I have trouble with restricting user access to some pages. I send an ajax request to servlet. In ajax success I want to redirect a page to another page based on condition. But i set a servlet constraint in web xml, so redirection results in error with 403 code. response.sendredirect also does't work as it is an ajax request.
Any ideas? please, help me to do this redirection with relevant restrictions.
There is a very easy solution for your problem.
That's to put the jsp files(which you don't want to be accessed by users directly) inside WEB-INF folder. The reason? Well,everything inside WEB-INF folder is by default private members of the whole application. That means that, these files can only be accessed by programs i.e. servlets.
So if any user try to directly access the jsp pages, he/she will get "Http 404" error.
In this way you may restrict user access to specific files.
Related
I have read articles that give various ways to do "URL masking" so that the browser's URL bar does not show the actual location of the content. Such methods include setting up an .htaccess file, showing content in an iframe, or loading content from another source with javascript.
The problem with all of these methods is that the URL shown in the browser can actually be used to view the content I want to protect, even though it's coming from another location.
I need a way to have the browser display protected content while the URL bar displays a URL that will NOT show that content, because I don't want a person who has been given access to the content to be able to share access to that content by giving the URL away to others.
Is this possible?
Maybe you could use something like a randomly re-generated URI. Every time the link is consumed through an authorized channel, the route is invalidated on the server, and a new one takes its place.
Note:
The safest way to prevent unauthorized access to a URL may be to add authentication (user/pass or otherwise) to your content.
In OmniFaces, the FullAjaxExceptionHandler, after having found the right error page to use, calls the JSF runtime to build the view and render it instead of the page that includes the AJAX call.
Why this? IMHO it would be simpler to just perform a ExternalContext#redirect()? Are there specific reasons to do this?
We are writing our own ExceptionHandler based on FullAjaxExceptionHandler and wanted to understand the reason behind this design.
The primary goal of the FullAjaxExceptionHandler is to let exceptions during ajax requests to behave exactly the same as exceptions during non-ajax requests. The developer must be able to reuse the error pages across both conditions without worrying about the condition while implementing the error pages.
A redirect isn't part of the normal flow during non-ajax requests. The default <error-page> mechanism in web.xml performs a forward to display the error page, not a redirect. If a redirect was performed, all error page request attributes such as javax.servlet.error.exception would get lost and render as null. Moreover, normal practice is to place error pages in /WEB-INF to prevent endusers from being able to directly access (and bookmark and share) them. A redirect would require them to be publicly accessible, which indicates a major design problem (is the intented target page actually a real error page?).
If you really need to perform a redirect to/from your error page, either homegrow a custom exception handler which explicitly invokes ExternalContext#redirect() and doesn't utilize web.xml <error-page> mechanism, or add a <meta http-equiv="refresh" ...> to the HTML head of the error page in question (example here).
In case you actually intended to redirect to some login page when a ViewExpiredException occurs, then you should realize that there's a big difference between the cases of "User is not logged in" and "Session/view is expired". For the former, you should not be catching ViewExpiredException at all, but use a simple servlet filter which checks if the user is logged in and redirect accordingly, long before the FacesServlet is invoked. A normal authentication framework (JAAS, Shiro, Spring Security, etc) also works that way.
See also:
What is the good approach to forward the exception from servlets to a jsp page?
What is the difference between redirect and navigation/forward and when to use what?
Why use a JSF ExceptionHandlerFactory instead of <error-page> redirection?
Check if session exists JSF
Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same
I have found really lot of examples, how to make spring security custom logging page and how to configure redirect to it if authorization is needed.
But I can’t find how to make logging form inside another page, for example inside home.html.
I can imagine I will use Thymeleaf fragments to insert custom logging page inside home page. But I don’t know how to connect it to authentication process (also without any redirection to home.html)
Thank you for replies
Petr
I started integrating SecureSocial in my play/scala app, but I don't really like all the redirects it does between it's different views.
example - try to login from it's default login page and if you put in a wrong pass you will be redirected to a different page (url) but with the same login form. the only thing that is different is that there is an error message...
I want a simple login form (user/password provider) at the corner of my main page that submits it's data using ajax, this data is validated on the server and a response is made to either display error message/s or change the window.location.
Next to this form I will put a link to go to a more advanced login page that adds the option to use other providers like fb/twitter etc..
But from that page I also want to use ajax to submit the details and get the response.
I tried to browse into the SecureSocial source but got a little lost in there.
Can any one give me an idea how to use SecureSocial's but without using any of it's views?
NOTE: I'm not interested in customizing their views, It's not just a CSS/design issue, I want to handle the login details Ajaxly and not with normal form submission followed by redirects...
After some more rummaging around in SecureSocial code I got a better understanding of how it operates.
You can use any of the providers you listed in the play.plugins file seperatly to authenthicate the user's info from your own login/auth code. just make sure you send the right parameters that the provider needs.
I liked the way SecureSocial's ProviderController class dynamically decided what provider to use, based on a parameter. But I didn't like the responses it made - redirect.. I wanted to respond to an ajax request with some data and let the client side js handle it.
This is my solution:
pretty much copy all of ProviderController code to my own Auth.scala file (a Controller).
Changed the redirects related to "case ex, case _", kept the redirect on successful auth as it adds the SecureSocial session key related to the user.
Removed all the SecureSocial related routes from my routes file.
Put an additional hidden field with the logintype (userpass/google/fb/etc...) and configured my login ajax post to sent this along with the post to my Auth controller.
If you need more info comment here and I'll edit the answer.
I am aiming to create a payment module. Its users shall be redirected away from the site's URL in order for the transaction to be processed by a third party at a different URL. I would then like customers to be redirected back to a generic 'success' page that notifies them the order was a success. I have tried redirecting to the default success page (checkout.thankyou.php), but I get lots of errors; all the constants etc. that the application requires have obviously been lost during the redirect.
I would like to be able to retrieve the theme currently enabled in the configuration and use it to insert some basic HTML into the view. I would also like to access the database to perform some queries.
Can anybody advise? I am very stuck, and cannot find anything useful in the documentation! Thank you.
Can you be more specific about what type of information you want in your success page? If you just want basic HTML, then there's no reason you can't just write a basic Joomla article and redirect to that instead of trying to redirect to a VM partial. Again, if it's just basic HTML (no data from the transaction), then you can simply use a code inspector (like FireFox Inspect Element) to track down the CSS classes you like from the template and simply use them in your Joomla article to make it look like the VM template. You can find most of them in components/com_virtuemart/themes/default/themes.css.
If you need to display actual transaction data in your Thank You message, be prepared for a bit more work. You're probably going to have to write a cookie containing the record data BEFORE it gets sent offsite, and then read the cookie just prior to rendering the Thank You page.