I have studied the java in app billing code snippet at
https://developers.google.com/in-app-payments/docs/tutorial
and I am unable to use it to make my application capable of doing in app payments.
My first question is how do I set up a servlet to handle payment requests. Do I put the getJWT() method in the servlet and call it from the doPost() method?
My second question is what do I do with the String that getJWT() returns? It should be the json object that holds the purchasing information, but I don't know how the jsp file I have should process it.
I have searched for example code using java servlets and jsps to study but found none. I have found python code, but I can't translate python into java yet. If anyone knows of an example (complete) of google in app billing using java servlets and jsps I would appreciate it if you could post a link also.
Thank you.
On the server you need an HttpServlet derived class that takes the order request (in doPost()), calls the JWT libraries together with the Seller Secret to generate the signed JWT string, then returns the result in the response.
On the client side in the HTML page you can use a templating system (e.g. AppEngine + JSPs) or Ajax calls to your servlet to get the generated JWT.
The generated JWT is one of the paramenters to the goog.payments.inapp.buy() JavaScript API.
Below is a simple AppEngine Python implementation of In-App Payments. You can re-use the client-side code and replace the server-side with the Java implementation:
https://code.google.com/p/iap-python/
Related
I know what I am asking is somehow weird. There is a web application (which we don't have access to its source code), and we want to expose a few of its features as web services.
I was thinking to use something like Selenium WebDriver, so I simulate web clicks on the application according to the web service request.
I want to know whether this is a better solution or pattern to do this.
I shall mention that the application is written using Java, Spring MVC (it is not SPA) and Spring Security. And there is a CAS server providing SSO.
There are multiple ways to implement it. In my opinion Selenium/PhantomJS is not the best option as if the web is properly designed, you can interact with it only using the provided HTML or even some API rather than needing all the CSS, and execute the javascript async requests. As your page is not SPA it's quite likely that an "API" already exists in form of GET/POST requests and you might be lucky enough that there's no CSRF protection.
First of all, you need to solve the authentication against the CAS. There are multiple types of authentication in oAuth, but you should get an API token that enables you access to the application. This token should be added in form of HTTP Header or Cookie in every single request. Ideally this token shouldn't expire, otherwise you'll need to implement a re-authentication logic in your app.
Once the authentication part is resolved, you'll need quite a lot of patience, open the target website with the web inspector of your preferred web browser and go to the Network panel and execute the actions that you want to run programmatically. There you'll find your request with all the headers and content and the response.
That's what you need to code. There are plenty of libraries to achieve that in Java. You can have a look at Jsop if you need to parse HTML, but to run plain GET/POST requests, go for RestTemplate (in Spring) or JAX-RS/Jersey 2 Client.
You might consider implementing a cache layer to increase performance if the result of the query is maintained over the time, or you can assume that in, let's say 5 minutes, the response will be the same to the same query.
You can create your app in your favourite language/framework. I'd recommend to start with SpringBoot + MVC + DevTools. That'd contain all you need + Jsoup if you need to parse some HTML. Later on you can add the cache provider if needed.
We do something similar to access web banking on behalf of a user, scrape his account data and obtain a credit score. In most cases, we have managed to reverse-engineer mobile apps and sniff traffic to use undocumented APIs. In others, we have to fall back to web scraping.
You can have two other types of applications to scrape:
Data is essentially the same for any user, like product listings in Amazon
Data is specific to each user, like in a banking app.
In the firs case, you could have your scraper running and populating a local database and use your local data to provide the web service. In the later case, you cannot do that and you need to scrape the site on user's request.
I understand from your explanation that you are in this later case.
When web scraping you can find really difficult web apps:
Some may require you to send data from previous requests to the next
Others render most data on the client with JavaScript
If any of these two is your case, Selenium will make your implementation easier though not performant.
Implementing the first without selenium will require you to do lots of trial an error to get the thing working because you will be simulating the requests and you will need to know what data is expected from the client. Whereas if you use selenium you will be executing the same interactions that you do with the browser and hence sending the expected data.
Implementing the second case requires your scraper to support JavaScript. AFAIK best support is provided by selenium. HtmlUnit claims to provide fair support, and I think JSoup provides no support to JavaScript.
Finally, if your solution takes too much time you can mitigate the problem providing your web service with a notification mechanism, similar to Webhooks or Resthooks:
A client of your web service would make a request for data providing a URI they would like to get notified when the results are ready.
Your service would respond immediatly with an id of the request and start scraping the necessary info in the background.
If you use skinny payload model, when the scraping is done, you store the response in your data store with an id identifying the original request. This response will be exposed as a resource.
You would execute an HTTPPOST on the URI provided by the client. In the body of the request you would add the URI of the response resource.
The client can now GET the response resource and because the request and response have the same id, the client can correlate both.
Selenium isn't a best way to consume webservices. Selenium is preferably an automation tool largely used for testing the applications.
Assuming the services are already developed, the first thing we need to do is authenticate user request.
This can be done by adding a HttpHeader with key as "Authorization" and value as "Basic "+ Base64Encode(username+":"+password)
If the user is valid (Users login credentials match with credentials in server) then generate a unique token, store the token in server by mapping with the user Id and
set the same token in the response header or create a cookie containing token.
By doing this we can avoid validating credentials for the following requests form the same user by just looking for the token in the response header or cookie.
If the services are designed to chcek login every time the "Authorization" header needs to be set in request every time when the request is made.
I think it is a lot of overhead using a webdriver but it depends on what you really want to achieve. With the info you provided I would rather go with a restTemplate implementation sending the appropriate http messages to the existing webapp, wrap it with a nice #service layer and build your web service (rest or soap) on top of it.
The authentication is a matter of configuration, you can pack this in a microservice with #EnableOAuth2Sso and your restTemplate bean, thanks to spring boot, will handle the underlining auth part for you.
May be overkill..... But RPA? http://windowsitpro.com/scripting/review-automation-anywhere-enterprise
I need to upload a file to a sharepoint online repository (Office 365). I need to do this in java and the sharepoint online site uses ADFS for single sign-on.
So far, all of the examples, sample-code, etc I've works for most of those requirements, but fails at one critical part (e.g.: java file upload with sso for a local sharepoint 2013 site, or java file upload to sharepoint online, but without the ADFS part). Authentication against ADFS seems to be one of the big sticking points.
Does anyone have an example of this working that meets all of those requirements?
edit-to-add: and, naturally, I've got no budget to do things like buy a commercial library that might do this quick-and-easy. :\
The below are the steps you need to execute.
Since you are trying to upload from JAVA, the only option SharePoint gives is REST API - I guess you are clear on this part.
O365 identifies you(Java call) only if you send the auth token(SAML token) along with the Request body of your REST API call
So you have to get the SAML token first and pass it with your REST Api call
Check out these links which explain the authentication process to O365 with ADFS.
Other thread in Stackoverflow
Claim auth from ADFS
A blog post about getting auth in a windows 8 app. https://blogs.msdn.microsoft.com/omarv/2012/11/15/developing-windows-8-store-apps-for-sharepoint-online-with-sso-single-sign-on/
Only thing you have to do is, replace the C# parts with equivalent Java API calls.
I have two different spring web applications with authentication,
My first application has to get some responses from second application in order to show the required details to the user. Now the problem is, Since the second app also secured I'm unable to get responses from it. Suggest me how can I authenticate second app from server code at first app.
Note: I tried to use CAS server, It returned me the login page's html text when I made a request.
Refer to this https://stackoverflow.com/a/24486898/3487801. Services could be secured using CAS. All you need to do is to add restlet module on your cas server and build a simple Java client to get the ticket and authenticate to your service.
Some says, there is no working Java client for headless CAS. But groovy example on the CAS restful API https://wiki.jasig.org/display/casum/restful+api is actually working. You need to get it modified just a little bit to get it work.
I'm running a webapp that checks if a user is logged in with UserService, then shows them their homepage if they are, or redirects them to a login screen if not. Once on the page, I would like to be able to update specific portions using AJAX when they click certain elements. Now, I have already written a REST API in the same GAE project using Cloud Endpoints that gets all the information I want, and so in the spirit of DRY I would rather use my own API than write new servlets to handle these requests.
The problem is that I need to generate an OAuth token in order to access the API. I can easily do this from the Google API JavaScript Client Library, but then my user needs to re-authenticate for the rest API, which is not only bad from a UX perspective, but more importantly exposes my client id in the page's javascript and passes a token through HTTP (non-SSL) headers.
The only option I see is to write a servlet for each request and have duplicate work. But conceptually, I'm already logged in to Google, so I should just be able to access the API. How does one usually go about this? Am I thinking about it all wrong?
UserService and OAuth are two different authentication (and authorisation) mechanisms and you can not combine them.
If you do need OAuth to access some of the APIs than also use server side OAuth. This way you can access APIs and replace UserService all in one go.
I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.
So my question is what is how to send user credentials from a PHP application to a java application?
If it helps I am using a Java web framework called Vaadin.
Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).
Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.
I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.
If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?
Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:
Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:
http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h
Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:
$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);
With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.
Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.
The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.
Does this answer your question?