I am trying to implement a small application using Swing and MVC Design Pattern with MS SQL Server as the backend.
The application starts with a simple login form. Also there are two kinds of roles for the users of the application.
Administrator: Can create, delete, modify, view all users plus all the functionality the application provides.
Application Users: Can only use the functionality the application provides.
I'm thinking of having two separate Frames, i.e. one UI for each role.
The main login form/GUI acts as a view, with a Login controller class which registers the view using the Observer pattern. The button fires the event, which the controller listens for; the controller then calls the appropriate DAO to connect to the database and verify whether the user can log on to the application.
The stored procedure for login returns access_role, i.e. either administrator, application user, unknown user or non-authenticated user, which is returned through the DAO back to the Login Controller.
I want to keep the coupling as low as possible, hence the separation of concerns and MVC design with Observer Pattern.
Now my questions are,
Should the Login controller decide, based on the access_role returned, to show either the application user UI or the Administrator UI, or should it pass that information back to the Login UI, which should then initialize the respective GUI?
If the Login Controller should decide which UI to initiate, then it would need to set all the listeners for the respective GUI as well? Is that a good design decision, or is there a better way of doing this?
If the Login Controller passes the access_role back to the Login Form, then that Login Form would have to initialize all the listeners for the new GUI and instantiate the new GUI as well? Is this better than the controller doing that work?
Should the UI for Administrator and Application User be a JFrame or a Dialog?
Hoping to hear your views about it.
Best regards,
Kashif Khan
I'm not sure if I would want the Login Controller or the Login UI to initialize a different part of my application. In the interest of keeping things decoupled I would want the Login stuff to handle no other function but logging in a user. It might be a good idea to have something like an Application Controller that initializes the Login part of your application; when it authenticates a user, pass that message back to the Application Controller, which will decide which GUI needs to be initialized next.
As stated in part 1, the Login Controller should just pass a message back to the overall Application Controller, which will make a decision on which part of the application needs to be initialized next.
It would seem out of scope for the Login Form to handle all of these actions. The Login Form should merely communicate to the Application Controller whether login was successful or not, plus some basic information about the user, so that additional information can be gathered as needed from the database during the next part of initialization.
From the JDialog Oracle documentation: "A Dialog window is an independent subwindow meant to carry temporary notice apart from the main Swing Application Window". This being said, you wouldn't want to use Dialogs for your main application. You could however use a Dialog for the Login form if you chose to, and that would be acceptable.
I hope this helps.
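The layering the answer describes, as an added example that is not the asker's or the answerer's code: the Login Controller knows only how to authenticate and reports a result; an Application Controller owns the lifecycle and decides which frame to build from the access_role. AuthDao stands in for the DAO that calls the login stored procedure, and the lambda in main() is a constructed test double, not a real SQL Server call.

```java
import java.util.Arrays;
import java.util.function.Consumer;
import javax.swing.*;

// Added example, not the asker's code. AuthDao stands in for the DAO that calls the
// login stored procedure; the lambda in main() is a constructed test double.
enum AccessRole { ADMINISTRATOR, APPLICATION_USER, UNKNOWN_USER, NOT_AUTHENTICATED }

final class LoginResult {
    final String username;
    final AccessRole role;
    LoginResult(String username, AccessRole role) { this.username = username; this.role = role; }
}

interface AuthDao {
    /** Returns the access_role the stored procedure reports for these credentials. */
    AccessRole authenticate(String username, char[] password);
}

/** Knows only how to log a user in; reports the outcome to whoever owns the application. */
final class LoginController {
    private final AuthDao dao;
    private final Consumer<LoginResult> onResult;

    LoginController(AuthDao dao, Consumer<LoginResult> onResult) {
        this.dao = dao;
        this.onResult = onResult;
    }

    void attempt(String username, char[] password) {
        AccessRole role;
        try {
            role = dao.authenticate(username, password);
        } finally {
            Arrays.fill(password, '\0'); // do not keep the password in memory longer than needed
        }
        onResult.accept(new LoginResult(username, role));
    }
}

/** The login view: a modal dialog that only forwards the button click to its controller. */
final class LoginDialog extends JDialog {
    LoginDialog(LoginController controller) {
        setTitle("Login");
        setModal(true);
        setDefaultCloseOperation(DISPOSE_ON_CLOSE);
        JTextField user = new JTextField(15);
        JPasswordField pass = new JPasswordField(15);
        JButton login = new JButton("Login");
        login.addActionListener(e -> {
            dispose();
            controller.attempt(user.getText(), pass.getPassword());
        });
        JPanel panel = new JPanel();
        panel.add(new JLabel("User")); panel.add(user);
        panel.add(new JLabel("Password")); panel.add(pass);
        panel.add(login);
        setContentPane(panel);
        pack();
    }
}

/** Owns the application lifecycle: shows login, then picks the next UI from the returned role. */
final class ApplicationController {
    private final AuthDao dao;
    ApplicationController(AuthDao dao) { this.dao = dao; }

    void start() {
        new LoginDialog(new LoginController(dao, this::onLoginResult)).setVisible(true);
    }

    void onLoginResult(LoginResult result) {
        switch (result.role) {
            case ADMINISTRATOR:
                showFrame("Administrator console - " + result.username);
                break;
            case APPLICATION_USER:
                showFrame("Application - " + result.username);
                break;
            default: // UNKNOWN_USER and NOT_AUTHENTICATED get the same message: don't reveal which
                JOptionPane.showMessageDialog(null, "Login failed", "Login", JOptionPane.ERROR_MESSAGE);
                start();
        }
    }

    private static void showFrame(String title) {
        JFrame frame = new JFrame(title); // the admin frame is only ever built for ADMINISTRATOR
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        frame.setSize(400, 300);
        frame.setVisible(true);
    }
}

public class SwingLoginDemo {
    public static void main(String[] args) {
        AuthDao stub = (user, password) -> { // constructed stand-in for the stored procedure
            boolean ok = Arrays.equals(password, "secret".toCharArray());
            if ("admin".equals(user)) return ok ? AccessRole.ADMINISTRATOR : AccessRole.NOT_AUTHENTICATED;
            if ("user".equals(user)) return ok ? AccessRole.APPLICATION_USER : AccessRole.NOT_AUTHENTICATED;
            return AccessRole.UNKNOWN_USER;
        };
        SwingUtilities.invokeLater(() -> new ApplicationController(stub).start());
    }
}
```

Compile and run with `javac SwingLoginDemo.java && java SwingLoginDemo`; `admin`/`secret` opens the administrator frame, `user`/`secret` the application frame, anything else re-shows the login. One caveat for a two-tier Swing client that talks to SQL Server directly: the database credentials live on the client machine, so which frame the client opens is a usability decision, not a security boundary. The administrator-only operations still have to be protected on the server, for example by granting the application login EXECUTE only on stored procedures that check the caller's role themselves.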
I am just looking into .NET Core's Identity system for authentication. I have a home screen (a Razor page with #page "/") that has a login form. I would like to use this login form to authenticate the user.
Every example I've seen seems to use Areas/Identity/Pages/Account/Login.cshtml generated from the Identity.UI package. I would like to avoid this, and ideally I would like to be able to authenticate a user from a Razor component, thus allowing me to authenticate from any page.
However, from what I've read, for reasons I don't yet understand fully, that's not possible. I'm not sure if this information is out of date.
So, is it possible to authenticate a user using _signInManager.PasswordSignInAsync from a Razor page or component in .NET 5?
This question comes from the following post:
OWIN cookie authentication get roles on client side
I've created a separate thread for the question since it is more general than one in the post above.
In short:
Let's say we have a web application with JavaScript as the client side + ASP.NET Web API as the server side, and also an identity server. Only authenticated users can access the Web API endpoints, and some of them are accessible only to specific user roles.
Now the client side of the application should show specific items based on what role the user is in. For example: a user in the administrator role can see an extra tab: manage items. There are two approaches to achieve this:
When rendering the client-side application, one could call an endpoint in the Web API which would return what roles the user has. Based on that result, show/hide items in the HTML.
When the application loads, an endpoint which returns how the structure should look (for example: a JSON string) would be called, and based on that structure the client application would be rendered. No show/hide of HTML on the client side based on roles in that case.
Now regarding the 1st point: some could argue that there is a security leak, since a malicious user can modify the HTML to see elements that he is not supposed to see. But in this case he will not see any content from the database and will not be able to load/update it, since he will not be authorized to do that based on his role, which is checked on the server side.
The 2nd point seems more valid since we keep all identity-related logic on the server side. Also all unnecessary content is not in the HTML (while in the 1st point it's hidden), so does that lead to better performance? In this case though, if for example developing an Angular application, the JSON structure of the application would have to include such information as the name of the Angular controller and the route, for example. Would that not add complexity to developing the application?
Assume that the application itself have a lot of roles and a lot of items should be visible/not visible based on these roles.
Pros/cons between 1st and 2nd? Thanks!
I always stick with the first suggested point.
As you mentioned, the second choice will add more complexity for development. For the 1st there is no security leak. If you don't want your users to modify the HTML and access forbidden areas in your application, simply use ng-if instead of ng-show. If you are not familiar with it: ng-if will not just hide the content with display: none; it will completely remove it from the DOM, and this leaves the user unable to show that content as it is not in the DOM.
Read this for a more detailed explanation of ng-if and ng-show: what is the difference between ng-if and ng-show/ng-hide
I usually have an endpoint getting information about the user, including its role, and save that user into a service (factory). This gives me the flexibility to use it everywhere in the application and check whether the user has access to certain parts of it.
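Whichever of the two approaches the client uses, the part that actually keeps data from a user in the wrong role is the check on the server, as the question itself notes. The following is an added example, not code from the question or the answer, showing both endpoints side by side with the same guard in front of the protected API: `/api/me` returns the roles for approach 1, `/api/menu` returns a server-built structure for approach 2, and `/api/items/manage` refuses anyone without the administrator role no matter what the browser rendered. The `SESSIONS` map is a constructed stand-in for validating a token against the identity server; everything else is plain JDK.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.*;

// Added example, not from the question or answer. SESSIONS is a constructed stand-in for
// token validation against the identity server; everything else is plain JDK.
public class RoleGuardDemo {
    static final class User {
        final String name;
        final Set<String> roles;
        User(String name, String... roles) { this.name = name; this.roles = new HashSet<>(Arrays.asList(roles)); }
    }

    static final Map<String, User> SESSIONS = new HashMap<>();
    static {
        SESSIONS.put("tok-alice", new User("alice", "user", "administrator"));
        SESSIONS.put("tok-bob", new User("bob", "user"));
    }

    /** Caller identity from the bearer token, or null when absent or unknown. */
    static User authenticate(HttpExchange ex) {
        String h = ex.getRequestHeaders().getFirst("Authorization");
        if (h == null || !h.startsWith("Bearer ")) return null;
        return SESSIONS.get(h.substring("Bearer ".length()));
    }

    static String jsonArray(Collection<String> items) {
        StringJoiner sj = new StringJoiner(",", "[", "]");
        for (String s : items) sj.add("\"" + s + "\"");
        return sj.toString();
    }

    /** Approach 1: the client asks which roles it has and shows or hides tabs itself. */
    static String rolesJson(User u) {
        return "{\"user\":\"" + u.name + "\",\"roles\":" + jsonArray(u.roles) + "}";
    }

    /** Approach 2: the server decides the menu, so no hidden markup reaches the browser. */
    static String menuJson(User u) {
        List<String> menu = new ArrayList<>(Arrays.asList("home", "search"));
        if (u.roles.contains("administrator")) menu.add("manage-items");
        return "{\"menu\":" + jsonArray(menu) + "}";
    }

    static void reply(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.getResponseHeaders().set("Content-Type", "application/json");
        ex.sendResponseHeaders(status, bytes.length);
        try (OutputStream out = ex.getResponseBody()) { out.write(bytes); }
    }

    interface Action { String run(User u); }

    /** Every endpoint goes through this: 401 without an identity, 403 without the required role. */
    static void guarded(HttpServer server, String path, String requiredRole, Action action) {
        server.createContext(path, ex -> {
            User u = authenticate(ex);
            if (u == null) { reply(ex, 401, "{\"error\":\"unauthenticated\"}"); return; }
            if (requiredRole != null && !u.roles.contains(requiredRole)) {
                reply(ex, 403, "{\"error\":\"forbidden\"}");
                return;
            }
            reply(ex, 200, action.run(u));
        });
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        guarded(server, "/api/me", null, RoleGuardDemo::rolesJson);
        guarded(server, "/api/menu", null, RoleGuardDemo::menuJson);
        guarded(server, "/api/items/manage", "administrator", u -> "{\"items\":[\"a\",\"b\"]}");
        server.start();
        System.out.println("listening on http://127.0.0.1:8080");
    }
}
```

With the server running, `curl -H 'Authorization: Bearer tok-bob' http://127.0.0.1:8080/api/items/manage` returns 403 even if bob's browser has been edited to show the "manage items" tab, while the same request with `tok-alice` returns the items. That is the property to test for: every role-specific endpoint, not just the UI, must carry the guard, because the client-side hiding (whether ng-show, ng-if or a server-built menu) is a convenience for honest users only.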
I am working on an Identity management application, using which my goal is to manage users on Box application.
I was going through Box documentation, and there are two ways for authentication
OAuth 2.0, which has a redirection URI as a required parameter, because of which I cannot make use of it, since I will not be able to enter a username and password and authorize dynamically from my Java code.
Reference: https://box-content.readme.io/reference#oauth-2
JWT authentication, which I can use in my code and successfully get an access token. But the problem here is that this access token can only be used to manage App Users (who will not have a login to the Box website).
Reference: https://box-content.readme.io/docs/box-developer-edition
So, is there any other authentication mechanism which I can use for getting Access token for managing Box users?
Regards,
Sandeep
The current best option is #1 with a process like this:
Create a Box application with the 'Manage an Enterprise' scope enabled.
Use a web-based access token generator (such as this or this) to get an initial access/refresh token pair. Save these somewhere safe (flat file, DB).
Code your application to initialize itself with the access/refresh token pair from its saved location.
When the access/refresh token pair is refreshed, write them out to the save location.
If your application runs across multiple nodes/processes this approach will require some (painful) coordination between them. I believe Box is working on some improvements in this area, so you may not have to live with this for long.
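Steps 3 and 4 of the answer, persisting the access/refresh token pair and rewriting it on every refresh, as an added example that is not the asker's or the answerer's code. It assumes the Box Java SDK (box-java-sdk 2.x) on the classpath, the client ID and secret in environment variables, and a state file under the user's home directory; the initial pair obtained from the one-time web-based grant is written with `seed`, after which `connect` restores the connection and hooks the save into the SDK's refresh listener.

```java
import com.box.sdk.BoxAPIConnection;
import com.box.sdk.BoxAPIConnectionListener;
import com.box.sdk.BoxAPIException;
import com.box.sdk.BoxUser;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFilePermissions;

// Added example using box-java-sdk (assumed 2.x). BOX_CLIENT_ID/BOX_CLIENT_SECRET and the
// state file location are assumptions; the state file holds whatever BoxAPIConnection.save()
// produces, i.e. both tokens, so it gets owner-only permissions.
public class BoxTokenStore {
    static final String CLIENT_ID = System.getenv("BOX_CLIENT_ID");
    static final String CLIENT_SECRET = System.getenv("BOX_CLIENT_SECRET");
    static final Path STATE_FILE = Paths.get(System.getProperty("user.home"), ".box-admin-state");

    /** Bootstrap once with the pair obtained from the web-based grant (step 2 above). */
    static void seed(String accessToken, String refreshToken) throws IOException {
        persist(new BoxAPIConnection(CLIENT_ID, CLIENT_SECRET, accessToken, refreshToken));
    }

    /** Restore the saved connection and write it back out on every refresh (steps 3 and 4). */
    static BoxAPIConnection connect() throws IOException {
        String state = new String(Files.readAllBytes(STATE_FILE), StandardCharsets.UTF_8);
        BoxAPIConnection api = BoxAPIConnection.restore(CLIENT_ID, CLIENT_SECRET, state);
        api.addListener(new BoxAPIConnectionListener() {
            @Override public void onRefresh(BoxAPIConnection conn) {
                try {
                    persist(conn);
                } catch (IOException e) {
                    throw new UncheckedIOException(e); // losing the new pair means a new interactive grant
                }
            }
            @Override public void onError(BoxAPIConnection conn, BoxAPIException error) {
                // A failed refresh usually means the refresh token expired, was revoked, or was
                // already consumed by another process; the only recovery is a new grant.
                System.err.println("Box token refresh failed: " + error.getMessage());
            }
        });
        return api;
    }

    /** Atomic, owner-only write so a crash mid-write never leaves a half-saved or world-readable pair. */
    static synchronized void persist(BoxAPIConnection api) throws IOException {
        Path tmp = STATE_FILE.resolveSibling(STATE_FILE.getFileName() + ".tmp");
        Files.write(tmp, api.save().getBytes(StandardCharsets.UTF_8));
        try {
            Files.setPosixFilePermissions(tmp, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException ignored) {
            // non-POSIX filesystem (e.g. Windows); rely on the directory ACL instead
        }
        Files.move(tmp, STATE_FILE, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 2) {
            seed(args[0], args[1]);
            return;
        }
        BoxAPIConnection api = connect();
        for (BoxUser.Info user : BoxUser.getAllEnterpriseUsers(api)) {
            System.out.println(user.getLogin() + " (" + user.getID() + ")");
        }
    }
}
```

Run once as `java BoxTokenStore <access_token> <refresh_token>` to seed the file, then without arguments to list the enterprise's managed users. The `synchronized` on `persist` only protects threads inside one JVM; Box refresh tokens are single-use, so two processes restoring the same state file will race for the refresh and one of them will end up in `onError` with a pair that no longer works, which is the multi-node coordination problem the answer warns about.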
I have built a local search engine with a little data. I am using solrj for the user interface, i.e. where the user will write a query. Now the problem is that there is no submit button in that interface; the user only needs to press enter to get the result. How do I add a button in solrj so that the user has more than one option for a request?
Any idea?
The button can only be created in the front-end, using HTML or something of that kind, but solrj is an API for Java and cannot be used in the front-end. Run a web server alongside and access the solrj API from it.
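The split the answer describes, as an added example that is not the asker's code: the buttons are plain HTML served by a small web server, and SolrJ runs only on the server side behind it. It assumes SolrJ 7+ on the classpath and a Solr core named "mycore" with a "title" field at the URL below; the two buttons submit the same form with a different `mode` value. The user's text is passed through `ClientUtils.escapeQueryChars` so it is searched as a literal term rather than interpreted as Solr query syntax, and field values are HTML-escaped on the way back out.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import org.apache.solr.client.solrj.SolrClient;
import org.apache.solr.client.solrj.SolrQuery;
import org.apache.solr.client.solrj.SolrServerException;
import org.apache.solr.client.solrj.impl.HttpSolrClient;
import org.apache.solr.client.solrj.util.ClientUtils;
import org.apache.solr.common.SolrDocument;
import org.apache.solr.common.SolrException;

// Added example, not the asker's code. Assumes SolrJ 7+ and a core "mycore" with a "title"
// field at the URL below; the HTML form below is the only "button" there is.
public class SearchFrontEnd {
    static final SolrClient SOLR = new HttpSolrClient.Builder("http://localhost:8983/solr/mycore").build();

    static final String FORM = "<form action=\"/search\" method=\"get\"><input name=\"q\">"
            + "<button name=\"mode\" value=\"all\">Search everything</button>"
            + "<button name=\"mode\" value=\"title\">Search titles</button></form>";

    /** Run the query with the user's text treated as a literal term, never as Solr syntax. */
    static String search(String userText, String mode) throws IOException, SolrServerException {
        String term = userText.trim().isEmpty() ? "*:*" : ClientUtils.escapeQueryChars(userText.trim());
        SolrQuery query = new SolrQuery("title".equals(mode) && !"*:*".equals(term) ? "title:" + term : term);
        query.setRows(10);
        StringBuilder out = new StringBuilder(FORM).append("<ul>");
        for (SolrDocument doc : SOLR.query(query).getResults()) {
            out.append("<li>").append(html(String.valueOf(doc.getFieldValue("title")))).append("</li>");
        }
        return out.append("</ul>").toString();
    }

    /** Escape stored values before they go back into the page, so an indexed title cannot inject markup. */
    static String html(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    static Map<String, String> params(HttpExchange ex) throws IOException {
        Map<String, String> m = new HashMap<>();
        String raw = ex.getRequestURI().getRawQuery();
        if (raw == null) return m;
        for (String pair : raw.split("&")) {
            int i = pair.indexOf('=');
            if (i > 0) m.put(URLDecoder.decode(pair.substring(0, i), "UTF-8"),
                             URLDecoder.decode(pair.substring(i + 1), "UTF-8"));
        }
        return m;
    }

    static void reply(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.getResponseHeaders().set("Content-Type", "text/html; charset=utf-8");
        ex.sendResponseHeaders(status, bytes.length);
        try (OutputStream out = ex.getResponseBody()) { out.write(bytes); }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8081), 0);
        server.createContext("/", ex -> reply(ex, 200, FORM));
        server.createContext("/search", ex -> {
            Map<String, String> p = params(ex);
            try {
                reply(ex, 200, search(p.getOrDefault("q", ""), p.getOrDefault("mode", "all")));
            } catch (SolrServerException | SolrException e) {
                reply(ex, 502, "Search backend unavailable");
            }
        });
        server.start();
    }
}
```

Open http://127.0.0.1:8081/ in a browser; each button sends the same `q` with a different `mode`, and the server, not the browser, decides what query SolrJ runs. Keeping the Solr URL reachable only from this process (not from the browser) is what makes the escaping meaningful: the user never talks to Solr directly.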
I was wondering if it is possible to have multiple custom push notifications setup in a single AIR App.
What I am trying to do is allow users to set up custom alerts based on information they would like to receive. For example, say user 1 would like to know when new action or drama movies are released on DVD, user 2 would like to know when new comedies are released, and user 3 would like to know when any new movie is released.
This is a simple example and there are possibly 1000's of options (postcode/zip information).
Thanks
Technically, there's nothing that would prevent you from doing this.
The implementation is mostly backend related though; let me just quickly draft a design for that here:
The user's device registers for push notifications at your backend service.
Your service takes the user's id, stores it in a DB and passes the device token to the corresponding push notification server.
Once the registration is completed, the user selects what items he'd like to be notified of (naturally your backend service has to know this information as well, to store it in the DB).
As soon as a new action movie (or whatever kind of information the user registered for) is available, your service looks up in the DB which users registered for that kind of movie and sends them a message via push.
So a simple database and some server side scripting will get you going.