GWT Spring security - Client - security

I have managed to integrate spring security to my GWT application using the following approach:
http://technowobble.blogspot.com/2010_05_01_archive.html
Note that I used the gwtrpcspring library for basic spring integration with GWT and it works well (non-invasive and efficient).
My question, for which I can't seem to find the answer, is how to use Spring Security in my GWT widgets based on authorization - for example, I wouldn't want to show a menu item or a save option to a user who doesn't have the authority for these. Of course, my methods are protected at the server side, but I wouldn't want a user to click on something only then to find out they have no access to it. I don't want to litter my presentation logic with security related code (if-else blocks) if possible.
Is there something equivalent of the spring security jsp tag library that can be used within GWT client code? Or do we have to build up something on our own?

No - there is no equivalent, and what I have done is set up a user role profile and pass this over at login, which is then published to the presenters that handle it accordingly.
Ian

Everything you need is just to add Spring Security framework into your project.
You can ask the server, using an RPC call at application start (after a successful login), who the current user is and which roles he has.
I suggest using my project hosted on https://code.google.com/p/gspring for simple and clear GWT and Spring integration.
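The pattern both answers describe (ask the server once after login, then let presenters decide what to show), as an added example that is not the original poster's or the gspring project's code. It assumes a plain GWT RemoteServiceServlet whose URL is inside the Spring Security filter chain; the service and helper names (AuthzService, ClientAuthz) are invented for the example, and the three types are shown together but belong in their own source files.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.client.ui.Widget;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Shared RPC interface (client and server both see it); name is assumed for this example.
@RemoteServiceRelativePath("authz")
interface AuthzService extends RemoteService { Set<String> currentAuthorities(); }
interface AuthzServiceAsync { void currentAuthorities(AsyncCallback<Set<String>> cb); }

// Server side: report only the authority names Spring Security attached to this request.
// Never ship the principal object itself; the client needs nothing more than the names.
class AuthzServiceImpl extends RemoteServiceServlet implements AuthzService {
    public Set<String> currentAuthorities() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Set<String> names = new HashSet<String>();
        if (auth != null && auth.isAuthenticated()) {
            for (GrantedAuthority ga : auth.getAuthorities()) names.add(ga.getAuthority());
        }
        return names;
    }
}

// Client side: fetch once after login, then presenters ask before building their UI.
// This only hides controls for usability; server-side method security remains the real check.
class ClientAuthz {
    private static Set<String> authorities = Collections.emptySet();

    static void load(final Runnable onReady) {
        AuthzServiceAsync svc = GWT.create(AuthzService.class);
        svc.currentAuthorities(new AsyncCallback<Set<String>>() {
            public void onSuccess(Set<String> result) { authorities = result; onReady.run(); }
            // On failure assume no authorities: the UI then shows only public controls.
            public void onFailure(Throwable caught) { authorities = Collections.emptySet(); onReady.run(); }
        });
    }

    static boolean has(String authority) { return authorities.contains(authority); }

    // e.g. ClientAuthz.showIf(saveButton, "ROLE_EDITOR") inside a presenter
    static void showIf(Widget w, String authority) { w.setVisible(has(authority)); }
}
```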

Related

Node.JS webapp: Authentication, Create Account, Forgot Password and Change Password

I would like to develop a new web-app in node.js (using express). I am relatively new to node.js world, so I assume there are frameworks that I am not familiar with.
Is there any framework (like Spring for Java) that manages authentication (and saves the developer the trouble)? Or does each developer have to write this code over and over again?
Login/Logout is not all. There are other flows:
registration (create account),
forgot-password (and then set new password),
locking/unlocking an account,
change password
and I think I have covered all flows.
I know that each application has its own UI, forms, maybe with its logo, but the flow itself is similar for most applications.
In addition, I know that it is not that hard to implement, but it could be great to have some kind of tool / framework / infrastructure which implements the flows.
Is there such a tool/framework which helps applications' developers and implements these flows?
I've searched this issue but could not find anything.
Thanks!
Long ago I developed authentication-flows for Java over Spring, and recently I wrote authentication-flows-js.
It is a module that covers most flows - authentication, registration, forgot-password, change password etc., and it is secure enough that applications can use it without the fear that it will be easily hacked.
It is for node.js applications (written in TypeScript) that use express. It is open source (on GitHub). A release version is on npm, so you can use it as a dependency in your package.json.
In its README (and of course in the npm page) there are detailed explanations for everything and if something is missing - please let me know. An article will be published soon (I will add a link as a comment).
You can find here an example for a hosting application.
NOTE: I have heard comments like "It's not so difficult to implement". True.
But you have to make sure you take care of all cases. For example, what happens if a user tries to create an account that already exists? What happens if a user tries to create an account that already exists but is inactive? What about the password policy (too long/too short/how many capitals etc.)? What about sending the email with the activation link to the user? How do you create this link? Should you encrypt it? What about the controller that will receive the click on the link and activate the account? And more...

Is there 'switch user' add-on available for Node.js that behaves similar to the Grails plugin

I have a Grails application where we use the Grails Spring Security plugin to allow an admin to easily switch (or assume) another user. This has proven to be very useful for admins to debug user issues and for our testers to jump between roles.
Is there an easy solution available for Node.js that is similar to this Spring Security feature? Note that we're using JWT to auth every request, so not using server based token like Spring Security would.
No, but only because there is no equivalent security plugin for Node in the first place. There are popular projects such as http://passportjs.org/ that can provide functionality in this category, and each offers varying levels of support for what you're asking. But your request isn't relevant to NodeJS Core. User authentication and authorization are not core modules of that project.

Performing user authentication in Java EE / JSF / EJB, on JBoss [duplicate]

Currently, I am working on a web project using JSF 2.0, Tomcat 7 and MongoDB. I have a big question about how to handle the session management and authentication/authorization with users in a database.
The structure I want is as follows: only logged in users can create events and everyone can see the created events.
create.xhtml --> only for logged in users.
events.xhtml --> public for everyone.
The basic structure I'm planning is:
Check if the page requires a logged in user (e.g. create.xhtml)
If yes, check if the user is logged in
If the user is not logged in, go to login.xhtml
If successfully logged in, come back to the requested page
Keep the "User is logged in" information unless the user clicks the log out button. (there I guess @SessionScoped gets into play)
The question is:
What is the least complicated way of doing this?
Where should I use the @SessionScoped annotation? In Create.java or LoginManager.java?
Spring security looks kind of complicated for my issue, do I really need it? If yes, can you explain a little bit of how the implementation works together with JSF 2.0 and MongoDB?
There are several options. Which to choose is fully up to you. Just objectively weigh the concrete advantages and disadvantages according to your own situation.
1. Use Java EE provided container managed authentication
Just declare a <security-constraint> in web.xml which refers to a security realm configured in the servlet container. You can specify for your webapp the URL pattern(s) which should be checked for login and/or role(s), e.g. /secured/*, /app/*, /private/*, etc.
Before Java EE 8, you unfortunately still need to configure a security realm in a servlet-container-specific way. It's usually described in the servlet container's documentation. In case of Tomcat 8, that's the Realm HOW-TO. For example, a database based realm based on users/roles tables is described in section "JDBCRealm".
Since Java EE 8, there will finally be a standard API based on JSR-375.
Advantages:
Relatively quick and easy to setup and use.
Since Java EE 8 there's finally a robust and flexible standard API.
Disadvantages:
Before Java EE 8, realm configuration is container-specific. In Java EE 8, the new JSR-375 Security Spec should solve that with the help of JASPIC.
Before Java EE 8, there is no fine grained control.
Before Java EE 8, it's very spartan; no "remember me", poor error handling, no permission based restriction.
See also:
Performing user authentication in Java EE / JSF using j_security_check - contains complete code examples
Java EE kickoff application - example web application (developed by me) which also demonstrates Java EE 8 authentication with Soteria (the JSR-375 RI).
2. Homegrow a servlet filter
This allows for much more fine grained control, but you're going to need to write all the code yourself and you should really know/understand how to implement such a filter to avoid potential security holes. On the JSF side, you could for example just put the logged-in user as a session attribute via sessionMap.put("user", user) and check in the filter whether session.getAttribute("user") is not null.
Advantages:
Fine grained control.
Completely container independent.
Disadvantages:
Reinvention of the wheel; new features require a lot of code.
As starter, you're never sure if your code is 100% robust.
See also:
Is there any easy way to preprocess and redirect GET requests? - contains introductory explanation and kickoff example for authentication
Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same - contains more extended kickoff example for authentication which also covers ajax requests
How control access and rights in JSF? - contains kickoff example for authorization
3. Adapt a 3rd party framework
For example, Apache Shiro, Spring Security, etc. This usually offers much more fine grained configuration options than standard container managed authentication and you don't need to write any code for this yourself, except for the login page and some (XML) configuration of course.
Advantages:
Fine grained control.
Completely container independent.
No reinvention of the wheel; minimum of own code.
Thoroughly developed and tested by lots of users, so most likely 100% robust.
Disadvantages:
Some learning curve.
See also:
JSF2 - Shiro tutorial - an extensive tutorial on integrating Shiro in JSF2 webapp

What jar contains com.liferay.portal.security.permission.PermissionCheckerImpl in Liferay 6.1.2?

I am trying to follow http://liferaysatish.blogspot.de/2011/11/permissionchecker.html (which is basically a repost of another blog post).
I need to implement my own PermissionChecker to be able to support an SSO server (check if the user has been authenticated). However, the article mentions com.liferay.portal.security.permission.PermissionCheckerImpl, but there is no such class in any of the jars I looked in.
What I am trying to achieve is to tie Liferay's internal security to an external SSO server (wso2). If there is another way to achieve this, I would love to try it.
I was trying with AdvancedPermissionChecker and SimplePermissionChecker, but I get endless redirects using them.
regards and thanks
Leon
I need to implement my own PermissionChecker
I don't believe so. At least you can make your life easier if you integrate your SSO just like any of the already integrated 6 (or so) SSO systems, authenticating the current user to Liferay and then leaving the actual permission check to Liferay.
SSO is typically used for making sure the user is who they are, then redirecting to the application they're providing their services to. If you want to maintain permissions externally to Liferay, you're best off using an LDAP and grouping your users there. On the Liferay side, map those LDAP users/groups to Liferay usergroup memberships. Provide the required permissions/memberships for those usergroups and you're set. Implementing your own permission checking (which will also be used internally by Liferay) is one of the least maintainable ideas that I've ever heard of.
I believe the latest Liferay does not have this file anymore. You should search for it in the 5.0 version. And the JAR itself is in \ROOT\WEB-INF\lib\portal-impl.jar
http://docs.liferay.com/portal/5.0/javadocs/portal-impl/com/liferay/portal/security/permission/PermissionCheckerImpl.java.html

How to test load a web application?

I am working on a web app which uses JSF. I would like to know what the best practices and available tools are for performing a load test on it.
Application is hosted on glassfish server 3.1.2.2
Depends somewhat on the site you want to test. At work we have a complex RIA, and to test it we have to reproduce user interaction. We use jMeter for this.
It's kind of messy to set up (look at the guides they have) but once this is done it's very flexible and allows you to configure and tweak many things. I particularly like its "proxy" feature where you can proxy your app through jMeter and it records everything so you can play it back later on. Note that for JSF you have to do some tricks with the ViewStateId, so google a "jmeter JSF" guide for how to set this up.
In a previous project I have used RadView WebLOAD to test a JSF site; it enables recording the user scenario and handles correlating the dynamic values.