I have a web service that is being invoked by an ajax call in the JavaScript of my page, but when users view the source, they can see the path to the ASMX file, which they can type into the address bar. I want users to be restricted in viewing and/or accessing the methods of this web service. I want only the JavaScript file to be able to use those methods. Is this possible? These users are not behind any log in.
Thanks in advance!
You can't.
You shouldn't be worried about users knowing your webservices URL, but you should protect what you return with a logged in key or something provided by your website.
The rule is: you don't want people to do something? Check that before on the server side and then return "you are not authorized" or another access error. Even if you try to do a very good job in your JS, it is very easy to monitor what you are accessing with the browser debug features: press F12.
Related
I want to make a web app where the only cost to me is serving the webpage to the user, and all their data is saved to their Google Drive so I don't have to pay for storage or bandwidth.
Is this possible using Google Drive?
I can't see how:
If I want to save something directly from the browser, it needs my application's API key, and I can't put that in the HTML as it is non-secure.
If I try to do anything where the webpage calls my server, the file will have to pass through my server to get to Google.
If I want to save something directly from the browser, it needs my application's API key, and I can't put that in the HTML as it is non-secure.
You need client credentials, api key will only give you access to public data and wont give you the ability to write anything. Web credentials if configured properly are bound to the domain that they are intended to be use for there for they are considered secure.
If I try to do anything where the webpage calls my server, the file will have to pass through my server to get to Google.
Well this is true considering that your server is running the code. There is no way to route directly from the client to the user. Unless you did this with javascript in which case the code is running client sided and running in the users browser.
I have a single page application with some user-related calendars. The task is to write integration with the google calendar. A user should be able to click on 'integrate with google calendar', select his google account, give read+write access to the calendar, and then the application should be able to do a number of things within the user google calendar like creating a new calendar and sync all events inside it with the application data.
I started with this example, https://developers.google.com/calendar/quickstart/js
It works, but as I understand it's for online front end work only. Is it possible to retrieve authentication from this front end and send it to the back end? I want back end to operate server-to-server mode, while the user is offline.
I have checked the other, back end gapi integrations, but they do not look so cool, there're some redirects. I want to keep everything inside a single page with ajax and popups.
In order to access a users data when the user is off line you need something called offline access. When you authecate the user you will need to request offline access then the server will return to you a refresh token.
A refresh token is long lived you will be able to use your refresh token at anytime to request a new access token which will allow you to access the users data.
You cant use offline access with JavaScript you will need to use a server sided language like say node.js, php, phython .... you will not be able to use gapi
I am wanting to build an admin tool where I can "impersonate" users of my site, without having to lose my session as an admin.
I would like to be able to open an iframe that will view the website "as the user", without changing the state of the page that opened the iframe.
Is that possible? Is there a better way to do this?
It's possible, but there's a bit "but" :)
Just a couple options to start with:
Use URL-based session tokens (as Java Servlets do when you have cookies disabled)
Use different domains for "normal" site and admin interface
iframe itself won't help you much: it will always share its cookies with the browser. So in order to avoid that, you can use either of the above options—but that does not depend on the iframe.
What language? My answer is based on the assumption that PHP is your chosen language.
Firstly, I would say you have planned your application wrong if session impersonation is the only way you can view your site as another user while still keeping your admin login intact.
One way you could do it, and again this is assuming that you are using PHP as well as the default session management functions within and you do not have a custom session handler would be to load the iframe url with the ?PHPSESSID=sessionidhere parameter.
A better way to do this is to create your site and authenticate users via a user object of sorts and then add some sort of url parameter such as ?userbrowseid=123
Then when you load the page, your code will only check if the parameter exists if you are already logged in as an admin. The page would then overwrite your current user object with the user object of the user with the id 123. Steps should be taken to make sure your session cookies are not overwridden with the impersonated user object. As this would be in an iframe, your site will work as an admin and the iframe will be loaded as the user object.
I need to write events to the external database when users logging into SharePoint - username and datetime nothing else.
I use Claims authentication(Windows and forms) and standard login page.
I need to retrieve IIS logs or is there any easier way?
Thanks in advance, Chris
I would create my own login page. There is a good article here that describes how to do this. Include a method in your custom page to override the submit event for the page. You will have to handle the authentication logic, but once the user is authenticated, you can call your external system to log the information.
Note that the custom login page is defined for the entire web application. Any other site collections on this web application will get this same login when authenticating.
All,
Is there a way to log all clicks(like hyperlinks,buttons,.....) performed by the user on the client on any webpage and send it to server for logging purpose.If so please direct me to a sample code for it.
Thanks......
You can include the Google Analytics script in your file and reap its benefits.
Unless you are going to build a extension (or some greasemonkey script) for some browser you won't be able to do that for any web page the user visits.
Assuming that all clicks result in a server request, then why not just scan the access logs of the web server?
You can add a uniquely identifying id in each url in order to distinguish between users.