When I created a WebAPI project, and then a MVC project. In MVC project, I run a sever https://localhost:44303/ which has a page. In this page I created a button for ajax call. I call to my WebAPI project https://localhost:44369/ (different origin), and of course I get CORS policy. I cannot get any data. But when I change the ajax call to a fake API like on the internet https://jsonplaceholder.typicode.com/todos/1, I can get data. I think the fake API and the MVC project have different origin, so CORS should prevent the ajax call. Why can I still get the data from that fake API?
They are simply accepting request from all ip
Related
I am using ASP.NET Core MVC. In my project I use Ajax in order to get some JSON data from an action on my controller. It requests data from the database, then return it as json. It works well.
I want to use role-based authentication in my ASP.NET Core MVC project.
This is my question: if I use a controller action restriction by something like [Authorize(Roles = "Admin")], will it allow anyone whose role is "Admin" to call this method? (I mean will it work without any other trouble just by logging in as Admin)
And will it disable accessing those data when the role is not "Admin"`?
I have not still add Identification to my new project and I'm new to using Ajax.
I have just tested it and it does as desired. It return 401 Unauthorized status code when the user is not authorized and 200 OK success status response code. Thanks guys for your responses.
Let's say when you send a request to this url: ...?query=something&filter=another_thing, I am returning a web page with model attribute let's say model.addAttribute('result', resultList) then just for loop the result and print the values. (Template resolver could be jsp or thymeleaf, but there is no option to load resultList without model fashion - I mean there is no ajax request - )
What I want to do:
before loading the result (or loading the page), I just want to load google recaptcha.js first and
recaptcha will return a token,
then I will send token to the backend via ajax request.
After all if request is not bot, I will print the resultList
Is this requirement possible to implement inside the Spring boot application itself?
NOTE: I could not find anyway to do this. I just though that I could intercept the original get url then redirect to the another page, and this page will load recaptcha and send the token to my backend. If it is not bot then redirect to the original get url. However I do not know how to preserve original request
You're framing it slightly wrong, which may make all the difference.
When making a request, you want to make sure that request is authorized, before you handle
it.
That is where a recaptcha comes in.
To prevent unauthorized access, look into spring-security and recaptcha for that.
Once sufficient authentication has been achieved, your request will then enter your controller, and you can serve the page.
(of course, you could look into it doing it dynamically, but that will be a bit harder)
I am curious if anyone has a solution to this unique situation as I have a solution currently, though I feel it is not the most optimal.
The Situation.
I have built an MVC style web application that talks to a web API through http (authenticating via JWT). My web application is secured by appending authorization to its view controllers and redirecting to a Microsoft login endpoint - then directing back to the view where whichever given controller/function handles the request, connects to the API, appends data to the view, etc.
Preferably I would like to use JQuery/Ajax to submit http requests client-side and update a given view with whatever data the user may wish to see relative to the webpage they're on. This way I could control exactly what the user should see landing on the page any which way and submitting requests from web app to API. Also would enable better continuity between requests as there isn't actually a full refresh of the view. All in all it is my line of thought that this execution would lead to a nice user experience.
The Problem.
So the big issue that I have had to circumvent is CORS Policy. I initially attempted to use JS just as I said above but requests would be redirected to the login endpoint and blocked due to there being no CORS header appended to the request.
'So include a policy in your application and append an authorized header to your Ajax outgoing request' you might say, well... you cannot override CORS security around Microsoft's login endpoint.
My Solution.
What I have done simply instead is create HTML Forms around fields the user would pick and chose to specify what data they wanted from the API. Then carry over input data to the returned view via 'ViewData'
and using razor pages of course I can actually initialize JS variables via C# input.
Side Note
I use JS to transform the API data into graphs for the user to see. I am doing this with a JavaScript Library.
My Question to you.
This all leads me to ask then, is there a way to dynamically update a view without using JS? I require a method that can hit the login redirect without being blocked because the request initiated client-side.
Every solution I am aware in some way, shape, or form utilizes JS to make the request. So I am at a loss for how to truly get the functionality I am after without having my requests get blocked due to CORS Policy.
Thanks in advance y'all.
Maybe this is not possible...
I have one site, we'll call it club.com
And I have another site called store.com
I have control of both domains. club.com is powered by a Django project, and store.com is a shopify site.
If you're a member of club.com, you get a discount on store.com
We want to do it so that integration is seamless. No need to enter your club.com credentials to store.com, we want the page to do that for you.
How do I implement this?
I already tried simply putting an ajax call on store.com pointing to club.com, and it seems to work with one exception: The browser is not sending the proper cookies along with the request, so when club.com gets this ajax request it can't authenticate it.
You should consider OAuth2 to achieve what you need.
I'm trying to implement an online application (single page) with angularjs in forntpage and wordpress + woocommerce plugin in backend.
For this purpose I'm installed WP RESTful API and activated woocommerce self api. and using angularjs resource for ajax calls with server.
The woocommerce API is protected by oAuth 1.0a protocol.
As I figured out in this answer, the right way to request a protected API is just server side calls. So I created a new file in my server named "ApiCall.php" and wrote the whole secure communication stuffs in that.
Now my requests first send to "ApiCall.php" then the server communicate with woocommerce API (which is in the same server!) and the response will redirect to my angular code!
After all , now I'm confusing with this flow and security. When someone can request to woocommerce API, so he can request to "ApiCall.php" too! then the same security calculations will proceed for that person and result will returned to him!
On the other side, WP RESTful API have no security contraptions, and data are available with direct ajax calls.
I'm looking the best approach for this type of communications which a single page application want to get and set data to its backend.