I'm building a REST back end based on spring and i'm using spring security to secure the requests. But i'm lookin for an issue to login by sending parameters in json rather than defaults parameters sent by the default login page of spring security.
I'm working with spring security 4.0.1 and spring 4.1
Any issue please?
If you're using just username and password, you can simply add a new filter to the stack, akin to the existing UsernamePasswordAuthenticationFilter, that would react to a specific URL only (just like the default one reacts to j_spring_security_check only), parse the JSON and create the very same UsernamePasswordAuthenticationToken that the default filter creates. This leaves the auth provider the same as the token didn't change.
If you need more fields in addition to username and password, either create a new token type (or use existing one if it makes sense) and a new auth provider that can deal with that token type. You can also just cram extra fields into UsernamePasswordAuthenticationToken using setDetails(), but this is a bit hacky.
Related
I started using SpringBoot and like it a lot. I see that #RestController automatically serializes POJOs to json. I like that functioonality, but would like to use it outside of a web server context.
Basically I'd like to have all the part of SpringBoot until the point where the response is in JSON format, but then I don't want to deliver it via a web server, but rather my own implementation.
Is there an interface I have to implement in order to get SpringBoot to accept non-web-requests and return non-web-responses.
An example to make clear what I want:
Right now I can access localhost:8080/hello and SpringBoot will return "world".
Is there a way to make this work on console. E.g. I enter "hello" on console and press enter and I get "world" delivered to console by SpringBoot.
So instead of a web interface via tomcat I'd like to implement a console interface but with the same SpringBoot functionality.
UPDATE: The console application was probably not the right example. I am looking for a more general approach. So let's say instead of a console interface I want an Arduino to be able to send "hello" to SpringBoot via a serial bluetooth connection and SpringBoot should return "world" on that same bluetooth serial connection. My question is, whether there is an interface I need to implement in order to tell SpringBoot how to accept REST requests and how to send responses. And I don't want to focus on a particular implementation (like console or BT serial), but instead, once the SpringBoot application is created, I'd like to just replace the tomcat web interface by a BT serial interface or a console interface or any other interface I want to implement, but keep all of the logic (Controllers, Models etc).
Thanks.
Sure! You can create a console application.
You will need to create a class that implements ConsoleRunner. Please find a tutorial here:
https://www.baeldung.com/spring-boot-console-app
If it is the JSON de/serialization that interests you.
You can use Jackson's ObjectMapper .
You don't need the whole spring-boot web stuff.
You can ommit the starter-web dependency and use CommandLineRunner and jackson to have a console application that de/serializes your responses/requests to json.
I'm using an HTML client, and have the following situation:
Using Embarcadero's RAD Server's built-in method for authentication, I have successfully logged in a user and would like to now pass the session token back and forth in such a fashion that the connection is RESTful. The problem lies in the fact that for some reason, I have no clue as to how to track said session token within RAD Server. Embarcadero themselves have been secretive, telling our company that we can do it with Sencha/ExtJS, but we'd prefer not to have to buy even more software. The overall structure is as follows:
Login POSTs username and password (working) to RAD Server (still working) and receives response complete with session token. At this point, I want to open up another HTML file and maintain that session token AS I show data, such that with every JSON request, I send that session token. But in RAD Studio, as far as I can tell, I cannot manually add JSON data to an already-constructed JSON object to feed to the FDBatchMoveJsonWriter component. Any suggestions/examples anyone has done regarding this, if it is even possible?
I've not yet used RAD Server, but post to many REST services. Might RAD Server support Authentication additions in the header? I connect a THTTPBasicAuthenticator to my TRESTClient and in the OnAuthenticate event add token data.
procedure TCLTSProcessor.RESTAuthenticatorAuthenticate(ARequest: TCustomRESTRequest; var ADone: Boolean);
begin
ARequest.AddAuthParameter('token', userToken, pkHTTPHEADER);
end;
Another method I use is connecting a TOAuth2Authenticator to the REST client and set the TokenType to ttBEARER and set the AccessToken property.
Hi I am new for nopcommerce 3.5. I need to write a restful web service api to third party(for eg mobile) access the service. I know that we can access through Nop.Plugin.Misc.WebServices . I had enable the service from administrator site.
But now is my question. How can i call the web service for eg GetPaymentMethod , product list and etc
And if I want to write my custom web service by using web api. what is step to create? I cant find any documentation about the web service. Please guide me some example
Thanks
If you want a really quick start in writing a web service in NopCommerce, you can follow the MVC architecture and:
Create an Action method inside a Controller that you find appropriate for your purpose. For example, if you want access to a product list, you might create an Action inside CatalogController that follows the logic of the existing ProductList action.
Set up a Route in RouteProvider.cs to point to the Action you created. Based on this route you can deduce the URL of your service.
Do the processing that you need inside the Action. If this Action/service is to be called with parameters (in query string format: param=value¶m2=value2), you can just put these parameters in the Action's header:
public ActionResult QuickService(int param, string param2) { ... and .NET will take care of having them initialized.
Store results in an object (can also be an anonymous object) and at the end of your action, return it as Json: return Json(resultsObject); Again, ASP.NET takes care of the JSON serialization and automatically sets the Content-Type HTTP response header to "application/json".
You can consume the service calling the URL that corresponds to the route of your Action.
If you want users to be able to log in, by using the above method, it gets a little bit trickier. You need the webservice client to be able to accept and send cookies, as well as make appropriate services for Login, Logout, Register,...
However, in this case, you might be better off with a mobile version of the site.
Final note: If you don't want to alter base NopCommerce code, you can apply the steps above to a plugin. The majority of NopCommerce plugins follow the MVC architecture, so you can apply the steps above.
I got a (Flask) backend powering an API that serves JSON to an Angular app.
I love the fact that my backend (algorithms, database) is totally disconnected from my frontend (design, UI) as it could literally run from two distinct servers. However since the view is entirely generated client side everyone can access the JSON data obviously. Say the application is a simple list of things (the things are stored in a JSON file).
In order to prevent direct access to my database through JSON in the browser console I found these options :
Encrypting the data (weak since the decrypting function will be freely visible in the javascript, but not so easy when dealing with minified files)
Instead of $http.get the whole database then filtering with angular, $http.get many times (as the user is scrolling a list for example) so that it is programmatically harder to crawl
I believe my options are still weak. How could I make it harder for a hacker to crawl the whole database ? Any ideas ?
As I understand this question - the user should be permitted to access all of the data via your UI, but you do not want them to access the API directly. As you have figured out, any data accessed by the client cannot be secured but we can make accessing it a little more of PITA.
One common way of doing this is to check the HTTP referer. When you make a call from the UI the server will be given the page the request is coming from. This is typically used to prevent people creating mashups that use your data without permission. As with all the HTTP request headers, you are relying on the caller to be truthful. This will not protect you from console hacking or someone writing a scraper in some other language. #see CSRF
Another idea is to embed a variable token in the html source that bootstraps your app. You can specify this as an angular constant or a global variable and include it in all of your $http requests. The token itself could be unique for each session or be a encrypted expiration date that only the server can process. However, this method is flawed as well as someone could parse the html source, get the code, and then make a request.
So really, you can make it harder for someone, but it is hardly foolproof.
If users should only be able to access some of the data, you can try something like firebase. It allows you to define rules for who can access what.
Security Considerations When designing web applications, consider
security threats from:
JSON vulnerability XSRF Both server and the client must cooperate in
order to eliminate these threats. Angular comes pre-configured with
strategies that address these issues, but for this to work backend
server cooperation is required.
JSON Vulnerability Protection A JSON vulnerability allows third party
website to turn your JSON resource URL into JSONP request under some
conditions. To counter this your server can prefix all JSON requests
with following string ")]}',\n". Angular will automatically strip the
prefix before processing it as JSON.
For example if your server needs to return:
['one','two'] which is vulnerable to attack, your server can return:
)]}', ['one','two'] Angular will strip the prefix, before processing
the JSON.
Cross Site Request Forgery (XSRF) Protection XSRF is a technique by
which an unauthorized site can gain your user's private data. Angular
provides a mechanism to counter XSRF. When performing XHR requests,
the $http service reads a token from a cookie (by default, XSRF-TOKEN)
and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript
that runs on your domain could read the cookie, your server can be
assured that the XHR came from JavaScript running on your domain. The
header will not be set for cross-domain requests.
To take advantage of this, your server needs to set a token in a
JavaScript readable session cookie called XSRF-TOKEN on the first HTTP
GET request. On subsequent XHR requests the server can verify that the
cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that
only JavaScript running on your domain could have sent the request.
The token must be unique for each user and must be verifiable by the
server (to prevent the JavaScript from making up its own tokens). We
recommend that the token is a digest of your site's authentication
cookie with a salt for added security.
The name of the headers can be specified using the xsrfHeaderName and
xsrfCookieName properties of either $httpProvider.defaults at
config-time, $http.defaults at run-time, or the per-request config
object.
Please Kindly refer the below link,
https://docs.angularjs.org/api/ng/service/$http
From AngularJS DOCs
JSON Vulnerability Protection
A JSON vulnerability allows third party website to turn your JSON resource URL into JSONP request under some conditions. To counter this your server can prefix all JSON requests with following string ")]}',\n". Angular will automatically strip the prefix before processing it as JSON.
There are other techniques like XSRF protection and Transformations which will further add security to your JSON communications. more on this can be found in AngularJS Docs https://docs.angularjs.org/api/ng/service/$http
You might want to consider using JSON Web Tokens for this. I'm not sure how to implement this in Flask but here is a decent example of how it can be done with a Nodejs backend. This example at least shows how you can implement it in Angularjs.
http://www.kdelemme.com/2014/03/09/authentication-with-angularjs-and-a-node-js-rest-api/
Update: JWT for Flask:
https://github.com/mattupstate/flask-jwt
I'm trying to communicate with SalesForce from Biztalk.
To make a POC where I just login I tried the following:
Visual Studio:
Generate schema from SalesForce partner wsdl
Biztalk:
I made a receive location which reads a login.xml message containing username and password. Then imported the SforceService.BindingInfo.xml to make my sendport and setup filters on it.
When I run the example i get the following exception:
WcfSendPort_SforceService_Soap
https://login.salesforce.com/services/Soap/u/24.0
System.InvalidOperationException: An action mapping was defined but BTS.Operation
was not found in the message context.
at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient
I want to invoke the following operation on the SalesForce webservice:
<Operation Name="login" Action="" />
Any ideas on how to call login without using orchestrations ?
From http://msdn.microsoft.com/en-us/library/bb743856.aspx
Specifying action mapping for WCF.Action in an Expression shape is not supported. You need to specify the action mapping in the WCF transport properties dialog box. Then the WCF adapter will look up the SOAP action by using the BTS.Operation context property, which the orchestration sets to the name of the operation on the port where the message is sent.
If outgoing messages are routed with content-based routing (CBR) where the http://schemas.microsoft.com/BizTalk/2003/system-properties#Operation property is not set, WCF send adapters will set the whole action mapping string to the action of the outgoing WCF messages. To work around this, you can do one of the following:
Set the action field on the send port to http://MyService/IMyContract/MyAction1.
Set the BTS.Operation context property in a pipeline. For example, set the value of http://schemas.microsoft.com/BizTalk/2003/system-properties#Operation to Operation1.
Leave the action field blank and use the action from the incoming message instead.
You can also use the BizTalk WCF Service Consuming Wizard to consume the WCF services with single action or action mapping. For more details, see How to Use the BizTalk WCF Service Consuming Wizard to Consume a WCF Service.