Composite C1 - Membership Provider - Simple Registration and Login - membership-provider

I am developing my first application using the Composite C1 CMS as the core system. I am currently working my way through the documentation and learning about data structuring, etc. I see that there is a paid Extranet package which can be purchased but I would prefer to develop my own Membership system within the site.
What would be the best way for me to allow users to register on the front end of my Composite C1 website and then to allow them access to a password protected area once they have registered and logged in?
I am a fairly experienced .net developer but Composite C1 is very new to me (at first impressions I like it a lot!)
Thanks

Like the commercial Extranet package, you can write a RenderingResponseHandler plugin and register it in the ~/App_Data/Composite/Composite.config file.
Check the guide "How can I validate users before a page or media file is being served?"
RenderingResponseHandler plugins are tasked with approving page and media requests and they can either let the request pass or redirect the request to a new URL.
You would need to take care of the user data base and login page yourself. Also some mechanism that would allow a user of the cms to mark pages as protected/public might make sense.
There are relevant pointers on the CodePlex thread "Restricting access to MediaArchive files".

Related

Is it possible to design a setup step to be triggered when installing a Microsoft Teams App?

I'm designing the architecture for a Microsoft Teams app.
This app is an integration to a multitenancy platform where the customer can set up their own URL to access the system, e.g. https://app.customer.com/
I was wondering if there is a standard way to have a step on the app installation to set up the instance URL.
I understand I could design an app generator that would reside inside each customer instance and then deliver the manifest.zip to the customer to install it, but I feel we would lose all marketing and partnership opportunities that having it on the store would provide.
I couldn't find a standard way so I designed a proposed solution and wanted to validate it with the community.
I came up with a list of issues and workarounds to work with a single app for the multiple instances, based on what we've seen so far in the Microsoft Teams documentation.
Issue 1: Accessible domains must be explicitly set in the manifest.json
Workaround: have a middleware at a fixed URL that handles all requests made by the app and routes them to the customer site
Issue 2: There is no standard step in an app installation to set up the instance URL
Workaround: design a static tab that handles the configuration, so in that tab the admin would set up any configuration such as the instance URL
Issue 3: After installation, the feature will be available to the users even before the admin has done the setup to define the customer instance URL to be used.
Workaround: make all designed interactions (i.e. tab configuration page, bot responses, actions, cards, etc.) respond to the user saying there is pending configuration in case the admin has not set the URL yet

Create one or multiple projects for OAuth 2.0 for the company websites in different countries? (different prefix in URL and local content)

I am developing a structure in the Google developer console to create projects and configure OAuth 2.0 client IDs for our company websites. We use these to integrate Google login into the websites.
We have around 50 websites now, where some are "company websites", then we have "product websites", etc. such groups.
For example group of company websites - those websites have exactly the same design, the same purpose, but are country specific, thus:
- differ in country prefix, e.g. countryA.companyxy.com, countryB.companyxy.com
- differ in content (the types of content are the same, but the content itself is connected to the country, thus local)
- the language can be different (although mostly it's english)
I am seeking a recommendation as I cannot decide what is better:
1) Create one project per website and then different Client IDs for environments (prod, staging, dev) - this would be 50 projects, each with 3 Client IDs
2) Create one project per group - e.g. company websites would have one project and I would create a new Client ID for each country and each environment. This way I would have maybe 5-6 projects, each with 10-20 Client IDs.
Can those company websites all use the same application, or should they not?
If I've understood you correctly, this is a fairly standard multi-tenant application where a single app (from Google's perspective) lives at multiple domains. You can use a single Project and a single Client-ID, since in both cases, the ID relates to the app, not to the domain the app lives at.
So, when you start the OAuth dance, you always specify the same redirect URL, which handles OAuth for all domains. The trick is that you include a state parameter at the start of the dance which indicates which country/site your OAuth code should redirect to once the dance is finished.
So, roughly something like this:
user visits countryA.companyxy.com and requests OAuth (e.g. clicks a sign-in button)
You redirect to accounts.google.com?redirect_uri=common.companyfoo.com/oauth&state=countryA.companyxy
After auth, Google will redirect back to common.companyfoo.com/oauth?state=countryA.companyxy
Your OAuth handler does its thing, then parses the state param and redirects back to countryA.companyxy.com
Of course there might be administrative reasons for your company to prefer multiple projects and/or client IDs, depending on your enthusiasm for admin and how you wish to segment your data. To explain this last point using Drive as an example: if all companies have the same project, then the drive.file scope would give them all access to the files created by the app. However, if you have a project for each company, then Google sees these as created by different apps, so they are not visible using the drive.file scope.
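The shared-redirect flow described in the answer above, as an added example that is not part of the original post. It carries the destination site in the state parameter, as the answer suggests, and adds the two checks a practitioner would want on such a handler: the state is HMAC-signed and bound to a per-session nonce (so it doubles as the CSRF token), and the site it names is matched against a fixed allow-list before any redirect, so the common handler cannot be turned into an open redirector. Host names, the client ID, the signing key and the function names are assumptions, not anything from Google's libraries; the code-for-token exchange is left out.

```python
# Added example (not from the original answer): one Google OAuth client and one
# shared redirect_uri serving many country sites, with the destination carried in
# a signed state value. Host names, client ID and key are constructed placeholders.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Every site the common handler may send a user back to (assumption: a fixed list).
ALLOWED_SITES = {"countryA.companyxy.com", "countryB.companyxy.com"}
COMMON_REDIRECT_URI = "https://common.companyfoo.com/oauth"
CLIENT_ID = "000000-example.apps.googleusercontent.com"   # constructed
STATE_KEY = b"replace-with-a-random-32-byte-secret"        # constructed


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(site: str, nonce: str, key: bytes = STATE_KEY) -> str:
    """Bind the destination site and a per-session nonce into a signed state value."""
    if site not in ALLOWED_SITES:
        raise ValueError(f"not a known site: {site}")
    payload = _b64e(json.dumps({"site": site, "nonce": nonce}, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def parse_state(state: str, session_nonce: str, key: bytes = STATE_KEY):
    """Return the destination site if the state is authentic, matches the session
    nonce and names an allow-listed site; otherwise None (never redirect on None)."""
    payload, _, sig = state.rpartition(".")
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        data = json.loads(_b64d(payload))
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    if not hmac.compare_digest(str(data.get("nonce", "")).encode(), session_nonce.encode()):
        return None
    site = data.get("site")
    return site if site in ALLOWED_SITES else None


def start_login(site: str) -> dict:
    """Step 1: build the Google authorization URL. The nonce must be stored in the
    user's session on the common domain (assumption: a cookie set before redirecting)."""
    nonce = secrets.token_urlsafe(16)
    state = make_state(site, nonce)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": COMMON_REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
    }
    return {"url": "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params),
            "state": state, "nonce": nonce}


def finish_login(callback_url: str, session_nonce: str):
    """Step 2: Google has redirected to the common handler. Validate the state and
    return the site to send the user on to, or None. The code exchange is omitted."""
    query = parse_qs(urlparse(callback_url).query)
    if "code" not in query:
        return None
    site = parse_state(query.get("state", [""])[0], session_nonce)
    return None if site is None else f"https://{site}/"


if __name__ == "__main__":
    begun = start_login("countryA.companyxy.com")
    callback = COMMON_REDIRECT_URI + "?code=4%2Fexample&state=" + begun["state"]
    print(finish_login(callback, begun["nonce"]))      # https://countryA.companyxy.com/
    print(finish_login(callback, "some-other-nonce"))  # None
```

Because the callback lands on common.companyfoo.com, the nonce cookie has to be set by that domain, so in practice countryA.companyxy.com sends the browser to a start endpoint on the common domain rather than straight to Google. How the established session is handed back to the country site after the redirect (a one-time ticket, a shared cookie domain) is a separate design choice this block does not cover.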
I am seeking a recommendation as I cannot decide what is better:
I would align the Folder/Projects in the same structure as the company organization with a preference towards more projects (separation) instead of consolidation. Try to think of the chain of command and the distribution of resources. Factor in how you want security to separate resources. This might help figure out what should go where. Do separate development from production resources (separate projects).
Can those company websites all use the same application, or should they not?
The answer is "it depends". If they all share a common domain name root, and they authenticate at the root, very easy to implement. The authentication cookies can be shared across domains. Otherwise, you will need to use multiple redirect_urls so that auth on one site completes on the same site. I am not sure what the limit is for Redirect URLs per Client ID.
To the second part of your question, "or they should not": if the websites are designed to look like the same company, then customers will expect to authenticate only once and be authorized across all sites. Is this a good idea? Yes. Is it the correct idea? This depends on your security requirements, isolation needs, etc. No simple answer here.

Where to put logic for auto-login and creating members

I'm new to Umbraco development, but I'm plenty familiar with ASP.NET & MVC etc. So I'm getting to grips with the object model and terminology used, but I'm not sure where to start. I need to use Windows authentication on my Umbraco site, which will be for internal use only.
What I envision:
- When a domain user hits any area of the website, grab the user identity
- Lookup to see if matching user(or member) exists and if not create it
- Login this user to Umbraco
- By default for all new visitors, if their user identity doesn't match a current member, then create that member and log them in.
Sounds like I need to create my own controller that overrides the base controller (RenderMvcController?) and check the user identity on each and every request? Maybe do this by overriding the Index action method? Or could I do this with a macro - or, as I've seen mentioned, are macros losing favor with the new version of Umbraco?
Also, I'm not sure how to deal with members vs. users. As I understand it, members are those who have access to the front part of the website, whereas users are those that have access to the back office area and can create/manage content.
Are all users also members?
There will be some that I want to give access to create/manage content, so when I'm auto-creating users, is it actually members that I need to create, not users?
[ update ]
Actually, I think I will need to create my own membership provider if I want every request routed through the check for a valid domain user? In my research, I keep coming across this example http://thegrayzone.co.uk/blog/2012/07/combined-authentication-with-umbraco/
I have overridden the default RenderMvcController in numerous projects with success. You could of course use the built-in Umbraco auth to redirect users that do not have a valid Umbraco auth token to an authentication page, and set it only on that page based on their Windows identity.
RE: Are users also members?
No. Users & Members are entirely independent of one another; users being back office users & members being front end users. You will need to create 2 accounts.

Granular Web UI Access/Authorisation - Vaadin 7, JBOSS 7.1.1

I am using Vaadin 7 and JBoss 7.1.1. There is a business requirement for very granular UI access. There will be parent windows per business function, and in that window, functions relative to it. The business requires enabling and disabling those functions within, per user. As an example, a parent window that represents employees: when you click that you enter the child window, which has functions like editing, deleting, viewing, adding, etc., but that access must be customized to the user using it, so user X can update but not delete, as an example.
So what I came up with was to store that information in the database. In the database there will be a users table with username and a user GUID, then a parentview table and a parentchildren table, and then lastly a userview table. I will store in the userview table the user's GUID and the view they have access to and what type of access, as in read, write, update, etc. On UI login I will authenticate against LDAP, get the user's information and GUID, use the GUID to pull the user's view access from the userview table in the database and store it in the Vaadin session, and then on the UI, read that from the session and show the correct access.
I am not sure if this is the best way, which is why I am asking if my solution is OK. I have been reading lots of docs around security but none seem to achieve what I want. Another point of keeping it in the DB is that I can create a user admin UI which can edit the users' access simply by updating the DB; I don't want to redeploy or do anything with the web server. I would prefer a UI user access control module, and for someone with rights to it to administer that access. I would really appreciate insight and some ideas into this.
Thanks guys, I would appreciate any input.
What you want to achieve, regardless of the environment you are in and technology you are using, is fine-grained access control / authorization.
The way to do that is to use authorization frameworks. Spring Security has one for instance. I'm not sure whether Vaadin comes with anything.
In our company we use Vaadin to develop a management portal and we then use XACML to apply fine-grained decisions to the portal such as which functions to enable for which users and even which items to display in a Vaadin table.
Generally speaking you want to look at the field of attribute-based access control (NIST ABAC). ABAC lets you define authorization constraints based on different factors/parameters such as user attributes (location, department, role...) and resource attributes (where the resource can be data, widgets, functions... you name it).
I actually delivered a webinar yesterday on the topic of fine-grained authorization for Java MVC apps. I think it could prove useful for you.
If you go down the XACML path, you do not need to create a custom database with the information inside as you have done. All you need to do is write authorization policies e.g. a user in purchasing can use the purchasing functions.
There are several open source XACML implementations as well as vendor solutions such as the one I work for, Axiomatics.
I hope this helps. I've also written a lengthier answer here which covers the broader field of authorization.
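The policy-based approach the answer above argues for, as an added example that is neither the original poster's design nor Axiomatics' product or any XACML engine: a minimal attribute-based evaluator in the XACML style, where rules are predicates over subject, resource and action attributes and are combined deny-overrides with default deny. It replaces the per-user userview table with rules such as "purchasing staff use purchasing functions" and "only HR managers delete employees", and the same `enabled_actions` call that decides which buttons to show can guard the server-side handler. The attribute names, departments, roles and rules are constructed for illustration.

```python
# Added example (not from the original answer or any vendor engine): a small
# attribute-based access control evaluator. Attributes and rules are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass(frozen=True)
class Request:
    subject: Attrs     # e.g. attributes pulled from LDAP at login
    resource: Attrs    # e.g. which parent/child view is being rendered
    action: str        # view, add, update, delete ...


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                        # "Permit" or "Deny"
    target: Callable[[Request], bool]  # is this rule applicable to the request?


def evaluate(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any applicable Deny wins, then any applicable
    Permit, otherwise Deny (default deny when no rule applies at all)."""
    permitted = False
    for rule in rules:
        if rule.target(req):
            if rule.effect == "Deny":
                return "Deny"
            permitted = True
    return "Permit" if permitted else "Deny"


# Constructed policy for the employees/purchasing scenario in the question.
POLICY: List[Rule] = [
    Rule("purchasing staff use purchasing functions", "Permit",
         lambda r: r.resource.get("module") == "purchasing"
         and r.subject.get("department") == "purchasing"),
    Rule("HR staff view, add and update employees", "Permit",
         lambda r: r.resource.get("module") == "employees"
         and r.subject.get("department") == "hr"
         and r.action in {"view", "add", "update"}),
    Rule("only HR managers delete employees", "Permit",
         lambda r: r.resource.get("module") == "employees"
         and r.action == "delete"
         and r.subject.get("role") == "hr-manager"),
    Rule("contractors never delete anything", "Deny",
         lambda r: r.action == "delete"
         and r.subject.get("employment") == "contractor"),
]


def enabled_actions(rules: List[Rule], subject: Attrs, resource: Attrs,
                    candidates: List[str]) -> List[str]:
    """The actions the UI should enable for this user on this view; the same
    function must gate the server-side handler, since the UI alone is no control."""
    return [a for a in candidates
            if evaluate(rules, Request(subject, resource, a)) == "Permit"]


if __name__ == "__main__":
    employees = {"module": "employees"}
    actions = ["view", "add", "update", "delete"]
    clerk = {"department": "hr", "role": "clerk", "employment": "staff"}
    print(enabled_actions(POLICY, clerk, employees, actions))   # ['view', 'add', 'update']
```

Changing what a user may do is then a policy edit rather than a row in a per-user table, and the Deny rule shows why deny-overrides matters: an HR manager who is also a contractor keeps update but loses delete, without anyone having to remember to strip that row.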

What is SOAP in Magento? What is it used for? What is the use of SOAP/XML-RPC User?

What is the use of SOAP/XML-RPC - Users and SOAP/XML-RPC - Roles?
In the System menu there is one menu item, Web Services, which contains 4-5 options like SOAP/XML-RPC - Users and SOAP/XML-RPC - Roles.
What are they for? How do you use them?
The original Magento API was implemented in both SOAP and XML-RPC. SOAP and XML-RPC are well-known technologies for exposing functions, classes, and methods that client programmers may call over HTTP. Explaining them in greater detail is beyond the scope of a Stack Overflow question.
The Users and Roles menus are for the authentication portion of the Magento API. To authenticate to the API, you call a login method, passing in a username and password. You set up this username and password in the Users menu you mentioned.
Each user you set up is assigned a "role". Roles determine which API functions a user may call. You set up the roles in the Roles menu you mentioned, and you assign a role to a user when editing it in the Users section you mentioned.
In newer versions of Magento these sections are explicitly labeled with SOAP/XML-RPC to differentiate them from the newer REST APIs.
First you'll need to know what web services are for. To acquire basic knowledge of web services, SOAP and XML-RPC, read the URLs below:
http://nanostuffs.com/Blog/?p=1152
http://blog.manishchhabra.com/2013/04/rest-and-soap-web-services-analogy/
After getting basic knowledge of web services, read how to use them in Magento from the URLs below:
http://www.magentocommerce.com/wiki/5_-_modules_and_development/0_-_module_development_in_magento/introduction
http://inchoo.net/ecommerce/magento/magento-api-v2/
http://inchoo.net/ecommerce/magento/magento-v2-soap-demystified/
