Considering authentication when using Ajax with Spring MVC - ajax

I am trying to use ajax in my spring mvc application. When I try a url (post/get) which is secured and needs authentication, the response is the html of login page as it is redirected behind the scenes.
What is the best approach to overcome this issue?

First, I would avoid displaying Ajax links to URLs needing authentication if the user is not authenticated, if possible.
If not always possible, your login page could be returned with a specific HTTP response code, (or any other way to distinguish it from a normal response) and your JavaScript callback could replace the entire body of the current page with the HTML received if this response code is received. Most AJAX libraries come with a way to define a handler to all the AJAX requests. Such a global handler could be used here.
The login page could also be adapted to only return a status code in case of an AJAX request, and the JavaScript code would then redirect to the login page (without using AJAX) if this status code is received.

I may not have explained the issue well. So I did not get the right response. However the response from JB Nizet contained some other points. So thank you.
I could solve the issue after coming back to this issue after some time, so
I posted about this on my blog.
I hope it is useful.

Related

URL redirect in spring mvc

Hi guys I want that I have a post method in spring controller
But user hits url request directly from a browser then user gets nothing.
So how can I redirect this to login page in spring mvc.
As per your description
But user hits url request directly from a browser then user gets
nothing
When user hitting a URLfrom browser, it should be a GET request but you said you have POST request there. That's why nothing happens(should give
GET not supported
in browser though).
POST method requests server to process submitted form data.
To achieve that, you have to declare a GET method for that URL in your controller side and return your resource(view) to the user and then user will get that after hitting that URL. After that you can perform POST request from user side(i.e. form data submission).
In one line: Your POST request will be GET in controller side if you want to just what you want.
Please let me know if I can assist more.
probably you should look for security instead of look for "redirects", you can cool at this question for reference :
link to similar question
It is NOT possible to make POST request from the browser.
You can find some other approaches fire-http-post-requests-with-firefox-or-chrome

NancyFx. Forms authorization. Ajax and unauthorized response

I use wcf-hosted NancyFx with forms authorization with redirection enabled (DisableRedirect = false).
I would like in case of unsuccesfull authorization attempt handle it and signal to user (show some tooltip that user name or password is wrong). How can I do it with FormAuth?
Another approach is to use Ajax post request, but because of redirection I can't get 401 code. If I turn off redirection it works (I can get 401 in ajax post request). But I want to use redirection facilities in my application...
I never work before with FormAuth, so what is my options here?
Thanks in advance!
Well, actually there were obvious solution based on parsing returned querystring (smth like login?error=true&username=a, as in examples for Nancy forms auth app). On document load parse this query string and show tooltip... Another question whether it is standart (good) practise?..

Different behavior in GET vs. POST Ajax request

We have an MVC app that uses controllers for AJAX endpoints, and FormsAuth for authentication.
I've run into an interesting scenario where a GET request will behave differently than a POST request (both for an unauthorized user).
In this particular case, our custom ControllerFactory runs the following code trying to access this controller:
FormsAuthentication.SignOut();
requestContext.HttpContext.Response.Redirect(FormsAuthentication.LoginUrl);
throw new UnauthorizedAccessException();
(I realize that redirecting inside an AJAX request makes no sense, but bear with me).
When I do a GET request (AJAX) to this controller, the client receives a 401 - Unauthorized exception, which I can trap on the client side and redirect the user to the login page.
When I do a POST request (AJAX) to this controller, I'm getting a 302, and my request got redirected to my login page.
Why do the GET and POST requests act differently?
So I took Darin's advice and did some refactoring, and I no longer run into this problem. :) I discovered the root of my problem, which was that we had a attribute for MVC error handling that did not have the IExceptionFilter attribute, so some stuff was happening in non-determinate orders. Thanks for the helpful kick in the butt. ;)

CSRF and Ajax: Do I need protection?

Do I need to use csrf tokens in my ajax requests?
I think that someone tricking my users to execute malicious ajax requests from another site, to my site, will fail because of the origin policy, which is handled by the browser, am I right?
I don't care about duplicated requests when using ajax, I'm only asking about the attacks.
Am I at risk if I don't use csrf in my ajax requests?
As per my research,
We can reduce the vulnerability by using POST request(for the request which will take side affect). But thing is that we can forge the POST request as well with form submission, cause same origin policy will not applies plain html for submissions. But it applies to request which are getting generated with JS.
So if you use ajax POST request and you are safe if you are using JSON payload.
Cause url encoded payload(POST request) can be forged with form submission from other sites.
If you use JSON, as it is not possible to send plain text pay load(with out urlform encoded) with html form submission you are safe. Because with ajax POST request if you use urlform encoded data payload it can be forged with POST form submission.
This is how we solved the problem with CSRF token in Ajax requests
http://mylifewithjava.blogspot.com/2010/11/implicit-csrf-protection-of-ajax_22.html
The fact that you are using Ajax doesn't mean that others have to as well. Your server won't be able to distinguish a request made by XHR from one made by <form> submission. (Yes XHR usually adds a header identifying itself, but this is not hard to spoof.)
So yes, you do need to consider CSRF attacks.
Edit
Django have a POC, which is why they and Ruby on Rails now implement CSRF protection on AJAX requests.
Once again, please check your facts before downvoting, and explain what the downvote is for.

Sending login information via AJAX

Im using jQuery validate plugin and every form has multiple validation levels.
level is by validate plugin
level is:
data is submitted to site
I get a reply
if everything is ok -> JS redirects to url
if there is an error, it shows warnings
Now I wonder, is it safe to send login info via ajax? I know that with addons like firebug, I am also able to get all POST parameters with normal submit. But can somebody else interfere with ajax login request and steal precious data?
is it safe to send login info via ajax
You do use HTTPS, do you? If you do it's as safe as form submit.
Are you issuing requests over HTTPS?
If you mean someone else on the network, then see the earlier comments about HTTPs.
If you mean "can someone inject something into a page and steal the data", the answer is yes. As you've observed, the user can install plugins which could do this; it's also possible that your page could be inadvertently be the target of injection via cross-site scripting or some other flaw.

Resources