app could be read by any of your clients, resulting in a huge security flaw: anyone would know how to create a valid JWT for your application.
Is it a big problem to be possible to see your admin-related UI, even without any data? Considering that all of the routes which can return sensitive data are protected by JWT authorization, if a user access any pages or parts of your UI which require data, they would trigger a request to retrieve it, which would probably return a 401 (Unauthorized) HTTP status, or similar. A common front-end practice in these situations is to erase client user data, and redirect to a login page.
So, a typical flow would be:
User inserts a fake access token into their storage
User opens an admin page/ui which uses sensitive data in any way (showing, using for any internal logic, etc)
Web app does a request to the API requesting data
API returns a response which will be interpreted as an authorization error
Web app receive the API response, erase user access token and redirect them to its login page
In most cases, this entire flow will happen fast enough to block your user to further interact and explore your web app.
Would be better if you provide more information about your scenario, so anyone could understand if your worries are something that needs to be considered and truly solved. However, in most cases, the behavior above is accepted.
I've been reading up on token based authentication for a project that's part of my trainee-ship. My task is to implement some sort of user authentication and we've settled on token based authentication.
Now I get the basic principles, like passing the token in the xhr header for xhr requests. But I do not understand how you would pass the token on an initial page call.
Let's say we're working on a single page application with a navigation bar that has a login button for users that are not currently logged in, and a profile button for users that are logged in.
Seeing as that navigation bar is delivered on the initial call of the website, how do I know how to serve the right button to the user? From what I can gather I can pretty much only authenticate on xhr.
Do I have a misunderstanding about token based authentication?
A little clarification:
Assume a User already is logged in and has received a token from the Server.
He then closes the Tab and later goes to my app again.
At this point, server-side I do not know the user, as I could not have sent the token at the initial request.
A coworker suggested using AngularJS' onload to send the token after the initial page load to verify and get my JSON data from the server, which is then used to create the app with Angular
Also the point of the project is to not use an existing library like JWT, so I can actually grasp the concept and the inner workings of such mechanisms.
I want to send a request (or any response or notification) from the server side to the browser without a browser request to the server.
I use JSP and the Struts framework in my Java EE application. When some one is on my page, and when some processing in done in my action class/servlets, I want to send a notification or message or request to the browser to be appeared on the page. Here the relevant page cannot be refreshed or reloaded and it may be handled on the browser side with javascript or jquery. I use Http.
Is there a way to do this?
EDIT: Example: The application is an online inventory system. An Admin has logged in. If one of the items is out of stock, the admin should be notified saying that that particular item is out of stock without the admin searching the stores and do nothing (when he is on his account page, a pop up may be displayed to him).
I am not so sure what you meant but according to my understanding you can do this.I guess Comet is the thing you are looking for.Comet is the technique where in server pushes the data to the browser.
Try Pushlet concept which might address your requirement
http://www.javaworld.com/jw-03-2000/jw-03-pushlet.html
I want to learn what is the best practice to check login status at client side. What I am trying to do is checking user's login status and if he is not logged in open popup box (login box) using JavaScript.
I can think of 2 options
Make an AJAX call to server and get the login status.
Have a variable in your HTML page and check this variable with
JavaScript at client side. Of course I do not trust this check, I
still have all the necessary checks in my controllers at server
side.
Option 1 is good but it can add some latency/delay so it may not be the best option in terms of user experience. Or am I wrong, with a good server (I am planning to use amazon web services) this delay will be so minimum and user will not understand it (Question may look silly but this is my first web development so please be understandable :))
I can't see any problem with option 2, please correct me if I am wrong. As I said I am trying to understand the best practice.
The best way to avoid server hit/network latency as well; You can put a client variable which has the login status (as you said in your question), but main thing to avoid server hit and network latency (AJAX), You just use the same logic which is at server side to set the login status as false. Suppose say the logic is to sety login status to false after 5 minutes of inactivity, You can do the same at client side as well.
So overall I mean to say is, Implement the same logic at client end to set the login status false. and based on that you can show your login dialog immediately with any latency. And in BEST PRACTICE you should always do double verification i.e. at server end on each and every requests for authenticated stuffs you should check that the client login status matches the server login status, since the client's login status can be tampered one.
Good Luck... Happy exploring :-)
Option 1 seems the best, how can you otherwise know if the cookie you save the user id in was not tempered with?
As far as I know the best practice is to add a hash to the cookie (you can see google doing that in their cookies), and then use that to check if the data in the cookie is valid on the server side, using a secret and or salt.
http://en.wikipedia.org/wiki/Hash_function
http://en.wikipedia.org/wiki/Salt_(cryptography)
what you could do anyway though is check if a cookie exists with userid in your client side javascript, and if not, then send the user to the login page.
https://developer.mozilla.org/en-US/docs/DOM/document.cookie
that way you don't need a server round trip for obviously logged out users.
However, can't you on the first request the user makes to your serveralready do the checking? and if the user is not logged-in respond with the login page?
I'm building a Single Page Application, read that login page should not be on the same page. Should I have login as a separate html page, or can I have login also in the same page.
If I have login as a different page, depending on the first page that I load should have to redirect to the other in client side.
ie suppose I load the SPA first, and if the user is not logged in, I've to redirect to login page in client side. and suppose I load the login page first, and the user is already logged in, I've to redirect to SPA in client side.
What is the general solution for this problem?
I'd put login and verification in a separate page and then use ajax to make the calls.
User access index-file.
Index-file makes checks with server-side page to see if user is logged in or not.
Page displays content depending on if the json answer from the server-side page was true or false.
Then I'd do the same for logging in.
User provides login information
Checks with server-side file through ajax and json.
Page refreshes if succesful or throws error response if it's not.
The bottom line to my answer is that when creating single-page applications, ajax is the way to go. However, since you havent provided what language you're using, i'm unable to give you a more detailed answer.
Client side single page handling logins and content selection however is very bad practice and should be avoided all-together because of their lack of security (I cant stress this enough) since all elements will be available even to anonymous access and DOM manipulation will enable an unauthorized user to access restricted content. You'll have to use ajax to do backend serverside authorizations - as mentioned, as well as serverside code on the SPA that present different content depending on your authorization status.
The scenario you describe need to have server-side code for selecting what content to present and client-side code together with ajax for implementing features on the SPA.
What you CAN do however, is to - when for example pushing the login button - calling another file with ajax, remove the content of the wrapper div and append the ajax response to that div. Then you'll avoid client side redirections all together.