I am doing an incremental JSP --> Wicket migration. I had kept the JSP appliation and doing page by page migration. I gan go and return from JSP <--> wicket pages.But my problem is in JSP my logged in user credentials are stored in a Bean (UserBean,scope:session) and in JSP on each page I check logged in user from that bean.
But how can I get these informations in wicket? so that from my JSP page if a User is logged in, on wicket page load it can read that and set suer info so that my wicket log in page does not come.
my wicket page uses wicket-auth-role and checks with:
#AuthorizeInstantiation("ADMIN") public class HomePage extends BasePage {.....}
I have my own UserDetailsServcice and MyAuthenticationWebSession in wicket.
After some attempts and help from Don Roby, here I got userID from session in wicket:
final RequestCycle requestCycle = RequestCycle.get();
WebRequest wr=(WebRequest)requestCycle.getRequest();
HttpServletRequest hsr= wr.getHttpServletRequest();
AuthenticatedWebSession session = OrbitWebSession.get();
String username = (String)hsr.getSession().getAttribute("SessionUser");
Now,exactly where can I set username,password and call authenticate so that my page does not redirects to login page? Who calls authenticate() methods and how? I have tried onBeforeRender() method on my secured page,but it does not work. :(
More code specifically around the login process might help us make a more complete answer, but basically you have to get access to the normal servlet container session and thus to that bean from somewhere in wicket. Likely the best place to put that logic is somewhere in your MyAuthenticationWebSession, so that it knows the user is logged in.
To get at the servlet container session from wicket code, you can use
httpSession =
((WebRequest)request).getHttpServletRequest().getSession();
If at the point you're putting this in your wicket code you don't already have this WebRequest object (which is likely a ServletWebRequest object), you can get it from the RequestCycle:
RequestCycle requestCycle = RequestCycle.get();
Request request = requestCycle.getRequest();
authenticate is called by AuthenticatedWebSession during the login process. Unfortunately for you, most methods in the aforementioned class are marked final so it's a bit hard to customize.
What I think you should be able to do is to use the protected method signIn(boolean value) in the constructor of your own session. You get a Request there, from that you should hopefully be able to get your "SessionUser", then extract your User via your UserDetailsService, call signIn(true) and initialize the correct roles for that user. If signIn(true) is called, you shouldn't get a redirect to login.
Related
I have created a simple login page which in turn redirects to the list of file contents. I do have three separate servlets. LoginServlet, LogoutServlet and FileUploadServlet. Where the Login and Logoutservlet redirects to the main page. But the FileUploadServlet will display the page with the two text fields along with a file upload. When the user type the url with the FileUploadServlet name directly the page loads without logging in. How to restrict accessing this. Please help me.
You could use AuthenticationFilters in web.xml. Please add a filter and write a method to authenticate every request whether it is valid or not.
The session Attributes can be used for validation. Like, during login, the session attributes can be set if credentials are valid, and so when the next request is made, the session attributes can be sent along with the request, which can be used for authenticating it. If the request doesn't have that session attribute, you could just scrap that request.
I have created a basic spring security authentication using UserDetailsService and now I am able to validate user. However, I don't understand how to achieve below things:
Once a user is logged in, when next request comes how and where do I check if the request is coming from the same logged in user or other logged in user?
I know the concept of Spring interceptors where I can intercept all incoming request. But is there something in spring security that does this?
How can I start a session after logging in and store values in session for that user?
I browsed through existing answers but most of examples are for logging in.
I would appreciate if someone can give me examples.
EDIT:
I think I should use session scoped beans in order to maintain user's session contents rather than manipulating httpsession directly.
I think you really need to spend some time reading the Spring security documentation and over all JSP, servlet and MVC architecture. You have several misunderstandings,
After authentication, you don't need to start a session it was already there when the request came. Remember request.getSession()we get the session from the request and I am really NOT aware of any other way i.e. instantiating session object and assigning it to request/response. After successful authentication spring automatically sets a SPRING_SECURITY_CONTEXT attribute in session and this variable is later used to determine whether user is already authenticated or not (Spring does that for you, you don't need to use this attribute).
In spring security we set an authentication entry point which has information about login page url and FORM_LOGIN_FILTER which has information about login processing url, login success url and login failure url among few other things.Every request whose session doesn't have SPRING_SECURITY_CONTEXT and auth attribute gets redirected to login page url.
I could give the code directly but it would be great if you read at least few pages of Spring documentation here. Once you understand the concepts and are still not able to solve the problem. Edit your question with detailed problem and we will try to fix it.
At first you need to create an Authentication object using current HttpRequest as below:
public class SessionService{
public Authentication getSession(HttpServletRequest request) {
HttpSession session=request.getSession();
SecurityContext ctx= (SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
Authentication auth=ctx.getAuthentication();
return auth;
}
}
Then, you can retrieve the session details from this Authentication object by passing the current HttpRequest as follows:
Authentication auth = sessionService.getSession(request);
The above auth object contains the details that you need.
I'm trying to set up access to a static HTML page - lets call it search.html.
I understand I can use cookies for this task, but is it possible with servlet sessions?
What options are there so access is only provided once a user is logged in? I have a login servlet that forwards to search.html however I only want this to be access once a user is logged in and a session is created.
Thanks
When the user logs in you store something in the Session indicating that. This can be as simple as a boolean flag or a full User object with roles etc. Then you write a filter which checks the presence of this flag or the roles of the user etc. Depending on the outcome you either let the reqest through or deny it with 403 Forbidden. Filters can be configured to paths in the web.xml.
Hey guys i'm working on admin module for my project. When a person logs-in, a request is sent to login servlet. When it further ask for some other report by clicking other options a request for the report is sent to other servlet which gives the result on the page which is shown at the time of user which is of normal type. The session is lost between two servlets.
I am trying to navigate the generated report on some other page but for that i need to know user type in second servlet. This can be done by fetching value of user_type from login module bean class.
How to handle this situation? thanks
My login servlet is :
LoginService user = new LoginService();
user.setUserName(request.getParameter("username"));
user.setPassword(request.getParameter("password"));
user = UserDAO.login(user);
if (user.isValid())
{
HttpSession session = request.getSession(true);
session.setAttribute("currentSessionUser",user);
if(user.getUser_type().equalsIgnoreCase("admin")){
response.sendRedirect("administrator/homepage.jsp");
}else{
response.sendRedirect("homepage.jsp"); //logged-in page
}
}
else
response.sendRedirect("invalidlogin.jsp"); //error page
}
i tried using this in second servlet:-
LoginService session = (LoginService)request.getAttribute("currentSessionUser");
String drake = session.getUser_type();
System.out.println("usertype = " +drake);
Here LoginService is the bean class of login module. i'm get a nullpointer exception here.
I think you're trying to do stuff that your web container should handle for you... A session should automatically be maintained over the course of multiple servlet calls from the same client session. Methods from HttpServlet are given a HttpServletRequest. You can obtain the corresponding HttpSession using one of the getSession methods of that class.
You can bind stuff to the HttpSession using setAttribute and getAttribute.
EDIT: I'm taking this from the Servlet spec 2.5:
A servlet can bind an object attribute into an HttpSession implementation by name.
Any object bound into a session is available to any other servlet that belongs to the
same ServletContext and handles a request identified as being a part of the same
session.
I think you're better off getting the HttpSession object from the HttpServletRequest (at least assuming it's a HttpServlet) and setting/getting attributes through that. If you choose a proper name (it follows the same convention as Java package naming) for your attribute, you can be sure the returned object, as long as it's not null, can be cast to whatever type you put in there. Setting and getting attributes on the request itself isn't gonna help, I don't think stuff will get carried over from one servlet call to the next unless you call one servlet from the other with a RequestDispatcher, but that's not what you're after here.
So in your second code sample, do (LoginService)request.getSession().getAttribute("currentSessionUser");, that ought to work. Make sure to check for nulls and maybe choose an attribute name that uses your project's package name convention (like com.mycompany...).
I wouldn't mind a second opinion here since I'm not much of an EE/web developer.
I'm a novice at JSF and I got a couple of questions concerning organizing user authentication there.
1) How can i redirect the registered user to a welcome page (for example welcome.xhtml)? I heard about using Filter or navigation-rule tag, but i didn't found a full-blown tutorial of how it works.
2) How can i tell the server that unauthorized users can access not only the login page but also the registration page? Is there an analog for ASP.NET web.config tag or something like this?
The solution for requirement 1) is already achieved by the solution for requirement 2). You just let the user go to that URL directly. If the user is after all not logged in, then redirect them to the register/login page. That's how it normally works.
You need to implement a Filter which listens on an url-pattern matching the secured pages. E.g. /secured/*, /protected/*, etc. In the doFilter() method you just check for the presence of the logged in User in the current session and handle accordingly. Here's a basic kickoff example:
if (((HttpServletRequest) request).getSession().getAttribute("user") == null) {
// Not logged in, redirect to login page.
response.sendRedirect("login.jsf");
} else {
// Logged in, just continue with request.
chain.doFilter(request, response);
}
To get it to work with JSF, just know the fact that JSF stores session scoped managed beans as attributes of the HttpSession with the managed bean name as key.