I have an application that makes calls from the client using JQuery to a Web API controllers, but then from such controller is makes a call to another server, where another controller picks up and does all the data logic (insertions, etc..) so basically (two different solutions and totally separate, no dependencies)
Client
Web API (this live in http://localhost:5020/)
-----------------
Some Server API here (this lives in http://localhost:4566)
Data Layer
SQL
So Web API makes calles to some server and saves or retrieves data.
I need to be able to add SinalR when something is saved to one of the databases on the other server. How can I design this so I get notifications something was saved in the client side since there are no dependencies?.
Do i add the HUBs and what not on the receiving server or on the client server, a bit confuse how that would work.
I would appreciate any clarification.
I usually use the method explained in this answer.
This will allow you to have hubs which can be invoked from frontend (JS) and backend (C#) as well.
Basically for the backend (C#) calls use a hubcontext. As explained by the SignalR team here too.
Simple code (in your hub class):
public class YourHubClass: Hub
private static IHubContext hubContext = GlobalHost.ConnectionManager.GetHubContext<YourHubClass>();
// ...
public static void Send(string message) {
hubContext.Clients.All.addMessage(message);
}
}
Now you can call the static method in your controller:
YourHubClass.Send("Hello!");
And the clients will receive the message by the event addMessage(message)
Related
I have made a REST web api and I thought the application_start() event of a web api should triggered once you start the web service from IIS manager, however, what I have observed to my web api is it only triggered by the first web request which reached to the web service. I was wondering if this is supposed to be or I did it incorrectly? Thanks.
That's how it is. From the docs:
Called when the first resource (such as a page) in an ASP.NET
application is requested. TheĀ Application_Startmethod is called only
one time during the life cycle of an application. You can use this
method to perform startup tasks such as loading data into the cache
and initializing static values.
https://msdn.microsoft.com/en-us/library/ms178473.aspx
I have a Webapp that consists of a REST API, and then another app that represents a frontend of this API. Both of this apps are developed using Spring.
Currently my REST api is not secured and data can be accessed directly by calling the REST endpoint without additional security info.
My frontend does have a login form (I'm using Spring Security for that), but does not have access to a database (the only access is through the REST endpoint). So the login process is done through an extension of the AuthenticationProvider that calls the REST api with the user and password and then responds with the authentication result. No authentication/authorization is kept on the REST side since to my knowledge this protocol should be stateless.
The problem is I need to incorporate ACL into my app, so that a user can only see those resources he's authorized to see (i.e. those he created). But given that my authentication process takes place on the frontend layer (which is where I keep a session attribute with the user info), I have two main problems:
How can I secure my REST channel?
How can I know which user is making the request on every communication, without explicitly passing the userdetails in each API request? is this even possible?
Doing it stateless and making two separate web application usually is overkill.
What I usually end up doing is.
Make my RestAPI stateful, because usually scaling is not an issue and simple form authentication will suffice.
Combine a Rest API/HTML Client in one Webapplication. If you want to keep it modular, you could create a Rest API module and integrate it as a JAR file in the lib folder of your web app.
Here is also some thread which goes through different alternatives for a rest API.
How to do authentication with a REST API right? (Browser + Native clients)
I am developing chess playing server based on Java and Netty and client-application using C++.
Messaging process between client and server is based on Google Protobuf Protocol
Now I want website to act as client for application server so that it would be tightly integrated with server app
I have chosen Play 2.1(JAVA) framework for the website
1)
First i ran into trouble trying to run my Netty server instance from Play 2.1 application so I added next code to Global.java (Play framework startup file )
public void onStart(Application app) {
// ...
new Thread() {
public void run() {
new NettyServer().run();
}
}.start();
}
Does it seem to be a good idea to run my own instance of Netty this way?
2)
I am not sure how to validate data, as app server gets data to be validated from both C++ client and website by different protocols
Client sends it as binary-encoded data using protobuf protocol and website sends POST requestI want validation to be equal for both clients
For validating data sent from the website I can use Form < T > helper thought i can't use it for binary encoded protobuf data. Any ideas on how to manage validation?
3)
I use Messages.get() from i18n Play module to translate messages to user's language. Client using browser, Play determines user's language from client request headers, and chooses appropriate translations file.
But what about my client? I don't know anything about user's language so i can't send it to my app.
Moreover i didn't manage to find a way to set language manually in Messages.get()
Could use some suggestions for how best to secure an API that for the time being will remain private. The backend API has been developed and will lie on its own system. The front end consumer website will have access to this API via a private API key. This is all in server side code. However, a new requirement has been made known: our website will also need to make AJAX requests to generate the code. I don't want to expose the API calls or token in the javascript code, so I'm trying to figure out options. One would be to create a REST controller on the front-end server-side which could then be called by javascript code, but this would effectively circumvent the API key security measure and therefore is not a true solution.
So what are the general practices for this? I think ideally (and I'm moving toward this, it's just not feasible time-wise currently) I would use OAuth tokens to validate requests and have some API calls(pulling in general information) not require any form of authentication etc, but even that would have some issues given the AJAX requirements. Is there perhaps some way to have client-side javascript and associated AJAX calls which will remain secure?
All this is to say - I'm currently at a loss of what to do here.
Thanks.
Edit: Current thought is to create controllers on the front end which can be accessed via ajax, which sends non-risky fetches to the API, and for risky ones relies on current user validation (e.g. user being logged in). Furthermore, logging in will not be an AJAX style request, so logging in should be a reliable security test.
You could develop a handler to accept the AJAX requests and pass them along to the private API using the normal access-token approach you would take elsewhere in non-public facing code.
That way, you don't expose the token or the API in javascript. You can build a whitelist of API calls in your handler so that it only deals with (presumably) benign AJAX requests from the front-end. This handler is both a firewall for bad requests and a way to protect the real mechanics of the private API.
If any of the API methods are potentially dangerous or destructive to data, this can (and should) be used in conjunction with the public website's authentication mechanisms.
A mockup (in PHP):
$whitelist = array(
'SomeApiCallPublicAlias'=>'RealApiMethod',
'AnotherPublicAlias'=>'SomeSafeApiMethod'
);
$call = $_POST['call']; // <-- SomeApiCallPublicAlias
if (!array_key_exists($call, $whitelist))
die('permission denied');
$data= $_POST['data'];
// hook in to the private API, pass the data, return the response
$response = make_private_api_call($whitelist[$call], $data);
die(json_encode($response));
With SignalR, in my web app, I am invoking server-side methods from the client using JavaScript. The Hub is in a MVC3 project, and the client calls are made from a classic ASP application (since it's JS that's making the calls, it could be any other framework).
If I add the System.Web.MVC namespace and decorate my hub methods with [ValidateAntiForgeryToken], how can I use an anti-forgery token generated by the server (similar to what I did here) and pass it along with client requests?
No the 2 system don't talk to each other that way. None of the mvc pipeline runs when you call into signalr. You'll have to run do manual verification to make that work.