We are doing university project in JSF 2.2 with primeface framework. We want to develop the application which is hosted on live server but the request needs to be sent on local machine from which user is accessing application. This might be stupid question but I would like to know if there is any possibility where we can do such implementation.
For example: We will host application 'www.somesite.com' on server, in this application we will have multiple forms, but we want this forms to be submitted to user local machine where we will deploy required component/service which will take the input from user and also send required response to user. It means, the view will be render from host server but data will be bind from local machine.
One way to do this is, when user submit form, we will send the request to host server and from server we will send data to user local machine where we will deploy required component/service which will be listening to server request/response, but we want to eliminate this layer and want to send direct request to user local machine as soon as user submit form
I would appreciate if you can help us....
If I understood well your request you need to change the action of the form to be able to send the request to a localhost.
I think the only way to do so is to use a pure html form and not a h:form. With an html form you can set the action attribute to a localhost.
JSF form with URL action?
But in this case you can have problem to use the jsf component, you will have a jsf warning (with javax.faces.PROJECT_STAGE set to Development)
The form component needs to have a UIForm in its ancestry. Suggestion:
enclose the necessary components within
see here for BalusC explanation
Related
I'm searching a notifications system where my webservice REST can notify my JSF WebApp and reload some data and display them dynamicaly.
For more precisions,
I have a entity SANDWICH_SHOP, and user can add a COMMAND for a SANDWICH_SHOP with his mobile (on an native application)
If the sandwich shop is connected on the WebApp, he can see all commands of his SandwichShop, and i would like that datatable where all command are display automaticaly reload and display the news datas.
I tried a system with a servlet in my webapp, when the POST is done on the webservice, a request is made to my servlet, and i found the bean with the session and reload data. But it doesnt work cause HttpSession wasnt the same so i couldnt get my bean in my servlet (my bean was SessionScoped)
What's the best system i can use for this problem ? JMS ? WebSocket ? Thanks
If you're looking for (near) realtime updates to any (or all) connected clients, then WebSockets would be a good solution to this (assuming the clients are web based). You can push a notification from the server out to any connected web browser client.
I am developing a java application having front end in html5 and dojo. I am using SOAP as well as REST services tomake service calls to get data from downstream system. What I found is a potential threat in the application. Users are able to access the URL of the application and they are able to edit the URL.e.g. IF the user is viewing his profile and if he knews name of some other user then he can edit the URL to change the user name from his name to someother name and can change some other fields and hit the url. Likewise user can edit some sensitive data and get access to confidential information.
My question is How can i prevent the user from editing the parameters in the application url?
What URL a user chooses to access is client side and can't necessarily be controlled. Anybody can easily open a new tab and type in whatever URL they want to.
I would instead suggest protecting your REST endpoints with some sort of server side security framework instead. If you're using Java on your server side, you could look into something like http://shiro.apache.org/ for security which would not allow any user to access data that they shouldn't have access to.
Another solution would be to just have a single REST endpoint that can access whatever profile the user's session currently refers to.
I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.
So my question is what is how to send user credentials from a PHP application to a java application?
If it helps I am using a Java web framework called Vaadin.
Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).
Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.
I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.
If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?
Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:
Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:
http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h
Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:
$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);
With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.
Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.
The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.
Does this answer your question?
We have a Tomcat server for a web shop, and we need to transfer the user to another (secure) server when he/she logs in. Here's a detailed explanation:
1) We have two Tomcat servers: one 'regular' (HTTP) and one secure (HTTPS)
2) Users initially visit the regular server
3) When they log in, we need to get their log in data, as well as the information about what page they were currently on (or were trying to see), pass it to the secure server and do the actual login; for instance, a non-logged in user sees a list of products, clicks 'BUY' and a popup is displayed, asking the user to log in; the user enters his/hers credentials and these, as well as the information about what product he wants to buy, are passed to the secure server; the secure server receives these, performs the login and displays the requested product to the user
How could this be done? Please note the following:
1) We've tried doing it with cookies, but we've decided not to go that way
2) Persisting the session to a database and then having the secure server fetch it is also not an option
Are there any other ways? We were thinking about creating an object and then passing it as a HTTP POST parameter, but I'm not sure how this could be done (I've been given the task to finish it).
For what it's worth, the technologies we use are Tomcat server, Wicket, Spring, iBatis and MySQL.
Thanks in advance :)
If you want to share the session between different Tomcat instances, you could configure them to work as a cluster with session replication: http://tomcat.apache.org/tomcat-7.0-doc/cluster-howto.html
Then, you could configure an Apache HTTP Server to work as a load balancer, making sure that HTTP requests go to server 1 and HTTPS requests go to server 2.
But, you could also have only one Tomcat instance (or N identical instances) configured to handle both HTTP and HTTPS, and ensure the secure access with standard (...<transport-guarantee>CONFIDENTIAL</transport-guarantee>... in web.xml) or framework-specific configuration.
Not sure if I'm getting the gist of what you want but you could have the "pop-up" be a page served from the secure application to a protected URL. That would cause the authentication to occur at the secure server and you could go from there. For example, if the unsecured product page is on www.domain.com/browse/id1, then the "buy" button would open a pop-up to secure.domain.com/buy/id1, causing the authentication while transmitting the product id on the URL.
I want to use a Java EE application server (GlassFish 3) as SSO service for both Java applications and PHP applications. If a user gets authenticated by GlassFish he should also be logged into the PHP applications.
Is there a best practise to share the Servlet session (more precise: authentication status) with PHP?
Have a look at PHP / Java Integration. You can either integrate PHP into a servlet environment or have PHP call Java. Now I'm not 100% sure this will specifically solve your problem and the integration is deemed experimental.
What you're probably better off doing is using something else to share session data. Something like memcache. Both Java and PHP can freely talk to memcache. That will be a far more robust solution.
I have no experience with connecting PHP and a Java app server, but on integration in general:
A common way to do a single sign on is reading a session ID (e.g. a cookie set by the Java Server) in the PHP script, passing it to the app server internally (e.g. through the command line, by making a HTTP call or a shared cache instance) and getting back the authentication status.
If this is not possible, e.g. because the services are running on different domains, you would pass your app server's session ID to the PHP application the first time it gets called. The PHP app will then create a session of its own, and store the session ID from the app server in it. The internal verification of the app server's session would work as outlined above.
If you need to exchange more than just a "logged in / not logged in" flag, you could also look into replacing PHP's standard session handling using session_set_save_handler(). Your custom session function would, instead of storing the session data to a file, get its data from your app server, which can pre-fill session data with things like authentication status, user name, and so on. This would allow for some amount of easy inter-application communication as well.
Of course, first check whether the built-in Java/PHP integration functions mentioned by cletus don't already do the trick.
i dont know about best practice... but usually if it works and is not ridiculously expensive and does not compromise security, it can be an acceptable practice.
when the user visits a php page without having a php session, that php page redirect to a specific jsp page. the jsp page will see if the user has an active session. if not the jsp page will allow the user to log in. the jsp page will redirect to a specific php page, passing it things like authentication tokens and so on, as well as the url of the original page. the php page creates the php session and redirects to the original page requested. these pages could be in different domains and running on different servers. this can also be replicated and implemented across different servers running java or php or anything else.
acc.intt/page.php -> sso.intt/cosession.jsp -> acc.intt/cosession.php -> acc.intt/page.php