I am working on the Login module of my Struts2 app. I have created the Login page and a home page (which is rendered by Login.action). Now I want to add another feature, forgot password, which after performing its business must call Login.action so that the user does not have to log in explicitly. What should I code, and where, so that as soon as ForgotPassword.action finishes its work it passes control to Login.action?
Encapsulate the logic for logging a user in into a separate class (e.g., UserLoginTask) and then call that class from your LoginAction and your ForgotPasswordAction.
I have a controller with a custom Authorize attribute on a method:
    public class ItemsController : Controller
    {
        [MyAuthorize]
        public ActionResult MyMethod() { return View(); }
    }
I also use Kendo ASP.NET MVC to create a menu. Kendo provides a great feature, security trimming: if I try to add a menu item for MyMethod, then as Kendo is building the menu it will check whether the current user has access to the MyMethod action. I don't know how this works or is done.
The issue I am running into is that my code in MyAuthorizeAttribute.AuthorizeCore() logs when a user makes a request and is not authenticated or authorized to view the requested page. This works great except when the user doesn't have access to one of the pages in the menu. Somehow Kendo triggers the MyAuthorizeAttribute.AuthorizeCore() code for the action/controller that the menu item points to. That's all fine, except I don't want to log that: the user didn't make a request to the action/controller, it is just an internal check.
So my question is, is there a way for me to determine if the call to MyAuthorizeAttribute.AuthorizeCore() is a security trimming request or an actual page request?
I am working on an iOS application that requires a user to log in. It has a Master View Controller that checks to see if the user is already logged in. If not, it segues to another view controller that displays a login prompt. When the user logs in there, the master view controller dismisses the login view and displays information appropriate to the user that logged in.
The application also stores user credentials in a settings plist. If that information is present, the application attempts to log in with the stored credentials. If that succeeds, the Master View Controller loads user-appropriate info. If not, it segues to the login view controller.
I ended up duplicating the code in the Master View and Login View controllers that verifies user id and password. Then I need to pass the user instance in the prepareForSegue method to any subsequent view.
Should I implement a singleton class to keep track of the logged-in user? It's tempting, because it seems like it could save a lot of work. Would it be better to delegate the user login method I'm using in the Login View controller back to the Master View Controller and pass the user instance in prepareForSegue each time I push a new view controller?
Should I implement a singleton class to keep track of the logged-in user?
You can certainly do that. However, you could also make a stateless helper class that reads credentials from the backing store as needed, avoiding the need to create a singleton.
I ended up duplicating the code in the Master View and Login View controllers
A stateless helper approach (i.e. a class with only class (+) methods in it) would prevent code duplication: the code that you ended up duplicating would go into the shared helper class.
The application also stores user credentials in a settings plist.
If an unencrypted password is part of the user credentials, this is not a secure solution. You should use Keychain Services to save credentials in protected storage.
I need some help. I am converting a Struts application to Grails.
There is a particular action I am trying to convert.
There is a form in a JSP that asks a user to select a customer from a dropdown list, and the user clicks one of two buttons.
When the user clicks on the "View Reports" button, an onclick event calls a JavaScript function that issues window.open on a Struts action class, passing the selected customer and selected action.
In the action class the HTTP request has some attributes set (request.setAttribute(..)) and a forward is performed to an external application. The attributes that were set are used by the application for sign-on. This is done as a POST.
My problem is I am not quite sure how to wire this flow using the Grails framework. I was able to get as far as the user selecting a customer, clicking an actionSubmit button, reading the selected customer from params, adding my attributes to 'request' and then... I am stuck.
How do I open a new window? (I tried the JavaScript way, as was done with Struts.)
Also, I am able to issue a redirect to the external site in the controller; however, a redirect is done as a GET and not a POST, and the redirect is done in the same window. Any help in laying this out would be awesome. Thanks
You can't redirect a user from the server using POST.
I can see some possible solutions:
1. If you don't need to pass through your server to validate or request some data, you can use this:
<form action="http://someotherserver.com" method="post">
2. Create a controller that redirects to a page on your own site, and in this page do the processing that receives the parameters and then redirects the user to another domain using Ajax.
In Grails, I've used createLink, with the 'base' attribute to do this.
<g:createLink base="${params.dynamicURL}">Link</g:createLink>
I think something like this would work, but you can research it here: http://grails.org/doc/latest/ref/Tags/createLink.html
For an application, I have users who have a profile. This application is "by invitation" only, and I need the user to fill in their profile before doing anything else.
I have an "IsCompleted" boolean attribute on the profile, so I have no problem knowing whether the user has to finish their registration or not.
But how can I create something which checks, on all pages where the user has to be authenticated, that the user's profile is complete?
I thought of creating a custom AuthorizeAttribute (in fact I already have a custom one, which checks some roles), but I don't know if it's the right place to make this kind of check, and how can I distinguish in HandleUnauthorizedRequest whether the request was rejected because the login wasn't valid or because the user didn't fill in their information?
You could either:
a) Put them into a 'limited' role until they enter their profile, and let the base authorisation code handle it, then add them to a 'full' role on entry of details.
b) Override the OnActionExecuting method in your controllers (or better on base controller that you use), to check to see if the user has entered their profile, before processing the rest of the action.
If I understood what you mean, then you already have that: simply use the standard authentication method. Do not forget you can use groups and roles, so even if a user is authenticated they can be excluded from some pages.
I am writing ASP.NET MVC application.
When the user first logs in, the application should display a page for his acceptance of the Terms of Use. If the user does not accept the terms, he will be redirected to log in page. If he accepts the Terms, then he can continue using my app.
Where is the best place in the application where I can check this condition in order to call RedirectToAction?
I would store the 'Accepted T&C' flag on a User object.
I would then retrieve the logged-in user information, check the flag, and redirect appropriately in the Controller Action.
If you have a "BaseController" type class that all other controllers inherit from, override the OnActionExecuting method and make the check there.
ETA - Obviously the controller that presents the terms page wouldn't have that behavior or you would end up in a redirect loop, so you would need to have a "BaseLoggedInController" or some such thing that all the controllers except for the one that presents the terms/login pages would inherit from.
There are plenty of sample applications out there that have authentication/authorization examples in them. Barring a better suggestion, I would take a look at how they handle access to a restricted page (i.e. if not authenticated then redirect to login, if not authorized then redirect to error, otherwise display page). Then you could use the same technique to redirect if they have not accepted your terms.
Implement an AuthorizeAttribute which checks the acceptance flag set on the user and redirects if appropriate. If it is not set, the user will be sent to the terms of use page. If he declines, he will be redirected to a "you must accept" page.
Implement a Controller base class which is an AuthorizeFilter. Implement the check in the OnAuthorization method.
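The "check a per-user flag in a base controller and redirect" approach recommended in both of the threads above (the "IsCompleted" profile flag and the "Accepted T&C" flag) looks like this when written out. This is an added example, not code from any of the answers; IUserProfileStore, AllowIncompleteProfileAttribute, BaseLoggedInController and the Profile/Complete and Terms/Accept routes are assumed names, while Controller, ActionExecutingContext, HttpUnauthorizedResult and RedirectToRouteResult are the real System.Web.Mvc types.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical store for the two per-user flags discussed in the questions.
// The application is assumed to wire it up through DependencyResolver.
public interface IUserProfileStore
{
    bool IsProfileCompleted(string userName);   // the "IsCompleted" flag
    bool HasAcceptedTerms(string userName);     // the "Accepted T&C" flag
}

// Marks the few actions that must stay reachable while the user is still
// "incomplete": the profile and terms pages themselves, and logout.
// Without this exemption the redirect below would loop forever.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
public sealed class AllowIncompleteProfileAttribute : Attribute { }

// Every controller that needs a logged-in user derives from this one.
// [Authorize] runs during OnAuthorization, before OnActionExecuting, so an
// anonymous request is already sent to the login page before the profile
// check runs. That ordering is what keeps "not logged in" and "logged in but
// incomplete" apart without inspecting anything in HandleUnauthorizedRequest.
[Authorize]
public abstract class BaseLoggedInController : Controller
{
    private readonly IUserProfileStore _profiles;

    protected BaseLoggedInController(IUserProfileStore profiles)
    {
        if (profiles == null) throw new ArgumentNullException("profiles");
        _profiles = profiles;
    }

    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        base.OnActionExecuting(filterContext);

        var user = filterContext.HttpContext.User;
        var identity = user == null ? null : user.Identity;

        // Defence in depth: a derived controller could override OnAuthorization,
        // so do not assume [Authorize] has already rejected anonymous callers.
        if (identity == null || !identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        if (IsExempt(filterContext.ActionDescriptor))
            return;

        string userName = identity.Name;

        if (!_profiles.IsProfileCompleted(userName))
        {
            filterContext.Result = RedirectTo("Profile", "Complete");
            return;
        }

        if (!_profiles.HasAcceptedTerms(userName))
        {
            filterContext.Result = RedirectTo("Terms", "Accept");
        }
    }

    // Exempt when the attribute sits on the action or on its controller.
    private static bool IsExempt(ActionDescriptor action)
    {
        return action.IsDefined(typeof(AllowIncompleteProfileAttribute), true)
            || action.ControllerDescriptor.IsDefined(typeof(AllowIncompleteProfileAttribute), true);
    }

    private static RedirectToRouteResult RedirectTo(string controller, string action)
    {
        return new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", controller },
            { "action", action }
        });
    }
}

// The page that lets the user complete the profile opts out of the check;
// the POST that saves the profile carries the same attribute, and the Terms
// controller is written the same way.
public class ProfileController : BaseLoggedInController
{
    public ProfileController(IUserProfileStore profiles) : base(profiles) { }

    [AllowIncompleteProfile]
    public ActionResult Complete()
    {
        return View();
    }
}
```

Two points worth keeping in mind. First, the exemption attribute is the concrete form of the "don't do this on the terms controller or you get a redirect loop" caveat from the answer above; logout needs it too, or a user who refuses the terms can never sign out. Second, because the check is made in OnActionExecuting rather than inside AuthorizeAttribute, a failed login and an incomplete profile never reach the same code path, which answers the question about telling the two apart in HandleUnauthorizedRequest. The alternative of putting new users in a 'limited' role until their profile is complete works with the same base class: replace the store lookups with User.IsInRole checks.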