JSF 2.0 authentication - authentication

I know there are a lot of other questions about this topic but I haven't found the right solution for my case.
The landscape is like this:
Backend runs on a Tomcat and provides some services. Amongst others there is UserService.login().
The frontend (JSF 2.0, Spring 3, OpenFaces or PrimeFaces), which I should implement, runs on a different Tomcat. I need to implement the security level in the frontend. For sure I'm searching for the best framework (Seam, Spring Security, JAAS). And if you know a good tutorial, it would be great if you let me know. I can send username/password to the backend and receive a User with id, username and role.
I found lots of tutorials, but I didn't get it to work properly. Can anyone help me?

I probably can't explain the whole thing. But you can follow these links and should get what you need.
First set up a basic JSF-Spring Security application like in this link. Here the author did hard code the user details in the applicationContext itself for simplicity. But for your requirement you need to implement a custom UserDetailsService and which is the authentication provider where it loads the user details from the backend. You can take a look at this link.
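
An added example, not part of the original answer or the tutorials it links to: because the backend's UserService.login() checks the password itself, one way to plug it into Spring Security is an AuthenticationProvider that delegates to that call. The `UserService` and `BackendUser` interfaces, the null-on-failure behaviour, the `ROLE_` prefix and Spring Security 3.1 or later are assumptions.

```java
import java.util.Collections;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical client-side view of the backend from the question.
// Assumed contract: login() returns null when the credentials are rejected.
interface UserService { BackendUser login(String username, String password); }
interface BackendUser { long getId(); String getUsername(); String getRole(); }

public class BackendAuthenticationProvider implements AuthenticationProvider {
    private final UserService userService;

    public BackendAuthenticationProvider(UserService userService) {
        this.userService = userService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        Object credentials = authentication.getCredentials();
        if (credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        BackendUser user;
        try {
            user = userService.login(authentication.getName(), credentials.toString());
        } catch (RuntimeException e) {
            // Fail closed: a backend outage must never log anyone in.
            throw new AuthenticationServiceException("Backend login unavailable", e);
        }
        if (user == null) {
            // Same message for unknown user and wrong password (no user enumeration).
            throw new BadCredentialsException("Bad credentials");
        }
        List<GrantedAuthority> authorities = Collections.<GrantedAuthority>singletonList(
                new SimpleGrantedAuthority("ROLE_" + user.getRole()));
        // The three-argument constructor marks the token as authenticated;
        // passing null credentials keeps the password out of the HTTP session.
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(user.getUsername(), null, authorities);
        result.setDetails(user.getId());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The provider is registered in the security configuration in place of the hard-coded user list; since the two Tomcats are separate hosts, the login call carries the password over the network and should go over TLS.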

Related

How to authenticate multiple api using Nuxt and nuxt-auth module

I have an application with (nuxt js using nuxt-auth) with local authentication so far (later I want to add git and google auth).
Now I need to add authentication to invoke other services / API (like google cloud rest API, payment system, youtube API, etc...)
The question is: the user is authenticated only once (during login to the application.) but each of these 3rd party APIs has its own authentication.
How to implement multiple authentications. (I read the documentation and googled for the entire day but there is no clear answer).
As of today, it looks like it is not doable (people are needed on this module): https://github.com/nuxt-community/auth-module/issues/889
So, you would need to make it manually by plugging the APIs yourself.
Answer to your latest question~comment
Nuxt is indeed nice with some of its modules (but you can totally dislike it, no problem :D).
First thing that you need to know, is that this project (nuxt-auth) is not the biggest one, #pooya is doing his best but he is on a lot of projects, so he cannot give all of his love to it. Then, you also need to understand that it's working great but it's still in a decent beta state with a lot of missing features, needed documentation and a lot of small things to make it an all rounded solid top notch solution.
That does not mean that you should not use it, I'm just saying that this module does have some limitations. Hence, the fact that it is not supporting a whole lot of OAuth solutions in a clear + simple + flexible way. And some breaking changes may be introduced in future updates.
The module is aimed towards having an OAuth solution to block the content of your website behind it (in my opinion). It means that you will usually use a single login solution and then, being able to have access to your app. I don't think that it's a viable multi-OAuth solution (yet).
Some services don't even need to use a solution like this. Stripe for example, should not be handled on the frontend but communicate with a backend for sensitive variables and just send minimal info thanks to Stripe Elements.
That said, the most common solution is JWT or OAuth2, and you could totally have a backend service or service like Okta, Auth0 or alike, do the heavy lifting by allowing simple logins to providers (Github, Google etc...).
To sum up, you do connect to this backend/service thanks to nuxt-auth, the service itself does the provider connection and you get the best of both worlds while still connected in a secure way through your initial nuxt-auth entry point login.
Or you could try to reach the community on Discord, see if somebody knows how to do it. Or even try to read the source code to see if it is currently feasible.
And that's my 2cts.

Where to start with API's

I am new to API's. I want to create one in grails.
I believe that another application website etc. would just post to a URL in my web-app and it will start a method.
Where is a good place to start my research into this. Any help would be grateful. Thanks.
It's my first answer but I hope it'll be useful for you :)
Here are some resources you should look into before making your own API:
REST - it's the theory about the whole concept of the API you're building. Please find it on Wikipedia. I can't post a link because of the 2 links limit for new accounts here :)
http://en.wikipedia.org/wiki/SOAP - this is a protocol supported by W3C for exchanging messages. Using a standard should help your clients to adopt your API.
http://en.wikipedia.org/wiki/Oauth - obviously you should authenticate your users somehow. You can do it with OAuth - it's widely open and easy to implement. Again, your clients will have an easy time connecting to it.
You will find implementations of all those technologies in Java or as a Grails plugin itself.

How to create a Web Intent service for my own site?

Twitter offers 'web intents' that are an alternative to OAuth access to their API. Basically, this provides a less feature rich experience, but can still be quite handy. User clicks on 3rd party websites can create popup windows that check whether the user is logged in to Twitter and if they are, allows them to use some Twitter features such as tweeting, retweeting, or following users.
My question is, how could I go about implementing an API like this? Are there tutorials or libraries? I'm not sure what technology(ies) power web intents or where I should start searching.
Thanks.
You can read more about web intents at webintents.org and read the W3C's draft spec. As far as I know, web intents are still somewhat of a new beast on the web and they have not been standardized.
Still, you may want to read this blog which contains a few examples of registering web intents and check out Paul Kinlan's git repo https://github.com/PaulKinlan/WebIntents
Hope that helps you get started.

what's the preferred way to perform user authentication and authorization in Clojure?

I've been working on a web app in Clojure as a side project, and I'm trying to figure out how to do user authentication and authorization. From the googling I've done, I heard about sandbar, but after reading the two blog posts on sandbar (Part 1, Part 2), I was left with more questions than answers. I've looked at the source code for 4clojure, and from what I can tell, they roll their own; the problem is that the code's not commented very well, if at all. I'm thinking I need to roll my own system and use either sandbar or noir.session to pass user information around. Could someone please point me in the right direction? I feel like I'm missing something simple.
Chas Emerick's Friend library is now available. It's still relatively new, but looks promising and quite well documented.
I had a look at the 4clojure login code and I think it is pretty clear how the implementation works. Basically it is the traditional HTTP authentication. Post user/pwd in form to a URL, check username and password and update the session with the user info that can be used for further requests to check whether this session is for a valid logged in user.
This is how most web app authentication works. Now this is the "what to do" part of the situation; for "how to do" you can implement it yourself using "primitive" features provided by the web framework or probably use some middleware that does this for you along with providing some hooks to customize the implementation a bit.
For authentication, apart from the obvious "rolling your own", I found https://github.com/mattrepl/clj-oauth to work well if you want to use OAuth (e.g. via Twitter). Once you've acquired user information, storing it in some sort of session object (via ring-middleware-session or similar abstractions) seems to be the obvious thing to do.
For authorization, the way described in the blog post you linked to - wrapping certain routes with an authorization middleware (or whatever abstraction your preferred web stack offers - e.g. pre-route in Noir) works well.
There's also an alternative to Friend called Buddy.
What is the difference with Friend?
Buddy authorization/authentication facilities are more low level and less opinionated than Friend and allow building other high-level abstractions over them easily. Technically, the Friend abstraction can be built on top of Buddy.

Objective-c web form based authentication

So I am working on an iPad app that needs to talk to our company server to pull in some XML. In a browser, when the user tries to first navigate to the site, they are redirected to an SSO form that generates a cookie that is saved.
Now my application may need to replicate this behavior and generate the cookie so we can pull xml data off various parts of the site. I have never done anything like this before and there is very little documentation on the web so I am really looking for some general guidance. So far I have tried doing something like this, here.
That works to return the web form, but where to go from there eludes me. Does anyone have any ideas they would like to throw out? Essentially all that I need to do right now is authenticate the user's credentials, and save that verification. If there is an easier way to do that based on this template, I would definitely be open to suggestions. Any help at all would be greatly appreciated.
What I use for a lot of my networking is ASIHTTPRequest. It is an API that is available, instead of trying to use low level sockets or the Apple APIs, with a decent guide and an active Google Group for questions. It can certainly handle XML requests as well as authentication. Here is a link to the site, ASIHTTPRequest