I need to solve a problem with a POST redirect in a Spring MVC application.
PayPal lets you place a simple HTML form that can redirect to PayPal pages with POST. But I need to perform some actions in the application after the user clicks the PayPal button, but before the actual action is taken.
So I was thinking about doing it like this: place the PayPal button on the webpage, pointing to a local controller. There I would need to perform some actions, like checking whether the user is logged in to the application and, if yes, putting his email as a custom field in the PayPal request parameters. If not, then log the user in and do the previous. After all the information is gathered I need to make the POST. I know how I could make such a POST, but I need the user's web browser to be redirected there. Is there any way to do this?
You cannot instruct the user's browser to do a redirection and a POST, but you can do that with JavaScript. The flow would be something like this:
The user clicks the PayPal button
The PayPal button sends data to your controller using AJAX
Your controller returns a success message and any additional information needed
JavaScript on your page receives the message and redirects to PayPal
Related
I have a web application in which, when the user clicks on a link, it will generate security information and log on to an external application if the security information is authenticated.
At this point, out of security concern, I don't want to expose the URL and request information on the web page, so instead I am seeking solutions to handle the process behind the scenes.
I know Apache Components can easily send a POST request from within a POJO, and the Jersey client can do so as well through a web service. However, the requirement here also includes letting the browser automatically redirect to the 3rd app's front page if the login process succeeded.
My question is what could be the proper solution to handle the login process and go to the external application from the web as well.
Say you have:
publicapp.com
secretapp.com
Set up an API in publicapp.com to POST the initial request to itself. When the user submits the initial login form it goes to, say, publicapp.com/login. This endpoint will pre-process the information, then send a server-to-server request to secretapp.com/login.
If secretapp.com/login accepts the information it responds to publicapp.com with a success and publicapp.com redirects the client to secretapp.com/home, with a short-term auth token encoded in a JWT. secretapp.com swaps the short-term token for a full auth token.
In the above scenario, the actual login endpoint is never made public. secretapp.com should also have IP whitelisting to only accept login attempts from publicapp.com. You can also do a lot of filtering on publicapp.com to eliminate malicious requests without bothering secretapp.com.
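The short-term token handoff described in the answer above, as an added example that is not part of the original answer. It assumes publicapp.com and secretapp.com share an HMAC key and that the token is an HS256 JWT carrying sub, exp and jti claims; the class and method names are hypothetical, and only the JDK is used.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.*;

public class HandoffToken {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // Fixed header: redeem() compares against it, so "alg" is never read from the token.
    static final String HEADER = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
    static final Pattern CLAIMS = Pattern.compile(
            "\\{\"sub\":\"([A-Za-z0-9._@-]{1,64})\",\"exp\":(\\d{1,15}),\"jti\":\"([0-9a-f-]{36})\"\\}");
    // Redeemed token ids; a real deployment needs a shared store that expires entries (assumption).
    static final Set<String> USED = ConcurrentHashMap.newKeySet();

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // publicapp.com: called once secretapp.com/login has accepted the server-to-server request.
    static String issue(byte[] key, String user, long now, long ttlSeconds) throws Exception {
        if (!user.matches("[A-Za-z0-9._@-]{1,64}")) throw new IllegalArgumentException("bad user name");
        String claims = "{\"sub\":\"" + user + "\",\"exp\":" + (now + ttlSeconds)
                + ",\"jti\":\"" + UUID.randomUUID() + "\"}";
        String signed = HEADER + "." + B64.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        return signed + "." + B64.encodeToString(hmac(key, signed));
    }

    // secretapp.com: returns the user to log in, or null when the token must be rejected.
    static String redeem(byte[] key, String token, long now) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3 || !p[0].equals(HEADER)) return null;
        try {
            byte[] sig = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(sig, hmac(key, p[0] + "." + p[1]))) return null;
            Matcher m = CLAIMS.matcher(new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8));
            if (!m.matches() || Long.parseLong(m.group(2)) <= now) return null;
            return USED.add(m.group(3)) ? m.group(1) : null; // a replayed jti is refused
        } catch (IllegalArgumentException e) { return null; } // malformed base64
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-do-not-reuse-0001".getBytes(StandardCharsets.UTF_8);
        String t = issue(key, "alice@example.com", 1000, 30); // constructed sample user and clock
        System.out.println("first use: " + redeem(key, t, 1010));
        System.out.println("replay:    " + redeem(key, t, 1011));
        System.out.println("expired:   " + redeem(key, issue(key, "bob", 1000, 30), 1031));
    }
}
```

Because the token travels in the redirect URL, the short lifetime and the one-time jti check are what limit its value if it leaks through browser history or logs.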
Redirecting application link to Java - GWT Custom page.
Whenever a user logs in through my app
and hits a button (say, add record), a redirection should happen, i.e. the page should be redirected to the GWT custom page from the application link.
How do I call a servlet when the application link is hit by the button?
After that, how do I call the GWT page from the called servlet?
I want to show the GWT custom page with the data present in the REQUEST.
Hidden fields are available on the UI screen, which is developed in GI.
These fields can be passed to GWT custom applications launched from the application link.
APP(UI) --> SERVLET---> GWT page(UI with data present in request i.e jsessionid,hidden fields)
What changes need to be made in web.xml?
Please provide any helpful document, link, sample code or idea.
Hope for the best co-operation
Thanks in advance.
Do you already have a fixed login page (servlet) that you must use? Then do this:
Window.Location.assign(loginUrl) will take you to a new page. Your GWT app will be "closed" and all state will be lost.
Your login servlet should redirect back to your GWT page when done. Usually this is done by supplying a URL parameter when invoking login page - check the login servlet. Usually something like http://yourserver.com/login?returnTo=GwtAppUrl.
At this point your user is logged in, which means that servlet has set a session cookie. From this point on (until logout or session time-out) your GWT and GWT-RPC will use this session automatically (browser sends session cookie) - you don't have to do anything.
You can pass some data back to GWT by fragment identifier http://yourserver.com/login?returnTo=GwtAppUrl#somePage/parameter1/parameter2. However, a better option is to just use GWT-RPC to get the data from the server.
Otherwise, if you are making everything from scratch, you can use GWT to do the login: How to implement a login page in a GWT app?
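An added example, not part of the original answer: the returnTo parameter described above arrives from the browser, so the login servlet should check it before redirecting. The allowed host comes from the answer's sample URL; the class name, method name and fallback page are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class ReturnToValidator {
    // Host taken from the answer's sample URL; the fallback page is an assumption.
    static final Set<String> ALLOWED_HOSTS = Set.of("yourserver.com");
    static final String FALLBACK = "/";

    /** Returns raw if the login servlet may redirect to it, otherwise FALLBACK. */
    static String safeReturnTo(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 2048) return FALLBACK;
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            // Browsers strip tabs/newlines and treat '\' as '/', so the parser below would
            // see a different URL than the browser follows.
            if (c <= 0x20 || c == 0x7f || c == '\\') return FALLBACK;
        }
        URI u;
        try { u = new URI(raw); } catch (URISyntaxException e) { return FALLBACK; }
        if (u.isOpaque() || u.getRawUserInfo() != null) return FALLBACK; // javascript:, user@host
        if (u.getScheme() == null) {
            // Relative target: a single leading slash only. "//host" and "///host" leave the site.
            return raw.startsWith("/") && !raw.startsWith("//") ? raw : FALLBACK;
        }
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        String host = u.getHost();
        if (!scheme.equals("http") && !scheme.equals("https")) return FALLBACK;
        if (host == null || u.getPort() != -1) return FALLBACK;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)) ? raw : FALLBACK;
    }

    public static void main(String[] args) {
        // Constructed sample values for the returnTo parameter.
        for (String s : List.of("/GwtApp.html#somePage/parameter1/parameter2",
                "http://yourserver.com/GwtApp.html", "//evil.example/", "///evil.example/",
                "https://yourserver.com.evil.example/", "https://yourserver.com@evil.example/",
                "/\\evil.example", "javascript:alert(1)")) {
            System.out.println(s + " -> " + safeReturnTo(s));
        }
    }
}
```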
I am trying to make a webapp in Java that is capable of posting to a user's Facebook status, and I am having some problems with the authorization process. Basically, I have a struts2 action that redirects the user to the Facebook login page, which then redirects back to me with a "code". I then use this code to access another Facebook URL (to trade it for an access token).
The problem is, and I'm likely just missing something simple, that this second Facebook URL doesn't redirect to an action; it instead just returns a page with the access token on it. So, my question is, how would I access that token to put into my database, preferably without showing the access token to the end user?
TLDR; Any idea how I could call a request from an action in struts2 to an external url and parse the response without showing it to the user? Thanks!
Cheers,
Lukas Rezek
So basically you would want 3 pieces:
Interceptor
authRequest action
authResponse action
So the flow is:
Interceptor would check if current user has auth token, if not - it will redirect to authRequest action
authRequest action will fill up your app details - create url graph.facebook.com/oauth/authorize?client_id=xxx&redirect_uri=yyy etc
Please note that redirect_uri is exactly the authResponse action, so after the user authorizes your app the browser will redirect to the authResponse action
authResponse action is the place where you retrieve the token, save it to the DB and probably set it in the session. After you are done with that, you are done with login and you can redirect to your application home action
To access an external web site within a struts action you have two choices. Create a socket, connect to the external site, send your request via the socket.outputStream and parse the response via the socket.inputStream, or use a browser emulator such as Apache HttpComponents or HTMLUnit.
I wouldn't let the user of my web-app anywhere near the Facebook site - I would have my own page that asked for the FB login and would handle the interaction with the facebook site using one of the two methods above. I would favour using HTMLUnit as that is designed to look like a browser to the remote site.
I have a java web application running on WebSphere 7. The application uses form authentication method and part of the application accesses some protected resources using ajax requests. However, when the user's session expires, I am getting the login page in place of the content that is supposed to be refreshed by the ajax request.
Is there a good way to handle this problem? WebSphere returns a response status 200 with the login page so I cannot rely on that.
Maybe there is a way to tell the server that basic authentication should be used in certain circumstances but I don't know how.
I also thought of checking first if the session is new by making a request to unprotected resources first then return a certain status but it looks like a code smell solution...
This is how I handled it in a similar situation. In our case, the AJAX response is always JSON. When the login expires, the authentication filter always sends a login form in HTML. So I check the content-type like this,
if ((this.getHeader('Content-type') || '').include('application/json'))
If it's not JSON, I simply redirect to another protected page, which will trigger a full screen login and then that page will direct user back to the AJAX page.
You can send back some unique response or some error code (make sure you won't get this error code as a valid response in any case) to the Ajax call from WebSphere when the user session is not there. And in the Ajax call method, on processing the response, check whether it's the error code. If it's the error code, redirect him to the login page or do whatever; the other case will be the valid data.
To implement single sign off, I would like the user to get logged out of application B additionally whenever the user clicks logout on application A. Is it possible to implement this using some form of a POST request to application B? i.e. when the user clicks on logout:
Generate existing POST request to logout of application A
Generate additional POST request to logout of application B as well.
The cleanest way to do this is to check if your SSO provider has a single-sign-off feature.
Coding this up and deploying it would make your overall IT solution a bit brittle.
Another suggestion is to take this up with your (Enterprise) architect, as SSO is usually an enterprise initiative, and point her to the (very cogent) arguments in this post: http://lists.danga.com/pipermail/yadis/2005-July/001085.html
Yes, how you do it depends on the programming language you are using.
For example under ASP.Net you'd use System.Net.HttpWebRequest within the handling of the Logout event of application A to make a logout request to application B
If you can post what language you're working in I can give a proper example
Depending on the implementation of your authentication system, probably you can/need to send the POST using JavaScript instead of from server-side.
Without specific information, it's hard to give a specific answer, but as you're referring to POST, I'll assume a browser is involved.
POSTs (without using Javascript or similar) occur when a form is submitted. As the form can have only one action, it can only target one server-side page.
One solution is to simply have Application A forward sign-out credentials to Application B once one action is received, which allows for more opportunities to check returns.
If, however, you're set on POST'ing to different pages, see this tutorial for one iframe-related hack - http://www.codeproject.com/KB/scripting/multiact.aspx
If your login session is stored by a cookie, and there is nothing else you need to supply to log out of application B, clearing the cookie in JavaScript will usually destroy the session and sign the user out.
How about making it a cookie-based authentication? The same cookie authenticates a user for various applications (in your case 2 different applications). Once a user signs off from one application (app A), invalidate the cookie (by expiry date) so that whenever the user sends a POST request to the rest of the applications (app B) the request is not processed. A Servlet that traces each POST request to validate the cookie is required for each application.