From Dynamic Selection Of JsonView in Spring MVC Controller, I understand that you can annotate controllers using @JsonView(...) and also return MappingJacksonValue with the serialization view specified from within the method. Is there a way to globally & dynamically select the serialization view based on the currently logged-in principal? I couldn't use the solution from the linked article because the object that I want to serialize with dynamically different views is nested inside a list.
To be a little more specific, my use case is: a logged-in user can view other user account details, but cannot view specific attributes like e-mail, circle of friends, etc. unless they are viewing their own account or are already friends with that user. I want to globally be sure that the currently logged-in user cannot view attributes that they are not entitled to by the other user.
Thank you in advance!
Related
Hi good morning to everyone
Currently I am working in Spring. I have been searching for a long time for how to work with sessions, but somebody told me to use ModelAndView instead of a session. Which is the right way to maintain user status? Please give some reference links for session tracking.
There is no relation between ModelAndView and session; they are two different things.
ModelAndView is used to pass data from the controller to the view (interaction between controller and view). We need to create different ModelAndView objects for different operations (CRUD operations) in a web application.
A session is for when we want to store an object, a type, or variables and use them across the entire application for that particular session. This can be done with the @Scope("session") annotation, or it can be configured in the Spring configuration file.
If you want to maintain user details for a particular session, use the session. If your requirement is to show user details from the database in a view, use ModelAndView in the controller.
I am using Okta C# sdk for development. I have created some custom user profile attributes in the Okta. I am able to create user and save values in custom attributes.
But I saw that when you update profile data you have to provide all the details again. If you provide only specific attribute values, the other attributes are set to null. So how can I update only one or two attributes so that the others do not change?
Dinesh.
You can use POST /users/:id if you want to make a partial update. Make sure not to use PUT for this operation, or you will wipe out the remaining values that are not in the request.
I have been looking at BreezeJS and I want to try it but I searched a lot and still cannot understand how security is handled while using Breeze. Here is what I know:
According to a post on IdeaBlade forums (creators of BreezeJS), we only need a single Api Controller for all of our entities. The Api controller will contain one MetaData method, one Get method for each entity, one Save method, one Delete method. So this way we only need one EntityManager on client side configured with one service endpoint.
My questions:
Is my understanding of "single controller for all entities" correct?
If my understanding is correct, then how can we apply security on our controller? If I want a user with a certain role to access only certain entities, I obviously cannot put an Authorize filter on my controller or method. Maybe I want a certain user to have read-only access while other users have read-write access on a certain entity. Maybe I only want to return aggregated data to a user while restricting access to the full details.
Please help. Thanks.
I have a site with a page that contains some tabs and when selecting one, its content is retrieved from the server using an AJAX call. Every tab is loaded through a different controller. For example, I have a Customer page which contains Products and Clients tabs.
The site has different types of users with different permission levels.
What I want to do is to protect the controllers, and show the content of the tabs only if the logged-in user has permission. So if a user without permission enters the URL of the controller, it should redirect to the login page. The URL is like this:
http://localhost/MyApp/Products/1
where 1 is the database ID of the product.
I can implement these 2 solutions but none of them is optimal:
Use the ChildActionOnly attribute. I would mark the actions of the Product controller with this attribute and render the tabs from the main view using RenderAction. But it would mean that all the tabs on the page would have to be rendered, which is not optimal because I only want to load the data when the user clicks on the tab.
On every request to the Product controller, I would make a database query using the ID of the record to check if the user has permission to access it. But this means that for every request I would have to run an extra query.
I'm wondering if there is a better approach to this.
Similar to what Romias has suggested, you can combine the Authorize meta-attribute with a custom IAuthorizationFilter.
When you apply the Authorize meta-attribute you specify a list of users or roles that should have permission to that action. This lacks the ability to use a database to specify which IDs a user should have access to.
It is this ID-to-user mapping where the IAuthorizationFilter comes into play. In the filter you can check the current user against the database.
A sample IAuthorizationFilter and its usage can be found on the following page:
http://geekswithblogs.net/brians/archive/2010/07/08/implementing-a-custom-asp.net-mvc-authorization-filter.aspx
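As an added example (not from either answer on this page, and not the code on the linked page), here is what combining the built-in Authorize attribute with a record-level check looks like in ASP.NET MVC (System.Web.Mvc). The IProductAccessRepository interface and its DependencyResolver registration are assumptions; the role name "UserType1" is the one used in the other answer. The role check says "may use the Products controller"; only the database lookup can say "may see this product id".

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Assumed data-access abstraction (not from the page): answers
// "may this user act on this product id?" with a single query.
public interface IProductAccessRepository
{
    bool UserCanAccessProduct(string userName, int productId);
}

/// <summary>
/// Combines AuthorizeAttribute's authentication/role check with a per-record
/// check keyed on the route's "id" value. Applied as
/// [AuthorizeProductAccess(Roles = "UserType1")] on the Products controller.
/// </summary>
public class AuthorizeProductAccessAttribute : AuthorizeAttribute
{
    // Resolved through DependencyResolver so the filter stays testable; the
    // registration is assumed to exist in the application's composition root.
    private IProductAccessRepository Repository
    {
        get { return DependencyResolver.Current.GetService<IProductAccessRepository>(); }
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // 1. Authentication and role membership: the base class handles it. On
        //    failure it sets filterContext.Result to a 401, which forms
        //    authentication turns into the login-page redirect the question wants.
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null) return;

        // 2. Record-level check. Without it any authenticated UserType1 member
        //    could walk /Products/1, /Products/2, ... and read every record.
        int productId;
        object rawId = filterContext.RouteData.Values["id"];
        if (rawId == null || !int.TryParse(rawId.ToString(), out productId))
        {
            filterContext.Result = new HttpNotFoundResult();
            return;
        }

        string userName = filterContext.HttpContext.User.Identity.Name;
        if (!Repository.UserCanAccessProduct(userName, productId))
        {
            // Authenticated but not entitled: answer 403 rather than 401, so an
            // AJAX tab load does not receive the login page's HTML as its content.
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        }
    }
}

[AuthorizeProductAccess(Roles = "UserType1")]
public class ProductsController : Controller
{
    // Reached only when both the role check and the record check passed.
    public ActionResult Index(int id)
    {
        return PartialView("ProductTab", id);
    }
}
```

Two notes on the design. The extra query per request that the question worries about is the cost of object-level authorization: a role check alone cannot distinguish product 1 from product 2, and caching the answer per session means a revoked permission keeps working until the session ends. Second, the built-in attribute registers an output-cache validation callback that re-runs AuthorizeCore on cache hits, but the record check in this override would not run for a cached response, so do not put [OutputCache] on actions guarded this way.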
Have you tried using Authorize filter to decorate the controllers you want to protect?
[Authorize(Roles = "UserType1")]
You could also extend the Authorize filter to add your own logic.
Here you can see an example of extending Authorize filter: https://stackoverflow.com/a/428266/7720
I'm looking at creating my first ASP.NET MVC application using MVC3.
The project template I used included some models for registering users, logging in and updating a forgotten password.
I want users to be authenticated against my own data store (probably using Entity Framework) and using google OAuth.
I assumed that I'd want a User model class that contained a few standard properties and some business logic which handled the "local" authentication and the OAuth call but the project template has confused me.
Should I be creating multiple view-models for different actions like Login, Register, etc and then using the controller to instantiate and invoke my model to perform the business logic or should I use my User model for all the different actions?
Thanks
Ben
Should I be creating multiple view-models for different actions like Login, Register, etc and then using the controller to instantiate and invoke my model to perform the business logic or should I use my User model for all the different actions?
View model per view. That's the rule. There might even be 2 view models per view (one for rendering data in the GET and one for receiving data from the view in the POST action). Don't be shy in creating view models. You definitely shouldn't be using a User model for all different actions, that would be catastrophic. The model should be used by your service layer. A User model will be manipulated by this layer, and never passed to a view.
You may also check out AutoMapper for mapping between your model classes and view models. It's a great tool and comes in handy, especially when the number of view models starts to increase.
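To make the "view model per view" rule concrete, here is an added example (not the MVC 3 template's code and not AutomMapper's) in which the Register and Login views each get their own view model while the User domain model stays behind the service layer. User, IUserService and the constructor injection are assumptions. The reason the answer calls the alternative catastrophic is over-posting: whatever type a POST action binds to, every settable property on it can be supplied by the client, so binding straight onto User would let a request set IsAdmin or PasswordHash.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Domain model (assumed): owned by the service layer, never handed to a view
// and never used as an action parameter.
public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Email { get; set; }
    public string PasswordHash { get; set; }  // must never come from a form
    public bool IsAdmin { get; set; }          // must never come from a form
    public string GoogleSubject { get; set; }  // set by the OAuth callback, not by the user
}

// View model for the Register view: only the fields that form may send,
// with the validation that belongs to that form.
public class RegisterViewModel
{
    [Required, StringLength(50)]
    public string UserName { get; set; }

    [Required, DataType(DataType.EmailAddress)]
    public string Email { get; set; }

    [Required, DataType(DataType.Password), StringLength(100, MinimumLength = 8)]
    public string Password { get; set; }

    [DataType(DataType.Password), Compare("Password")]
    public string ConfirmPassword { get; set; }
}

// A different view, a different view model: Login has no e-mail or confirm field.
public class LoginViewModel
{
    [Required]
    public string UserName { get; set; }

    [Required, DataType(DataType.Password)]
    public string Password { get; set; }

    public bool RememberMe { get; set; }
}

// Service layer (assumed): the only place that creates or mutates User,
// hashes passwords and talks to the OAuth provider.
public interface IUserService
{
    User Register(string userName, string email, string password);
    bool ValidateCredentials(string userName, string password);
}

public class AccountController : Controller
{
    private readonly IUserService _users;

    // Constructor injection assumes a DependencyResolver is configured.
    public AccountController(IUserService users) { _users = users; }

    // GET: an empty view model for rendering the form.
    public ActionResult Register()
    {
        return View(new RegisterViewModel());
    }

    // POST: the binder only knows about RegisterViewModel's properties, so a
    // request that also carries IsAdmin=true or PasswordHash=... has nothing
    // to bind those values to and they are dropped.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // View model -> domain model mapping happens here (by hand or via
        // AutoMapper), never by binding the request onto User directly.
        _users.Register(model.UserName, model.Email, model.Password);
        return RedirectToAction("Index", "Home");
    }

    // What the answer warns against, shown only as a comment:
    //   [HttpPost] public ActionResult Register(User user) { ... }
    // Here the binder would populate IsAdmin and PasswordHash from any matching
    // form field the client chooses to send.
}
```

The GET/POST split the answer mentions is visible in the two Register actions: the GET renders RegisterViewModel and the POST receives it, and nothing in AccountController ever returns a User to a view.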