Is there a way to make Firefox or any other browsers remember values in ajax login forms?
I suggest checking that you dont have password remember settings for the site in question set to "never". Some sites also disallow remembering passwords explicitly in their form tags. In such cases, if you really want the form to remember the login (Such as if you are testing the site and regularly log in using the same credentials), It may be possible to write a bookmarklet to remember the details for you. (You could save the bookmarklet in your bookmarklets toolbar)
Related
I am writing a simple web page, which shows some widgets based on user permission. If user has EDIT permission, the page renders EDIT widget else EDIT widget doesn't shows up.
What is the best way to achieve this?
I, first called a service to get logged in user's permission and then set visibility: none or block based on the permission. But, I see that user can "inspect element" on browser and set visibility accordingly. However, on server-side, I am using #PreAuthorize annotation on DAO to control the user actions.
How to control visibility of UI widgets without user being able to make changes, maybe from server side?
Update : I am looking for JSTL equivalent in GWT
AFAIK there is no JSTL equivalent for GWT.
However there are some 3rd party (i.e. ArcIS) libraries that make display/hiding UI elements based on user permissions more convenient.
However no matter whether you do it manually or using a library you should make sure that you properly secure your backend side (as far as I can tell you are doing that by using method level security).
One important thing to remember when dealing with client side permissions/security:
You should never trust input/actions from the client/browser, because you are not in control of it. So you must always do security on the backend
In my opinion, it really does not matter if the user could theoratically inspect the edit button for example using Browser Dev Tools and make it visible, as long as the the edit action on the backend is properly secured. If you are really that concerned you can remove the elements (i.e edit button) from the DOM instead of hiding it, but it won't make it more secure.
I, first called a service to get logged in user's permission and then
set visibility: none or block based on the permission.
Well instead of setting the visibility none or block, assuming you are using JSP, use JSTL tag
<c:if test="${if the user has permission}">Show widget UI code</c:if>
If the page has n widgets for which the user doesn't has permission, why would you load the code for all the n widgets. It's non performant.
write a panel that shows it's contents based on security settings in the client code
add the widgets to be controlled inside the security panel
the panel will now control the appearance of the children based on security in your client code
As has been mentioned before, and has been recognized by you, client security is only visibility control and thus not sufficient to protect the app.
I'm making a site in django which has profiles for users and companies with text fields, photos, choices, etc., and I want them to look the same while viewing or editing them (in case of the owner of the profile). Basically the user must click somewhere and all the information becomes editable, without having to go into other "profile editing" page.
The only way of doing this that I can think of is by making to different pages, one for only "viewing" the data, and other for editing it, and try to make them look the same anyhow..
I wonder, if there is an elegant and simple way of integrating this two functionalities in django?
Thanks.
You're talking about manipulating the DOM without page loads. You're going to use AJAX to retrieve your form. I would recommend using Tastypie to create REST endpoints. Then you'll need to do AJAX calls to get your form. I would recommend using jQuery.
If you would prefer something simplier. You could always user a hidden form field and then manipulate the DOM with jQuery.
We have a requirement where support for different users in different tabs of a browser window. How can we achieve this in Spring 2.5? The application is based on Users, where users will have their own agents and articles. An internal user should be able to login to different user accounts in different tabs at same time and manipulate their data. Any help is much appreciated.
A browser's cookie store does not distinguish between different windows or tabs when deciding what cookies to send. So a cookie based approach won't help.
My suggestion for an alternative would be to have a hidden "userName" parameter that is passed back and forth as a URL query parameter for all requests from a given tab or window. You could finesse the setting of the parameter in browser requests by using some Javascript to add a hidden parameter to each of the HTML forms in the page just loaded. The parameter value would be snarffed from the query string of the current page URL. You'd just need to make sure that all pages included stuff in the header to load the JS and run it when the page load completed.
Generally speaking, no, because all of the tabs within the browser window share the same cookies.
One way to do it would be use multiple domain names all pointing at the same app. Each domain name would have its own set of cookies. You would need to have some way of switching to a new domain name after you open a new tab.
How about, have a set of bookmark toolbar bookmarks, each corresponding to a different domain name. Control-click on the bookmark and it opens in a new tab. You could provide the users links in your navigation to the different domains that they can drag onto their toolbar.
Depending on what browsers your users are using you could get even slicker - in some browsers Javascript window.open() opens a new tab. You could have the JS compute the new domain name before the window.open().
My website uses ajax.
I've got a user list page which list users in an ajax table (with paging and more information stuff...).
The url of this page is :
/user-list
User list is created by ajax. When the user click on one user, he is redirected to a page which url is : /member/memberName
So we can see here that ajax is used to generate content and not to manage navigation (with the # character).
I want to detect bot to index all pages.
So, in ajax I want to display an ajax table with paging and cool ajax effetcs (more info...) and when I detect a bot I want to display all users (without paging) with a link to the member page like this :
JohnBob...
Do you think I can be black listed with this technique ? If you think so, could you please provide an alternative solution by keeping these clean urls and without redeveloping the user-list (without ajax) ?
Google support a specification to make AJAX crawlable:
http://code.google.com/web/ajaxcrawling/docs/specification.html
I did an experiment and it works:
http://seo-website-designer.com/SEO-Ajax-Google-Solution
As this is a Google specification, you won't get penalised (unless you abuse it).
Saying that, only Google support it at the moment (AFAIK).
Also, I believe following the concept of Progressive Enhancement is a better approach. That is, create a working html website then make the JavaScript enhance it
Maybe use the urls with an onclick to trigger your AJAX scripting? Like
Some URL
I don't think Google would punish you for this, you primarily use JScript, but you do provide a fall back for their bot, so your site doesn't get any less accessible.
EDIT
Ok, I misunderstood. Then my guess would be you basically have two options:
1. Write a different part of your site where bots end up, or,
2. Rewrite your current site to for example always give a 'full' page, with an option to only get, say, the content div. Then you can get only the content with JavaScript, but bots will always get a nice page.
Is there any way I can change the URL or add more history to the "back button" without having to refresh the entire page?
My application is AJAX based and I'd like to add some "undo" events to history so that the user can simply hit back and retain the old values.
What's possible today? I hear some of this may be in HTML5 but haven't checked whats supported in current browsers.
I think you can use window.location.hash to track the #part of the page, in your case, #state1, #state2 and so on.
window.location.hash = '#state' + (++ stateN) to set and
stateN = parseInt(window.location.hash.match(/\d+$/)[0])
See On - window.location.hash - Change? for more details about how to detect location hash changes.
You could use 301 redirection. Personally, I would use cookies on the client side, or sessions in your back end, to store the breadcrumbs. Storing state information in the URL is a bad idea for AJAX applications, because people might return to a url that the server side is not in the right state to respond to.
Another option would be to provide your own Back button that knows which page to go back to.
The answer for this question will be more or less the same as my answers for these questions:
How to show Ajax requests in URL?
How does Gmail handle back/forward in rich JavaScript?
In summary, two projects that you'll probably want to look at which explain the whole hashchange process and using it with ajax are:
jQuery History (using hashes to manage your pages state and bind to changes to update your page).
jQuery Ajaxy (ajax extension for jQuery History, to allow for complete ajax websites while being completely unobtrusive and gracefully degradable).
It is possible to use ASP.NET's built in Script Manager to update the browser's history. A full how-to to do this is located here:
http://www.asp.net/aspnet-in-net-35-sp1/videos/introduction-to-aspnet-ajax-history