I have simple method in controller class.
Class TrainingController{
def getTrainingsJson(){
def trainingList = Training.list()
println "called===="
//render trainingList as JSON
render "${params.callback}(${trainingList as JSON})"
}
}
Which gets the list of training, In my HTML page I have request as follows
<script type="text/javascript">
$(function(){
$.getJSON('http://localhost:8080/training/getTrainingsJson?callback=?',
function(data) {
console.log("success");
alert(data);
});
});
</script>
The request is served only after the login. Without the login the response will be login page HTML format.
The request is across the servers (from php to grails).
I want to ensure that secure communication must be established, So how to authenticate
through json using spring security in grails.
And How to ensure that Nobody can forge the request and get the response from the server.
And Do need to follow the REST Or Can i write the methods in existing controllers OR Do i need to create a separate controller/service for this kind of requests.
If all access is through the browser, then spring authentication will take care of it - just secure the url accordingly. All requests (including ajax) will go through the spring auth
To prevent snooping consider implementing SSL
The Spring Security plugin docs has more information on securing your application. In particular read about Authentication, IP Address restriction and Session Fixation Prevention
Related
In my api, I have a /users endpoint which currently shows (eg address) details of all users currently registered. This needs to be accessed by the (Ember) application (eg to view a user shipping address) but for obvious reasons I can't allow anyone to be able to view the data (whether that be via the browsable api or as plain JSON if we restrict a view to just use the JSONRenderer). I don't think I can use authentication and permissions, since the application needs to log a user in from the front end app (I am using token based authentication) in the first instance. If I use authentication on the user view in Django for instance, I am unable to login from Ember.
Am I missing something?
UPDATE
Hi, I wanted to come back on this.
For authentication on the Ember side I'm using Ember Simple Auth and token based authentication in Django. All is working fine - I can log into the Ember app, and have access to the token.
What I need to be able to do is to access the user; for this I followed the code sample here https://github.com/simplabs/ember-simple-auth/blob/master/guides/managing-current-user.md
I have tested the token based authentication in Postman, using the token for my logged in user - and can access the /users endpoint. (This is returning all users - what I want is for only the user for whom I have the token to be returned but that's for later!).
The question is how to do I pass the (token) header in any Ember requests, eg
this.store.findAll('user') .... etc
This is clearly not happening currently, and I'm not sure how to fix this.
UPDATE
Fixed it. Turns out that the authorize function in my application adapter was not setting the headers, so have changed the code to set the headers explicitly:
authorize(xhr) {
let { access_token } = this.get('session.data.authenticated');
if (isPresent(access_token)) {
xhr.setRequestHeader('Authorization', `Token ${access_token}`);
}
},
headers: computed('session.data.authenticated.token', function () {
const headers = {};
if (this.session.isAuthenticated) {
headers['Authorization'] = `Token ${this.session.data.authenticated.token}`
}
return headers;
})
Ember is framework for creating SPAs. These run in the browser. So for Ember to get the data, you have to send the data to the browser.
The browser is completely under the control of the user. The browser is software that works for them, not for the owner of the website.
Any data you send to the browser, the user can access. Full stop.
If you want to limit which bits of the data the user can read from the API, then you need to write the logic to apply those limits server-side and not depend on the client-side Ember code to filter out the bits you don't want the user to see.
I don't think I can use authentication and permissions, since the application needs to log a user in from the front end app (I am using token based authentication) in the first instance. If I use authentication on the user view in Django for instance, I am unable to login from Ember.
This doesn't really make sense.
Generally, this should happen:
The user enters some credentials into the Ember app
The ember app sends them to an authentication endpoint on the server
The server returns a token
The ember app stores the token
The ember app sends the token when it makes the request for data from the API
The server uses the token to determine which data to send back from the API
I want to post the modal data (modal fields for each entry in JSON format) from my app (made up of Python Django) to a remote service using the provided endpoint URL.
I want to achieve something like this below of which I tried but failed
def modal_data_view(generics.ListAPIView):
remote_service_response= requests.post(remote_url, data=my_modal_data)
return HttpResponse(remote_service_response.text)
I am expecting my modal data to be received by the remote endpoint and return a text response.
If your remote service supports REST api just do it with :
r = requests.post(remote_url,json=my_modal_data,headers={'Content-Type': 'application/json' })
also your "my_modal_data" must be in json format.
In REST api you may need authentication
there is an example of GET and POST to rest api with token authentication in my github :
Example of POST to REST
and if your remote does not use REST you may need to put your data in url (as options) or in body in the format of your remote service
I am working on a sample Flutter mobile application.
Does Flutter / Dart have any http libraries that support persisting secure cookies.
Example use case ( guessing it should be pretty common use case): User logs in once and the application should be able to use secure cookie from successful sign-in until session gets expire/ user signs out.
On android, OkHttp supports persisting cookies and sending those persisted cookies whenever client (application) makes a request to the backend.
What is the best way to acheive that in Flutter?
Thanks
This is not related to flutter, it is pure dart but :
For cookies, there's dart:io with Cookie class
There's the boolean secure property and boolean httpOnly you can set.
As for Http connections, you can simply use dart:http's HttpClient.
OR you can use flutter's createHttpClient method which is recomended by flutter for testing purpose (mock) ; as stated here
I've published a small flutter library called requests to assist with cookie-aware http requests (with the assistance of shared_preferences)
as of now, it uses shared_preferences which is not the best practice (security-wise) to store sensitive data (session-ids etc) Issue #1
pubspec.yaml
dependencies:
requests: ^1.0.0
Usage:
import 'package:requests/requests.dart';
// ...
// this will persist cookies
await Requests.post("https://example.com/api/v1/login", body: {"username":"...", "password":"..."} );
// this will re-use the persisted cookies
dynamic data = await Requests.get("https://example.com/api/v1/stuff", json: true);
i'm reading RESTful Web Services and on the first chapters they talk about taking advantages over the stuff HTTP already serves.
They introduce en example that does authentication to del.icio.us using HTTP Basic Authentication.
Until now, the apps I've been written in NodeJS implemeted Authentication by sending a POST request from a form containing user and a password field.
How do you guys implement this? Do webpages implement auth via http basic auth?
Which one is recommended?
Thanks in advance.
You may find Basic HTTP authentication in Node.JS? useful as it describes how to do Basic Authentication in NodeJS.
As for its use in Web Services, well...there are lots of ways to authorize requests from using a shared secret (like an API key), cookies (like Basic Auth) or user credentials added to a request string. All have their pluses and minuses.
For most of my coding, I rely on public/private key pairs to assure the identity of clients.
http-auth module should do the job
// Authentication module.
var auth = require('http-auth');
var basic = auth.basic({
realm: "Simon Area.",
file: __dirname + "/../data/users.htpasswd" // gevorg:gpass, Sarah:testpass ...
});
// Creating new HTTP server.
http.createServer(basic, function(req, res) {
res.end("Welcome to private area - " + req.user + "!");
}).listen(1337);
In my App I need to communicate with my Django website. Some resources require authentication so I need user login.
But this does not happen in a browser or a web view. I need to use Object-C to issue a login request and handle the response - basically to store the session ID I guess.
On the web server side, how should I do this in Django? To have a stand-alone view for that and return JSON maybe? How can I get the newly generated session ID though?
I wouldn't get the session ID. I believe logging in a user is more geared toward a web interface. I would create an API that serves the resources you need in your app. http://en.wikipedia.org/wiki/Representational_state_transfer Authentication would probably be best suited for a private/public key pair or some other similar popular api authentication system.
You don't need to make any changes to your authentication system, save for maybe making sure the login form is usable on the smaller screen. Cookies work the same on iOS as they do on the web. You can display a modal UIWebView with your login form. After the user logs in, presumably you are setting a session cookie. If you make a subsequent request to the domain the cookie matches, the cookie should be sent along. You want to look into the HTTP 'Accept' header field, which specifies the content type the client expects to receive. In your controller (view?), you'll want to check the 'Accept' header, and return the appropriate content type, probably 'application/json' (or a custom type for your API).