I am trying to develop a REST API in spring boot and having React as the frontend. React will send GET or POST requests happening on the frontend to modify the MySQL DB in the backend via REST API. In my application, A user can have multiple companies inside the application and each company data is isolated from one another. I have come across Multi-Tenancy in Spring boot. How can I do this implementation for REST API ?? How can I configure my React application for this multi-tenancy?? Is Reactive Core in spring is useful??. Any resources where I can find these answers so that I can implement it. Or any other better way to implement this use case. Please, someone help me. Google results have confused me a lot
You could read a lot about this if you focus on little more details than a broad topic search in Stackoverflow
Here is one way you can achieve your requirement.
React App authenticates your end-users
There will be an API call from UI to get the list of accessible tenants
The list of tenants will be shown in the UI like in a dropdown
The end user will choose a tenant
Once chosen, untill a change next time, you will pass the selected tenant in all the API request headers so that you are identifying the tenant context of the user that is requesting for the data.
Regarding the data-isolation, you do have a lot of options explained in stackoverflow and people have multiple approaches depending on the multi-tenancy levels of course.
The above are the steps that you could achieve in any language (java in your case)
In case of choosing whether your API's are Reactive depends on the business needs. However you should be able to weigh the differences between the aync and reactive implementations, both have their needs, so identify the requirement and choose an approach that suits.
In case you need help in choosing the right approach for a given scenario, do share with us the scenario, how you did it and what you have issue / doubt and the community will be happy to help you.
Related
I'm planning to build web application on top of a REST api. I have been thinking about 2 different ways to write web UI layer for controlling the views, user session management, etc.
One way : Just write everything in Javascript using Angular or similar frameworks. But, the problem I see here is, user session management and also it may not be good idea to expose everything to client. I'm thinking anybody with good knowledge of web design, can find out javascript logic and end points.
second way: Write a thin controller and user session management layer on REST in may be Spring web mvc project / Node JS, etc, and control everything from there. But, the problems I see here are, we have to have some end point lookup logic here, to map web ui request to REST end point. Everytime, we we add more end points, we have to maintain that catalog as well. Also, the JSONs will go through many transformations, and which may add some overhead.
can anybody suggest some architecture ideas for this ? Am I missing anything here ? Can we write secure Javascript web ui layer on REST ?
I was also thinking about having Message broker like RabbitMQ to scale it. Any suggestions are appreciated.
Thanks in advance.
You should first decide on how you divide responsibilities between the client and the server. What do you want the server to do, and what do you want the client to do? You already figured out that the server should hide the sensitive information, to keep the application secure. Is there anything else you need from the server? If there is a database, you probably also want to let the server handle all access to the database.
Notice that there are also alternatives such as Firebase, where they take care of the backend for you, and you focus on the front-end mainly. Might save you a lot of work on authentication, and data access.
You also need to think what kind of communication style they will be using? If it is Request-Response, then REST is suitable. If it is some kind of bidirectional messaging such as chat, I recommend to take a look at Meteor. In Meteor, you write in Javascript for front-end, back-end and mobile.
You mentioned that you're concerned with having to transform your Jsons often. If you do your server-side with NodeJS, this problem disappears. It's Javascript on the server-side.
There are many ways to implement an application. You can more specifics about what you're trying to do, and then we may recommend the frameworks that are better for you.
I have set up a Symfony based API which is being used by an Angular front end which is totally dependent of it (User registration included)
I have read multiple threads recommending using WSSE or FOSOAuthServerBundle but I'm not sure about the best method ?
If I understood correctly, WSSE has to send for each API request x-wsse headers which make me think it is not the best suited for performance.
About the FOSAuthServerBundle I have never used it and looks a bit complicated to me compared to WSSE, thus that's why I'm asking there before trying to implement it.
I have 2 simple groups of user (basic and admin), what would be the best way to secure my API, additionally providing an easy way to keep user persistence (I mean accesses through the different pages)?
How should it be in the Angular front side ?
Thanks for your help.
Refs: http://blog.tankist.de/blog/2013/07/16/oauth2-explained-part-1-principles-and-terminology/
http://obtao.com/blog/2013/06/configure-wsse-on-symfony-with-fosrestbundle/
It all depends on what your requirements are.
First of all, OAuth 2 is an authentication mechanism/spec which you can use in combination with sessions/bearer tokens/... This also applies for local accounts (since you want to do user registration).
FOSAuthServerBundle is a bundle to implement the server-side of the OAuth2 specification. This basically means you can expose your OAuth2 side of the API to other applications and allow them to use your accounts to authenticate. Think google login, twitter login, etc but for your own app.
This all has nothing to do with the way you validate / authorize your requests after the initial login has taken place.
Do you want to implement stateless authentication? Then I would recommend using the new JSON Web Token (JWT) specification.
See Symfony Bundle (LexikJWTAuthenticationBundle) and JWT description (JWT.io)
There are many resources on it from the angular side of things and the API part is pretty straightforward.
WSSE does not seem suited to implement in a RESTful API and I have no experience using/implementing it so I cannot comment on it too much.
I am trying to develop a web application that can communicate with another web application. App1 is an app developed using Angular.js and Struts2. This apps sole purpose is to perform search queries on several databases and returning the information about the products for the user to view. App2, the current app I am developing, will be developed using Angular.js and Flask/Python. This app will be responsible for storing the products the user selects in a shopping cart and allowing the user to make a purchase.
I am stuck as to how to get the two applications to communicate(passing login information, selected items ids, etc.) with eachother.
I have tried passing information via a url redirect (http://www.example.com/?myVar=someData&...) but Angular is giving me a lot of trouble to try and get around that. Even if I can get this to work, I think it would be insecure as data the user shouldn't know will be exposed in the url.
My second thought would be to somehow access the session data from App1 in App2 but that could also lead to security issues.
My final thought would be to some how make a call to App1 that returns a json object that can be parsed in App2 but I am not entirely sure how to pass that information along.
How can I get the two applications to communicate with each other?
Thanks for your help
In my opinion this isn't really within the scope of AngularJS. However, I believe that the best, most accepted practice for communication between web applications in this day and age is RESTful Web Services.
It's not a small topic, but once you get the concept behind it you can use it in any programming language that supports web applications (Java which I'm assuming you're using because of struts has multiple REST libraries, I prefer Jersey but that's just me).
It's also an amazing way to use your Angular front end to talk with its own back end. The entire Angular $resource framework is built around the idea of using RESTful services.
Check out this link on Wikipedia for a brief synopsis of what makes a service RESTful: http://en.wikipedia.org/wiki/Representational_state_transfer#Applied_to_web_services
Now, that applies to most of what you asked. As far as login information is concerned, that's going to depend on your security implementation. A lot of times you can put information like that in the header of a web services request, and only accept requests that come from trusted servers, etc. but there's a good bit of stuff to understand there. It's an entirely separate topic.
Hopefully this helps you get started. Let me know if you'd like more information or pointers.
I've created a angularjs app which uses php for handling the database queries and enforcing an authentication schema.
When the user logs in into the app, he does so in php and php fetches the user data into a session. Then angularjs issues a http post request to a php page to read the fetched data.
After that, whenever a user asks for data, angular issues a post to a php page.
I'm considering using a framework for doing the authentication and the database queries in a better way. My security knowledge is primitive and I fear that I have mistakes in my code.
After doing a research I found laravel which seems straightforward and easy.
Now my questions are:
Can a php framework such as laravel do these things for me?
Is there something else I could use to have people authenticate and making sure that they are doing the CRUD operations they are authorized to do?
What are the keywords I'm searching about, is it routing, is it php restful? I'm asking in order to do further research on the matter.
Is there any other way in which a SPA could work with CRUD operations and Authenticating in a "safe" manner using php?
I know that the above questions are not programming questions per se, but I don't know where to ask (because I feel I cannot communicate what I want to learn about/ *that's why the keywords question above).
Thank you
There's basically two kinds of relevant "routing" both based on URLs, either client side or server side. AngularJS has the $routeProvider which you can configure so when the location changes (handled by $location) the client side template and controller being used also change. On the server side you may have redirects or "routes" that map a URL to a particular PHP file (or Java method) where at the destination it parses the incoming URL to get extra information/parameters.
I know nothing about laravel, but googling laravel and authentication came back with this which looks promising:
http://bundles.laravel.com/category/authentication
I also know things like Zend framework provide many similar options for plugging in some authentication code.
Ultimately if you're writing the CRUD operations something in your code is going to have to do deal with the role based execution of code or access to data.
RESTful is it's own thing. At a very basic level a RESTful interface uses HTTP "verbs/vocuabulary" like PUT, POST, DELETE, GET (part of the request headers which is just data that comes before any body data in the request) are given special meaning like update an entry etc. It's mostly orthogonal to the issue of authentication though if you do true REST I'm not sure if using the SESSION for maintaining authentication would be allowed since it's not completely stateless in that case (anyhow just an academic argument). Point being you can use the other ideas of REST or use some implementation that is "RESTful" and it can be written in any language or you can choose not to do this, either way you still have the issue of controlling resources (functions/methods/data) that you want to control and this issue is not the same as choosing RESTful or not RESTful (if you wanted to keep true to REST for reasons of scalability across a cluster of servers etc. you could follow guidance here How do I authenticate user in REST web service?). Also to note here the $resource in AngularJS provides an abstraction above $http specifically for handling restful services.
IMHO you should be searching for two things
1 php security/authentication
2 php hacking/hacks/vulnerabilities
You can simply write your own authentication mechanism using a session to keep track of the signed in user. http://php.net/manual/en/features.sessions.php There is no difference in a SPA vs a traditional web app as far as the server is concerned, these are simply differences in the client side code.
Any security you intend on putting in place is really only as good as your understanding of that security. I wouldn't trust someone else's plugin from the internet to handle authentication for me unless time was an extremely critical factor and security not so much. One thing that you hadn't mentioned but I think is worth looking into and necessary for any of this to really be secure is SSL. If you don't have your data encrypted there is always a possibility of a man in the middle attack (someone getting the plaintext username and password as their submitted to the database) or session hijacking (someone getting the sessionid of an active session then using that to act as the original user). Basically I would suggest you keep doing research regarding best practices and personally look over any code you plan to use to be sure you understand how it's working and what kind of security it provides you with.
I also wanted to mention, though it's a bit off topic languages wise, that Java Spring has some really nice stuff for dealing with authentication and handling access to services and data. If security is a major concern I would probably strongly consider running a Java server (not to say Java has never had it's issues or that it's automatically more secure but there's a lot of production code that has withstood the test of time). There's the free Tomcat J2EE Server or IBM WebSphere if you need to massively distribute an application. If interested search for Java, Spring, Hibernate (ORM), MyBatis, Data Access Objects. Those are all the parts (some optional) I can think of you would need to put together a service layer in Java. Good intro in the video on the left of this page:
http://static.springsource.org/spring-security/site/index.html
Also SSL isn't a silver bullet, but every layer of security helps.
Kevin Mitnick said in one of his books that lots of places have "hard-shell candy security" (paraphrasing) where breaking the outer layer means you get to all the mushy goodness inside. Any direct answer I would bank will result in this type of security.
Depending on the scope of the project it might be necessary to have security professionals do penetration testing on the system to determine if there are vulnerabilities so they can be plugged.
I'm currently in the process of dating the data from other networks by the use of Gigya to allow users to login to my site and then post the data with php to my database.
I don't know if this is the best option available as they aren't precise on installing it to post the data etc; they put everything in sub sections on how to do individual things.
I'm curious if there is a custom tutorial on using a different service or making it myself. I've read the API's and developements of some of the site, and facebook using JSON apparently, which I'm not familiar with.
You have two elements in your question.
First, authentication. There are several services offering you multiple networks authentication, but using several of them for a single user is not as common: you will most likely have to do it yourself. To handle multiple identities in parallel, your server will have to store them and manage the session on its own. Gigya is one authentication solution, there is also two other good ones:
http://www.janrain.com/products/engage/social-login
www.clickpass.com/docs (still under development)
Then, using api. To do that, you will have to decide what to do and then call the API yourself using Javascript SDKs or server-side ones. Notice the authentication will need to provide you with oauth (most common authentication method) keys to post messages or fetch data. More here:
developers.facebook.com/docs/api
developer.twitter.com/doc
One thing worth noting about Gigya. The have a function called "showAddConnectionUI" which basically lets users establish simultaneous connections with multiple social networks. For example, once a user authenticates to your site w/ Facebook, they can also connect with Twitter and Google if you want to allow this. The nice thing is that Gigya manages these identities for you so you technically don't have to implement anything on your side... just call their getUserInfo function and they'll return a collection of identities.
Not sure if that helps... we use this functionality on our site and it works well. Here's the link to showAddConnectionsUI:
http://wiki.gigya.com/030_API_reference/010_Client_API/020_Methods/socialize.showAddConnectionsUI