I'm building a single-page web application with integrated login/logout features. The back-end is powered by Grails 3 and Spring Security 3.0.3.
From Spring Securiy doc:
LoginController has JSON-generating methods ajaxSuccess(), ajaxDenied(), and authfail() that generate JSON that the login Javascript code can use to appropriately display success or error messages.
Ajax requests are identified by default by the X-Requested-With request header.
What about Ajax logout functionality though? As far as I could understand there's no built-in support to do that, so I'm looking for advice about the easiest way to achieve this.
At the moment, with the default Spring Security configuration, the logout works as expected (i.e. users are able to logout successfully), but of course what I get from the back-end is the login page's HTML.
Thanks in advance!
Just ran into the same problem myself.
Didn't find a way to skip the redirect but by adding my own logout controller, I could at least provide an json response instead of the login page.
Add this to application.groovy
grails.plugin.springsecurity.logout.afterLogoutUrl="/ajaxLogout"
And this is my controller
#Secured('permitAll')
class AjaxLogoutController {
def index() {
def data = [:]
data.success = true
render data as JSON
}
}
There's a whole section on Ajax in the docs.
Related
I am using ASP.NET Core MVC. In my project I use Ajax in order to get some JSON data from an action on my controller. It requests data from the database, then return it as json. It works well.
I want to use role-based authentication in my ASP.NET Core MVC project.
This is my question: if I use a controller action restriction by something like [Authorize(Roles = "Admin")], will it allow anyone whose role is "Admin" to call this method? (I mean will it work without any other trouble just by logging in as Admin)
And will it disable accessing those data when the role is not "Admin"`?
I have not still add Identification to my new project and I'm new to using Ajax.
I have just tested it and it does as desired. It return 401 Unauthorized status code when the user is not authorized and 200 OK success status response code. Thanks guys for your responses.
Let's say when you send a request to this url: ...?query=something&filter=another_thing, I am returning a web page with model attribute let's say model.addAttribute('result', resultList) then just for loop the result and print the values. (Template resolver could be jsp or thymeleaf, but there is no option to load resultList without model fashion - I mean there is no ajax request - )
What I want to do:
before loading the result (or loading the page), I just want to load google recaptcha.js first and
recaptcha will return a token,
then I will send token to the backend via ajax request.
After all if request is not bot, I will print the resultList
Is this requirement possible to implement inside the Spring boot application itself?
NOTE: I could not find anyway to do this. I just though that I could intercept the original get url then redirect to the another page, and this page will load recaptcha and send the token to my backend. If it is not bot then redirect to the original get url. However I do not know how to preserve original request
You're framing it slightly wrong, which may make all the difference.
When making a request, you want to make sure that request is authorized, before you handle
it.
That is where a recaptcha comes in.
To prevent unauthorized access, look into spring-security and recaptcha for that.
Once sufficient authentication has been achieved, your request will then enter your controller, and you can serve the page.
(of course, you could look into it doing it dynamically, but that will be a bit harder)
We have an existing spring-boot application that supports basic Authentication with spring-security. this application uses spring templating so it accepts form data as input and saves sessions by doing authentication.
the login page is at /login after successful login it redirects to the home page of the website.
in the same spring boot service, we want to start supporting JSON based API which would be used by the Mobile app.
we were thinking of adding login API at /api/login which will be served for mobile devices.
is there a way where we can say
for /login use default authentication class and for /api/login use some other custom class which will read JSON data and will do Authentication.
we also want to use different page for unAuthorized access. as existing one renders custom HTML page. but with API we want to send JSON response with HTTP code.
Not a Java person, but generally speaking this can be done by creating a different controller that would handle the /api/login route.
Here's snippet below that might help :
[Source : https://spring.io/guides/gs/spring-boot/]
package com.example.springboot;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RequestMapping;
#RestController
public class HelloController {
#RequestMapping("/api/login")
public String LoginAPI() {
// handle your authentication logic here.
}
}
I would strongly recommend against using the session based authentication. It's simply not designed for modern applications. If the option is open, you can take a upgrade to token based authentication (jwt.io), that would make your life much much easier.
If you must implement the session based authentication for mobile app as well. here's what you need to do
create the session on server
set the session key as a part of cookies in the response header
store the cookies in your app.
Include the cookies in request header in subsequent API calls from mobile app.
Again, not a Java person. Just hoping to help.
My application will be:
- Single Page App (say in angular/backbone)
- Spring MVC based Server.
I find many examples about using Spring-Security where the login page, logout page etc.. are all HTMLs. And Spring Security directs to appropriate pages based on Session State.
But in my case the login/logout page will be in JavaScript - All interaction with the server for login/logout is over HTTP(REST style URLs), and response JSON. There is no HTML in play here.
Question
How can i use Spring Security in this case? In other words - How can i expose login/logout behavior as a API?
Since the front end is Browser based app... i guess usual cookies etc. should still work for identifying session.
Yes Cookies still work in your cases. But you need to tap on the ajax urls instead of normal urls. I had an experience with a mobile based - single page application and I managed to do it with a grails backend. When logging in tap on /j_spring_security_check?ajax=true if http response is 302 and it redirects you to /login/ajaxSuccess it means that you have logged in successfully. Otherwise you failed to login.
At my project I use Spring Security and GWT with url-like internationalization (http://....html?locale=en). Login and logout functions work very well, but here is another hitch: when user login he got localization-like URL (for example http://localhost:8000/Admin/app/Admin.html?locale=en) but after he close window (without logout) and coming back at URL http://localhost:8000/Admin/ he take authorization by Spring Security with session and login at system without "?locale=" param, so he got default language.
The main question is - how can I interrupt between two process (after Spring say - "Ok! it a good user - comin!" and before he throw user a link to coming) so that I can add locale to his URL ?
Thanks.
You can implement a custom AuthenticationSuccessHandler to add parameters to the request on authentication success. See this question.