I am trying to do a silent login (redirect) to an ADF application directly from a Java POST method by setting input parameters, including username and password, in a JSP. But it seems this way doesn't work with an ADF application as it usually does with Java applications. Currently I see the ADF application page saying:
Because of inactivity, your session has timed out and no longer active.
I do not have much idea how an ADF application's login module works internally.
I'm looking for any insights on this, or any idea why the above method cannot work with an ADF application.
Thanks.
We have an ASP.NET Core (v3.0) Web API backend (no auth yet). The frontend is going to be a SPA (React).
The frontend will basically be an admin panel, meaning the website's home page should be just the login page. We are planning on using IdentityServer4 for auth (separate project). If we create the IdentityServer4 project (MVC) it will have its own login form/page. Since opening our client website (React) should open the login form, and a popup or iframe is not the way we are considering, what is the best way to accomplish this?
I've done some research and it seems it is possible to make our login form in the React client and send the user's login and password to IdentityServer4 if the client is set up for the ResourceOwnerPassword flow. But it is not a secure or recommended way. I've read a lot of questions on SO and a lot of articles, but they are outdated and most of the samples in IdentityServer4's repo are deprecated.
Questions:
Another way we are thinking of is, on home page load, to just redirect to the IdentityServer4 login page (MVC) and after login redirect back to our website. Is this a proper way of doing it? Will the user see the redirection, or will there not be much difference, since the user opens our website and it seems like the home page?
What type of GrantType should I use for this case? Hybrid?
Is it possible to make a custom login page like in React?
What is the best way of implementing it?
Thanks for any advice, and my bad if the question is a duplicate; I spent a couple of days trying to figure this out but couldn't.
Edit:
Now IdentityServer4 with a JavaScript client is available in the official IdentityServer4 repository: https://github.com/IdentityServer/IdentityServer4/tree/master/samples/Quickstarts/4_JavaScriptClient
Also, I cloned it and changed it a little bit, so IdentityServer4 and the Web API are in a single project: https://github.com/Jamaxack/IdentityServerSPA
Is this a proper way of doing it? Will the user see the redirection, or will there not be much difference, since the user opens our website and it seems like the home page?
That is the recommended way: redirect the user to the identity provider's login page for sign-in. The Resource Owner flow is not recommended, as you said, for security reasons.
What type of GrantType should I use for this case? Hybrid?
You can use Proof Key for Code Exchange (PKCE), which is already the official recommendation for native applications and SPAs. See Grant Types for more details.
Is it possible to make a custom login page like in React?
You can fully customize the identity server's login user interface and identity management system: customize the IdentityServer4.Quickstart.UI, ASP.NET Identity, or your own identity provider services.
In addition, ASP.NET Core 3.0 or later offers authentication in Single Page Apps (SPAs) using the support for API authorization. ASP.NET Core Identity for authenticating and storing users is combined with IdentityServer for implementing OpenID Connect:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-3.1
1) You can use a flow something like the one below:
'First, load the react project. then check for the token/user object. If there is no token/user, then redirect to the MVC project from react project. You can have the login page in MVC'
2) Use Implicit grant type
3) Yes. You can make customizations in the MVC login page.
4) In order to do that, you can use the oidc-client npm package in the React project. For the identity, use the Quickstart template from the IdentityServer4 documentation.
I've got a web app developed using AngularJS for the front-end, Java EE for the server side and a Java RESTful API to connect both ends. I am using GlassFish for the development process, but the solution should be compatible with WebSphere, WildFly (not as important as the other three) and WebLogic (it doesn't need to be the same approach for all of them, but that would be ideal).
So both the front-end and the RESTful API authenticate against the server, which was solved by using BASIC authentication, and only ONE username/password combination was asked for. Then I changed BASIC to FORM (using j_security_check) so I could design a proper login page. After having changed this, first I have to log in using the form and then I have to log in against the REST API as well, which is not what I want. So I've been trying different approaches ever since without any success.
Things I've tried so far:
Create a filter so I can capture username/password and add them to the header of the RESTful calls so no login info is asked for after the form login page -> doesn't work in GlassFish
Change the login form specified in the web.xml for one developed by myself using Angular so I can capture username/password and use an injector to add them to all the calls to the RESTful API -> Cannot log in against the server since it doesn't accept any of my attempts, either rejecting them or saying that the page doesn't exist (probably doing it wrong but couldn't find much info about this...)
Using web.xml form authentication, try adding an Angular controller to capture the username/password and use an injector (Angular doesn't work with the login page using j_security_check)
Capture the response from the server on login so I can use the session to authenticate when using the RESTful API (don't know how to capture the response in the form page...)
Any thoughts are more than welcome after almost two weeks trying to make this work.
If you need more information or an example of any part of the code, please just say and I will add it to the question.
Thanks!
I would like to create a new AngularJS / Web API single page application. Does anyone have any examples that show how I can set up a user login screen that connects to a Web API controller for a simple login (no need for Google/Facebook login etc.) that uses ASP.NET Identity and without the need for user registration?
Also, how can I handle showing a new view once the login has been completed? What I would like is to have a solution that does not show routing in the browser URL. So, for example, I would like to be able to switch from the login view to a couple of other different views without the URL changing from www.abc.com.
In other words I would like to avoid showing www.abc.com/login, www.abc.com/screen1, www.abc.com/screen2
Any advice would be much appreciated.
So, instead of trying to find an example, I created one instead (link at the bottom). To explain how the functionality works, I want to go over a few things:
The new ASP.NET Identity system provides an OAuth 2.0 Bearer token implementation which can be used with clients that consume a Web API resource over HTTP. Since the authentication is not stored in a session cookie, the server is not responsible for maintaining the authentication state. The side-effect is that the consumer has to manage authenticating the server and managing the returned token. This is the system that Microsoft uses in the SPA template that it provides with VS 2013.
AngularJS makes no assumptions about authentication, so it's up to you how to authenticate.
AngularJS provides the $http service for querying remote HTTP-based services as well as $resource which is built on top of $http. Using Authorization headers with the Bearer token implementation above, you can combine both to provide authenticated access to server resources over HTTP. AngularJS allows you to set a 'default' Authorization header which it will use in every subsequent HTTP transaction.
With that in mind, the way I accomplished this is by creating a User service that handles all of the authentication details, including setting the HTTP Authorization header, between the Web API server and the SPA. Based on the authentication status of the user, you can hide certain UI elements in order to prevent navigation. However, if you also define the state as requiring authentication as a property of the resolve object for the state, a watcher set on the $stateChangeError event will capture the error and redirect the user to the login form. Upon proper authentication, it will then redirect the user to the state they were trying to navigate to.
In order to prevent authentication from being lost between browser sessions (since the client is responsible for maintaining the authentication token, and that token is maintained in memory), I also added the ability for the user to persist the authentication to a cookie. All of this is transparent to the user. For them, it is practically identical to traditional form-and-session based authentication.
I'm not sure why you want to prevent the user from seeing the routes, but I have coded it as such. I am indebted to Sedushi's Plunker example of how to use AngularUI Router to navigate in a stateful manner without using URLs. Still, I'm not sure I can personally recommend this for any application I would write on my own.
The full solution (both the WebAPI and the WebUI) is available with step-by-step instructions here.
Let me know about any specific part that is unclear, and I will try to make it more clear in the answer.
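As an added example (not the answer author's code, nor the linked solution), here is a framework-free sketch of the pieces the answer describes: a user service that owns the bearer token, a default Authorization header applied to every request it makes, opt-in persistence so the token survives a reload, and a route guard that plays the role of the resolve property plus the $stateChangeError watcher. The token endpoint path, `fetchImpl` and `storage` are assumed injections so the module runs outside a browser; the form-encoded password grant is the shape the ASP.NET Identity bearer endpoint in the VS 2013 SPA template accepts.

```javascript
// Added example, not from the original answer. Assumed: a token endpoint that
// speaks the OAuth 2.0 password grant, a fetch-compatible `fetchImpl`, and a
// `storage` object with get/set/remove (a cookie or localStorage wrapper).

function createUserService({ tokenEndpoint, fetchImpl, storage }) {
  let token = null; // bearer token lives in memory; the server keeps no session

  // Exchange credentials for a bearer token. Returns false on bad credentials
  // (caller shows the form again) and throws only on a malformed response.
  async function login(username, password, remember = false) {
    const res = await fetchImpl(tokenEndpoint, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ grant_type: 'password', username, password }).toString(),
    });
    if (!res.ok) return false;
    const body = await res.json();
    if (typeof body.access_token !== 'string' || !/^bearer$/i.test(body.token_type || '')) {
      throw new Error('token endpoint returned something other than a bearer token');
    }
    token = body.access_token;
    if (remember) storage.set('auth', token); // opt-in persistence across reloads
    return true;
  }

  // Re-hydrate the in-memory token from persistent storage on app start.
  function restore() {
    const saved = storage.get('auth');
    if (saved) token = saved;
    return isAuthenticated();
  }

  function logout() {
    token = null;
    storage.remove('auth');
  }

  function isAuthenticated() {
    return token !== null;
  }

  // Equivalent of $http.defaults.headers.common.Authorization: every request
  // made through here carries the bearer token; requests made elsewhere do not.
  function authorizedFetch(url, init = {}) {
    const headers = { ...(init.headers || {}) };
    if (token !== null) headers.Authorization = `Bearer ${token}`;
    return fetchImpl(url, { ...init, headers });
  }

  return { login, logout, restore, isAuthenticated, authorizedFetch };
}

// Route guard standing in for resolve + $stateChangeError: states flagged
// requiresAuth bounce to 'login' while remembering where the user was going,
// and afterLogin() hands that target back once login succeeds.
function createRouteGuard(user) {
  let pendingState = null;

  function check(stateName, stateDef) {
    if (stateDef.requiresAuth && !user.isAuthenticated()) {
      pendingState = stateName;
      return { allow: false, redirectTo: 'login' };
    }
    return { allow: true };
  }

  function afterLogin(fallback = 'home') {
    const target = pendingState || fallback;
    pendingState = null;
    return target;
  }

  return { check, afterLogin };
}
```

Keeping the token out of the UI layer and behind one service is what makes the "hide elements when logged out" part safe: hiding a button is cosmetic, while the guard and the Authorization header are what actually stop an unauthenticated client from reaching a protected state or resource.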
Refer to the following blog for the demo of a single page application (SPA) for ASP.NET Web API 2 and AngularJS, developed by the team at Marlabs.
http://weblogs.asp.net/shijuvarghese/archive/2014/01/25/demo-spa-app-for-asp-net-web-api-2-and-angularjs.aspx
The app is built with the following technologies:
ASP.NET Web API 2
EF 6 Code First
AutoMapper
Autofac
Semantic UI
AngularJS 1.1.5
The application is published on github at https://github.com/MarlabsInc/webapi-angularjs-spa.
@DavidAntaramian gave a great example. But if you want a simple one, you can look at this HOL from Microsoft.
Their latest example on GitHub uses .NET Core, but you can download the release from October 2015.
I have created a Silverlight login page. I use a PasswordBox in that page and use this solution to do MVVM in my application. BTW, after I read this answer I realized that the current solution is not secure.
I want to know how can I improve security in my solution even though it will break MVVM.
You should send the password over HTTPS. The Session ID should also be transmitted over HTTPS at all times or you would be violating OWASP A9 - Insufficient Transport Layer Protection.
I always consider my Silverlight applications in the context of the website they're running on. So, if the user logs into the website, I don't want them to have to login again when they get to the Silverlight app that runs from the website.
As such, I do not have a login screen in my Silverlight app. The folder that contains the Silverlight app redirects back to the ASP.Net login page and the user logs in there before ever entering the Silverlight app. Once that is done, the Silverlight app can get the user's details by making a request to the server.
I'm just wondering if there's any way for a WPF application to integrate with Windows Live ID?
It's actually for Windows HealthVault [www.healthvault.com].
So HealthVault is using Windows Live ID or OpenID to log in to their system.
What I'm going to do is create a WPF application (instead of a web application) for HealthVault, so the whole login form, username, password and everything is handled inside the WPF application without showing/using any internet browser.
Since this is quite new for me, I hope there's somebody who has done this before, especially for the HealthVault system running in a standalone WPF app.
Alright, so that's it,
thank you in advance!
You need to use "offline" authentication, instead of "online" authentication.
Online authentication requires the user to log in every time through a web browser. This is good for web applications, but not good for applications like yours.
Offline authentication lets your application access the user's HealthVault record any time it wants to. The user never has to login. To use this, the user must go through a one time connection process. This is done using a connect-request. After the user goes through this process, your application is given two authentication tokens: a person-id and a record-id. These are what your application uses to connect to the user's HealthVault record, so they should be saved to a database or somewhere similar.
This MSDN page should help: http://msdn.microsoft.com/en-us/healthvault/cc507205.aspx