We are building a web app on angularJS and WEB API 2.2, basic funtctionality of the app is to download documents from certain Fileshare.
Talking in architectural details, these two apps (angular JS and REST API) will be hosted on two different websites(ie clientAPP.com and RESTAPI.com).
We need to protect our ClientAPP with siteminder here but also which can be done easily, complexity here is, for downloading the files instead of using APIController i have used MVCController for its FILECONTENTRESULT behaviour, so basically i redirect my users(when they click on the file links provided on angular UI) to that controller using:
$window.location.href="DOWNLOADCONTROLLER/DownloadFile/IDOfTheDocument"
In turn this url returns the intended file by searching it on the basis of id provided in URL and returns filecontentresult which automatically downloads the file on browser.
We need another functionality where we can share this download file URL with other users, we need to implement security around this URL as well which is part of RESTAPI MVC app, we are marking our options on "how do we protect this URL" since it's an MVC controller we cannot go for token based security like we have done it for API controllers so and also we cannot share tioken with users so, is it possible make this URL siteminder protected so that when user hits this url from browser instead of app it gets the SSO login screen? if yes, how do we ensure that when my user is already logged in to client app,REST API doesn't ask for authentication when he tries to download the file from the client APP,.
Related
I have a webscript to upload and list files which I authenticate via alf_ticket generated using login api of alfresco. I redirect my existing webscript to another webscript which is created using Aikau framework and is a stanalone Aikau Client app to preview the files. When it redirects to authentication page of Aikau(page/ap/ws/document/workspace/SpacesStore/83d72801-6a75-45ab-be8f-99245f3828a5)
it asks for credentials, I want to use the existing ticket generated in my webscript to authenticate the aikau webscript. By looking into login.get.js file of aikau project I couldn't able to identify where I could append ticket.
It's not clear from your question exactly how you're getting this behaviour. For example, is this all running as customization of Alfresco Share or are you building a standalone Aikau client?
For Share, once you have authenticated by logging in then all WebScript requests should be authorized. Similarly with a standalone Aikau client you should be able to login (using the login page provided by the Maven archetype). In both of these cases authentication and credential persistence is managed by Surf.
Are you trying to render Aikau content as a single WebScript that is invoked via an XHR request? How are you attempting to access your Aikau content?
In general, you shouldn't need to worry about authentication issues as Surf takes care of it all for you, however it sounds like you're trying to do something a little bit unusual. Could you try and provide more context to your question please?
I have a Single Page Application built in ember.js, we have this hosted on AWS S3 and I'm trying to come up with a solution for when someone shares a URL from our site to facebook to have facebook be able to scrape the content on that page properly.
Obviously this won't work at this time because facebook does not support indexing javascript like the google search engine does. So one solution I've seen is to use apache .htaccess to redirect requests from facebook to a server file that can make a barebones html page with the necessary open graph tags like in this post
https://rck.ms/angular-handlebars-open-graph-facebook-share/
However since we're on S3 I can't do an apache .htaccess, and from what I've been able to gather from the sparse docs on how their S3 redirect rules work and what they can do I'm not sure if there is a way to do this with that method.
So my question is does facebook or open graph or even just normal meta tags have away of allowing the user to share a url, have facebook use that but follow a link to a server generated file, and then if someone clicks that link actually have it point the user to the real single page application page instead of the server file facebook will use for the scrape data.
Facebook supports “pointers” to request the meta data from a different URL – but that likely won’t help you here, because the reference to the URL that serves the meta data would again have to be part of the HTML code of your original URL that you want to share.
You might do better the other way around: Let your users share the URL to your server-generated document that contains the correct meta data – and redirect human visitors that follow that link to the real target URL within your application. You can either do that via JS (location.href='…'), or server-side (but in that case you need to implement an exception from that redirect for the FB scraper; it can be recognized by its User Agent, see https://developers.facebook.com/docs/plugins/faqs#scraperinfo)
In my project, I implemented CRUD using Asp.net Web API 2 and consumed that using Angularjs. Now I want to build user and admin authentication as two location of the application be authorized to both accordingly. I am already familiar with PHP and ASP.net authentication, but this time I am building my application with HTML and Angularjs only, and I am asked (by a test) to implement user and admin authentication by HTML and Javascript.
1) Please guide me whether to use pure js or angularjs authentication, and what good step by step references.
2) please explain to me how can I secure two locations of the application, first of for registered users and second is for admins only.
I actually did basic search and got confused, I came here for guidance.
Thank you in advance.
Backend: ASP.Net Web API
Frontend: Angular/HTML
You can create a service endpoint for logging - something like this:
public partial class ContainerController
{
[AllowAnonymous]
public ActionResult Login (string success, string error, string returnUrl)
{
//Authenticate User
}
}
Once you've authenticated the user you can redirect the user to a new cshtml page (which is visible only to authenticated users).
Please note that since you're passing your username and id from JavaScript they can be easily detected from a third part intercepting your calls to the server. If you don't want that then you need to run your login page on https. Configuring security certificates and https is a bigger topic and I'll not be able to explain it here.
Background on the Application:
Embedded system that will connect to nest-api as a client to retrieve required data. This embedded system can connect to a wifi network and provides a web interface through which user can carry out authentication.
For authentication, currently the user is directed to
https://home.nest.com/login/oauth2...
and user can carry out the authorization procedure and get an 8-char PIN.
The user is then asked to input this PIN in a text box and submit it to the embedded web server which then requests the access_token (using C platform).
There are two questions related to this issue:
1) Is there a way to carry out request for access_token also from the client browser, and only return the access_token back to the embedded system? Any Javascript code that can request access_token after user inputs the PIN and submits?
2) The second issue is related to lack of automation. The user needs to type the PIN back in the web interface. Is there a way to extract the PIN from the website automatically using some script. For example, open the /login/oauth2 page embedded within another page and run a script on the main page to keep scanning the embedded page until the PIN becomes available (i.e. the user logs in and grants permissions). As soon as it becomes available, it can be copied and returned back to device web and access_token requested automatically.
I understand that this type of automation can be achieved by web-based authentication, but from my understanding that would require a proxy server for redirect URI. The idea is to make the device self-sufficient without a need for maintaining another server.
Yes, see the control-jquery sample code for an example of how to work with OAuth tokens in JavaScript
Nest allows you to use addresses that start with http://localhost or https:// as the OAuth Redirect URI. You can either run a web server locally, or monitor the WebView for a redirect URI pattern of your choice and parse the results.
The instructions on the JanRain installation page says to load the app id dynamically. Could someone explain what that means? This is Javascript, so the appid has to go the client, correct? Thanks.
http://documentation.janrain.com/engage/widgets/sign-in
Yes - as the documentation states, you need to provide your AppID (provided on the home page of your Janrain account). Depending on what your choice of server-side markup is, you can provide the AppID as a server side markup sequence referring to a configuration source, or something similar.
This is a suggestion made so that if you need to change this key at some point (perhaps the application gets compromised and you need to change your app and secret keys, you change your application name) there's a single location in some configuration file to change instead of throughout all your web pages.
Without any further knowledge of what your server side technology is, I can't be more specific about how to implement the "app ID dynamically (through configuration)".
If you're confused about having multiple keys, think of it in the way of public/private key authentication. The App ID is your public key; with which you communicate to their the servers publically to say who you are (along with the URL used in the RPX widget, which also identifies you and your application).
When you receive your callback through the token url provided to them, you make the call back to them server side and use the private key there (as well as communicating via SSL), to complete the authentication.