I have a webscript to upload and list files which I authenticate via alf_ticket generated using login api of alfresco. I redirect my existing webscript to another webscript which is created using Aikau framework and is a stanalone Aikau Client app to preview the files. When it redirects to authentication page of Aikau(page/ap/ws/document/workspace/SpacesStore/83d72801-6a75-45ab-be8f-99245f3828a5)
it asks for credentials, I want to use the existing ticket generated in my webscript to authenticate the aikau webscript. By looking into login.get.js file of aikau project I couldn't able to identify where I could append ticket.
It's not clear from your question exactly how you're getting this behaviour. For example, is this all running as customization of Alfresco Share or are you building a standalone Aikau client?
For Share, once you have authenticated by logging in then all WebScript requests should be authorized. Similarly with a standalone Aikau client you should be able to login (using the login page provided by the Maven archetype). In both of these cases authentication and credential persistence is managed by Surf.
Are you trying to render Aikau content as a single WebScript that is invoked via an XHR request? How are you attempting to access your Aikau content?
In general, you shouldn't need to worry about authentication issues as Surf takes care of it all for you, however it sounds like you're trying to do something a little bit unusual. Could you try and provide more context to your question please?
Related
I created a Chrome extension which is just HTML/CSS/JavaScript. When the user clicks on a button, I have it send a message to me. But the problem is I don't want to include any API keys or server information where the app can POST to as it can be used for abuse if someone was to extract this information from my Chrome app. Is there a method of getting a response from a web app with a public service where anyone can post to? I was thinking pastebin, but even that requires an API key.
You could ask the user to create their own key. For example, many GitHub extensions require an API key to make requests to the GitHub API, so what they do is they send you to a GitHub settings page where you can create a personal API key.
We are building a web app on angularJS and WEB API 2.2, basic funtctionality of the app is to download documents from certain Fileshare.
Talking in architectural details, these two apps (angular JS and REST API) will be hosted on two different websites(ie clientAPP.com and RESTAPI.com).
We need to protect our ClientAPP with siteminder here but also which can be done easily, complexity here is, for downloading the files instead of using APIController i have used MVCController for its FILECONTENTRESULT behaviour, so basically i redirect my users(when they click on the file links provided on angular UI) to that controller using:
$window.location.href="DOWNLOADCONTROLLER/DownloadFile/IDOfTheDocument"
In turn this url returns the intended file by searching it on the basis of id provided in URL and returns filecontentresult which automatically downloads the file on browser.
We need another functionality where we can share this download file URL with other users, we need to implement security around this URL as well which is part of RESTAPI MVC app, we are marking our options on "how do we protect this URL" since it's an MVC controller we cannot go for token based security like we have done it for API controllers so and also we cannot share tioken with users so, is it possible make this URL siteminder protected so that when user hits this url from browser instead of app it gets the SSO login screen? if yes, how do we ensure that when my user is already logged in to client app,REST API doesn't ask for authentication when he tries to download the file from the client APP,.
I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)
My current project constists of 2 components:
a WCF server application
a purely client-sided (javascript, jQuery, TypeScript etc) website which consumes the service.
When the client saves data to my database via the WCF service, I need to log who made the last modification to that data.
To do this I need the username of the account the client website's browser is running under.
Browser support needs to be:
Chrome
Firefox
IE 10/11.
I don't want to create a login form for my website, I want the user to be able to open the website and be logged on using their Windows/Citrix account.
Javascript can't get to the account username because of security concerns obviously.
Any suggestions?
I have a experimental answer for you. Not sure but posible to work correctly. I think, you can activate impersonation and basic authentication on iis. Then client(browsers) ask credentials to client. In service layer, you can enable impersonation too. but only iis impersonation may enough.
I'm need to automatically perform the login at: http://gsc.klub-modul.dk/. After I am logged in, I need to able to fetch pages from this domain, which requires me to be logged in. As far as I have gathered, the site is using ASP.NET to interact with the server. I am open to all suggestions. I'm looking for a script to do this, as I am still new to this.
What you are trying to do is botting (Automated access of site or online game),so follow these steps,
Generic steps
Monitor the HTTP request being made by the browser (I use
Fiddler,you might also find browser built-in network tool(press F12) handy)
You need to look for cookies especially.
In short you should be able to make same HTTPRequest on each event
(by event I mean first time page request ,page submit for login and
etc)
Use python for botting
use these libraries Mecanize / twill /scrapy / Beautiful Soup
Tutorials to get started
http://docs.python-guide.org/en/latest/scenarios/scrape/
http://www.pythonforbeginners.com/python-on-the-web/web-scraping-with-beautifulsoup/
http://arunrocks.com/easy-practical-web-scraping-in-python/
https://classic.scraperwiki.com/docs/python/python_intro_tutorial/
Stackoverflow links
Scraping sites that require login with Python
Scrape a web page that requires they give you a session cookie first
Fake a cookie to scrape a site in python
Python Scraping Web with Session Cookie
My Advice
I think if you haven't made a web scraper (web-bot or bot-tool) before than you should start with small things like fetching a specific information from a page which doesn't require login then move on to more complex scenarios
As usual Asp.Net uses cookies for session, authorization needs. So basically you just need to make POST request to login page with Login, Password parameters, then you need to obtain cookies from response, and then make new requests for needed pages with these cookies.
By default these cookies are named ASP.NET_SessionId and ASPXAUTH
I have worked on a similar problem but used a generic approach. I used greasemonkey addon in firefox to login on a game and save data on different db. Later I found out that I could've wrote a addon myself (mozilla ref)
Both of these technique will rely on javascript only.(example of a login script of fb in greasemonkey)
The website was on asp.net too! You just need to receive the cookies and login from javascript code. Jsoup is another approach to parse data and login.