IBM Worklight - closing application not clearing my login - sencha-touch-2

I am new to Worklight & Sencha Touch. We are developing an app using Sencha Touch 2.
How do I handle a graceful exit of my application on kill or accidental close? I want to log out automatically and change the status of my login in the DB so that I can still log in again with the same credentials.

This question is not related to the framework you've chosen to develop your application with (Sencha Touch 2). Rather, it is about the authentication flow in your application's logic.
You do not mention in the question how and what you have implemented thus far... This is critical information.
Basically, what you will want to do is to protect your application with a security test.
Without knowing anything about your project, this is the best advice I find myself able to provide you.
I suggest that you read the following training module sections and understand how Worklight's Authentication framework works. This will allow you to develop your application with authentication in mind, and thus create the flow you require - that is, display a login form on application launch.
Related:
Authentication and security
Understanding predefined Worklight authentication realms and security tests


Is it feasible to create a responsive website and mobile application with the same codebase?

Given that IBM MobileFirst is a very advanced tool for developing hybrid mobile applications, I am curious to know whether we can develop both the mobile application and the responsive web application using a single code base. I know that there are different environments provided out of the box by MobileFirst, i.e. mobile browser, desktopBrowser, Android etc. I feel it kind of opens an option for the developer to develop both a mobile and a responsive web application. But the following questions and functionalities make me rethink going forward with this approach for practical implementation.
1) How far will the MobileFirst be reusable and flexible in terms of:
* implementing session management for both applications
* Authentication and Authorisation for both applications:
- When I said Authorisation, I meant user level preferences
2) What are the steps that need to be followed to set up a project which effectively uses all the key features of Worklight for satisfying the above-mentioned requirement?
3) Post development, what are the steps that need to be followed to successfully deploy the mobile and web application (both of them will be using adapters to talk to services) into production?
Very sorry for making the question so theoretical. I found it very interesting and wanted to know.
1) How far will the MobileFirst be reusable and flexible in terms of:
* implementing session management for both applications
* Authentication and Authorisation for both applications:
- When I said Authorisation, I meant user level preferences
Depends which version of MFPF you are using.
Pre-7.1, all session management is the same in the server.
From 7.1 forward, the server is session independent, and currently Mobile Web and Desktop Browser are not supported; read more about session independence in the IBM Knowledge Center.
Authentication works the same for both, pretty much.
2) What are the steps that need to be followed to set up a project which effectively uses all the key features of Worklight for satisfying the above-mentioned requirement?
There is no feature parity between the supported mobile environments and the web environment, so the answer will depend on which particular features you will end up using. The IBM Knowledge Center contains a feature parity table.
3) Post development, what are the steps that need to be followed to successfully deploy the mobile and web application (both of them will be using adapters to talk to services) into production?
That's got nothing to do with any of the environments you'll choose to use. It's the same for all. Yet again, read in the IBM Knowledge Center.

Should Keycloak be used in my website user registration and log in?

I am using JBoss JSF to develop a personal project, and the website needs a user registration and login feature, as many other sites do. There are lots of tutorials on how to develop a user registration component with Java EE and the JPA framework. I just happened to find the Keycloak project. It seems that Keycloak can be used for user registration and management purposes, especially if you use JBoss to develop the application.
My question is, do I really need to use this for user registration? It seems very heavy, and I didn't find any API docs that I can refer to in order to integrate it into my web application.
What's the best use case of Keycloak? And how to integrate it in a Java EE application? Any quickstart or tutorial for a Java application would be appreciated.
The main Keycloak project includes adapter documentation (to be used to secure clients) and an examples project showing how to secure a JEE application using JEE application security.
If you use Spring, there's a Spring Security adapter that supports a very flexible security implementation as well, including examples for this as well.

Securing an SPA multi-tenant SaaS application

I need some help with securing a single-page multi-tenant SaaS application.
Questions:
1) What is the best way to implement it? I am trying to build the application using AngularJS, Spring MVC and REST.
2) Can this be done using Spring Security? Any example of creating a login page and securing REST calls would be helpful.
I have found a sample for implementing Spring Security with Spring JPA (http://krams915.blogspot.com/2012/01/spring-security-31-implement_3065.html) but it is not for SPA and SaaS.
I understand this is a very broad question, but I am new to SPA, REST and SaaS, so any pointers will be helpful.
Thanks...
I have already participated in two projects with SPA and security aspects. The last of them was GWT + Spring Security. I am sure that you can successfully use Angular and Spring Security together.
Unfortunately there is no built-in config parameter 'we are in SPA mode' in Spring Security, AFAIK. So some tweaking / configuration on the Spring Security side will be necessary. Example:
Imagine that during login you call the login controller built into Spring Security. In the case of successful authentication, by default the user will be redirected to the index page, whereas in the case of failure they will be redirected to the corresponding error page. This is normal behavior for standard web applications that will not be so useful for SPA web applications. In the case of an SPA you need to detect the AJAX call and print JSON with username / roles for successful cases, or send a 401 code for failures (then detect the 401 in JS and show the corresponding error). You can use the corresponding extension points in Spring Security to do so: AuthenticationSuccessHandler and AuthenticationFailureHandler.
Another thing to tweak: by default, after session expiration the user will be redirected to the login page (and the SPA app receives the login page as the response to the next AJAX call).
Looking into my personal experience, the general guide will be like so: after login, load the list of roles into JS. Use it to show / hide the corresponding components on the UI side. Apply the same list of restrictions on the server side too, to make sure that the user does not edit the JS in the browser (although in the case of minified JS of some medium-size app it will be a very complex task). On the server side you must choose between:
Secure URLs of AJAX calls
Secure some Java methods.
I prefer the second one (secure business methods on services). I think it is more convenient because normally we want to secure business operations, not some endpoints. As an advantage, you will be able to expose your business logic via some other protocol, and security will already be there. On the other side, I can imagine some business requirement to have different permissions for different endpoints / protocols. So it depends more on your actual situation.
Large JS applications must be split into modules. To decrease direct dependencies it may be better to use events instead of direct calls to communicate between modules. There are interesting thoughts by Addy Osmani about how to do security in these conditions. I did not find a good link to it; maybe this or this will be helpful (search "permission").
Feel free to post any questions. Good luck.
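The two extension points and the session-expiry tweak described in the answer above, as an added example that is not from the original answer. It assumes the classic javax servlet API, a Spring Security version with WebSecurityConfigurerAdapter, Jackson on the classpath, and that the SPA marks its calls with the conventional X-Requested-With header.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/** Added example: make Spring Security's form login answer an SPA with JSON and status codes instead of redirects. */
public class SpaAuthHandlers {
    private static final ObjectMapper JSON = new ObjectMapper();

    /** Assumption: the SPA sets the conventional X-Requested-With header on its AJAX calls. */
    static boolean isAjax(HttpServletRequest req) {
        return "XMLHttpRequest".equals(req.getHeader("X-Requested-With"));
    }

    /** Success: 200 with {"username":..,"roles":[..]} so the SPA can load the role list into JS. */
    public static class JsonSuccessHandler implements AuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth) throws IOException {
            List<String> roles = auth.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());
            res.setContentType("application/json");
            // ObjectMapper escapes the values; never build this JSON by string concatenation of the username
            JSON.writeValue(res.getWriter(), Map.of("username", auth.getName(), "roles", roles));
        }
    }

    /** Failure: a plain 401, no redirect to an error page; the JS side shows the message. */
    public static class JsonFailureHandler implements AuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse res, AuthenticationException ex) throws IOException {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
        }
    }

    /** Expired session: AJAX callers get 401 instead of login-page HTML; plain browser navigation still redirects. */
    public static class AjaxAwareEntryPoint extends LoginUrlAuthenticationEntryPoint {
        public AjaxAwareEntryPoint(String loginUrl) { super(loginUrl); }
        @Override
        public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException ex) throws IOException, ServletException {
            if (isAjax(req)) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated"); return; }
            super.commence(req, res, ex);
        }
    }
}
```

Wire them in `configure(HttpSecurity http)` with `http.formLogin().successHandler(new JsonSuccessHandler()).failureHandler(new JsonFailureHandler()).and().exceptionHandling().authenticationEntryPoint(new AjaxAwareEntryPoint("/login"))`; the server-side method security the answer recommends is configured separately and is unaffected by these handlers.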

Zend - Creating a PHP API for a mobile application

I'm currently planning the creation of a mobile application for iOS and Android.
The application will permit the end user to manage and see the progress of their projects (web creation company).
The application will have:
Project management (multiple)
View progress
View tasks
View hours
View files
View messages
Login/Logout form + Profile/Edit Profile section
Send/Reply Messages
Add comment on tasks and files
The question is: What is the best way to create an API (Restful or something else) using the Zend Framework?
This API must and will be integrated to a custom-made Projects Management System and a MySQL DB.
I am just working on a PHP API (no matter if the API is for mobile platforms or other webs), and after deciding between SOAP and REST I chose a RESTful API, and I can recommend it...
Zend Framework has components for both of the mentioned approaches, but REST is easier and more understandable in comparison with SOAP...
The one thing you have to think about is logging in. You can use HTTP Auth or OAuth (HTTP authentication is easier), but the better approach according to me is to generate a unique API KEY for your users (each user should have their own KEY). This KEY ensures you can recognize the user, and the security risk is minimal because the user does not have to send login and password inside the HTTP request (a security risk), and in case the KEY is caught on WiFi or infrastructure, the hacker does not get user logins to the web application, only to the API, where probably not all features of the main web app will be offered.
And if you set some time expiration for your KEYs or an IP restriction for a KEY, then you can make it safer :)
Some tip for the end: implement the API as a new, separate ZF module.
One of the best things I have noticed so far is http://getfrapi.com/
It makes use of everything from Zend to PEAR. Maybe you should check out the video http://www.youtube.com/watch?v=vJVQi7ZFSaQ

Use SAP Logon ticket with .Net Application using SSO22KerbMap or SAPSSOEXT

I am looking into options for using Single Sign On (SSO) from a SAP Portal to a non-SAP ASP.NET application. Reading through the documents and online searches, I found there are a couple of approaches:
1. Use "SAPSSOEXT" to evaluate the Logon ticket in the .Net application.
2. Use "SSO22KerbMap" ISAPI module.
The .NET application is already configured to use Integrated Windows Authentication with Active Directory. But now we need to support SSO from the SAP Portal. Without SSO, if user A signs into the .NET app from user B's system, the .NET app would use Windows authentication and treat user B as the logged-in user.
Option 1 involves developing new code for the .NET application, as it currently does not support it, and that may not be possible in my case.
Option 2 sounds very promising, but I am not very clear on how this would work. It sounds like the module verifies the SAP Logon ticket and acquires a constrained Kerberos ticket. But I am confused as to how the .NET application would use this constrained Kerberos ticket. Is Option 2 a seamless bridge that I could just install, and suddenly the .NET app supports SSO like magic? I would love it if it did that, but it sounds too good to be true.