Closed 6 years ago.
I want to create a login page via Web API with these conditions.
I don't want to use tokens, etc., but the views should be secure (not directly callable via URL).
If the user is Admin, load view_x.
If the user is Employee, load view_y.
If the user is Student, load view_z.
Please give me a suggestion.
I believe you have a front-end website which leverages this web API, as you are talking about loading views. Firstly, you might want to define roles in the back end of your web API for the various types of users. For example, every user will belong to exactly one of the defined roles in your DB, like Student, Admin, Employee, etc. The action method which is called when your website gets launched will call your web API to validate the authenticity of the user who is trying to log in. After the login is successful, it should also fetch the role information of the logged-in user from the web API. When you have the role information, simply use a switch clause as shown below to redirect to the appropriate view:
[HttpPost]
public ActionResult Login(LoginModel model)   // LoginModel: placeholder view model holding the posted credentials
{
    // Call the web API to validate the credentials and fetch the user's role.
    // GetRoleFromWebApi is a placeholder for that call; it returns null on failure.
    string role = GetRoleFromWebApi(model.UserName, model.Password);
    switch (role)
    {
        case "Admin":
            return View("Admin");
        case "Student":
            return View("Student");
        case "Employee":
            return View("Employee");
        case "Others":
            return View("Others");
        default:
            // Invalid credentials or unknown role: stay on the login page.
            ModelState.AddModelError("", "Invalid login.");
            return View();
    }
}
Hope this helps!
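Redirecting to a view by role at login does not by itself stop a logged-in Employee from typing the Admin view's URL into the address bar; the role has to be re-checked on every request for a protected view. The following is an added example in Python (framework-independent), not code from the answer above: ROLE_FOR_VIEW, Session, login, dispatch_login_only and dispatch are names made up here, and the web API call that validates credentials is stubbed out so that login() simply trusts the role it is given.

```python
"""Role checks enforced on every request to a view, not only at login.

Added example (Python, framework-independent), not the answer's code.
ROLE_FOR_VIEW, Session, login and dispatch are made-up names. The web API
call that validates credentials is stubbed: login() trusts the role passed in.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Which role may open which view. Deny by default: a view that is not
# listed here cannot be reached at all.
ROLE_FOR_VIEW = {
    "/view_x": "Admin",
    "/view_y": "Employee",
    "/view_z": "Student",
}

# Where each role lands after login (the switch statement in the answer).
LANDING_VIEW = {role: view for view, role in ROLE_FOR_VIEW.items()}


@dataclass
class Session:
    """Server-side session; the client only holds an opaque session id."""
    user: Optional[str] = None
    role: Optional[str] = None


def login(session: Session, username: str, role: str) -> str:
    """Record the authenticated user and role server-side and return the
    view to redirect to. In the real application the role comes from the
    web API after it has validated the credentials; here it is passed in."""
    session.user = username
    session.role = role
    return LANDING_VIEW.get(role, "/login")


def dispatch_login_only(session: Session, path: str) -> Tuple[int, str]:
    """Weak variant: any logged-in user gets any view. The role-based
    redirect at login does nothing against a direct request for /view_x."""
    if session.user is None:
        return 302, "/login"
    if path not in ROLE_FOR_VIEW:
        return 404, "no such view"
    return 200, f"rendered {path} for {session.user}"


def dispatch(session: Session, path: str) -> Tuple[int, str]:
    """Hardened variant: every request re-checks the session's role
    against the role the requested view requires."""
    if session.user is None:
        return 302, "/login"          # not authenticated: redirect to login
    required = ROLE_FOR_VIEW.get(path)
    if required is None:
        return 404, "no such view"
    if session.role != required:
        return 403, "forbidden"       # authenticated but not authorized
    return 200, f"rendered {path} for {session.user}"
```

In ASP.NET MVC the same effect is obtained by decorating each view's action with a role check rather than relying on the redirect chosen in Login(); the point of the example is that the check lives on the view, not on the login step.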
Closed 3 months ago.
So basically I understand that a REST API is stateless and we should not use session-based authentication for API routes. However, let's say my application already has session-based authentication because it is an SPA. So I have a few questions.
How do we actually protect these API routes without using sessions, so that we can actually test these API routes in Postman, etc.?
How can we achieve this without affecting the existing authentication system?
Do we need to use Passport or Sanctum to achieve this?
Thank you.
If your SPA and API are on the same domain, you likely want Sanctum, which uses sessions via cookies or tokens to manage authentication. Based on your question, it seems like Sanctum would be the best fit for integrating with your existing authentication workflow.
If your SPA is not on the same domain as your API, you'll want to use either Fortify or Passport.
I would avoid Passport unless you require an OAuth workflow.
Alternatively, you can create your own custom authentication using JWT tokens in Laravel to authenticate the API. For that you can use tymondesigns/jwt-auth, a third-party JWT auth library.
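Whichever package is chosen, the routes end up behind a guard that accepts two kinds of caller: the SPA, which sends the session cookie and must therefore also prove it is not a cross-site request, and API clients such as Postman, which send a bearer token. The following is an added example in Python, not Laravel or Sanctum code; it sketches the pattern Sanctum implements (API tokens are random, shown once, and stored only as their SHA-256 hash; cookie-authenticated requests that change state must echo a CSRF token). The in-memory dicts and the function names are made up for this example.

```python
"""One guard for the SPA (session cookie + CSRF header) and for API clients
such as Postman (bearer token).

Added example in Python, not Laravel/Sanctum code. The stores and names
(SESSIONS, TOKEN_HASHES, start_session, issue_token, authenticate) are
made up for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SESSIONS: Dict[str, str] = {}       # session id -> user id
SESSION_CSRF: Dict[str, str] = {}   # session id -> CSRF token handed to the SPA
TOKEN_HASHES: Dict[str, str] = {}   # sha256(token) -> user id
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def start_session(user_id: str) -> Tuple[str, str]:
    """The SPA's existing cookie login; returns (session id, CSRF token)."""
    sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    SESSION_CSRF[sid] = csrf
    return sid, csrf


def issue_token(user_id: str) -> str:
    """Create an API token for non-browser clients. Only its hash is stored,
    so a leaked token table yields nothing a client could present."""
    plain = secrets.token_urlsafe(32)
    TOKEN_HASHES[_sha256(plain)] = user_id
    return plain                       # shown to the user once


def revoke_token(plain: str) -> bool:
    return TOKEN_HASHES.pop(_sha256(plain), None) is not None


def authenticate(method: str, headers: Dict[str, str],
                 cookies: Dict[str, str]) -> Optional[str]:
    """Return the user id for the request, or None if it is not authenticated."""
    sid = cookies.get("session")
    if sid and sid in SESSIONS:
        # Browsers attach cookies automatically, so a state-changing request
        # must prove it came from the SPA by echoing the CSRF token.
        if method.upper() not in SAFE_METHODS:
            expected = SESSION_CSRF.get(sid, "")
            given = headers.get("X-XSRF-TOKEN", "")
            if not expected or not hmac.compare_digest(expected.encode(),
                                                       given.encode()):
                return None
        return SESSIONS[sid]
    # No usable session: fall back to a bearer token. Nothing attaches an
    # Authorization header on its own, so no CSRF check is needed here.
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return TOKEN_HASHES.get(_sha256(auth[len("Bearer "):]))
    return None
```

The session path is untouched by adding the token path, which is what "without affecting the existing authentication system" amounts to: the guard tries the session first and only then looks for a bearer token.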
Closed 6 months ago.
I have an application with:
Front end: Angular component
Login service: validates username and password and provides a JWT token (Service A)
Book Tickets service: saves/retrieves data about ticket bookings
Note:
The Login and Booking services each have their own DB.
Not using an API gateway.
Flow:
Front End <-> /authenticate (Service A) <-> validate creds on the login DB and return a JWT token.
After this call, I would require the Book Tickets service to be authenticated by passing the JWT that was created in the previous step. But how can I do this without connecting the LoginDB to the Book Tickets service?
What I was hoping to do (but unsure if they are good practices):
Create an endpoint in LoginService "/isValidUser" and call this endpoint from the Book Tickets service every time.
Route all Book Tickets service endpoints through the Login service so the JWT is validated and the request is forwarded.
Let the Book Tickets service access the Login DB and implement JWT validation in this service itself.
Really appreciate your suggestions.
In a microservices architecture, mostly one service talks to another using a standard interface, say a web API.
In your case, you are right that you need a LoginService, and it has the following responsibilities:
Validate credentials (username, password) and return a JWT token.
Now this token will be used by the frontend to communicate with the backend or other services like the Book Ticket service, etc.
IsTokenValid
Now the Book Ticket service has the following responsibility:
Booking a ticket.
A possible flow of booking a ticket is:
/bookingservice/BookTicket (with all data)
Also pass the JWT token in a header.
The BookTicket service will receive the request and extract the token from the header.
It will pass the token to the Login Service to validate whether the token is valid or not.
If it is valid, then you can perform the ticket booking.
If you allow the Book Ticket service to access the DB of the Login Service, the overall purpose of microservices will be lost, because as soon as there is some change in the Login Service DB, you also have to change the Book Ticket service.
For a small project, like one you create once and are not going to change for a long time, it may be OK, but then the purpose of microservices is not there.
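What the "IsTokenValid" check actually consists of is worth seeing in code, because a signed JWT carries everything needed to check it: the booking service can verify the signature, issuer and expiry with the key it shares with the login service and needs neither the login DB nor a round trip per request. The following is an added example in Python (standard library only), not the poster's or answerer's code. The Login Service signs tokens with HS256 under a shared key; every name (SHARED_SECRET, issue_jwt, verify_jwt, book_ticket) and the secret value are made up for this example.

```python
"""The Book Tickets service checking a JWT from the Login Service locally.

Added example in Python (stdlib only), not the poster's code. The Login
Service signs with HS256 under a key shared with the booking service;
the booking service checks signature, issuer and expiry itself and never
touches the login DB. All names and the secret value are made up here.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SHARED_SECRET = b"example-only-shared-secret"   # constructed; use a long random key
ISSUER = "login-service"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_jwt(user_id: str, ttl: int = 900, now: Optional[int] = None) -> str:
    """Login Service: called after the credentials passed against the login DB."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user_id, "iat": now, "exp": now + ttl}
    signing_input = f"{b64url(_json(header))}.{b64url(_json(claims))}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Book Tickets service: return the claims, or None for any bad token."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        # Pin the algorithm; never let the token choose it (e.g. "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SHARED_SECRET, f"{h64}.{c64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return None                      # signature does not match
        claims = json.loads(b64url_decode(c64))
    except (ValueError, TypeError):          # malformed base64 / JSON
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                          # missing or passed expiry
    return claims


def book_ticket(auth_header: Optional[str], ticket: dict,
                now: Optional[int] = None) -> Tuple[int, object]:
    """/bookingservice/BookTicket: the token travels in the Authorization header."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_jwt(auth_header[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    return 201, {"booked_for": claims["sub"], "ticket": ticket}
```

With a shared HMAC key every service that can verify tokens can also mint them; if that is a concern, the login service signs with an RS256/ES256 private key and the booking service holds only the public key, and the verification logic above stays the same apart from the signature check.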
Closed 5 years ago.
I am new to Spring MVC. I want to show a register button on the login page only if the user is not registered.
I don't know whether you have stored the registered user data somewhere or not, though I assume that you store it in a database and try to give this answer on that basis; maybe this will help you.
First of all, pull out the list of all registered user data from the database during login and check whether the user's login credentials are present in this list or not. If present, then don't show the register button; otherwise show it.
Closed 5 years ago.
I am writing a Spring Boot application that needs to authenticate users to an OAuth2 client provided by another group. The OAuth2 client provides two authentication schemes: form and sso. The application I am building needs to use the sso scheme because the application has no option to redirect the user to a login form.
Spring Security contains an enum that provides the security.oauth2.client.client-authentication-scheme options that can be used; sso is not one provided, so I need to be able to somehow extend this or provide a custom option.
Ultimately the application needs to generate a GET request that will take this form: https://iapi.mycompany.com/authentication-service/v2/authorize?response_type=code&client_id=myClientIdHere&redirect_uri=https://myclient.mycompany.com/redirect&state=someStateString&login_method=sso
As far as I can tell it's really only the login_method=sso part which is the custom part that needs producing. Any ideas on how I can convince Spring Security to do this for me?
Turns out the solution is to comment out the security.oauth2.client.client-authentication-scheme property in application.properties and to append ?login_method=sso to the security.oauth2.client.user-authorization-uri property.
The final property looks like this:
security.oauth2.client.user-authorization-uri=https://iapi.mycompany.com/authentication-service/v2/authorize?login_method=sso
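The property trick works only because the framework merges its own parameters into the query string that is already there instead of appending a second "?"; the state parameter in the target URL is the other thing to get right, since it is what ties the callback to the request that started it. The following is an added example in Python, not Spring code, showing that merge and a state check with the URL from the question; the helper names and the in-memory state set are made up for this example.

```python
"""Appending a custom parameter to the authorization endpoint without
breaking the standard OAuth2 ones, plus state generation and checking.

Added example in Python, not Spring code. build_authorize_url,
consume_state and PENDING_STATES are names made up for this example.
"""
import secrets
from typing import Dict, Set, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PENDING_STATES: Set[str] = set()   # would live in the user's session


def query_params(url: str) -> Dict[str, str]:
    """Decode a URL's query string into a dict (percent-decoding applied)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def build_authorize_url(user_authorization_uri: str, client_id: str,
                        redirect_uri: str) -> Tuple[str, str]:
    """Return (authorization URL, state). Query parameters already present
    in the configured URI, such as login_method=sso, are kept, and the
    standard parameters are merged into the same query string."""
    parts = urlsplit(user_authorization_uri)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    state = secrets.token_urlsafe(16)          # unguessable, one per request
    PENDING_STATES.add(state)
    params.update({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # urlencode percent-escapes it
        "state": state,
    })
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment)), state


def consume_state(returned_state: str) -> bool:
    """Accept a callback only if its state was issued here and not yet used;
    a replayed or forged callback is rejected."""
    if returned_state in PENDING_STATES:
        PENDING_STATES.discard(returned_state)
        return True
    return False
```

Spring generates and verifies state on its own in the normal flow; the example makes the requirement visible because once the authorization URI is hand-edited it is easy to end up testing with a fixed state value and forget that the callback has to be checked against it.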
Closed 9 years ago.
I have a web application (JSP) and I need to limit access, so only logged-in users see the application. I looked into it and found many different approaches. Some say to use cookies, sessions or frameworks such as Spring Security. What should I use? So far I have medium experience in Java and JSP programming, so what do you recommend me to do? Thank you a lot!
Instead of preparing a home-made version of Spring Security, I propose to use it directly. Consider the following advantages:
In the future, if you need some new security features, you can just turn them on instead of developing them from zero (for example LDAP authentication, SSO, ...).
There are chances that a new developer is already familiar with your security framework (on the other side, it is certain that they will not be familiar with your home-made library).
Most of them have good documentation, so the learning curve is small when we talk about basic URL authorization (do you have enough time to prepare the same level of documentation for your home-made library?).
They have built-in support against attacks like session fixation, etc.
They have multiple extension points, so you will not be limited by the framework (you will be able to add / modify the necessary functionality).
They have a modular structure; you do not need to load all modules / know about them. Use only what you need.
It may be useful for you to check Apache Shiro and Spring Security.
In the case of Spring Security, if you start reading the official documentation from here, then you can prepare all the configuration for basic URL authorization (with hard-coded users in the conf) in less than 30 minutes. Then you need to include the corresponding jars in your classpath (for Spring and Spring Security) and that's all. Turn on debug logging for org.springframework.security to see what's going on.
Consider the use of a servlet filter. Store the logged-in user in the session and configure a filter to check that the user is logged in when he/she attempts to access the secure directories of your site (via url-pattern).
Basic info here: http://www.tutorialspoint.com/jsp/jsp_writing_filters.htm.
But here's something more specific to get you started.
Create a class that implements javax.servlet.Filter, override the doFilter method, check that the user is logged in, and configure the urlPatterns using annotations.
The annotation on the filter would be something like this:
@WebFilter(filterName="LoggingFilter", urlPatterns={"/secured/*"})
where the directory that you wish to protect is called 'secured'.
In the class, override the doFilter() method and check that the user is logged in:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpSession session = req.getSession(false); // do not create a session for anonymous visitors
    User user = session == null ? null : (User) session.getAttribute("user");
    if (user != null) {
        chain.doFilter(request, response); // User is logged in, so continue the chain.
    } else {
        ((HttpServletResponse) response).sendRedirect(req.getContextPath() + "/login"); // Not logged in: redirect to the login page (absolute path, so it is not itself under /secured/).
    }
}
This is an effective way to restrict a logged-in user to specified parts of the site. This simple example can be extended to restrict access to different parts of the site based on user type or some other criteria.
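Two details decide whether a filter like this is actually safe: the filter must look up the session without creating one for anonymous visitors, and the login that stores the user must discard whatever session id the browser presented and issue a fresh one, otherwise an attacker who planted a session id before login ends up sharing the authenticated session (session fixation, one of the things the Spring Security answer says the framework handles for you). The following is an added example in Python modelling the filter above; it is not the page's code, and SessionStore, login, logout and login_filter are names made up here.

```python
"""A login filter for a protected path prefix, with session lookup that
never creates a session and a login that rotates the session id.

Added example in Python modelling the servlet filter; not the page's code.
SessionStore, login, logout and login_filter are made-up names.
"""
import secrets
from typing import Dict, Optional, Tuple

SECURED_PREFIXES = ("/secured/",)   # the filter's urlPatterns


class SessionStore:
    """Server-side sessions keyed by the id carried in the session cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def get(self, sid: Optional[str]) -> Optional[Dict[str, str]]:
        # Like HttpServletRequest.getSession(false): look up, never create.
        return self._sessions.get(sid) if sid else None

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def invalidate(self, sid: Optional[str]) -> None:
        if sid:
            self._sessions.pop(sid, None)


def login(store: SessionStore, presented_sid: Optional[str], user: str) -> str:
    """Credentials are assumed to have been verified already. The id the
    browser presented (possibly planted by an attacker) is discarded and a
    fresh one issued, so a fixated id never becomes an authenticated session."""
    store.invalidate(presented_sid)
    sid = store.create()
    store.get(sid)["user"] = user
    return sid                          # set this as the new session cookie


def logout(store: SessionStore, sid: Optional[str]) -> None:
    store.invalidate(sid)


def login_filter(store: SessionStore, path: str,
                 sid: Optional[str]) -> Tuple[str, str]:
    """Return ("next", user) to continue the chain, ("next", "") for a path
    the filter is not mapped to, or ("redirect", target) for anonymous
    requests under the protected prefix."""
    if not path.startswith(SECURED_PREFIXES):
        return "next", ""               # outside urlPatterns: filter not applied
    session = store.get(sid)
    user = session.get("user") if session else None
    if user is None:
        # Absolute path, so /secured/x does not redirect to /secured/login.
        return "redirect", "/login"
    return "next", user
```

In the servlet version the equivalent of the rotation in login() is invalidating the old HttpSession and calling getSession(true) afterwards (or using the container's changeSessionId) before storing the user attribute.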