I'd like to embed an ajax application into a wordpress site. The ajax application will communicate with servlets running on tomcat. Now the servlets need a way to verify if a request originates from a user that is logged in to wordpress. How does this commonly get solved?
AFAIK, wordpress is stateless and does not use sessions, which makes me curious how a logged in user in wordpress can be tracked.
The second problem is, how can a servlet request wordpress to verify if a given user is still logged in?
Any advice is welcome,
Thank you.
The only thing that you can do is read the cookies. And that will work only if you are using the same domain (or subdomain and the cookies are valid for all subdomains). The session cookie might not give you sufficient information, however. You can't read a PHP session from a Java app, and generally, you can't mix two applications that way.
As a little workaround, you can check with javascript who is the currently logged user (by finding the username in the DOM), and send that with ajax, but that is not secure at all.
Related
I have a web application which requires username and password authentication to enter.
What I am doing is, authenticate a user from a stand alone Java app, which would do so by making Http request to the server using username and password. Then I would retrieve JSESSIONID cookie from response of server.
Now what I want is to use this JSESSIONID to continue session on browser i.e. to let user navigate pages of my web app which would be opened by my stand alone java app which I use for authentication.
Is this possible? Or is there any other way to do so.
Cookie can be changed using below mentioned methods.
Cookie cookie = new Cookie("JSESSIONID", NEWSESSIONID);
response.addCookie(cookie);
From your application you can send JSESSIONID as parameter while opening browser first time and reset your cookie using above method either in filter or servlet. This will reset your cookie in client side once you send response back. Next request on wards you will be able to access the session created previously.
It's possible but it's not that simple.
Since web applications don't share sessions, what you're looking for is a Single Sign On (SSO) solution, which involves an "Identity Provider" (IdM) that authenticates users for one or more "Service Providers" (SP). In this case, your servlet is the IdM and your web app is an SP.
Depending on your deployment, the following are third-party, open-source SSO libraries that you may be able to use:
Kerberos
PicketLink (for JBOSS)
OpenAM (for Tomcat)
If you don't want to use a third-party library, you may also be able to modify your servlet to be the IdM. Either way, I suggest reading a little about Security Assertion Markup Language (SAML) before deciding on a solution. SAML is a popular method that the above libraries implement.
I have developed a web application on Struts2 and used JSP. I want to develop a login system and so cookie management for my web application. Everybody can see every page and there is no authorization for my website.
My question is that what are the steps of my work.
1) Login system
2) Cookie management
3) Authorization
will be done but where I should start and is there any good documents of that steps(for every step of what should I do)?
You can implement this using Sessions, which means you won't have to work with cookies (at least directly). Also keep in mind the difference between authentication (checking identity of a user) and authorization (checking users access rights). I usually implement:
a Login action (which authenticates the user in some way, and saves something to the session which I can latter check to see if the user is logged in...eg. a User object)
an authorization interceptor (which filters each request and checks that user is logged in and has access rights for that particular request....if not forward to login form).
Also keep in mind that this is a do-it-yourself quick way to do it, if you plan anything more you are better off with a security framework/lib of some sorts.
The cookie managment in Struts2 is an orphaned feature. There are ways of reading them using the framework, but no way to write them. Since you have to go directly to the ServletResponse to write cookies, you may as well use the ServletRequest directly to read them.
Check out this: http://www.dzone.com/links/r/working_with_cookies_in_struts_2.html
In my applications I use JavaScript for handling cookies, is more practical, and works well for me.
I'm building an app to let users export data from a university system. Currently, they can log in and see the data in HTML, but I would like to let people download it as CSV.
I have an app where users supply their username and password. I would like to log in to the university system and HTML scrape the resulting page. How can I do this?
I'm building a GWT app. I could either do this in Java-transliterated-JS on the client, or Java on the server.
Update: Selenium might be nice, but it looks like overkill.
You're going to have to do this from the server unless the domains are the same. You'd need to determine what the POST transaction used by the other server for the login step looks like - parameter names etc. Then you'd perform that operation and do whatever you want with what comes back. If you need to see multiple pages, you need to maintain the appropriate session cookie too so that the server knows you're still logged in on the subsequent HTTP requests.
If you have to hit another site to validate the credentials, then I'm not so sure that people should feel comfortable providing those credentials to you. That is, if you don't have rights to check the credentials directly, why are you trustworthy to receive them? I know sometimes people need to integrate with a system they don't own, so this is just a question.
First, this has to be done server-side because of the limitations on client scripting due to the same origin policy.
The typical way of handling the "screen scraping" you mention is to treat the web page as if it was an XML service. First, examine the source code of the page, then using an internet/HTTP stack, craft a POST to the correct URL and read the response using a standard XML library. It will take some ingenuity to come up with a good way to dig into the XML to find the piece you need that will be as insulated as possible from changes to the page. Keep in mind that your system can break any time that the owners of the site change their page.
Sometimes, you can't just send the POST but have to request the blank page initially in order to get hidden form values that need to be returned in the POST. You'll have to experiment to find out what it requires.
Additionally, you probably have to handle cookies as well, since they usually are an integral part of the web site's authentication and session management (though you might get lucky that the session doesn't matter between the initial POST and the first response).
Last, you may be unlucky enough that the site uses javascript to do part of the authentication work, which may require additional digging to understand how the credentials are posted to the site.
There are other potential barriers such as the site checking to see that the referrer is their own site, possible use of SSL (HTTPS) and so on.
I'm pretty sure that the protection against cross-site scripting in web browsers will mean that you can't log in to the university's app using javascript running in the web browser. So the part of your program that fetches data from the university will need to run on your server. Once you have the data, you can process it either on your server or in javascript in the browser, but I think it would be easier to do it on the server.
See http://en.wikipedia.org/wiki/Same_origin_policy
I'm not too sure about GWT, but in general, you would take the form data submitted by the user, check it against a database of username and hashed passwords. If the database checks out, set a session cookie that says the user is logged in.
In your pages, check if the session cookie say the user is logged in. If not, redirect to login page, otherwise allow them to view the pagfe.
I want to use a Java EE application server (GlassFish 3) as SSO service for both Java applications and PHP applications. If a user gets authenticated by GlassFish he should also be logged into the PHP applications.
Is there a best practise to share the Servlet session (more precise: authentication status) with PHP?
Have a look at PHP / Java Integration. You can either integrate PHP into a servlet environment or have PHP call Java. Now I'm not 100% sure this will specifically solve your problem and the integration is deemed experimental.
What you're probably better off doing is using something else to share session data. Something like memcache. Both Java and PHP can freely talk to memcache. That will be a far more robust solution.
I have no experience with connecting PHP and a Java app server, but on integration in general:
A common way to do a single sign on is reading a session ID (e.g. a cookie set by the Java Server) in the PHP script, passing it to the app server internally (e.g. through the command line, by making a HTTP call or a shared cache instance) and getting back the authentication status.
If this is not possible, e.g. because the services are running on different domains, you would pass your app server's session ID to the PHP application the first time it gets called. The PHP app will then create a session of its own, and store the session ID from the app server in it. The internal verification of the app server's session would work as outlined above.
If you need to exchange more than just a "logged in / not logged in" flag, you could also look into replacing PHP's standard session handling using session_set_save_handler(). Your custom session function would, instead of storing the session data to a file, get its data from your app server, which can pre-fill session data with things like authentication status, user name, and so on. This would allow for some amount of easy inter-application communication as well.
Of course, first check whether the built-in Java/PHP integration functions mentioned by cletus don't already do the trick.
i dont know about best practice... but usually if it works and is not ridiculously expensive and does not compromise security, it can be an acceptable practice.
when the user visits a php page without having a php session, that php page redirect to a specific jsp page. the jsp page will see if the user has an active session. if not the jsp page will allow the user to log in. the jsp page will redirect to a specific php page, passing it things like authentication tokens and so on, as well as the url of the original page. the php page creates the php session and redirects to the original page requested. these pages could be in different domains and running on different servers. this can also be replicated and implemented across different servers running java or php or anything else.
acc.intt/page.php -> sso.intt/cosession.jsp -> acc.intt/cosession.php -> acc.intt/page.php
I'm using gwt on my glassfish server, and I'm attempting to make some of my RPC calls authenticated via cookies. Is this possible? Are there any examples out there of how to code it?
Depending only on the cookie for authentication will make your website/services vulnerable to Cross-Site Request Forging/XSRF/CSRF attacks - read more on that in Security for GWT Applications.
The best way would be to double check the value you get from the cookie and with the one that's been transported to the server by some other means - as part of the request (header, a custom field, etc).
Other than that, there are many tutorials covering the subject - just search for Java (servlet) authentication - it doesn't have to be GWT-specific. The Google Web Toolkit Group also has many threads about the subject.
I assume that you use GWT's RPC servlet for handling requests made by the client.
One option that comes to my mind is to write and configure a ServletFilter which can examine the cookie, before the request reaches GWT's servlet.
You might rethink using cookies as it is a potencial security hole.
Why not put your communication to HTTPS?
Can you not just use the standard 'session' scope, i.e.
request.getSession()
A pattern I use in GWT apps is to have a separate 'old fashioned' login form which sets up the session. The GWT app's host page is then displayed after they have successfully logged in.
If the necessary values aren't in the session, then the user isn't logged in. Your service should return an exception, maybe, which instructs the GWT app to redirect to the login page, or display an error.