I am developing an case management application.I have created login page and landing page other pages as well.
i have used the spring mvc 4,oracle database.
A used logged into the application and then went to admin page.copy the admin page url ,logout from the application.when the user directly copy and paste the admin page url into another user user he is able to open that page.how can i restrict the user. when user perform any crud operation how can validate user's credentials every time.
Please suggest.
If you are using Spring framework, the best practice case you can implement is to integrate Spring Security.
Regarding the session handling within your system, you might use JWT tokens which allows you to control the user flow easily. You can read this complete tutorial.
Related
I'm creating a spring mvc (spring 4) with spring security 3.2. I have a login page which works fine, with custom UserDetailsService. I want to add on website a new functionality, adding some demands. When someone add a demand, he will receive an email with a button through he can manage this demand, including the creation of a session for the website. I want to create him an account.. and give him authetincation from this button's url which will be handled by a controller. How should i do that? create an account with some hardcoded password? and how about the authentication provider? User with demand couldn't login through normal login page.
In database that type of accounts will have a different status than the normal accounts. Hope you understand what i need...
You can try creating a common user for all such use cases (called guest or similar). If you have validated a user using the trusted url which they have provided, you can query the database using the hard coded username (guest), and get the authentication details like passoword, roles etc. Then you can programatically authenticate the user. In such a way, user only has to provide you a url, and your code can fetch a real authentication detail from the db.
For the authentication part, you may refer to the below link.
stackoverflow.com/a/15119876/3981536
I'm going crazy creating a payment application. The problem of the moment is that. I set the glassfish authentication using jdbcRealms on the /secure/ directory. The user authenticate himself and enter in my application. When the user wants to pay, the application redirect him to the bank platform. After the payment the bank platform redirect the user again to my application sending some data.
The problem is that the bank platform wants to redirect the user in a page outside the /secure/ directory. It doesn't want a page under authentication. So I had to create a JSP page to grab data in an insecure directory. From the JSP I pass data to a Bean to write them in a db. But everyone can call the page and trying to passing it data. It's very dangerous. Is there a way to avoid that? Can I maintain the authentication state after the redirection?
We are using Spring Security and it is working fine in the single web application. Now, I need to create another Web application with Spring security. In the first application the user can sell his/her stuff (e.g. EBay). The second app which I am creating now, it is for general users where he can save his general preferences, searches, save some items he looked at etc. He may/may not be the existing user. So the difference between the two users are:
User 1 (existing user): Can post his stuff for sale.
User 2: He/she should be able to login. Save his general activities etc. & if he/she wants to sell his/her item, he/she needs to go thru the additional steps for verification.
All this cannot be done in just one application due to some reasons. My question is on how to handle the security? Should I create separate security filters for each applications or is there a way to use common security implementation who can manager both of these application. Please provide your feedback, I would really appreciate it.
if you wrap both components in two different webapps, each will have his own spring security web filter infrastructure.
So in principle there will be a security session for each web application, to be backed by whatever authentication system you use.
If you use JDBC then the user would have to login twice.
If you want your customers to only login once, you can for example use a token based system.
When you cross link from webapp 1 to webapp 2, you could hook the links up to a redirect servlet.
The servlet then generates a token, persists it in a database and forwards the user with the token in the url to the other webapp.
In spring security you can then implement your own PRE_AUTH_FILTER which reads out the token, verifies if it is persisted in the Database.
For security reasons you should make these tokens only one use.
I'm writing web app using JSF2 and primefaces with Glassfish 3.1.2. I want to start with login/logout mechanism but i'm not sure about solution.
What I want to achieve:
Three main goals:
web application in JSF 2.1
this application will use many databases (but every db will have the same user, password and "security table" with application login and password). So user during authentication must give database name, user and password.
I want to be able to logout and login on different user without closing browser.
What authentication method will be the best in that case ? I cannot just create a new Realm with database name because it is not const in my situation.
I thought about web-services, which will take db_name, app_login and app_password as parameters and return whether it is ok or not.. And then create a simple managed bean, which will tell me whether user is logged. But i want to totally separate login logic from other stuff.. and I want to check whether user is logged before I view every page in application.
Thanks for your tips,
Regards
I don't know if you already have taken a look at the Seam Security functionalities, but I think it may fit your needs considering the Identity Manager:
http://docs.jboss.com/seam/2.1.1.GA/reference/en-US/html/security.html#d0e8804
We are using Spring 3 framework and we have a SSO (Single sign on) provider which redirects to our app passing special tokens in the request to indicate the user is authenticated.
I would like to use Spring security to handle stuff like denying access to pages unless the user is authenticated, but I'd also like to be able to bypass this on my local machine while developing the application.
So in the production scenario, I expect the SSO to redirect to our app, specifically to a "/login.html" target which is supposed to somehow trigger a custom class I write to pull the expected login info from request and load up the user's info from our database and put it in session for the rest of the app to use.
Then in the development scenario I need to bypass SSO by just being able to create a session using a custom login page and then load the user's info from database just as above.
I am trying to figure out how to do it myself but I can't seem to wrap my head around all of it.
Any info on how to accomplish this even just high level kind of road map would be a huge help
If you write a custom AuthenticationProvider for Spring Security to authenticate with your SSO provider, then you could have two Spring Security configurations, one that wires up your custom AuthenticationProvider for production and one for development that uses a standard authentication provider.