I have just discovered that the CSRF component is now separate from the security one and needs to be loaded separately.
I was wondering should I just load it for the entire app or only for vulnerable pages/actions.
I have an app with 6 frontend pages with a contact form and login page. Everything else is protected behind the auth component.
The purpose of components is to share functions between multiple controllers. The CSFR page also has a tidbit about how to disable CSFR for a certain action (though frowns upon it) in the beforeFilter function. This all leads me to saying that you should enable it in your AppController with your other components like the Auth component and others.
Disabling CSFR for an Action
Related
I am just looking into .Net Core's Identity system for authentication I have a home screen (a razor page with #page "/") that has a login form. I would like to use this login form to authenticate the user.
Every example I've seen seems to use Areas/Identity/Pages/Account/Login.cshtml generated from the Identity.UI package, I would like to avoid this and ideally I would like to be able to authenticate a user from a Razor component thus allowing me to authenticate from any page.
However, from what I've read for reasons I don't yet understand fully that's not possible. I'm not sure if this information is out of date.
So, is it possible to authenticate a user using _signInManager.PasswordSignInAsync from a razor page or component in .NET 5?
Is there a way to get an example of implementing the 3 legged authentication process in React without using Redux?
The boiler plate is just way complicated for the majority and I guess is good to have something more simple for "the rest of us".
EDIT
To persist Redux states I can think of two options off the top of my head:
Open a new window session for the authentication and you can close the window and notify the parent window since they'd in the same domain once the callback arrives
Or persist all essential states to localStorage/sessionStorage to load back after direction
Although we don't exactly have a React sample to generate 3 legged tokens but the that very process has no more to do with your backend - you'd not want to generate a 3 legged token in your front end for security reasons.
So far as React or any front end framework is concerned it's a matter of redirecting the user to sign in to their Autodesk account and set up the callback handler in your backend properly to receive the access code - see our official tutorial for details and there's sample code for both front (albeit in vanialla JS) and back ends
Feel free to comment if you have any specific question re this process.
In my application hitting service call on every page navigation and showing MessageDialog to user.
My problem was when I hitting service call (await) on page navigation "Page1" to "Page2" whereas service call taking certain time to complete meantime user taps back to "Page1"
In that case user seeing "Page1" and await service call completed on "Page2" and showing that service response message in "Page1".
How can I avoid MessageDialog suppose user navigates back from that page.
First of all, you should avoid using MessageDialogs for this sort of information. You should think about using a ProgressBar or ring to indicate that your app is performing a task in the background (calling your service). This way, your users won't be interrupted in their interactions with the app, yet still be aware that something is going on in the background.
If you are using an MVVM pattern, your ViewModel or Model classes should be doing the heavy lifting of talking to the service. If your app absolutely must show MessageDialogs, I'd recommend creating an event in your back-end classes that will cause the UI to show the MessageDialogs on completion of the call. That way you can subscribe to those events when you load the page, and unsubscribe from them when you navigate away. In this way you can avoid messages appearing from Page2 when you are on Page1 of your app.
I am trying to implement a small application using Swing and MVC Design Pattern with MS SQL Server as the backend.
The application starts with a simple login form. Also there are two kinds of roles for the users of the application.
Administrator: Can create, delete, modify, view all users plus all the functionality the application provides.
Application Users: Can only use the functionality the application provides.
I'm thinking to have two separate Frames i.e. UI for each role.
The main login form/GUI acts as a view, with a Login controller class which registers the view using Observer pattern. The button registers the event, which the controller listens, calls the appropriate DAO to connect to database and verify if the user can log on to the application.
The stored procedure for login returns access_role i.e. either administrator, application user, unknown user or non-authenticated user which is returned through DAO back to Login Controller.
I want to keep the coupling as low as possible, hence the separation of concerns and MVC design with Observer Pattern.
Now my questions are,
Should the Login controller decide based on the access_role returned to show either the application user UI or the Administrator UI or should it pass that information back to the Login UI which should initialize the respective GUI ?
If the Login Controller should decide which UI to initiate, then it would need to set all listeners as well for the respective GUI? Is that a good design decision or is there a better way of doing this?
If the Login Controller passes the access_control back to the Login Form, then that Login Form would have to initialize all the Listeners for the new GUI and instantiate the new GUI as well? Is this better than the controller doing the stuff?
Should the UI for Administrator and Application User be JFrame or Dialogs ?
Hoping to hear your views about it.
Best regards,
Kashif Khan
I'm not sure if I would want the Login Controller or the Login UI initialize a different part of my application. In the interest of keeping things decoupled I would want the Login stuff to handle no other function but logging in a user. It might be a good idea to have like a Application Controller that initializes the Login part of your application and when it authenticates a user pass that message back to it which will decide which GUI needs to be initialized next.
As stated in part 1, the the Login Controller should just pass a message back to the Overall Application Controller which will make a decision on which part of the Application needs to be initialized next.
It would seem out of scope of the Login Form to handle all of these actions. The Login form should merely just communicate to the Application controller whether login was successful or not and some basic information about the user so additional information can be gathered as needed from the database on during the next part of initialization.
From the JDialog Oracle Documentation "A Dialog window is an independent subwindow meant to carry temporary notice apart from the main Swing Application Window" This being said you wouldnt want to use Dialogs for your main application. You could however use a Dialog for the Login form if you chose to and that would be acceptable.
I hope this helps.
I'm playing with the idea of having a completely decoupled HTML5 frontend, but still user authentication for a web app. Is this possible or will I run into some heavy browser security issues?
The idea is to have all static content delivered through a CDN on like example.com, and having it fetch dynamic data (and user authentication) through a separate subdomain, like api.example.com.
This would speed up the loading time of the site, and I could keep the frontend stuff in a completely separate repo so that the developers don't have to worry about setting up the backend to develop and test new features.
Is this already possible in some JS framework perhaps, backbone.js, angular.js, ember.js, knockout.js ?
It definitely is, but I think it is more about approach rather than technology. I have implemented what you describe for a project (it's online but don't want to do a shameless plug here, if interested to check it out I can post the link). My stack is java in the backend exposing a REST api for both autentication and business logic. The client is a backbone.js application. I explicitely decided NOT to use sessions at all. It is completely stateless. This of course means that the user must be re-authenticated at every request.
When the user logs in through a slightly modified OAuth endpoint, it gets a token that must be passed at every request. Cookie works in this case as they are handled automatically by the browser. If not passed as cookie, the backend expect it as a parameter. The frontend communicates using the REST endpoints. It's a single-page application, full client side, this means that the backend serves a page that is basically empty, that include few JS files that are the application itself. No other pageload occurs. Logout is done by simply deleting the cookie or not sending the authToken, the server cannot and doesn't have to "forget" about the user. Token are nice as they can be invalidated, both expilcitely or by changing the password. I've chosen this approach as it made it easy to develop desktop app and browser plugin for my webapp without touching a single line of backend code.