Hi I use spring security to define some role's on server side and to limit the access on some Restful address. The server side is not a problem. The javascript is a problem. I have some link on the client side that I will disable when the user has not an admin role.
What is the bast way to do this in javascrip/jquery? Is there a script that manage this?
P.S.: I'm a javascript newbie
On server side the roles are managed by spring security to avoid unautorized users to get access on them. What i would know is: is there a script that helps me to manage all link that i whant obfuscate to normal user on client side (centralized) or have I to go manually to every 50 link on my page and add a check on the role?
It would be more appropriate to prevent the link from even appearing from the server side. Because if you just disable it, any smart user can just view source and get the link and run it. But here is how to disable a link
$('.my-link').click(function () {return false;});
Rather than returning false, you can event.preventDefault()
/// Disable all Links with a class
$("a").click(function(event){
event.preventDefault();
//// check if admin
if( isAdminFunc() ){
handleThisLinkClickForAdmin();
}else{
//// non admin users can not access links..
}
});
finally I found how to do. On back-end side I don't have to change anything.
On Front-end side I have to add a taglib on my html page:
<%# taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
After I can securize the block that only the user with this role and up can access:
All normal user can access
<sec:authorize access="hasRole('admin')">
Only user with Admin role cann access
</sec:authorize>
In this example the first link is accessible for all, and the second only for user with the 'admin' role.
Related
Basically I want a Login, Logout and Registration Functionality in my application using JavaScript
This is my Registration Page : https://i.stack.imgur.com/KY4vz.png
This is my Login Page : https://i.stack.imgur.com/IBEff.png
I can't find any question here.. if you want to find out how to validate forms using JavaScript just google it..
But my advice for login / register forms authentication is that it's must be done server-side and not on the client's side because if you will make it JavaScript like this:
var passInput = document.getElementById("passInput").value;
if(passInput == "correct password"){
//...
}
The client can just open the source code and simply see the correct password..
What you should do is to validate the form on server side so the client can't simply view the correct password.
MY application url is : http://219.41.192.244:8080/KanaApp/login - it will take user to login page
Login is the first page then only user can access the application.
But if user put this url - http://219.41.192.244:8080/KanaApp , it's redirecting to http://219.41.192.244:8080/KanaApp/#/home and taking user to the home page without login. How can I prevent this and make the login page mandatory?
whenever user put this url http://219.41.192.244:8080/KanaApp, I want redirect to http://219.41.192.244:8080/KanaApp/login url, can someone help me here please.
Spring boot application:
I have set the context path here
server.contextPath=/KanaApp
and in front end angular
SecurityConfig class:
.antMatchers("/static/**").permitAll()
.antMatchers("/assets/**").permitAll()
.antMatchers("/css/**").permitAll()
.antMatchers("/forgotPassword").permitAll()
.antMatchers("/setForgotPassword").permitAll()
.and()
.formLogin()
.successHandler(handler)
.usernameParameter("username")
.passwordParameter("password")
.loginPage("/login").permitAll()
.and()
.logout()
.logoutSuccessUrl("/login?logout")
.invalidateHttpSession(true).permitAll()
.and()
.csrf().disable();
I think what you are missing is a proper security configuration.
If you want your user to be connected, then you must force your user to be. Meaning that you must allow requests only to authenticated user.
You will find a lot of guide on how doing it spring example here.
What you must do is register a class extending WebSecurityConfigurerAdapter, and define which part of your application are secured.
For example:
.antMatchers("/public/**").permitAll()
.anyRequest().authenticated()
Meaning all uris in /public/... would be allowed for everyone, so you won't have to login to go there, and any others needs to be logged to go there.
As you have a login page, a basic way to force users to go there is to implement spring form login (specified in more depth in the link before). This is the part doing the job
.formLogin()
.loginPage("/login")
.permitAll()
Declaring spring security form login, all request that must be authenticated will be redirected to the page specified here. You can of course customize this page as you like (an example from spring documentation).
Is there a way to send username and password to a url of a login web page?
For example, if the login web page contains 2 textboxes : user name and password and a login button, is there a way to send to the url the credential in order to go directly to the next page coming after the login?
The url for the login page looks like:
http://[ip address]/jsp/login.xhtml
I tried to send the username and passord as following:
http://[username:password]/[ip address]/jsp/login.xhtml
http://[ip address]/jsp/login.xhtml?[username:password]
If there is a way to do it by sending the command through a batch file?
If it can be done using c# or javascript it is also fine.
The best option is Javascript. It can easily run from a plugin of your browser.
(I'm using 'Custom Javascript for Websites', a chrome plugin: https://chrome.google.com/webstore/detail/custom-javascript-for-web/poakhlngfciodnhlhhgnaaelnpjljija)
Firstly you navigate to the login page and check the source code for the following ID's:
- Username-inputbox
- Password-inputbox
- Submit button
Knowing these things, we can add this to our plugin: (Fill in the id's at the right places)
// First we check if we're on the right page
if (window.location.href == "URL")
{
// Find the ID's of the corresponding inputs
document.getElementById("username").value = "user0";
document.getElementById("password").value = "user0scode";
// Then click the submit button, just as we do
document.getElementById("btnSubmit").click();
}
There is free tool called Fiddler. It monitors/debugs all the traffic on your machine i.e. using browsers or any other medium. You can try capturing the action/request behind the login button using Fiddler, and then mutate the same action/request and you will be able to change the username/password for that action/request.
Download from here, and read this.
I'm trying to build a client-side application that allows people to login with their Instagram accounts. Problem is, I'm not sure if that's still possible.
I've coded a sample JavaScript after reading "Client-Side (Implicit) Authentication" section of their related docs.
I'm getting the following error:
{
"code": 400,
"error_type": "OAuthException",
"error_message": "JS login temporarily disabled"
}
From the error message I'm guessing it's not about my code but it's something on Instagram's side. Is there a way for me to do client-side login? Also, if I can't, what are my options?
Thanks.
I had similar issue and this is how I fixed it.
You have to uncheck the "Disable implicit OAuth:" by going to :
-> Manage Clients
-> Click edit on the app/webapp.
-> Uncheck - Disable implicit OAuth:
-> Update the settings and try to run it again by going to the link :
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=token
In the link, replace the values that were provided to you and in the response_type, give value as token to get the access token and if you want to get the request code, just replace token with the code in the URL.
Hope this helps for you and for future viewers.. Good luck.. :)
Just unset the "Disable implicit OAuth:" in app settings.
So, it seems it's impossible to do JS login at the moment with Instagram.
But they still allow implicit redirects so the solution is to have a server to make a redirect to your client side application. You only need two endpoints. I've written a small Node.JS app for this which you can find here.
I had tried for the same,I think there are not still providing any api to login with Instagram credentials username and password,You can just authenticate your account via
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code
When using a mailto link chances are that it doesn't do anything for the user if he doesn't have an email client setup, or didn't setup his webmail to be his default client (ea. gmail as default client in macosx).
What would be the best way to gracefully offer a fallback, kindly asking the user to manually email you?
I could use JS or css to show a message once the link has been clicked:
submit was successful, or if nothing happened please email us manually.
What about using a form with mailto, can I use a redirect page upon success without or with serverside scripting? Is there a way to filter out the success from failure, instead of relying on the user's judgement with the double success/failed message above?
edit: At least what would be the most suitable way of changing a state when a mailto link (or form) has been clicked. Obviously JavaScript or css are options, but can't I simply create a double action link or form submit; mailto and also link to another page (you have submitted/clicked the button')
This article discusses a hack of checking if the window's blur event fired after clicking the mailto. It uses a timeout, so it's not foolproof, but might address most cases. Here's a JavaScript/jQuery example, simplified from the article.
(function($)) {
$('a[href^=mailto]').each(function() {
$(this).click(function() {
var t;
$(window).blur(function() {
// The browser apparently responded, so stop the timeout.
clearTimeout(t);
});
t = setTimeout(function() {
// The browser did not respond after 500ms, so open an alternative URL.
document.location.href = '...';
}, 500);
});
});
})(jQuery);
You cannot detect whether or not a user has an email client setup. So I would suggest you to setup a server-side form for the user to contact you.
Beneath or above this you can provide the user a link explaining him that if he wants to contact you directly through his main e-mail account, he can click this link (this link being a mailto: link).
By providing him two ways of contacting you (webform or e-mail client), you give the user the opportunity to choose which one he wants to use. So it's up to him to realize whether or not he has an e-mail client installed and whether or not he wants to use it.
Use a JavaScript confirm popup to ask the user if they have email setup on their computer.