We are about to code a client-side MVC app in JavaScript (AngularJS). On the server side we have Node.js running to serve the templates etc. I am new to the "front end" side of the story - I am a "typical" Java backend guy - so apologies in advance ;-)
I want to authenticate and talk to our own internal REST API, which is based on OAuth. I can get the handshake to work and the basic setup seems to be working.
My question is: where do I put all the OAuth handshaking and "wrapping" code?
So far I've found these solutions:
Let's assume both client and server side are implemented in JavaScript and the "real server" is a Jetty serving the REST API secured with OAuth.
client (js) -> server (node.js) -> server (jetty+oauth)
1. client -> node.js -> does all the oauth stuff
2. client -> directly to jetty server
Version 1 has the benefit of securing all the details of the API and OAuth handling (so nobody looking at the source code of the HTML/JS could see this).
Version 2 has the advantage of skipping the intermediary layer, but everybody could see the OAuth key/secret...
I hope you get what I mean. Is there any guideline/tutorial detailing "best practices" for dealing with a secured API that is needed by a client-side MVC application running inside the browser of the user?
Any help highly appreciated.
Cheers
Marcel
We have two applications, one called flexOS locally on "the server", and one called flexVisu remote on "the client". The first one is doing the job, collecting data and such things.
Historically those two applications are able to communicate via TCP/IP sockets and a proprietary binary protocol.
Now we want to replace the client application flexVisu with a web page hosted on the IIS locally on the server. Every web browser on every device should be able to display these web page(s).
Firstly we experimented with an additional application (flexVisuWebServer) on the IIS side that basically hosted a web socket server and translated the json data from the client into binary data for the server and vice versa.
But this always requires a http connection and a wss connection to be open at the same time.
I don't know why, but I don't like the idea of using javascript on the client to handle all the data processing to display the server data.
I think that it would be much easier if I wrote an ASP.NET C# application that handles the connection to "the server" via our proprietary TCP/IP protocol. That way no conversion of data between binary and JSON format must be done, and the web page itself can also be written in C#.
This approach much more resembles the current approach with flexVisu connecting directly to flexOS, the binary data is directly used to fill in Windows Forms controls.
What am I missing here?
Would the ASP.NET application be able to connect to a TCP socket and use our own protocol?
[Edit: 2021-02-09 at 16:18 localtime]:
I managed to use our proprietary TCP/IP protocol to connect from the web server to the flexOS in the page_load of the ASP.NET web page.
So basically it should not be a problem to use the underlying library to read data directly from the flexOS.
OT: Should I post subsequent ASP.NET questions here too, or open some more questions?
We decided to follow this concept:
the webpage is using a websocket connection to our application flexVisuWebServer and this application uses our proprietary TCP/IP protocol to talk with flexOS.
I'm working on a project in which we need to authenticate the user in an application by using his/her Windows credentials. The frontend is using AngularJS and the backend Java.
After doing a sensible amount of research, I discovered that there is no way on the frontend to obtain the Windows user & pass directly due to security concerns.
But I'm thinking that the whole process should start here, from the frontend, by obtaining these two encrypted credentials or at least a token and sending them to the backend in order to kickstart the NTLM authentication process.
And also, I am not sure if the user should have to log in to the app by typing his Windows credentials or if it should automatically be done with NTLM passthrough.
I do not have a good grip on the concept, and that is because most of the related sources that I found are referring to backend solutions (C# 80% of them), but almost nothing for the frontend. So, I humbly require some clarifications on this topic. Is there some sort of middleware or npm package that I should use in order to obtain the user & pass, or what would you advise?
Web servers expose certain server variables to code handling requests they serve.
For me, using IIS, these are described here: https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524602%28v%3dvs.90%29
Since I am using IISNode (my Node.js environment is completely embedded into IIS), I have access to these server variables. As the link describes, each programming language seems to have its own way to access these variables.
So I would doubt it if Java does not have those as well. The exact code to use will depend on your back end.
But a quick search for "java server variables" already yields me the following:
https://docs.oracle.com/cd/E19534-01/820-3288/gawim/index.html for the Java Access Manager.
http://users.polytech.unice.fr/~buffa/cours/internet/POLYS/servlets/Servlet-Tutorial-CGI-Variables.html for old school JSP.
"How can I obtain server variables using apache wicket 1.54?" for the Java Wicket server.
So have a look at the documentation of your specific web server software or Java API.
There should be a list and example code of how to access these.
Once you obtain this data server side, you can do the LDAP query and then return the results client side.
I've implemented the shell of a microservices-based REST API application. I have simply followed the guides in Pivotal Spring's own documentation using Eureka and Ribbon for load balancing. Everything works. I have a discovery server with a handful of independent services which can register with the discovery server.
Now, my problem is that I might prefer not to write my client-side app in Java - maybe Angular or node.js, etc. However, the load balancing and connecting to the discovery server is all done in Java in the examples I've followed.
Is it possible to use JavaScript to do the same things that the Eureka client does with the Spring Boot microservices so that I don't need to be constrained in my choices of browser client technology? Does anybody have any advice for how this should be approached? I had difficulty finding any articles that cover this, to be honest.
Yes. Definitely, you can choose the technology of your choice for developing the front end application. From your front end application, you make calls to the API endpoint that you expose via your Spring Boot application.
You might want to expose your services via a single API gateway that will help you route requests to the designated microservices using your discovery server.
Actually you should not be doing load balancing/service discovery etc. in the front-end. So the question about whether it is possible in JavaScript or with which libraries is irrelevant.
Typically you'll have an API gateway or a (load balancing) proxy which works with your service registry and routes requests accordingly. In the current project we use Consul for service registry and Nginx + consul-template as proxy. We plan to migrate to some API gateway.
With this setup your front-end will connect to just one central endpoint which would do load balancing/routing to individual service instances behind the scenes. Thus your front-end will not need to implement anything like Eureka/Ribbon etc.
I had to perform mutual authentication with certificates between a JavaScript client and a server running Tomcat.
I changed the configuration of my server so it will find the trust/key store.
But for the client part, I found many examples with a Java client using javax.net.ssl to define parameters (keyStore/trustStore), but I did not find anything for a JavaScript client.
Is it possible, and how can I do it?
Thanks a lot!
I am developing a RESTful web service. This web service will serve as a Web API to the outside world to get some data from our system. So, it will be consumed by other external clients: mobile apps, JavaScript clients, etc. For security, it will require Basic HTTP Authentication: user name and password sent as clear text over HTTPS.
So, I want to put together a proof of concept JavaScript application to demonstrate how one would use this API. But I don't want to hard-code the user name/password in JavaScript code, since it can be viewed in the page HTML source. In fact I don't want JavaScript to be involved in authentication at all. So, I was thinking of having another web page for server to server authentication. So the client's server sends credentials to the Web API server, then the Web API server issues a token valid for one session only, and after that the client server uses this token in JavaScript.
Is this the right approach? If not, what's the "best" solution for this scenario? I am sure this was done before. Any articles or code samples will be much appreciated. Thank you