I have started to write a webApp in Eclipse where ECMAScript6 on the client (testing mostly on chrome on Win7) communicates with the server side written in Java7 on Jetty+GAEplugin via xmlHttpRequest (1 get request, user edits data, 1 post requests ). if it gets more I will move to webSockets).
The client code does not know anything about logins and provides neither user name nor password because as I understand, the browser and the user handle that. On the server side I response with 401 if basic authentication is missing.
But when testing, the browser does not ask the user for any password and does not send a second request (FF the same effect). No errors. Chrome development console claims that my
response.addHeader("WWW-Authenticate","Basic realm=\"bus driver\"");
did not reach it.
A subset of my targeted user baser does not have a google account nor FB nor twitter. So OpenId nor OAuth are of no use for that subset. OAuth doc says: " The user signs in using her Google account, .." . Any way I try to search, directs me to ways to store user data, but I have problems with the communication between browser and servlet.
I have read that I should edit web.xml, but I cannot see how to plug my home-built authentication into that. Web.xml would be okay for me because there will be about 3 pages sharing the same (*3roles=9pages).
My software should be up to date. Oracle claims that I should stop using Java 7, but I cannot get local GAE to run on Java 8 ...
Just testing on FF and looking for stupid errors I may have made last night. FF claims: InvalidStateError: An aatempt was made to use an object that is not, or is no longer, usable. Hmm seems that there is at least something wrong with my XMLhttpRequest (it worked in chrome at least without authentication). I could test GET with authentication but without ECMAscript... Still my main question remains, where is the example with old school authentication on the new kid, the cloud?
Logcat is empty. I have seen the logs getting filled in TomCat or for Android. I may have to dig into this.
Related
We are developing a Java application that is supposed to show models from users store.
initially, I'm trying to allow users to login using their autodesk account, and check if they are entitled to access my app.
I couldn't find any good example to show how it is done, I just want to confirm that what I will be doing is the recommended thing or if there is better options.
First, on app start, I will show an embedded webbrowser that will open
"https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=XXX&redirect_uri=XXX&scope=XXX"
the app will get the url from our server (so not saved locally) and the call back is pointing to an api on our server. then as user login and consent, will get the code from the url, close the login dialog and continue to get the bearer token using plain rest apis to /authentication/v1/gettoken.
As I said, not 100% sure if this is approved way or not or even if it is doable or not. so thought to check before we implement it.
After that I will just use rest apis to browse and get the model.
any thoughts or complains ?
Thanks in advance
Rest assured that the workflow being proposed here is actually orthodoxical and well “approved” by our official tutorials:
https://forge.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/
http://learnforge.autodesk.io/#/oauth/3legged/
Unfortunaly the code sample for that bit is in node and we are still working on a Java equilvalent
Some of our endpoints require 3-legged oauth to access personal data - see here for an example and you can always refer to the authentication context section of each endpoint for the oauth flow required.
I promised to do something, but my managers want assurance that it can be done. What seems like a simple task is surprisingly hard to find example of. It consists of:
The browser asks a Java servlet for access to a remote site.
The servlet opens a HttpUrlConnection to that remote site.
The servlet sends a login request to that remote site.
The servlet receives a login form.
The servlet populates the login form from user session data, then
POSTs it.
The servlet receives the "welcome" from the remote site, complete
with headers and cookies.
The request of step 1 is finally filled by the content, headers, and cookies from step 6.
I'm having trouble getting code examples, leading me to think that what I want to do can't be accomplished. Can someone point me to an example?
Thanks,
Jerome.
The main problem is the domain of the session cookie.
More accurately, the question is what you're planning next after step 7.
Say your servlet is at "https://mycompany.com/loginServlet", and the remote site is a toy store "https://toys.com". Were you hoping that after step 7, the browser could be redirected to "https://toys.com" and get a proper service befitting a logged-in user? This won't work because when the browser received a session cookie from "mycompany.com" (in step7), this cookie will be attached to further requests for "mycompany.com" - but not to "toys.com", it's a security feature for excellent reason.
In short, this approach might work if both the servlet and the toys site are on the same domain. Though it makes me a bit uncomfortable in terms of security and password management, but never mind.
Obviously this approach would also work in the (unrealistic) case of letting your server proxy all further requests from the browser to "toys.com", but that's unrealistic for a typical commercial site (due to relative/absolute links, ajaxes etc.).
If it's different domains, then I second the wise comment made by "Rahul B" above: please look into SSO, and/or check with "toys.com" what login mechanisms they offer - maybe they already have something like "login with google" that's convenient enough.
We are trying to use pretender.io to our application which developed in AngularJS, Spring and Hibernate konnectnow.com which hosted at amazon server.
Here are the steps I followed:
Signup at prerender.io and got token: cFeRZcsv3JnAftreuhMO
Checked documentation and understood that I need to install middleware and decided to use Spring one.
In web.xml added pom added as mentioned https://github.com/greengerong/prerender-java
Added !# to the URL in all the pages.
Restarted tomcat server.
Logged into pretender.io with login details and found that nothing getting crawl.
For testing purpose the url konnectnow.com/#!/planpage changed to konnectnow.com/?_escaped_fragment_=/planpage
Nothing comes up, got error page isn’t working.
Checked Crawl Stats at pretender.io and found that as:
Status Code: 505, Cache Hit: Miss, Response Time(sec): 1.51sec, URL:
http://localhost:8080/#!/planpage
Not sure why it takes local host.
Can some one help me how to make this work.
We recommend using html5 push state instead of the #! in your URLs if possible. Html5 push state is better since nothing after a # is sent to the server, which can lead to issues for the crawlers that are checked by their user agent (Facebook, Twitter, etc).
You should set the forwardedURLHeader in order to have the Prerender Java middleware use a different host for your website instead of your proxy URL.
https://github.com/greengerong/prerender-java#forwardedurlheader
I also see that you posted your prerender token publicly so we regenerated your token to prevent someone else from using it. Please find your new token when you log into your Prerender.io account. I've also emailed you there.
I am just getting started on automation of posting messages on FB fan page on behalf of Admin(For e.g. I run a code in eclipse and It should post message on page). I read couple of similar questions on stack overflow, went through docs on FB API's but seems I am lost in this vast sea. I have few doubts.
Do I need to create an APP on Facebook that would interact with it's APIs. Can I not directly interact with them in my code(Java)?
What's flow of request to post status? My code -> My FB App -> My page or My Code -> My FB page
I see two different types of authentication, Server side and Client side. Are they both required or I can choose one of them.
Any link to some sample code for this would be extremely helpful.
I need to present this in a competition and have got only 1-2 days and figuring out stuff is taking too much time.
Any help would be appreciated.
Thanks
1 You need a Facebook application through which you're communicating with Facebook. An app can request various permissions and when granted by the user, you can access the user's data or pages. Of particular interest will be the manage_pages permission (see an overview of permissions).
2 The basic steps are: The app requests permissions to do something, the user grants them and after that you obtain an access token which you can use to interact with the API. So initially, the flow is: your code > the app (and the user) > Facebook API. After that, it's your code > Facebook API (with the access token passed as GET parameter in the URL).
The above is if you're doing user related things. For pages, it works somewhat the same but you still need a user access token. If you have manage_pages permission, you can visit /me/accounts (with the user access token) and you'll get a response that contains a page access token. That token can then be used to perform actions on the page on behalf of that user. This only works if the user is an admin of the page.
3 I have only used client side authentication so far but it's also possible to do server side only. Some access tokens live longer than others. For example, a user access token is valid as long as the user is signed into Facebook. But other access token (such as for pages) live longer. You can then store the access token and use it repeatedly.
4 At the time of writing, I'm not familiar with Java libraries for the Facebook API so I can't help you here.
I want the user to be able to Single-Sign-On, i.e. once logged on as Windows User, all services offered by my application should be accessible without further authentication.
In order to authenticate the user I'm using JAAS (Java Authentication and Authorization Services), which is integrated in Java.
The Java API ships also with a several JAAS LoginModules. One of them is called NTLoginModule, which retrieves user information about the currently logged on Windows User.
Where does NTLoginModule retrieve
its information from?
Can I use the
information returned by NTLoginModule in order to authenticate - in a safe manner -
the current user?
Are there any security issues I have to know about?
Thank you in advance!
I cannot help with JAAS, last tyime I did SSO with NTML, it was based on jCIFS.
However, I'm replying on your third point: There are security issues with NTLM
NTLM is quite weak (even v2), and you should lock accounts after a given number of login failures (to avoid brute force attack).
NTLM cannot work other a firewall.
NTLM token cannot be trusted by a third party, leading to the double-hop problem. Your application cannot take the identity of the logged in user to call another NTLM-protected server (like a web service; a RSS feed; or any web resource).
NTLM is not supported by all browsers. Internet Explorer and Chrome works natively ; Firefox needs to edit a configuration for each targeted site ; Opera, Konqueror don't support NTLM at all.
As I said in the comment to rds' answer: "I learned that NTLoginModule is quite insecure. I was able to fake the returned username by replacing the NTUserPrincipal.class file in the rt.jar package and so I was able to return a bogus user name. So it's not suitable for any kind of authentication."
Additionally, by doing some researches I found out that NTLoginModule retrieves it's information from nt.dll, which is part of the Java native libraries for Windows. nt.dll uses advapi32.dll in order to retrieve the current's user information.