I have two separate web applications to handle a website for customers and other admin application for call center agents. Using the build script I am bundling the same model classes into both web applications.
There is a database for customers where we keep the password. If we change the password from website it should be immediately shown in the admin site. I am not using distributed cache.
Is there a simple way that I can enforce reload from database for a specific flow? So that I can reload from database if I want to get the password property.
If you don`t want using distributed cache, you could remove element from admin cache. Customers application should notify admin application about this event. Possible way to notify is simple rest call.
Related
We have a Firebase database connected with an APP which we want to convert to a website now. Laravel is nice frame work but unfortunately unable to sync the existing database to show up on the website as is. End goal is that any changes through an APP should reflect on the website and vice versa. Existing database include the product price, picture, ability for users to message each other , user authentication. In essence it is almost a complete market place.
If you want to use data from the Firebase Realtime Database in a web app/site, consider simply using its JavaScript SDK in your web application.
Doing so allows you app to directly read data from the database, instead of having to set up a web server in Laravel.
To ensure that your users only get access to data they're authorized for, you'll want to use Firebase's security rules. These are enforced on the Firebase server, so once you configure them correctly, there's no way for anyone to bypass them.
My solution directory has ASP.Net 4 web-forms project, that at present has all the development of my website.
The plan is migrate some of the existing front-end to ASP.Net5/MVC6 web application. And for that to happen, I have added ASP.NET 5 empty web application to the existing solution directory. The reason I have decided to use blank template is so that I can add all the required capabilities myself, and understand the flow better.
Capabilities like MVC, Session, Caching, Logging etc.
I have added MVC capabilities. And to add Session related capabilities I have followed the steps given in the below documentation,
https://docs.asp.net/en/latest/fundamentals/app-state.html#installing-and-configuring-session
After this, I am able to add the access the Session in my controller class. I can put some values in the session and can access it in view to verify Session is operating fine.
Both of my web applications (ASP.Net 4 and ASP.Net 5) would be running side by side, and I want to enable user to navigate back and forth with a single sign on. That effectively means, they to share same session.
And hence, I am looking for a way to access SessionID from the Session, so that I can check whether the value is same for both the websites, however there is no method that gives me SessionID...
Can someone explain why it is so and how to retrieve unique session identity?
I am using vaadin 7, and jboss 7.1.1. There is a business requirement for very granular ui access. There will be parent windows per business function, and in that window functions relative to it. Business requires enabling and disabling those functions within, per user, so as an example, a parent window that represents employees, and when you click that you enter the child window which has functions like editing, deleting, viewing, adding,etc etc but that access must be customized to the user using it, so user x can update but not delete, as an example.
So what i came up with was to store that information in the database. In the database there will be a users table with username and a user guid. Then a parentview table and and parentchildren table and then lastly a userview table. i will store in the userview table the users guid and either the view they have access to and what type of access as in read,write,update,etc... I will on the ui login authenticate against ldap, get the users information and guid and use the guid to pull the users view access from the userview table in the database and store it in the vaadin session, and then on the ui, read that from the session and show the correct access.
I am not sure if this is the best way which is why i am asking if my solution is ok? I have been reading lots of doc's around security but non seem to achieve what i want. Another point of keeping it in the db, is that i can create a user admin ui which can edit the users access simply by updating the db, i dont want to redeploy or do anything with the webserver, I would prefer a ui user access control module and for someone with rights to it to administer that access. I would really appreciate insight and some ideas into this.
Thanks guys, I would appreciate any input.
What you want to achieve, regardless of the environment you are in and technology you are using, is fine-grained access control / authorization.
The way to do that is to use authorization frameworks. Spring Security has one for instance. I'm not sure whether Vaadin comes with anything.
In our company we use Vaadin to develop a management portal and we then use XACML to apply fine-grained decisions to the portal such as which functions to enable for which users and even which items to display in a Vaadin table.
Generally speaking you want to look at the field of attribute-based access control (NIST ABAC). ABAC lets you define authorization constraints based on different factors/parameters such as user attributes (location, department, role...) and resource attributes (where the resource can be data, widgets, functions... You name it).
I actually delivered a webinar yesterday on the topic of fine-grained authorization for Java MVC apps. I think it could prove useful for you.
If you go down the XACML path, you do not need to create a custom database with the information inside as you have done. All you need to do is write authorization policies e.g. a user in purchasing can use the purchasing functions.
There are several open source XACML implementations as well as vendor solutions such as the one I work for, Axiomatics.
I hope this helps. I've also written a lengthier answer here which covers the broader field of authorization.
Here's the issue at hand: I have developed an ASP.NET MVC3 application using Razor. I have also implemented a custom membership provider and overridden the ValidateUser() method. Within, I query my db and get a lot of user information in addition to the password auth.
At the moment, I am pushing this information, i.e. companyId, to static properties of a class. This works and I can display/use this information throughout my app. The problem arises when a user closes their browser tab. Upon re-opening the app, the user is authenticated via a cookie, so they don't need to re-login; however, those static variables are blown away.
So guys and girls, how would/do you conquer this issue? Should I append the extra info to the session cookie? Or perhaps a better solution?
Use the ProfileProvider in ASP.NET.
For application level variables, they are going to be subject to application pool recycles and similar "simulated" restarts related to users starting all over. These variables should be completely independent of user usage and should be able to be recreated easily. If you have variables that are user dependent or that can't be restored easily without some sort of outside intervention then you will definitely need a different method of storage.
If the data is user specific, storing it in the session cookie is probably the best idea. If the data is user-related but branches multiple users it should be stored in a database or a flat file somewhere. If the data has nothing to do with users specifically then it should just be in a database or configuration file.
I am working on building a learners website (http:localhost:8080.xyz.com).This is being built on glassfish server using gwt.I need to integrate forums(http:localhost:8888.abc.com)into this site .The forum is built using php and is on Apache Server.
Both the websites share the same MySQL database and this database has a table named session table which has information about the user id and corresponding session id.
Now i am trying to integrate the forum into my website using an Iframe.
My first question here is,once the user logins into my website will my website and the iframe have the same session id?
If they dont have the same session id what would be the best way to implement the functionality that when user logins into my system he is also automatically logged in into the forum?
Thanks
Easy Solution:
Send the user (via iframe or ajax or whatever) to a page on domain B, providing the session ID as a get parameter (http:localhost:8888.abc.com/sso.php?sessid=the_sess_id), then create the cookie on domain B.
More complicated solution:
Setup one of the two servers as a reverse proxy so both apps share the same domain and cookies.