I'm pretty new to Angular and jsp and I have a question about general architecture of a single-page system.
I understand that JSP MVC has its own security features, some of which are of course related to conditionally delivering static/dynamic pages to the clients.
How can that feature work with Angular? Obviously in a single page application, working with partials, the server does not need to pass pages to the client.
My specific question is about the login page. Do I need to separate my login html from my main 'single-page' index.html with all my routes?
Will I have a 'login.jsp' file which is a stand-alone file handled by jsp and only after login routing to the single-page part of the application?
Thanks!!!
Regarding the login part:
My recommendation is that as an application developer you should not be thinking about how to implement your login page. This would bind your application to a specific authentication mechanism, and it's a sign of getting into trouble (implementing the whole app security on your own).
It is preferable that this binding is performed in a pluggable (declarative) way, like it is done in JEE by the container or in Spring security by a dedicated framework.
So answering your question: you should not have a login.jsp at all; this page would be automatically generated once you have properly configured your application security with a 'login form' authentication mechanism. (Both JEE and Spring also provide mechanisms for customizing these pages.)
The framework/container would intercept the request to your web app, identify if the user is authenticated, redirect to the login page and finally redirect to the original url, if authentication succeeds.
Cheers,
Nacho
Related
Background: Our current technology architecture includes Tomcat Servlets that do backend activities and Codeigniter PHP which handles the presentation layer. So when a particular page is loaded, the Codeigniter View invokes the Controller which constructs the servlet URL with necessary input parameters and invokes the URL and gets the response and passes it back to the View so that the page is rendered.
Issue: User information and login credentials are stored in a database and are validated by the PHP front end. There is no authentication for the Tomcat servlets, and in cases where we need user information in the backend, the user id is passed as a parameter to the backend.
Currently Tomcat and PHP reside on the same server, and we have used firewall port-based restrictions to ensure that the servlets can be invoked only from within the server, in order to secure them.
Help required: We are looking to implement a token-based authentication and authorization mechanism for the servlets. If we can get some sort of existing library that we can easily plug in to our servlets, that would be ideal. Otherwise, please guide us on what would be the best solution to implement without too many code changes but that would effectively secure the backend servlets.
Cássio Mazzochi Molin has a nice article about the topic: Token-based authentication with JAX-RS 2.0
I am new to web services using Java. I am working on an application that has a login page coded using JAASLoginModule. From there it navigates to pages in the application which are REST-based. When I copy the URL of a REST page into another browser, it doesn't ask for credentials. I need to implement SSO between these two. Could anybody provide pointers for the same, as in what method and which configurations need to be changed?
I have the following architecture:
front-end = AngularJS
back-end = Java EE7/REST-API
Both are deployed on Wildfly 8.2 using Undertow as application server.
My first question is regarding the authentication mechanism:
Should I use form-based authentication and have a web.xml that protects my pages with a security constraint? Same for the REST API: it will be protected by a security constraint.
I can have then a j_security_check with j_username and j_password on a simple login page.
On server side, I can do a JAAS login then.
Should I use JSON token authentication, so login and logout will use REST web services and generate some access token? Those tokens will be saved into a database with a specific time limit.
That is all regarding security.
Now I am talking about the $scope object in Angular; as you know it will disappear in Angular 2.0, so I am trying to avoid it as much as possible, but then how do I replace these:
$scope.$apply()
$rootScope
$broadcast
I know that Angular 2.0 encourages web component development with directives as controllers, but I have no idea how to replace these specific objects.
Thank you for your help !
Security:
Let me ask you this in a different way. Is your back end going to be
a) Web layer for all the front end applications
b) API layer that has consumers outside of web pages.
If you answered a), then you may probably go for form-based/container-based security.
If you answered b), then you may think of token-based authentication.
Angular $scope
Try to follow some common style guide like https://github.com/johnpapa/angular-styleguide#controllers. This might not be a complete solution but will help you avoid $scope.
BTW: Here is my generator that is based on the style guide and can help you get the code cleaner and follow best practices. http://reflexdemon.github.io/slush-angular-gulp/
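The token-based option suggested in this answer, and the earlier request for something that can be plugged in to the Tomcat servlets without touching their code, both come down to one piece: a servlet filter that verifies a bearer token before the request reaches the servlet, and exposes the verified user id to the servlet so the backend no longer trusts a user id passed as a parameter. The following is an added example written for this page; it is not code from any of the posters or from the linked article. It assumes the protected servlets are mapped under /api/, that the HMAC key is supplied in the environment variable BACKEND_TOKEN_SECRET and shared only with the token issuer (the PHP login or a REST login resource would call issue() equivalently), and it uses stateless HMAC-SHA256 tokens with an embedded expiry instead of tokens stored in a database.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Bearer-token filter for backend servlets (Servlet 3.0, registered by annotation).
 * Requests must carry "Authorization: Bearer <token>"; anything else gets 401.
 * Servlets read the caller from the "authenticatedUserId" request attribute
 * instead of trusting a user id sent as a request parameter.
 */
@WebFilter(urlPatterns = "/api/*")   // assumption: protected servlets live under /api/
public class TokenAuthFilter implements Filter {

    private static final String BEARER = "Bearer ";
    private byte[] secret;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: the HMAC key comes from the environment and is shared only
        // between the token issuer (the front end's login) and this filter.
        String s = System.getenv("BACKEND_TOKEN_SECRET");
        if (s == null || s.length() < 32) {
            throw new ServletException("BACKEND_TOKEN_SECRET must be set and at least 32 characters long");
        }
        secret = s.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        String userId = null;
        if (header != null && header.startsWith(BEARER)) {
            userId = Tokens.verify(header.substring(BEARER.length()), secret,
                                   System.currentTimeMillis() / 1000);
        }
        if (userId == null) {
            response.setHeader("WWW-Authenticate", "Bearer");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute("authenticatedUserId", userId);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Stateless tokens: base64url(userId:expiry) + "." + base64url(HMAC-SHA256 over the first part). */
    static final class Tokens {
        private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
        private static final Base64.Decoder DEC = Base64.getUrlDecoder();

        /** Called by the token issuer after it has validated the user's credentials. */
        static String issue(String userId, long expiryEpochSeconds, byte[] secret) {
            if (userId.indexOf(':') >= 0) throw new IllegalArgumentException("userId must not contain ':'");
            String payload = ENC.encodeToString((userId + ":" + expiryEpochSeconds).getBytes(StandardCharsets.UTF_8));
            return payload + "." + ENC.encodeToString(mac(payload, secret));
        }

        /** Returns the user id, or null if the token is malformed, forged or expired. */
        static String verify(String token, byte[] secret, long nowEpochSeconds) {
            int dot = token.indexOf('.');
            if (dot <= 0 || dot == token.length() - 1) return null;
            String payload = token.substring(0, dot);
            byte[] givenMac;
            byte[] payloadBytes;
            try {
                givenMac = DEC.decode(token.substring(dot + 1));
                payloadBytes = DEC.decode(payload);
            } catch (IllegalArgumentException e) {
                return null;                                  // not valid base64url
            }
            // Constant-time comparison so response timing does not leak how many MAC bytes matched.
            if (!MessageDigest.isEqual(mac(payload, secret), givenMac)) return null;
            String[] parts = new String(payloadBytes, StandardCharsets.UTF_8).split(":", 2);
            if (parts.length != 2) return null;
            try {
                if (Long.parseLong(parts[1]) <= nowEpochSeconds) return null;   // expired
            } catch (NumberFormatException e) {
                return null;
            }
            return parts[0];
        }

        private static byte[] mac(String data, byte[] secret) {
            try {
                Mac m = Mac.getInstance("HmacSHA256");
                m.init(new SecretKeySpec(secret, "HmacSHA256"));
                return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }
}
```

The filter is the only new code; the existing servlets stay as they are, except that they should now read the caller from `request.getAttribute("authenticatedUserId")` rather than from a `userId` parameter, which is the parameter a caller could otherwise set freely. The firewall rule mentioned in the question still applies as a second layer, and the token must travel over TLS since possession of it is what authenticates the request.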
I was following this tutorial to create form-based authentication for my JBoss Java EE 6 application.
However, it has no code for the login servlet. After searching other resources I found that the login servlet code is not mentioned anywhere.
Where can I find the code for the login servlet? Maybe it's very basic, but I am new to Java and I can't write it myself.
The tutorial doesn't have servlet code because the security is provided by the container itself, and container security is configured using the deployment descriptor.
You may read this article for further information and decide whether you use the container security or a custom implementation.
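To make concrete what "provided by the container" means here, and what Nacho's earlier answer describes as the framework intercepting the request, redirecting to the login page and back, the following is an added example of a servlet that sits behind container-managed FORM authentication. It is not the tutorial's code nor any answerer's. It assumes the application is mapped under /app/, a role named "user" (and optionally "admin") in the JBoss security domain, a login page at /login.html, and that logout is triggered by a POST to /app/logout; the web.xml and login.html pieces it relies on are described in the comment, since neither is Java.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * A servlet protected by container-managed FORM authentication (Servlet 3.0).
 *
 * There is no login servlet to write. The moving parts are:
 *   1. web.xml: a <login-config> with <auth-method>FORM</auth-method> and a
 *      <form-login-config> naming the login page and the login-error page;
 *   2. login.html: a plain form that POSTs to "j_security_check" with the
 *      fields j_username and j_password (the container handles that POST);
 *   3. a realm / JBoss security domain holding the users and their roles;
 *   4. the constraint declared below (or the equivalent <security-constraint>
 *      in web.xml), which the container checks before doGet() ever runs.
 * An unauthenticated request to /app/* is redirected to the login page and,
 * after a successful login, back to the URL that was originally requested.
 */
@WebServlet("/app/*")                                      // assumption: app served under /app/
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))   // assumption: role name "user"
public class ProtectedAppServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller: the identity comes
        // from getUserPrincipal(), never from a user id passed as a parameter.
        String user = req.getUserPrincipal().getName();
        boolean admin = req.isUserInRole("admin");          // assumption: an "admin" role exists

        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Hello " + user + (admin ? " (admin)" : ""));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getPathInfo())) {          // assumption: POST /app/logout ends the session
            req.logout();                                   // Servlet 3.0: drops the authenticated identity
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/login.html");   // assumption: login page path
            return;
        }
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

Because the constraint is enforced by the container, `getUserPrincipal()` is guaranteed non-null inside `doGet()`; if the constraint were removed it would return null for anonymous callers, which is the usual sign that a resource was left out of the protected URL patterns. For a single-page application this is the same mechanism the first question asks about: index.html and its partials sit under the protected pattern, and the only page outside it is the login form.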
At Stormpath, we have a ready-to-use login Servlet that you could use. The only caveat is that it requires Servlet 3.0 or later and it is coupled to our own User Management service.
Our Login Servlet will automate all user registration, login, authentication and authorization workloads.
Take a look at this one page long quickstart: https://docs.stormpath.com/java/servlet-plugin/quickstart.html. It will describe the few steps that you need to carry out to integrate it into your app.
BTW, the Servlet Plugin is completely open source; the code is here in case you want to take a look at it.
I have an application which is divided into 2 parts: the GUI is at localhost:8080/simple-gui and the backend at localhost:8080/simple-backend. In the backend I have defined simple Spring Security (details are here: Validate test user with spring security against database). The problem is that this security protects all pages in simple-backend. How do I also protect simple-gui and redirect all unauthorized users to the login page: localhost:8080/simple-gui/login.html
The simple GUI has nothing to do with Java. It is just HTML, so I can't create Spring Security there.
As per the question, both applications seem to be separate WARs when deployed in Tomcat. So if you are thinking that adding configurations for simple-gui in simple-backend will also secure simple-gui, I guess that will not happen.
Either you can have separate configurations for simple-gui in that project itself, or what you need to study is SSO or OAuth, if you want to perform something like this.