I'm currently building a web shop (which is supposed to support multi tenancy).
So my approach is to have a url setup like
appName/shops/shop1/controller/action
appName/shops/shop2/controller/action
Depending on the shop (shop1 or shop2) I have a different assortment. Then I have a list with items and a button to add them to the shopping cart. This action is secured an only accessible for logged in users.
My Problem is the following:
Default behaviour when clicking the "secured" button is to get redirected to appName/login/auth. This way I'm losing context of the shop that the user was browsing. I'm not sure if I can provide the context/shop to the auth process in a way that I can redirect to the respective shop after a successfull log in.
Another approach would be to provide a custom button instead that redirects to the login page if the user is not logged in which provides the context/shop name.
You can use the following scheme for the urls instead:
shop1.appName/controller/action, shop2.appName/controller/action. The login urls for each of the subdomains (shop1, shop2) will be: shop1.appName/login/auth, shop2.appName/login/auth. This way the context will never be lost. In case, you want the logged in user also is able to access appname/otherController/action as well (without logging in again), you may need to do something like this: http://www.intelligrape.com/blog/2012/03/21/sharing-http-session-between-subdomains/
Related
I am calling a webpage from an external webpage and I am passing a user id with the call (http://localhost:54697/?position='position'&user='user'). What I want to do is I want to put the user into an authentication process using the request variable.
It is a good place to do it at global.asax.cs/Application_Start() ? If so, is there any way to pass a request variable into it?
Or is there any suggestion?
UPDATE:
The external site has the credential info that is needed for my site's authorization. Shortly, I have a system on which I can go through several other websites via menus. One menu link will go to this (http://localhost:54697/?position='position'&user='user') Asp.Net MVC web site. Whenever the user clicks to the link, a userid will be sent through the link. Based on the userid I will go through an authorization
process on which I will check the userid and show menus based on the roles associated with the userid. In the controller I can get the userid
however, I do not want to check the roles in every controller. Whenever the link is clicked I want the system to go through a role provider and assign the roles associated with the userid and place role annotators to the controllers. As stated above I am not sure if it is a good place to do it at global.asax.cs/Application_Start() ? If so, is there any way to pass a request variable into it? Or Can I use the constructor of the controller for this purpose?
My question is about the MVC Antiforgery system (described here).
Consider a simple app which posts todos to /Todo/Create. The corresponding action method has the ValidateAntiForgeryToken attribute. Consider the following client workflow:
User A logs on and goes to the page to create a todo, but doesn't do it yet.
User B (physically on the same computer) opens a new tab in the same browser, logs out of User A's account, logs in as User B. The browser then gets User B's validation cookie.
Some time later, User A switches back to their original tab and hits 'create' on the todo they were making.
In this scenario, the Antiforgery verification will not pass because the form token was meant for User A, while the validation cookie is for User B.
I'm sure there are valid security reasons for this behavior (e.g. a script on another site that manages to login as malicious user so that the 'todo' data is posted to their account instead), but it doesn't stop the above scenario happening for my legitimate users sometimes.
My questions are:
Is there a 'best practices' way to handle this scenario? Is it usually just a case of showing a custom error, telling them to reload the page and/or login again etc?
Is there any way to know when the out-of-the-box MVC Antiforgery system runs into this error? It seems to only ever throw the same kind of Exception (HttpAntiForgeryException). Would I need to revert to using/modifying their source?
I see two ways of handling it:
Use Javascript callback to the server before hitting a button to detect if the user is still logged in. If not - display him a message. It should be relatively easy to do this. But it requires one additional call, and little bit more time to execute your request.
One solution to avoid callbacks could be using html 5 localStorage (and you can support that on other browsers using modernizr, for example). It is shared between tabs. But I'm not sure if this approach is good. Additional research required.
Catch HttpAntiForgeryException on the server, check if the user is logged in. If the user is not logged in, display him a message.
Usually approach (1) is used. On banking websites they detect with JavaScript when you logged out in other browser tab.
I've been unable to find any example of how actually to use zfcuser to authenticate users and prevent access to a website or routes.
My website successfully works when I access /user/login, but this is useless in a real application.
What I really need is:
1) If user is not logged in to the website, it needs to be forwarded to the login page
2) Attempting to access pages on any route will display the login page
How do I do this in my modules?
Take a look in the wiki. It tells you how to check if the user is authenticated, both in view and controller.
Also for access control, take a look at the following modules: BjyAuthorize, ZfcRbac, Eye4webAbac
We have some shopping cart pages which work with both guest and user paths. We want to allow a user to login at any time during the process but don't really want to create yet another login page. I'd prefer that we can simply redirect the user to the existing login and tell Spring Security what URL to come back to.
I know this happens automatically when sessions timeout and/or protected pages are requested without a session, but is there a way I can give the URL to Spring Security myself?
If you just need a simple return-to URL to retrieve the cart, then you are probably best to implement that yourself in an AuthenticationSuccessHandler. You can look at the source for SimpleUrlAuthenticationSuccessHandler and its parent for inspiration.
The default login mechanism uses the RequestCache and a SavedRequest, but that is intended to actually replay a request which would not otherwise be authorised. That's probably overkill in your case.
I know that I can use annotation or Request mapping to restrict access to an ACTION by some specific ROLES. But now I have a different circumstance.
My scenario is: every user of my site can create posts, and they can make their own post public, private, or only share to some other users. I implement sharing post by a database table PERMISSION, which specify if a user have the right to view a post or not.
The problem arises here is that when a customer access a post through a direct link, how can I determine he/she have the privilege to view it? There's 3 circumstances:
The post is public, so it can be viewed by anyone (include not-login
user)
The post is private, so only the login-owner can view it
The post is sharing, it means only the login-user that is shared and the
owner can view it.
I want to process like this:
If the requested post is public: ok.
If the requested post is private/sharing: I want to redirect
the customer to the login page; after
logging in, the user will be re-direct
to the page he wants to see.
The problem here is that I can redirect the user to login controller/ auth action, but after that I don't know how to redirect it back. The link to every post is different by post_id, so I can't use SpringSecurityUtils.securityConfig.successHandler.defaultTargetUrl
Could anyone know a way to do this?
Dunno about grails, but spring security has a spring-security-redirect parameter which can be used to redirect the user to the specified url on successful authentication.
I think you could add your own filter that will be executed before the action is called and do the verification of the post permissions there. You can find more information about Grails Filters here.
Have you looked at the Grails Spring Security ACL plugin? I don't know it very well, but it's designed to restrict access to particular instances:
http://grails.org/plugin/spring-security-acl
I have found a quick workaround for this problem:
If the user is logged in: check the user's privilege, and return the appropriate result.
If the user is not logged in: At view action, set the post_id by:
session.post_id = 8
Redirect the user to the Login Controller/ Auth action.
At checkrole action(which is my grails.plugins.springsecurity.successHandler.defaultTargetUrl in Config.groovy), if session.post_id exists, use it to build the link for re-directing to the view action. Before redirecting, clear the session.post_id.