We have a requirement in which we have a page to show to the end user. On click of submit button on the page,an OSGI service is getting called which further calls an API.
The issue we are facing is that we are not allowed to store the API password anywhere and can only be entered by the permitted person. The challenge is:
We do not have any user interface to enable such thing.
What we could think of is getting the password entered in console during AEM startup but not aware how this is possible and everytime
any of the multiple instances is restarted, we will need to call the
permitted person to enter the password.
Can anybody provide his/her inputs on achieving this.
I would strongly suggest to question the requirement:
AEM works best with staticky rendered pages delivered from the dispatcher
personalised content requires therefore extra effort
But it can be achieved nonetheless:
you could deliver a static page and render the personalised information about the user via JavaScript and retrieve it via servlet call.
In case you need to store the password, you could create an OSGi bundle which is deployed and started when an instance is started. Usually you can achieve this by packaging it via content package and put it into an install folder: https://helpx.adobe.com/experience-manager/kb/HowToInstallPackagesUsingRepositoryInstall.html
The dispatcher must be configured to not cache this page though.
If I understand clearly then you are not permitted to store the api password in the AEM console. Can you store it in the server away from the AEM instance? If yes then you can create a file like a properties file and store it in the server and read the same file from you service before making the api call.
Related
I'm new to java and I'm trying to understand the way we identify users who uses webservices.
The program will be downloaded from my website. It needs to make a connection to my server side web service program.
I think there are 2 options for identifying the user:
Register on website and download web service. A single user id key is then generated when downloading the program. I don't know if this is possible + verification of registration can only be done by email: not 100% sure of user identity.
Download web service and log in into it.
This seems a better way, but I'm not sure this is the way to do it...
Most services use HTTP authentication because the surrounding HTTP protocol already brings all the necessary features. Actually, your web service framework comes with all the plumbing necessary to easily set this up.
Another solution is to have a method which is called login() that takes a user name and a password. All other methods return errors until login() has been called successfully once.
Note that you must use HTTPS as protocol, otherwise passwords will be transmitted either as plain text or with a trivial encryption that is easy to break. Or to put it another way: Without HTTPS anyone willing to invest a couple of minutes of time will be able to use your service.
I have the following assignment I need to program using Jetty. I've done a bit of research into how Jetty works but I can't understand how I can have two applications running at once, as below it says I need to have two forms of URL: /student and /course.
I made a very simple web server before using com.sun.net.httpserver.HttpServer to host a page with multiple contexts (different pages based on different URLs) but I'm not sure how to emulate the same behavior in Jetty. Do I want to use multiple handlers, or a single handler with multiple contexts? How do I even implement multiple handlers or contexts? Every example I've seen seems to allow only the use of one context or one handler.
I'm not worried right now about the logic of the program. I just don't understand how to separate the logic into two accessible web apps. What type of object do I need to use to host multiple apps in one program?
Write a web application using the jetty framework that implements the following functionality. Alternative web frameworks can be used with the permission of the instructor (I will provide a signed permission note, if approved).
The application should allow for the creation and editing a student profile, the URL should start with /student. Additionaly the application should allow for the display of sections that a course is taught (similar to assignment 3). This URL for courses should start with courses. These two features are independent.
The student page should provide a form to register a student, a registered student must supply their name, student number, and contact information. Contact information should include their mailing address, and email address. The page must support creation and editing of the student's profile. Once the profile is created, the system must be able to edit all the fields. You should use fake data for testing.
The student's profile must be saved to the disk. You can serialize the Java class that contains the information and write it a file. This file should be consulted with the page is loaded by a browser.
The form data for the student page should be sent to the server using JSON. The contents of the form should be fetch from the server as a JSON message.
The student form application can be implemented using only one web page with javascript handling the form data which is sent and received using JSON. Thus your assignment must contain javascript code.
The URL for this application should start with /course. The courses page should provide a form with a course text field, a number text field, and a submit button. Once submitted the server should provide a list of all the sections for that course, or an error message if the course does not exist.
In Jetty (and nearly every other servlet engine), you deploy different web archives (.war files) into the web server.
With jetty you did this by creating your two applications and name them according to your URL, e.g. student.war and course.war
These .war files will be placed in the $JETTY_HOME/webapps directory.
Btw: If you just start with JEE and servlet engines, you should start with a very simple application to become familiar with it.
I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.
So my question is what is how to send user credentials from a PHP application to a java application?
If it helps I am using a Java web framework called Vaadin.
Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).
Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.
I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.
If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?
Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:
Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:
http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h
Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:
$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);
With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.
Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.
The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.
Does this answer your question?
I am developing a java web application using JSF and I will like to find out if it is possible for me to hold (and save) user information in an different location, say a file, and then when the user confirm their email before the date is save to the database.
I don't yet understand certain thing. What I intend to know is if it is possible to use serialization for this problem.
You need to persist the user on the database before it has confirmed its email.
You need to set him a status NOT_CONFIRMED which can be transformed to CONFIRMED.
Until he has confirmed, you should not allow the application login for users which are found, but having an illegal status like NOT_CONFIRMED.
There's no benefit in saving the user data somewhere else for most usecases.
HTML5 proposes the local storage API which permits storing data in the browser of your client. Since the user is not logged, you'll be unable to recognize him from another computer, so it's fair that the data will be available only on the browser he wrote it in.
You can then transfer the data to your server once the user is connected (htis feature is used by Google documents, offline gmail etc...). If you're using GWT, a java API is available to access the native browser API, otherwise, you'll need some js coding
Best Regards,
Zied Hamdi
http://1vu.fr
RESOLVED. This question can be deleted by moderators
I have a very simple site written using Java EE (JSPs, Java, Tomcat server). I want to implement a simple login system. I thought I got the registration and login working; however, there is a huge problem with the way I'm doing it.
Let's say Alice logs in. She is able to view her profile with her information, everything looks normal so far for Alice.
Then Eve comes around and wants to log on. She does and is taken to her profile, everything looks normal for Eve.
Then Alice reloads her profile to find that the site now has her logged in as Eve!
So to reiterate: after one person is logged in, anyone is able to go to the site and be logged on to that account. And the most recent person to log on is the active account.
How do you keep track of session information like this so that multiple different accounts can be logged on using the site at the same time?
Thanks!
EDIT:
This ended up being a very simple fix.. I just need to use setAttribute("EMAIL", userId); rather than the stupid way I did it which was just using a global String variable
Rather than try to roll your own security, use an existing framework, like Spring Security. Out of the box, it gives you basic login capabilities and handles securing pages using a role-based authentication scheme.
Reading your problem, I think that you store the last logged user's credentials in an instance variable of one of your servlets. This causes the last person to log in to overwrite everyone's credentials...
If you want a simple authentication, you can use Java EE's provided system :
http://docs.oracle.com/javaee/5/tutorial/doc/bncbx.html
Once a user logs in, put his own credentials in his Http session (request.getSession().put(username, )). Then, everyone will have a distinct profile.