How to implement Authorization for Admin Application in react - reactjs

I know normally I have to ask questions about specific code problems. But I need advice to get started at all. I was thinking about making a webapplication with react the application is a admin controll pannel things like, employee costs, orders and so on for a family business. For the authentication part I wanted to keep it simple and do it with google but before doing that, I wanted to ask the experienced developers here if that makes any sense or if I should use Jhipster/Keycloak.
Benefits of google would be I think it is easier to implement and the security part would be handled by google but what could be possible problems? I hope someone could give me a good advice.
with regards

Using Keycloak/JHipster would probably be overkill for a simple family business application.
I would rather use simpler authentication types offered by JHipster that do not require external applications like session. An alternative would be to use provided Okta integration, this way you get a ready-to-go solution.
If you want to use Google, then you'll have to use spring-security-oauth2-client and build your own solution on top of Spring Boot or adapt JHipster generated app if you still want to use JHipster.
Also, do you have decided of where you want to deploy your app? Your cloud provider could offer a good integrated solution for authentication.

Related

Web App Architecture design with REST on Java Stack

I'm planning to build web application on top of a REST api. I have been thinking about 2 different ways to write web UI layer for controlling the views, user session management, etc.
One way : Just write everything in Javascript using Angular or similar frameworks. But, the problem I see here is, user session management and also it may not be good idea to expose everything to client. I'm thinking anybody with good knowledge of web design, can find out javascript logic and end points.
second way: Write a thin controller and user session management layer on REST in may be Spring web mvc project / Node JS, etc, and control everything from there. But, the problems I see here are, we have to have some end point lookup logic here, to map web ui request to REST end point. Everytime, we we add more end points, we have to maintain that catalog as well. Also, the JSONs will go through many transformations, and which may add some overhead.
can anybody suggest some architecture ideas for this ? Am I missing anything here ? Can we write secure Javascript web ui layer on REST ?
I was also thinking about having Message broker like RabbitMQ to scale it. Any suggestions are appreciated.
Thanks in advance.
You should first decide on how you divide responsibilities between the client and the server. What do you want the server to do, and what do you want the client to do? You already figured out that the server should hide the sensitive information, to keep the application secure. Is there anything else you need from the server? If there is a database, you probably also want to let the server handle all access to the database.
Notice that there are also alternatives such as Firebase, where they take care of the backend for you, and you focus on the front-end mainly. Might save you a lot of work on authentication, and data access.
You also need to think what kind of communication style they will be using? If it is Request-Response, then REST is suitable. If it is some kind of bidirectional messaging such as chat, I recommend to take a look at Meteor. In Meteor, you write in Javascript for front-end, back-end and mobile.
You mentioned that you're concerned with having to transform your Jsons often. If you do your server-side with NodeJS, this problem disappears. It's Javascript on the server-side.
There are many ways to implement an application. You can more specifics about what you're trying to do, and then we may recommend the frameworks that are better for you.

liferay like restfull api mobile

I have a app and I need develop a restfull api to be used for this app.
Is liferay a valid option to develop this (using the service builder and persistence layer of liferay) to expose my service api to be used for the app?
I have in mind the performance and availability to this services.
what another option (to develop the api rest) i should consider for this purpose
Thanks
I expect for your replies.
Regards
Liferay can act as a rest server by service buider (I'm not sure it will support any RESTful operation, but only GET/POST).
By this way you can inherit the interesting features provided such as:
- users, roles and groups
- ready scalable platform
- hibernate+ehcache already configured
Ecc... by the other hand, it will bring a great burden to you... so in my mind, if you are interested to other Liferay native features, then you can use it.
On contrary, there are other ligther frameworks for achieving your needs (just think to Spring MVC, it can implement any other restful method, like so PUT/DELETE... and it is more configurable)... so in this case it will ask you to do a bit more work by hand... but you will not "fight" with a complex platform if it is not necessary.
(In the first hypothesis, don't forget to give an eye to the "Liferay Mobile SDK")
thanks for answer.
In fact, I am interested in use the features of liferay like users, groups, profiles, persistence layer and the web content to manager some resources in the app.
My question is thinking in the performance and scalability of the services layer for this app, if is factible use only liferay to expose all the service to the app need and if her performance will be appropriate.
regards.

Which is the better way to store my logincredentials(remember me option) and maintain session throughout the application in angular js

Iam developing angular js web application .I want to store the login credentials when the user checks on remember me option.can any one please suggest me which is the better way to store the details of user (local storage or cookies or etc).And I want to maintain the session throughout the application ..please give your suggestions.
Thanks in advance
There are already plenty of solutions for that kind of stuff. As this is a serious security issue, I would recommend to use one of those instead of "reinventing the wheel".
Whether the system is using cookies or localstorage doesn't really matter at the end of the day. It is however a bad idea in general to store the actual credentials. Instead, use a token-based system that will do a server-client handshake on request.
Personally, I am working with Firebase and Express at the moment.
Firebase
Firebase is "backend as a service". They offer a free plan for production usage, have a look at it. If you like it, things are pretty easy here. You pay money and get a full-featured REST-like "backend" with built-in user management (See Firebase doc's for SimpleLogin). All you have to do is calling service methods.
Express
This is the DIY way. If you want to have full-control and a free way of doing things, this is the way to go. I am no Express master, so you better have a look at some Tutorials (http://expressjs-book.com/forums/topic/express-js-sessions-a-detailed-tutorial/)
If you don't like neither Firebase nor Express, have a look at other Backend-as-a-service offers. You could even use PHP. I would assume that one could say that this is the oldschool way of implementing user sessions :)

Cleanly integrate login from Facebook, Google, Twitter, etc. into CakePHP?

Summary of the question:
I would like to create a CakePHP based registration and login system offering multiple different gateways such as OpenID, Facebook, Twitter, and so forth. I would like the system to allow a user to associate multiple forms of identification with their account.
After much searching, I am turning up a blank on anything that would allow more than one method of authorization. Cake's authorization system does complicate the matter, so using a tutorial for general PHP is not really effective. Does anyone have a solution, or somewhere I can start from?
Example:
To give a simple example, looking at the StackExchange network: you can login/register using a stack exchange account, Google, Yahoo, Facebook, or OpenID. Once logged in, you can add more of these methods to your account so that you are recognized a multitude of ways. I realize StackExchange probably isn't written in Cake, but it serves as an example.
Thank you!
Original Question
Here's the scoop: I'd like to integrate a simple registration/login system for each of the main services that offer oauth/openid in CakePHP.
Basically, I'd like my users to be able to register the old fashion way (including validation e-mail) or using an existing service to verify themselves. I'd like them to be able to login afterwards using that service, or with a username and password.
Now, I have found extremely in depth plugins for full facebook integration and the like, but the bottom line is that I want to just use this for registration and login at this point, and I would like the experience to be the same regardless of which service they choose (plus, I'd like to understand how it works... because this is all about learning CakePHP after all).
I'd also like them to be able to link other services once the account is created if they so desire. In a nut shell, they're account should be able to be linked to any number of login services, or none at all.
How on earth do I go about this?
Thank you,
James
Looks like there is now a third-party library available using Opauth as detailed on this bakery thread
Here is the CakePHP version's github page:
https://github.com/uzyn/cakephp-opauth
Great question - our CakePHP development studio may be looking at this in the coming months also. I suspect you'll have more luck researching this as a general PHP question and then how you can port that solution into Cake. Definitely post back with anything you discover.
You might find this thread a helpful starting point, although it was posted back in 2010:
Best way to implement Single-Sign-On with all major providers?

User API for Google App Engine far too restrictive?

Looking at the Google App Engine API, it seems that despite all its great features, the User API is extremely limiting. It seems you can only authenticate people who have a Google account, or use an OpenID account, or via some OAuth kung fu (handshaking with a Facebook account etc).
This appears to be a major stumbling block for anyone who wants a proprietary user base by creating user accounts within the application. In short, I don't want my users to have to use or create a Google account to access my app.
Has anyone else come across this limitation and has it been a deal breaker for using the GAE? Am I missing something? It is possible to deploy my own Spring based security etc within the app and use my own User API? Comments on this issue greatly appreciated. Thanks.
You're free to completely ignore the Users API and implement your own authentication system, as you would in any other hosting environment. Nothing about App Engine prevents you from doing so.
The Users API is just there as a convenience, in case you'd like to spare yourself the effort of re-implementing everything, and spare your users the inconvenience of filling out another sign up form and remembering another set of credentials.
You can always implement your own user management system.
In my application I have used spring-security for this purpose. spring security 3.0.1 works perfectly fine with app engine 1.3.5. There may occur some issues integrating other versions of both. I found below links extremely useful :
http://www.google-app-engine.com/blog/post/Spring-security-fix-for-google-app-engine.aspx.
http://www.dotnetguru2.org/bmarchesson/index.php?p=1100
http://groups.google.com/group/google-appengine-java/browse_thread/thread/964e7f5e42840d9c

Resources