I am involved in development of a portal style application. The diagram above shows the core UI wireframe of the application. There is one main application mainApp which acts as the portal application. It contains a sidebar menu which provides "entry points" to launch various other web applications (App1, App2... AppN) which are independent, separately packaged and deployed war files, running in same Tomcat server as mainApp.
All applications are Spring (3.2.x) based and have spring-security (3.2.x) integrated. User only logs into mainApp using spring security's standard login form mechanism. Obvious expectation is that the user does not have to login to each individual application they launch from sidebar menu. Same user should be logged into each of the launched application automatically.
App1, App2,... AppN are loaded via their respective URLs in an iFrame within the mainApp's page as illustrated in the diagram as well.
As a very rudimentary first iteration, I have implemented a filter extending Spring's AbstractPreAuthenticatedProcessingFilter in each of the portal applications. The filter looks for a URL parameter authToken and automatically logs the user in, if the parameter is found and is Base64 (I know, very weak!) decoded to be the user name. If token is not found, user might see a spring security login screen inside iFrame (ugly).
Questions:
Is there a better, more secure way compared to query parameter, to pass the authentication token or ticket to the application being launched inside the iFrame? I presume I can not use request headers as there is no way to pass them when main portal app sets the URL in iFrame? Or is there a way? Or any other mechanism?
When the user logs out of the mainApp, how do I log the user out of each of the App1, App2...AppN that user has launched and got pre-authenticated into? Programatically hit the spring security /logout endpoint in each application when logout occurs in main portal app?
Thanks!
I have an idea:
You can set spring security login page to another page which redirect parent to login page:
spring security config:
formLogin().loginPage("/redirect_login.jsp")
redirect_login.jsp:
window.parent.location.href="./login.jsp"
Related
I have implemented a Vaadin (23) app using Spring Boot (2.6). To access the app, users need to be logged in. To manage the login flow, I use the LoginForm of Vaadin. How can I redirect authenticated users to a defined view after login?
I would recommend you to download starter app via https://start.vaadin.com/ select few views to app with different access levels etc. This application will use VaadinWebSecurity / VaadinWebSecurityConfigurerAdapter that extends the regular Spring Security conf. It will use request cache to store original request and use stored path after login to redirect to view (the mechanism is built-in this helper class and you do not need to implement yourself). See also the documentation:
https://vaadin.com/docs/latest/security/enabling-security
We are developing an TYPO3 extension that is in charge of managing the social network profiles. We used the extension "ps_social" as a guide for understand the social media network APIs could work with TYPO3 through Adapter Pattern.
I have the proof of concept of the implementation to authenticate a profile and publish in it but through only in PHP, now we want to take it to the TYPO3 extension.
My question is about the callback when authenticating a profile. Our extension sends us to the social network and when we return to our web page, with the token in the url, this does not change and shows the same screen of the plugin before redirect to the authentication in the social network. The callback url in manage app in Twitter has the id of our plugin's page. I check url for change the plugin action but doesn't work.
We see that this step is fundamental to be able to later make publications to the authenticated profiles in the application.
The problem could be that your authentication service is not triggered when returning to the TYPO3 site. Whether or not your service will trigger depends on several configuration options. By default, your service will only trigger when a POST login action is taking place - but there are options to define that, for example, the authentication service must always attempt to fetch (and thus authenticate) the user even if there is no POST login data (instead, GET parameters may be used to determine if authentication should be attempted).
There is also a caveat if you intend to log in BE users using this method. I've noticed that if you attempt to log in a BE user in the FE, then no action or configuration will be respected unless an existing BE user cookie exists (which it will if you've ever been logged into the BE). If you use the authentication service to log in to the BE normally there isn't this problem - it only applies if you try to do it in FE.
TL;DR: I'm guessing you need to configure the "always auth user" setting for the targeted BE/FE context, using parameters described in the "advanced" section of this link: https://docs.typo3.org/typo3cms/Typo3ServicesReference/Authentication/Index.html
The problem was resolved creating a new plugin. In the configuration of application in Twitter I can not set parameters as controller and actions, for example; only the page id. I had to create a plugin in my TYPO3 extension that execute in one page the action for get information of callback, process and return the page with the list of social profiles. This We did it in each one social networks (Facebook, Google+ and Instagram) for their callback URL to be correct.
Bottom line, I want to create a new provider for logging in to my web.
The big picture.
We are developing hybrid mobile application using ASP.Net MVC5 (with angular on front).
The entire application is based on web view except of the log in page.
The user can log in using his Facebook and Google account. This is done 100% by the native application (we have to do that way in order to invoke the mobile app and not the browser i.e open the Facebook/Google mobile application).
After the native application get the confirmation from the external provider it should log in to my website.
I had 2 ideas of doing it. The first was that the native application will send me(the ASP web application) the user email address (using Restful service) and some encrypted data, I will decode and validate it and if everything alright I'll sign in the user and return the authentication cookie.
The second idea was to do it in 2 steps, the native app will send the username and a token, then I (the ASP web application) will send back the token and receive an answer if the token is genuine and valid. If it is, then I will log in the user and return an authentication cookie.
In both ways I have 2 problems:
I don't know how to sign in a user with no username/password or Facebook/Google. How do I do it?
I don't know how to manually return authentication cookie.
The real problem is that until now I've only used the identity feature in the classic way.
Thanks from advance,
Shaul
I have legacy database for my app and I have to add app to common sign in where the user table related to sign in is not accessible, but I have access to app which gives JSON output for login authentication.
For this I'm trying to use spring security plugin but I am not able to figure out the entry point of url and how to redirect input from login page to url.
Thank you all above answers helped me alot along with objectpartners.com to customize spring security plugin
https://objectpartners.com/2013/07/11/custom-authentication-with-the-grails-spring-security-core-plugin/
https://github.com/JacobASeverson/smart-notes
I have installed rubycas-server on my server. I have a ruby app that supports CAS on mysite.com. I would like to have the rubycas-server login page at login.mysite.com.
I have followed the instructions at http://code.google.com/p/rubycas-server/wiki/HowToConfigure and configured my config.yml file.
I have started the rubycas-server but I don't see a login form at login.mysite.com. There isn't anything on login.mysite.com. I have setup the uri_path to login.mysite.com. I thought that it would display the login form when I start the rubycas-server but it doesn't. I guess I am still missing something. What am I suppose to put on login.mysite.com in order for the login page to display? Is there suppose to be another ruby app?
Sorry, I am new to this.
Remember that the CAS is a single sign-on app and the CAS login page is meant to be central to all of your applications. So a typical usage would be that you have your CAS server running on one machine, and the login will be at somedomain.com/cas. Then you have a bunch of applications that want to authenticate, at mysite1.com, mysite2.com, etc. If you try to browse to a CAS-protected page in one of those applications, you'll be redirected to somedomain.com/cas, where you'll sign in, and then CAS will redirect you back to the page you wanted on, say, mysite2.com.
Out of the box, you should see the login by going to the domain that rubycas-client is installed on and going to /cas.
Basically, it sounds like you're expecting the login page to be part of your application, and with CAS, it's not.