Can you suggest good practices for information related to validation messages in the user interface. Assuming you have a the following tables (User, Address, Email) and we use JPA to model our entities and the underlying validation provider is Hibernate.
The default messages which are throws when a value is empty or incorrect is either
validator.required=value is required
validator.notNull=may not be null
It would be ideal to provide user friendly messages like.
Enter your password here
Enter your first name
Enter the city name
City name cannot contain numerical characters
Any suggestions on web sites which already do this or a set of grammatically correct sample messages for the exisiting default keys shipped as part of hibernate validator jar will be useful.
I found this link from www.SmashingMagazine.com to be an excellent article on error messages, validation and other aspects of providing feedback to your site users.
Related
I'm building an employee self service portal via Dynamics 365, and when I use the lookup field to display my name in a form other employee names are displayed too:
I've been fiddling with the security roles for a while now and still cant seem to get it to display a single employee name.
I'm also planning to do it a different way by filling up the employee name based on the username on the upper right.
How do you guys suggest I go about this?
First things first. Portals won't use any CRM Security role concepts as it's for CRM users. Portal is built on top of Contact entity. Contact is Portal user & Web role will control his/her access.
You have to Entity Form Metadata to populate the fields per your need. The contact lookup can be filled in by current login Portal user this way. Even you can implement something like manage/restrict the Contacts only from your parent Account in that lookup easily.
I'm trying to build a multi-tenant application using Stormpath. The stack being used is Angular + Express. I'm using the 'Directory-per-Organization' strategy to organize my multi-tenant accounts. My Login form has a 'Organization ID' form field for user to specify the organization’s nameKey.
Is there a specific format in which this field needs to be passed to the stormpath-express backend? Stormpath-Angular SDK has no mention of this. Assuming there is no specific format, I tried adding a preLoginHandler on the stormpath-express side to retrieve the org Id form field mentioned above and set a {accountStore : {nameKey : myOrgNameKey }} on the request body. This however does not authenticate against the specified organization. Instead, it tries to match against all the organizations mapped to the application. I tested this my typing in invalid random strings for Org ID field.
As an aside, Stormpath’s site (api.stormpath.com/login) too does not seem to authenticate against the specified tenant Key. As long as the username and password credentials are fine, I can type in any string in the tenant field and it seems to log me in fine.
I want the username-password credentials to be checked only against the specified organization key and not against all the organizations mapped to the application. How do I go about this ?
I'm just trying to understand the "Validation" within Spring MVC. I set up a small validation form, which is working just fine. However I got a couple of questions all those Tutorials don't answer
As far as I understood the Validator just gets every form-element altered and checks if it is valid or not. What if I want a user to only be able to alter specific form-elements.
Let's say I have an Admin and a regular User on my webpage, they both are allowed to edit their profiles. The admin however is allowed to alter his username, the regular isn't allowed to do that. They both use the "edit-profile.jsp" and therefore the same Validator. I could just grey out the username field in my regular user's view, but let's assume he's not a total BDU and adds a form-field via debugger of his webbrowser, overriding the actual username input-field. He then alters his username and sends the request to MVC. The validator assumes the username altered came from the original input-field and updates the user's nickname in the db accordingly, since both, the admin and the regular user just use the same Validator and the same "updateAllAltered"-DAO method. The same goes for select option-lists. Let's say the Admin is allowed to set a status of a profile to active AND inactive. The user however is only allowed to set it's own profile to inactive but can't reactivate it by himself. I could do the same as above, just altering the option-panel in the frontend to only show "INACTIVE" in the regular user's dropdown box. But we could repeat the same scenario, where the user just adds a debug form-field containing also the option "ACTIVE". This can get out of hand if e.g. the Admin is allowed to change Roles to "admin, member, moderator", while a user, who's i.e. a moderator within a forum can change roles to "member or moderator". He could just again add another field and plugin "admin" and gain total control of the forum.
How is this handled in Spring?
Basically you have to handle by spring security for your use case, design your application security, you will find basic spring security examples easily.
Example you can block your HTML code in JSP by spring security tags by user roles.
<sec:authorize access="hasAnyRole('ROLE_ADMIN')">
Delete
</sec:authorize>
You can annotate any of your methods by roles to block access.
#Secured({ "ROLE_ADMIN" })
I want to add a feature to my spring roo project. I have an user entity that logs into the application and adds additional users.
When I add those users there is an email adress(field) on which I want to send the validation with additional link to activating the account. Also the user has a field that represents if he or she has an active profile in a way is it possible to log in or not - this field needs to change after I click the provided link in the email.
I already have an velocity templates and everything set up, I just need the process of forming that link and assuring that the user will have an active account after clicking on it.
I solved this using a REST call and Spring Security. When the user first signs up, you create the UserDetails object (mine was in a DB table), but set it as not enabled before you save it (there are 4 booleans in the UserDetails object you can manipulate to enable/disable the user in various ways that Spring Security checks). I also stored a UUID code I generated off the user id in a table, and then generated an email which included a link to the REST service to validate the account.
The REST service was simple. The user clicks the link, which would include the UUID code I generated. You could optionally require them to enter some number or do something here as another authentication step, but in my case I simply looked up the UUID to get the associated UserDetails, flipped the bit to enabled and saved it, and sent them to a page saying their account was now active. I then did something like in this post to auto-login the user.
In my application I need to register users. The users can be any of three: admin, client and general. They have different attributes (Admin may have only name, client may have company address and so on). The default MVC membership scheme is okay but how can it be extended to register more information during registration time? Or should I use custom membership?
I need to have a record of clients and general users with clientID or generalID.
The default MVC membership scheme is okay but how can it be extended
to register more information during registration time? Or should I use
custom membership?
I think too many people, yourself included, are expecting to get too much from the default ASP.NET Membership Provider. It was never designed to handle application-specific things, like what company your customer works for, your admin's name, and so on. It's main purpose is storing passwords for authentication.
Sure, the password needs to be linked to a username, so that there can be a 2-key authentication pair. Sometimes you also need the user's email address, when it is different from their username, in order to contact the user regarding their password. But don't store anything else about your users in the membership store. Store it in your application database.
In order to join data between your application and the membership provider, use the membership provider's UserName or ProviderKey as a column in one of your database tables. You end up with 2 entities which are not explicitly related. You can even have your SqlMembershipProvider implemented in a separate database from your application database. Even if they are in the same database, avoid having a foreign key between any of the provider tables and your application tables. This muddies the waters between what you own, and what you "outsource" to the membership provider.
You end up with 2 physically isolated representations of your user. One is the MembershipProvider, which contains a password for your user. The other is your application, which contains other business-specific details. The two are only logically associated within your application. After you authenticate a user with the membership API, their UserName and/pr ProviderKey become available to your application. You can then use that piece of data to query your app database and get the additional details. This is where you might put something like the clientID or generalID you mentioned.
If you look at the System.Web.Security.Member* API, this should make things clearer. It does one thing really well -- associating your users with passwords and other information related to password resetting (like the email address, question and answer, etc). So outsource just the password provider, and rely on your application to do the important stuff.
You could customise the default profile provider or create your own... Follow this reference
http://msdn.microsoft.com/en-us/library/8zs47k7y
You can add new properties to the profile for anything in the web.config too
I highly suggest creating your own membership roles. It's dead simple and nothing can beat the flexibility of having your own implementation.
Here's a video I made a while back showing you step by step how to achieve this:
http://www.youtube.com/watch?v=BsxUsyMSGeA
The gist of it is, you create your own AuthorizeAttribute and create your own roles; protecting each controller or even individual Action methods along the way.
The one drawback of this approach is that you can determine what Role a user has in your system, but not what a Role can do in your system. Does that make sense?
There are other choices if you need to edit what a role can do at runtime.