Is it possible to control interface rendering using JAAS? - authentication

I need something to do role-based permissions when rendering elements on a page, exactly like what is implemented in JBoss Seam, where you have the rendered tag while declaring the page elements. My question is whether it is possible to do that using standard JAAS.
The container (WebLogic) is connected to the LDAP server, where the user is associated with a bunch of groups/roles, and I would like to use some declarative approach to render menu elements based on the groups the logged-in user belongs to. That would be exactly like the Roles/rendered implemented in JBoss Seam 2. Is it possible to do that or something similar with standard J2EE? If not, is there some open source API that would do the job?
Thanks in advance.

After some days of research, what I did was configure the WebLogic realm to connect to the LDAP and then use a standard form login:
<form method="POST" action="j_security_check">
<p>Username: <input type="text" name="j_username"/></p>
<p>Password: <input type="password" name="j_password"/></p>
<input type="submit" value="Login"/>
</form>
After that I had my interface rendering using:
if (request.isUserInRole("ROLE_NAME")) { /* render the fragment only for users in ROLE_NAME */ }
to check if the logged in user should be presented with a specific interface fragment. It worked.
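A servlet that renders a menu entry by entry with the same isUserInRole() check, as an added example and not the asker's code; the servlet path, menu labels and role names are assumptions:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Menu rendered per role using the container's own view of the user.
 * Role names below are placeholders: each must be declared as a
 * <security-role> in web.xml and mapped to the LDAP group in weblogic.xml
 * (<security-role-assignment>), otherwise isUserInRole() returns false.
 */
@WebServlet("/menu")
public class RoleMenuServlet extends HttpServlet {

    /** Menu label -> role required to see it (null: any authenticated user). */
    private static final Map<String, String> MENU = new LinkedHashMap<>();
    static {
        MENU.put("Dashboard", null);
        MENU.put("User management", "ADMIN");
        MENU.put("Audit log", "AUDITOR");
    }

    /** Deny by default: an unauthenticated request sees no entries at all. */
    static boolean isVisible(HttpServletRequest req, String requiredRole) {
        if (req.getUserPrincipal() == null) {
            return false;
        }
        return requiredRole == null || req.isUserInRole(requiredRole);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<ul class=\"menu\">");
        for (Map.Entry<String, String> item : MENU.entrySet()) {
            if (isVisible(req, item.getValue())) {
                out.println("<li>" + item.getKey() + "</li>"); // static labels, not user input
            }
        }
        out.println("</ul>");
        // Hiding a link is not authorization: the pages it points to still
        // need their own <security-constraint> in web.xml.
    }
}
```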


Using cookie authentication and POST in an iFrame (iFrame content is ASP MVC Core, parent site 3rd party)

I have read through many answers on this topic but none seem to apply to what I am trying to do (or I am misunderstanding the problem entirely). Where a lot of my confusion lies is around whether it's the parent window or the iFrame that needs settings changed.
We have a small portal that allows users of our customers (ASP MVC Core 6 multi-tenant app) to log in and view their data. So far it works great; all but one of our customers do not iframe the portal, and we are trying to make it so they can frame our portal. They have their own domain.
Our authentication is the regular ASP Identity using cookies that is built in to the framework.
I've recreated a similar setup. I have a simple parent site that has this (the subdomain is their own subdomain on our site, and if you go there you get the regular portal):
<div class="text-center">
<iframe src="https://sub.ourdomain.com" width="525" height="800" name="b3iframe"></iframe>
</div>
So far anything I do other than link to a new page fails within the iframe. I can't POST a form, use AJAX, etc. Another problem is that even if I try to log them in (without POSTing a form, just a hardcoded login for testing) the cookie does not set and the portal returns to the login page.
I have tried setting 'same-site=none' on both the parent and the framed site. (like what this describes).
I have tested simple things like making a fetch request, and that fails (I get a 302).
All POST calls fail (even ones that don't require authentication; just test pages fail with a 400). When I get the 400 response code it is displayed within the frame.
I am aware of and have used the ability to pass messages between the parent and iframe, but I don't think that can solve the cookie/POST problem.
I have tried using the 'target' attribute on the form to point to the iframe, but it appears that is for situations where the form is not inside the frame.
The iframe code can be just a simple login form:
<form method="post" id="loginForm">
<div class="form-group">
<label>Email Address</label>
<div>
<input asp-for="UserName" class="form-control" />
</div>
</div>
<div class="form-group">
<label>Password</label>
<div>
<input asp-for="Password" type="password" class="form-control" />
</div>
</div>
<div class="mt-5">
<button type="submit" style="width:100%" class="btn btn-primary tenant-custom-button">Log in</button>
</div></form>
What's frustrating is that even in a mock parent website that I made and have full control of, I can't seem to set it up so that the iframe can use cookies or POST/GET (the test parent website is also ASP MVC Core). The only thing I can do is have links to other pages without auth or POSTs.
Thanks for your time,
Brian

How to make an input field in AEM/CRX required?

Since our AEM guy is out of the office at the moment, I need to fix something in our CRX. I have a form with a checkbox on my website, where authors can set a text next to it. Now I am trying to add the functionality to set this checkbox to be required from the authoring dialog.
I was able to find a textfield which has this property in authoring, but in the HTML in CRX I only see the code required=${required}, while other fields like label are shown as ${properties.label} and have a corresponding node in CRX. I don't understand how the required is implemented and need help here.
I already tried to add required=${required} to my checkbox input markup, but this did not work, since in the authoring dialog there still was no checkbox/switch to make the field required (which was kind of expected).
This is the line in the markup which should be required if the author sets it to required in the authoring dialog:
<input required="${required}" type="checkbox" name="campaignform-termsofservice"/>
This is the whole HTML of the checkbox I want to be able to make required:
<div data-sly-test="${!empty}" class="form__text">
<label class="maut-checkbox--container">
<input required="${required}" type="checkbox" name="campaignform-termsofservice"/>
<span class="maut-checkbox--checkmark"></span>
<span>${properties.checkboxtext #context='html'}</span>
<div>${properties.tncText}</div>
<div style="color:white;" class="authoring-error" data-sly-test="${wcmmode.edit && !tncDate.tncLinkActivationDate}">${'b2x.maut.campaignform.dialog.tos.activationmessage' # i18n, source='user'}</div>
<input type="hidden" name="maut.field.tnc" value="${tncDate.tncLinkActivationDate}" />
</label>
</div>
Now I only need to figure out how I can show the option to set it to required in the authoring dialog.
Thanks in advance
If you want to know how required=${required} is implemented, first look in the HTML of the component for something like data-sly-use.required. This will have an expression like =com.project.yourProject.className or some JS file.
Let's discuss the Java case, which is the most common way. What data-sly-use does is create an object of the class that you gave in the expression. In your case your object is required. Then you need to check the Java class that the expression evaluates to. Commonly all the backend logic will be there, and any manipulations or validations that need to be done on the data the author enters in the dialog will be there too. This class will also contain annotations that map the class variables to the property values of the dialog.
Hope this explains where this ${required} came from. It will be clearer to you if you look into the Java class that is referred to by the data-sly-use expression.
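A Sling Model, with the dialog node and HTL usage that go with it, supplying ${required} the way the answer describes; this is an added example, not the project's code, and the package, class name and dialog layout are assumptions:

```java
package com.example.core.models; // hypothetical package

import org.apache.sling.api.resource.Resource;
import org.apache.sling.models.annotations.Default;
import org.apache.sling.models.annotations.Model;
import org.apache.sling.models.annotations.injectorspecific.ValueMapValue;

/**
 * Sling Model behind data-sly-use: reads the "required" flag the author sets
 * in the dialog and exposes it to the HTL markup.
 *
 * Dialog node (under cq:dialog/content/items/.../items) that writes the
 * property, as a Granite checkbox storing "true"/"false" on the component node:
 *
 *   <required jcr:primaryType="nt:unstructured"
 *       sling:resourceType="granite/ui/components/coral/foundation/form/checkbox"
 *       text="Required" name="./required" value="true" uncheckedValue="false"/>
 *
 * HTL usage: HTL drops an attribute whose value is boolean false and emits a
 * bare "required" when it is true, so no extra data-sly-test is needed:
 *
 *   <sly data-sly-use.field="com.example.core.models.RequiredCheckbox"/>
 *   <input required="${field.required}" type="checkbox" name="campaignform-termsofservice"/>
 *
 * The HTML "required" attribute is only client-side validation; whatever
 * handles the submitted form must still check the field on the server.
 */
@Model(adaptables = Resource.class)
public class RequiredCheckbox {

    /** Maps to the "required" property written by the dialog checkbox; false when absent. */
    @ValueMapValue
    @Default(booleanValues = false)
    private boolean required;

    public boolean isRequired() {
        return required;
    }
}
```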

Why use asp-controller and asp-action if they are not compulsory?

@model Task3.Models.NewUser
<form action="" method="post">
<label>first Name </label>
<input type="text" placeholder="enter name" name="firstName"/>
<input type="text" placeholder="enter last name" name="lastName"/>
<button type="submit">Submit</button>
</form>
This code works even without asp-controller and asp-action. Why should I use those then?
The tag helpers asp-controller and asp-action can be used to automatically generate a target URL, but you don't have to use them. All they do is automatically generate the href attribute for links and the action attribute for forms. If you want to fill in those values manually, there is nothing stopping you from doing that.
However, using the tag helpers has a clear benefit: The actual URL that you have to use depends on various things that affect your application’s routing. So if you use manual values, you have to take that into account. And if your routing changes (for whatever reason), you have to manually update the URLs throughout your templates.
By using the tag helpers, you are attaching the target location to something that is usually rather static: A controller action. So that way, you decouple the template from your routing configuration.
One more note for form actions specifically: If you do not specify a form action, the browser will automatically post to the current URL. So if you have a POST handler on the same route as the form, then you can totally omit the action and depend on that behavior.

Work around to POST requirement

I need to be able to give users a link to my site with a parameter that will control their experience on the destination page, but, of course, Moqui does not allow parameters to be passed in a GET transaction. What are ways that I can work around that? It needs to be something that can be sent in an email, via SMS and audibly.
An error message would be helpful to know exactly what you are running into, but it sounds like the constraint to mitigate XSRF attacks.
The error message for this situation explains the issue and the recommended solution: "Cannot run screen transition with actions from non-secure request or with URL parameters for security reasons (they are not encrypted and need to be for data protection and source validation). Change the link this came from to be a form with hidden input fields instead."
You can pass URL parameters to screens to be used in code that prepares data for presentation, but not to transitions for code that processes input. The solution is to use a hidden form with a link or button to submit the form (that can be styled as a link or button or however you want). This is slightly more HTML than a plain hyperlink with URL parameters, but not a lot more and there are examples in various places in the Moqui itself.
If you are using an XML Screen/Form you can use the link element to do this with the @link-type attribute set to "hidden-form" or "hidden-form-link" (which just uses a hyperlink-styled widget instead of a button-styled one). If the @link-type attribute is set to "auto" (which is the default) it will use a hidden-form automatically if the link goes to a transition with actions.
In plain HTML one possible approach looks something like this:
<button type="submit" form="UserGroupMemberList_removeLink_0">Remove</button>
<form method="post" action=".../EditUserGroups/removeGroup" name="UserGroupMemberList_removeLink_0">
<input type="hidden" name="partyId" value="EX_JOHN_DOE">
<input type="hidden" name="userGroupId" value="ADMIN">
</form>
Note that the button element refers to the form to submit, so it can be placed anywhere in the HTML file, and the form element can be placed at the end or anywhere that is out of the way (to avoid issues with nested forms, which are not allowed in HTML).

WebDriver: how to focus on the password (security controls)

On a login page, I want to use sendKeys on the password input,
but sendKeys doesn't work;
what should I do?
Here is the HTML:
<fieldset class="txt" id="psd">
<label>password:</label>
<script type="text/javascript">
IntPassGuardCtrl("logpswd", "2", "chklogon()", "psdstyle");</script>
<span id="logpswd_pgc">
<embed id="logpswd" type="application/x-pass-guard" input0="0" class="psdstyle"></span>
<input name="LOG_PSWD" type="hidden" id="LOG_PSWD"> </fieldset>
Someone said I can use JNA, but I do not know much about that part.
The password control can take a mouse click and then gets focus, and then the
keyboard can input information;
so I want to use a mouse click on the control, but using WebDriver actions
doesn't work. Do you have some way to solve the problem?
Looks like your application uses an embedded object to capture the password field. Unfortunately, the web browser (and thus WebDriver) doesn't know how to interact with the field since it's not standard.
However, there might be a chance to do what you need to do. It looks like your HTML includes a hidden input field that might be tied to the embedded object. The embedded object might just set the value of the (encrypted?) password in the input#LOG_PSWD element. If this is the case, you can use WebDriver's executeScript method to inject the value of the password.
I don't know what language bindings you use, but this is how you would write it in Ruby:
password = "some$3cretP#ssword"
hidden_password = @driver.find_element(:id => "LOG_PSWD")
@driver.execute_script("arguments[0].setAttribute(arguments[1], arguments[2])", hidden_password, "value", password)
Then try to login from there. More than likely the password text will not show up in the control itself since you are injecting it directly to the hidden input.
Give that a shot and let us know what happens. If you can give us more information about the embedded object, we might be able to find some other workarounds if this one doesn't work.