Handling page refresh in backbone + spring rest component based application - spring

I have tow applications deployed on 2 different tomcat servers.
first application completely consists of .js and .css code prepared using backbone.js and application 2 consists of a Spring MVC,Rest application which handles the rest calls made by the backbone application
I am facing a problem in this scenario, which is at the time of login when a request is send to app-2 , response is send consisting of all the login session related details in a Json object. After the response is recieved, all the received details is stored in backbone model object and a view called Welcome is rendered accordingly.
But what if i do a page refresh on welcome page, will the details in the model persist. If yes then no issue but if no then what should be done ???

No, the JavaScript models will not persist after a page refresh. Generally, the way I've seen it resolved is having two authentication calls in app-2: One to log in, and another to check if logged in. This way, when the page loads, you can quickly make a request to check if the user has already logged in. If so, then forward to the app. If not, let the user log in.

Related

Is it possible to protect Get Requests in Spring Boot MVC with Recaptcha (inside the Spring Boot Application)

Let's say when you send a request to this url: ...?query=something&filter=another_thing, I am returning a web page with model attribute let's say model.addAttribute('result', resultList) then just for loop the result and print the values. (Template resolver could be jsp or thymeleaf, but there is no option to load resultList without model fashion - I mean there is no ajax request - )
What I want to do:
before loading the result (or loading the page), I just want to load google recaptcha.js first and
recaptcha will return a token,
then I will send token to the backend via ajax request.
After all if request is not bot, I will print the resultList
Is this requirement possible to implement inside the Spring boot application itself?
NOTE: I could not find anyway to do this. I just though that I could intercept the original get url then redirect to the another page, and this page will load recaptcha and send the token to my backend. If it is not bot then redirect to the original get url. However I do not know how to preserve original request
You're framing it slightly wrong, which may make all the difference.
When making a request, you want to make sure that request is authorized, before you handle
it.
That is where a recaptcha comes in.
To prevent unauthorized access, look into spring-security and recaptcha for that.
Once sufficient authentication has been achieved, your request will then enter your controller, and you can serve the page.
(of course, you could look into it doing it dynamically, but that will be a bit harder)

Dynamically Update Page in Application Requiring Authentication Via Azure AD

I am curious if anyone has a solution to this unique situation as I have a solution currently, though I feel it is not the most optimal.
The Situation.
I have built an MVC style web application that talks to a web API through http (authenticating via JWT). My web application is secured by appending authorization to its view controllers and redirecting to a Microsoft login endpoint - then directing back to the view where whichever given controller/function handles the request, connects to the API, appends data to the view, etc.
Preferably I would like to use JQuery/Ajax to submit http requests client-side and update a given view with whatever data the user may wish to see relative to the webpage they're on. This way I could control exactly what the user should see landing on the page any which way and submitting requests from web app to API. Also would enable better continuity between requests as there isn't actually a full refresh of the view. All in all it is my line of thought that this execution would lead to a nice user experience.
The Problem.
So the big issue that I have had to circumvent is CORS Policy. I initially attempted to use JS just as I said above but requests would be redirected to the login endpoint and blocked due to there being no CORS header appended to the request.
'So include a policy in your application and append an authorized header to your Ajax outgoing request' you might say, well... you cannot override CORS security around Microsoft's login endpoint.
My Solution.
What I have done simply instead is create HTML Forms around fields the user would pick and chose to specify what data they wanted from the API. Then carry over input data to the returned view via 'ViewData'
and using razor pages of course I can actually initialize JS variables via C# input.
Side Note
I use JS to transform the API data into graphs for the user to see. I am doing this with a JavaScript Library.
My Question to you.
This all leads me to ask then, is there a way to dynamically update a view without using JS? I require a method that can hit the login redirect without being blocked because the request initiated client-side.
Every solution I am aware in some way, shape, or form utilizes JS to make the request. So I am at a loss for how to truly get the functionality I am after without having my requests get blocked due to CORS Policy.
Thanks in advance y'all.

using authenticated session/user for REST API in eXist-db

I have a public website running from an eXist app. I am now developing an interface for logged in users to edit certain documents through HTML forms and AJAX. I've set up a module in eXist to receive AJAX POST requests through the eXist REST interface (ie. http://www.example.com/exist/rest/db/myapp/api/myxquery.xql). However this module does not seem to be aware of the fact that the user is already logged in!
How do I get the REST module to use the session/authentication of the logged in user?
Am I required to store the user/password in the browser to pass with each REST API request?
If this is not the preferred model for passing data from the browser under user/password, what is eXist's recommended solution?
Many thanks in advance.
(A variation on this question was asked two years ago but received no solutions.)
In order to use the REST-API from existdb you can only authenticate each request using HTTP Basic Authentication. Also mentioned in the question you referenced.
If you decide to handle AJAX request in your app's controller.xql you will need to:
Add routes for your AJAX requests to the controller
Make sure you call login:set-user for the user session to be picked up
Make sure the AJAX request sends the cookie:
For instance, the fetch function will send the authorisation cookie
only if send-authorization is true.
Look at the output-method and serialization settings, since you will likely want to respond in JSON-format. useful blog post about this

How to prevent SpringSecurity remembering Ajax urls in a Grails app

I've had some odd issues lately where after logging in to my application, rather than seeing the expected page, I get a json response rendered in the browser.
What's happening is I have a javascript routine on every page of the application that polls via ajax for new messages for the user.
There is a point when the user has signed out manually.. or is logged out when this ajax call is made and spring security is remembering this URL as the URL to redirect to again when logged in. So when the user signs in again, instead of being redirected to their dashboard, they are presented with the JSON response.
I need to prevent Spring Security from remembering Ajax called URLS, can anyone tell me if this can be done?

Spring Security and Single Page Applications

My application will be:
- Single Page App (say in angular/backbone)
- Spring MVC based Server.
I find many examples about using Spring-Security where the login page, logout page etc.. are all HTMLs. And Spring Security directs to appropriate pages based on Session State.
But in my case the login/logout page will be in JavaScript - All interaction with the server for login/logout is over HTTP(REST style URLs), and response JSON. There is no HTML in play here.
Question
How can i use Spring Security in this case? In other words - How can i expose login/logout behavior as a API?
Since the front end is Browser based app... i guess usual cookies etc. should still work for identifying session.
Yes Cookies still work in your cases. But you need to tap on the ajax urls instead of normal urls. I had an experience with a mobile based - single page application and I managed to do it with a grails backend. When logging in tap on /j_spring_security_check?ajax=true if http response is 302 and it redirects you to /login/ajaxSuccess it means that you have logged in successfully. Otherwise you failed to login.

Resources