redirect to https if user is logged in or display http otherwise using spring security plugin - grails

I have a search controller which lists search results for users. For anonymous users (not logged in) I want to display the page as http.
For logged in users (authenticated) I want to display the page as https. The reason is that authenticated users will see an additional link in their search results. The link pops up a modal dialog form that needs to send a secure form.
I'm using grails 2.2 and spring security plugin 2.0. I haven't found anything in the spring security config files. It looks like a page can be https or http, but not rendered either way depending on some condition.
I prefer not to do all https for performance reasons. How could I do this, with some type of filter?
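One way to do the scheme switch with a Grails filter, as an added example that is not part of the question or of the Spring Security plugin's own code. It assumes the Spring Security Core plugin's springSecurityService bean, a controller named search, and the two port numbers shown; the class name, file name and ports are hypothetical.

```groovy
// grails-app/conf/SecureChannelFilters.groovy (hypothetical file name; added example)
class SecureChannelFilters {

    // Injected by the Spring Security Core plugin
    def springSecurityService

    // Assumed ports for this example; in a real app read them from Config.groovy
    static final int HTTP_PORT = 8080
    static final int HTTPS_PORT = 8443

    def filters = {
        // Only the search pages switch scheme; every other page is left alone
        searchChannel(controller: 'search', action: '*') {
            before = {
                // Redirecting a POST would drop its body, so only GETs are moved
                if (request.method != 'GET') {
                    return true
                }

                // Behind a TLS-terminating proxy request.secure is false; only trust the
                // forwarded header if that proxy is the only thing that can reach this app
                boolean onHttps = request.secure ||
                        'https'.equalsIgnoreCase(request.getHeader('X-Forwarded-Proto'))
                boolean wantHttps = springSecurityService.isLoggedIn()

                if (onHttps == wantHttps) {
                    return true               // already on the right scheme, run the action
                }

                String scheme = wantHttps ? 'https' : 'http'
                int port = wantHttps ? HTTPS_PORT : HTTP_PORT
                String query = request.queryString ? "?${request.queryString}" : ''
                // forwardURI is the original request URI even after Grails' internal forward
                redirect(url: "${scheme}://${request.serverName}:${port}${request.forwardURI}${query}")
                return false                  // stop the chain; the browser follows the redirect
            }
        }
    }
}
```

The catch to weigh against the performance gain: the same session cookie is used on both schemes, so for logged in users it is sent in clear on every http page they visit, which is enough for someone on the path to take over the session. Marking the cookie Secure closes that hole but then isLoggedIn() is false on http pages, so the redirect above never fires. At minimum keep the login form and everything after it on https, and check whether serving only the search pages over https really costs more than that risk.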

Related

Authenticate user before displaying an iFrame

I am preparing to work on a project where I need to display a dashboard from an online application. Unfortunately, the use of an API is currently not possible. The dashboard can be embedded in an iFrame. However, when it is displayed it will prompt the user viewing the dashboard to log in to an account.
I have one paid account to this service. Are there any rails gems to log in to the service before the iFrame is processed?
Or would a proxy within my rails app be a better route to go?
Any pointers are appreciated!
Neither a Rails gem nor a proxy within your Rails app will work, and they both have the same limitation.
They are both running on the back-end, server side.
The authentication you need is client side.
Unless you mean proxy the ENTIRE thing, the auth request and all subsequent requests and user interactions with this dashboard. That should work but (see below)
The way authentication works (pretty much universally) is: once you log in to any system, it stores a cookie on your browser and then the browser sends that cookie for every subsequent request.
If you authenticate on the backend, that cookie will be sent to your rails code and will die there, and the user's browser will never know about it.
Also - it is not possible to do the auth server side and capture the cookie and then have the user browse the site with their browser directly, for two reasons:
Sometimes auth cookies use information about the browser or HTTP client to encrypt the cookie, so sending the same cookie from a different client won't work
You can not tell a browser to send a cookie to a domain different than your own.
So your options are, off the top of my head right now:
If there is a login page that accepts form submissions from other domains, you could try to simulate a form submission directly to that site's "after login" page. (The page the user gets directed to once they fill out the login form). Any modern web framework has XSRF protection (Cross Site Request Forgery protection) and will disallow this approach for security reasons.
See if the auth this site uses has any kind of OAUTH, Single Sign On (SSO) or similar type of authentication integration that you can do. (Similar to an API, so you may have already explored this option)
Proxy all requests to this site through your server. You will have to rewrite the entire HTML so that all images, CSS, stylesheets, and all other assets are also routed through the proxy, or else the URLs are rewritten in the HTML to not be relative. You might hit various walls if a site wasn't designed for this use case. From things like the site using relative URLs for assets that you aren't proxying, the site referencing non-relative URLs causing cross-domain errors, etc. Note it's really hard to re-write every single last asset reference; it's not only the HTML you're worried about, Javascript can have URLs in it too, and CSS can as well.
You could write a bookmarklet or a browser extension that logs the user into the site.
Have everyone install Lastpass
Have everyone install the TamperMonkey browser extension (and others like it for other browsers), and write a small User Script to run custom javascript automatically to log the user in on that site
Scrape that site for the info you need and serve it on your own site.
OK I'm out of ideas. :)

How to redirect to previous page on spring security access denied?

I'm using Grails and Spring Security. Some methods of the controller are annotated with @Secured and when the logged in user doesn't have the necessary roles I want him to be redirected to the last visited page instead of to /login/denied.
I guess that the real question is how to get the last page visited so that I can redirect him accordingly from the denied method?
There is a way to do this in JavaScript, using back button, but I am looking for a way to achieve this on the server side.
Maybe you could use an interceptor to store the history of your views and then with an accessDeniedHandler redirect to the previous one
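What that suggestion looks like in Grails, as an added example (not code from the question, the answer or the Spring Security plugin): a filter remembers the last page that actually rendered, and the plugin's denied() action sends the user back there. The filter class name, the session attribute name and the flash message are assumptions.

```groovy
// grails-app/conf/PageHistoryFilters.groovy (hypothetical file name; added example)
class PageHistoryFilters {

    def filters = {
        rememberPage(controller: '*', action: '*') {
            // "after" only runs when the action was allowed to execute, so a denied
            // request never overwrites the page the user actually came from
            after = { Map model ->
                // Record plain GET page views only, and never the login controller's own
                // pages (login form, denied page), or the redirect would bounce back to them
                if (request.method == 'GET' && controllerName != 'login') {
                    String query = request.queryString ? "?${request.queryString}" : ''
                    // forwardURI is set server-side from this app's own routing, so it is safe
                    // to redirect to later; do not store a user-supplied Referer header here
                    session.previousPage = request.forwardURI + query
                }
            }
        }
    }
}

// In the plugin's generated grails-app/controllers/LoginController.groovy the denied()
// action (which the plugin's accessDeniedHandler forwards to) can then read it back:
//
//     def denied() {
//         String back = session.previousPage
//         if (back) {
//             flash.message = 'You are not allowed to view that page.'   // assumed text
//             redirect(uri: back)   // uri: keeps the target relative to this app
//             return
//         }
//         render view: 'denied'
//     }
```

Keeping the stored value a path inside the application (rather than a full URL or the Referer) is what makes the redirect safe: there is no way for a crafted link to turn the denied page into an open redirect.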

Spring 3.1: Handling session timeout

I have an application that is wired with Spring 3.1 authentication. I have some pages which make AJAX requests to show some information on the dialog. Now, if the user's session has timed out, Spring redirects to the login page. I don't want an AJAX based login page. I would like the user to be navigated to the login page entirely, by canceling the current operation. Once the user logs in, navigate the user back to the last page where he was (from where the AJAX request was made).
The redirection stuff works fine if the request is made from a page.
The class which performs the redirect to the login page is the LoginUrlAuthenticationEntryPoint. I would write a customized AuthenticationEntryPoint implementation which detects the Ajax request (for example, by looking at the Accept header), and sends an error code instead of performing a redirect.
You'll still have to detect this on the client side though. There's not much Spring Security can do there, but you should be able to reload the current page from Javascript, which will force a login, followed by a redirect to the original page (default Spring Security behaviour).

PrettyFaces redirect to RESTful url after login

I'm using PrettyFaces 3.3.3. I have a requirement that if a user tries to view a page, but is not logged in, they are sent to the login page, and then redirected to the original page they wanted to view. Just wondering what would be the best approach for this.
You probably want a security framework here. The basic idea is that you'd want to intercept the requested URL in your security filter, save it into the user's session, then once authentication is complete (e.g. user has submitted the form with their credentials, or whatever mechanism you're using) you retrieve the saved URL from the user's session and perform a 302 Redirect to it.
This is not something PrettyFaces will help you with directly, except that you can use it to capture the URL more easily using PrettyContext.getCurrentInstance(request).getRequestURL();
There is an article about this here: http://ocpsoft.org/java/jsf-java/spring-security-what-happens-after-you-log-in/
Using OCPsoft Rewrite (core of PrettyFaces 4) you can do this programmatically as well, and even do the authentication directly in your security rules or annotation config: https://github.com/ocpsoft/prettyfaces/blob/master/annotations/src/test/java/org/ocpsoft/prettyfaces/annotation/jaas/JaasRolesBean.java
This is an upcoming feature but is not yet complete - we would love feedback.
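The save-then-redirect idea from the answer above, written out as an added example (not PrettyFaces', OCPsoft's or Spring Security's code): a servlet filter stores the requested path in the session and sends the user to the login page; after the credentials check, the login action asks the filter for the saved path and redirects there. The session attribute names, the /login path and the 'user' attribute that marks an authenticated session are all assumptions.

```groovy
// src/groovy/example/SaveRequestFilter.groovy (hypothetical; added example)
package example

import javax.servlet.Filter
import javax.servlet.FilterChain
import javax.servlet.FilterConfig
import javax.servlet.ServletRequest
import javax.servlet.ServletResponse
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class SaveRequestFilter implements Filter {

    static final String SAVED_URL = 'savedRequestUrl'   // session attribute name (assumed)
    static final String USER_ATTR = 'user'              // set by the login action (assumed)
    static final String LOGIN_PATH = '/login'           // login page (assumed)

    void init(FilterConfig config) {}
    void destroy() {}

    void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
        HttpServletRequest request = (HttpServletRequest) req
        HttpServletResponse response = (HttpServletResponse) res

        boolean authenticated = request.session.getAttribute(USER_ATTR) != null
        if (authenticated || request.servletPath == LOGIN_PATH) {
            chain.doFilter(req, res)          // nothing to intercept
            return
        }
        // Only a GET can be replayed by a redirect; a POST body would be lost anyway
        if (request.method == 'GET') {
            // Store path and query only, never scheme and host, so the later
            // redirect can only point back into this application
            String query = request.queryString ? "?${request.queryString}" : ''
            request.session.setAttribute(SAVED_URL, request.requestURI + query)
        }
        response.sendRedirect(request.contextPath + LOGIN_PATH)
    }

    /** Called by the login action after the credentials have been verified. */
    static String consumeSavedUrl(HttpServletRequest request, String fallback) {
        String saved = (String) request.session.getAttribute(SAVED_URL)
        request.session.removeAttribute(SAVED_URL)    // one use only
        // Accept an absolute path inside this app only; "//other.example" would be
        // read by browsers as a protocol-relative URL to another host, so reject it
        if (saved && saved.startsWith('/') && !saved.startsWith('//')) {
            return saved
        }
        return fallback
    }
}
```

With PrettyFaces the answer's PrettyContext.getCurrentInstance(request).getRequestURL() can supply the pretty URL in place of request.requestURI; the validation in consumeSavedUrl() stays the same, since whatever is stored is what the 302 will point at.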

Spring Security 3 with a login form for some URLs and an error page for others

I'm using Spring Security 3 to protect access to a Spring-based Java Web application. The security mechanism is all configured through a standard Spring Security bean definition file, using the "security" schema. By default the user can access any URL and those that require a login are listed in the “http” element of the Spring configuration file. The system is configured so that a user who has not performed a login will be redirected to a login form before they can access such a URL.
The problem that I have is that certain URLs in the system are intended for programmatic access and return XML rather than HTML. For such URLs I need to be able to return a “user not logged in” XML instead of forcing a redirect to a login form. How can I reconfigure my “http” element (and its associated elements in the configuration file) to allow me to have one set of controlled URLs that will redirect to a login form when the user isn't logged in and another set that will return an error?
Cheers, Adam.
Maybe an authentication filter helps you. Inside the doFilter() method of Spring's AbstractAuthenticationProcessingFilter you could check whether an XML file is requested. If yes, you interrupt the chain and return an error XML file if there's no active user session. See here for more details:
http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html
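Both the AJAX session-timeout question (Spring 3.1) and the XML-client question above come down to the same thing: an AuthenticationEntryPoint that answers with an error for non-browser requests and falls back to the normal login redirect otherwise. The class below is an added example, not Spring Security's or either poster's code; it assumes Spring Security 3.1 (the String constructor of LoginUrlAuthenticationEntryPoint), that AJAX calls carry the usual X-Requested-With header, and that programmatic clients send Accept: application/xml. The class name, bean id and XML error body are assumptions.

```groovy
// src/groovy/example/ContentNegotiatingEntryPoint.groovy (hypothetical; added example)
package example

import javax.servlet.ServletException
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.core.AuthenticationException
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint

class ContentNegotiatingEntryPoint extends LoginUrlAuthenticationEntryPoint {

    ContentNegotiatingEntryPoint(String loginFormUrl) {
        super(loginFormUrl)
    }

    @Override
    void commence(HttpServletRequest request, HttpServletResponse response,
                  AuthenticationException authException) throws IOException, ServletException {
        if (isAjax(request)) {
            // Plain 401 instead of a redirect: a redirect would make the XHR fetch the
            // login page HTML and try to show it inside the dialog
            response.setHeader('Cache-Control', 'no-store')
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, 'Session expired')
            return
        }
        if (wantsXml(request)) {
            // Programmatic client: an XML error document, still with a 401 status
            response.status = HttpServletResponse.SC_UNAUTHORIZED
            response.contentType = 'application/xml'
            response.characterEncoding = 'UTF-8'
            response.writer.write('<?xml version="1.0" encoding="UTF-8"?>' +
                    '<error code="not-logged-in">User not logged in</error>')
            response.writer.flush()
            return
        }
        // Ordinary browser navigation: redirect to the login form as before
        super.commence(request, response, authException)
    }

    private static boolean isAjax(HttpServletRequest request) {
        'XMLHttpRequest'.equalsIgnoreCase(request.getHeader('X-Requested-With'))
    }

    private static boolean wantsXml(HttpServletRequest request) {
        String accept = request.getHeader('Accept') ?: ''
        accept.contains('application/xml') && !accept.contains('text/html')
    }
}

// Wiring in the security bean definition file (assumed bean id and login URL):
//
//     <http entry-point-ref="entryPoint"> ... </http>
//
//     <beans:bean id="entryPoint" class="example.ContentNegotiatingEntryPoint">
//         <beans:constructor-arg value="/login"/>
//     </beans:bean>
```

On the browser side the page's AJAX error handler only has to react to the 401 by reloading the page; that turns the next request into a normal navigation, which the entry point redirects to the login form, and Spring Security's saved-request handling brings the user back to the page afterwards. Keeping the 401 for the XML clients as well means a script that checks status codes sees the failure even if it never parses the body.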
