I have created an application using spring boot that uses angular for the front end and is a basic login portal with encrypted credentials and click verification, what I want to do is have like when someone visits the IP of the server it gets the angular portal, when it's a domain name, it actually pulls up that website. I want to program this to happen either in java or angular to request the resource from java. How would one go about implementing this? I know how to have java handle http requests and actually get the html to the browser... What I don't know is how to do that while using the angular front end to act as my control panel.
Here is my goal, user types in the Servers IP, which could be changed, "0.0.0.0" to the port that I specify which would be 8080 it brings them to my login page which is the angular front end. once they are authenticated it goes into the dashboard Control Panel to Manage the server, Ip's, etc. However if a user types in "Example.com", even if they type in port 8080 I want it to pull up the Index.hmtl File of "Example.com" not the Angular Cpanel. this would be an actual website with many pages and so on. the Angular portion is really just for server management changing files, updating Emails, and so on. Not sure this has ever been done before in the likes of java, I really just need to have the java App do one thing if its the IP and another if It's a Domain Name.
Update 03/24/22:
Ok after further Research I am trying to achieve something like a Webmin, Plesk, cPanel esk type application. A user could make their website and such with the control panel which I was going to Use Angular combined with Spring boot. those applications will only bring up the login screen if you type in the IP and the specified port, else they are going to load the records and the sites that are required based on what the User has typed in, I don't know if this needs to be Angular passing a String to the Backend with a URL if the URL does not meet the criteria for the login screen to appear, or if there needs to be a different approach here.
Ok, so I have found the answer I am looking for is through a proxy, you can get the domain name from the answer in this solution. It seems that what I was looking for in this case is a proxy which is defined in Angular's Documentation here. Once you have these two put together, you can then pass the base URL or really the Entire URL Back to the Spring Boot backend to request the requested resource, however by using the proxy it seems this would not be needed and would just need the Backend to be able to handle requests as they are redirected to the Backend, which would then be passed back to the front end to put together for the client. building an httpserver is done by using this class and can be combined with some others to actually give the requests back to the angular application to then give back to the client.
Related
what I want to do is to build a web application(proxy) that user use to request the webpage he want and
my application forward the request to the main server,
modify HTML code,
send to the client the modified one.
The question now is
How to keep my application between the client and main serevr
(for example when the user click any link inside the modified page-
ajax request - submit forms - and so on)
in another words
How to grantee that any request (after the first URL request) from the client sent to my proxy and any response come first to my proxy
The question is: Why do you need a proxy? Why do you want to build it - why not use already existing one like HAProxy ?
EDIT: sorry, I didn't read your whole post correctly. You can start with:
http://www.jtmelton.com/2007/11/27/a-simple-multi-threaded-java-http-proxy-server/
If the user is willing to, or can be forced1 to configure his clients (e.g. web browser) to use a web proxy, then your problem is already solved. Another way to do this (assuming that the user is cooperative) is to get them to install a trusted browser plugin that dynamically routes selected URLs through your proxy. But you can't do this using an untrusted webapp: the Browser sandbox won't (shouldn't) let you.
Doing it without the user's knowledge and consent requires some kind of interference at the network level. For example, a "smart" switch could recognizes TCP/IP packets on port 80 and deliberately route them to your proxy instead of the IP address that the client's browser specifies. This kind of thing is known as "deep packet inspection". It would be very difficult to implement yourself, and it requires significant compute power in your network switch if you are going to achieve high network rates through the switch.
The second problem is that making meaningful on-the-fly modifications to arbitrary HTML + Javascript responses is a really difficult problem.
The final problem is that this is only going to work with HTTP. HTTPS protects against "man in the middle" attacks ... such as this ... that monitor or interfere with the requests and responses. The best you could hope to do would be to capture the encrypted traffic between the client and the server.
1 - The normal way to force a user to do this is to implement a firewall that blocks all outgoing HTTP connections apart from those made via your proxy.
UPDATE
The problem now what should I change in the html code to enforce client to request any thing from my app --- for example for link href attribute may be www.aaaa.com?url=www.google.com but for ajax and form what I should do?
Like I said, it is a difficult task. You have to deal with the following problems:
Finding and updating absolute URLs in the HTML. (Not hard)
Finding and dealing with the base URL (if any). (Not hard)
Dealing with the URLs that you don't want to change; e.g. links to CSS, javascript (maybe), etc. (Harder ...)
Dealing with HTML that is syntactically invalid ... but not to the extent that the browser can't cope. (Hard)
Dealing with cross-site issues. (Uncertain ...)
Dealing with URLs in requests being made by javascript embedded in / called from the page. This is extremely difficult, given the myriad ways that javascript could assemble the URL.
Dealing with HTTPS. (Impossible to do securely; i.e. without the user not trusting the proxy to see private info such as passwords, credit card numbers, etc that are normally sent securely.)
and so on.
I have a web app which uses spring security basic authentication .
So now if i hit the url.. server sends a 401 and my browser show the username/password popup.
Every thing is fine.
But now i want that a user can login and can change the access as anonymous i.e.
If now user hit the url he/she will be directly able to see the content without 401 or a redirect
How to do that since xml is hardcoded ?
Not sure if I got it right but what you want can be done with separating your "dynamic part" into some URL subtree (i.e. "/dynamic/**") and permitting everyone to access this part with single filter rule.
I have an application deployed on a Weblogic domain which gets a request from the browser for login.
The actual login process occurs on a SECOND Weblogic domain which resides on the same machine.
I need the following:
- Identify on the first domain that a call was made for login.
- Forward the login request to the second domain.
- Send the response from the second domain to the first one so it will continue the process; e.g. if the user was authenticated successfully, then need to open a session for him, return a response to the browser etc.
NOTES
- I assume that I should use filter in web.xml for identifying that a login request has arrived and if I'm right I would like to hear how it connects to the call to the second server.
- I'm interested in how to implement the communication between the 2 domains.
- How would you prevent fake "successful authentication" calls to the first domain; i.e. I want to make sure that if my first domain got a successful authentication call then I want to be sure that the call indeed passed through the authentication server, (i.e. the second domain).
I would appreciate any idea or help on this, Thanks !!!
Well,I have two ideas,just for your own consideration!
First,just use digital certificate to sign the request,for webserivce https is the option,this is the common way to deal with fabrication problem.
Second,Implement your custom security provider is a more standard way than do it in the filter,it's typcially a JAAS LoginModule implementation,which call the webservice on the second domain for authentication.By this way ,authentication is delegated to weblogic server and the application for on first domain has loosely coupled with the second domain.
By the way, check the weblogic documentation for detail of how to implement a custom provider,this is for weblogic version 10.3.2
Developing Security Providers
I am building a web application using Spring framework that requires users to make a payment. When the user posts a form, it redirects to Hp's payment website and processes the payments there before returning to my application. This method however leaves my applications vulnerable to security threats and form manipulations.
I now want to post the form to my server, validate users inputs and if necessary post data to hp's web server. I have already written a java code for posting a form from my code and getting the response back into a file from hp's site but am unable to figure out how to redirect the user to the hp website using the java form post. Can someone please help? I am new to Spring so am open to suggestions that would help me accomplish this task either using this method or another way to do so.
Thanks
Obviously you need to perform the redirect on the server side, not on the client side. Redirection is basically returning HTTP 302 with Location header pointing to new location. When browser receives such response it opens the URL in question rather than rendering the response like it is with 200.
If you can receive and validate your form all you have to do is send the redirect back to the browser. I don't know which web framework do you use. In servlets you simply say:
response.sendRedirect("http://www.example.com/payment/...");
In spring-mvc return the following string from your controller as opposed to a view name:
return "redirect:http://www.example.com/payment/...";
I have a design like that:
There is a core part runs Spring on it with REST.
There is another part which has a Tomcat Server and has just HTML files(not jsp or anything else.) So if I want to change a page at tomcat side there is no need to restart application also design and code part separated. Let's accept that I am listing users at my web side(tomcat side). Then my web side makes a GET request and response comes as JSON. PUT, DELETE and POST happens with same methodology.
I have 2 security problem at this point.
First, When a user wants to see an URL at server side how I will check authorization and authentication? And how can I limit an authorized person to get my web page with a too wget?
Second, How can I hide my REST URLs. For example if a user debugs my JavaScript code he/she will see that I am making a DELETE request to an URL with some parameters so he/she will try to do the same(or can make thousands of GET request to my core server if learns the URL)
Thanks for advices.
Firstly, why do you use Tomcat to serve static files ?
The approach I would take is this one:
use a static server to serve static files (apache, lighttpd, nginx).
This server will do authN and authZ (using an LDAP directory e.g. or any other suitable auth backend).
AuthN is done using scheme like Http Basic + SSL, Http Digest, WebID, ...
This is a solution to your 1st problem
Configure the static server to reverse proxy your app server and use the same auth rules.
URI are not "hidden", but they are no more accessible to anyone. Since the user is already authenticated to the static page, no auth should be necessary to request "rest uri".