I'm new to using aws , so really sorry if I'm asking something stupid.
I have built my angularJS app which using REST APIs that i made using spring boot. Since i call a session cookie from the same domain.
As most of my API authorizes users using http cookie
(www.example.com) and not (xyz.example.com)
I would now have to keep all my API's and client code coming from the same domain.
How can i manage that with aws ?
Any help would be great. Thanks
Related
I'm quite new to React.js. I tried to access the Spring Rest Api call through Axios and it worked. Would like to know how to add authentication to the same and is there any possibility to access Spring Login functionality through React Js. Please provide some suggestions.
I've a SPA (Angular based) published at my-example-domain.com and rest API (based on Laravel 5.3), exposed at my-example-domain.com/api.
All API are public, so unauthenticated user can use my Angular SPA and call backend API.
I would like to allow ONLY my SPA to call my backend rest API so, for example, nobody should be able to call my rest APIs through a rest client/curl.
How can I reach this goal?
What kind of authentication should I have to set up in my Laravel app?
Is Passport the right way?
You can't.
Your client is available to the public.
It runs in a browser, so all the HTTP requests it makes can be inspected by its users (i.e. everyone).
Anything you do to try to identify the request as coming from your client, can be inspected and replicated by anyone.
I am currently developing a web application that has separate API and Front end.
For production purpose, I wish to develop the web app locally while hosting the API on the remote server.
The issue is the API is behind a SAML authentication along with Mod Auth in second stage.
Using postman and wget I am able to access the API endpoint by adding a auth_tkt cookie in the request.However I am unable to access the same using AJAX.
I need help in executing the same.
Just to help anyone else facing similar problem. The solution to this problem is using chromium with disabled security. It sends your session cookies along with the request. Also there is no problem of CORS that was coming in picture before.
i am working on a spring rest project and using OAuth 2.0 to protect these API's from unauthorised access.
Frontend: Angular.js
Backend: Spring Rest+ Spring Security + Oauth2
Everything was working fine:
1) I got a token from backend using oauth with following uri:
..../oauth/token?grant_type=password&client_id=angularapp&client_secret=angularapp&username=user5#gmail.com&password=user5#123
2) I got a token from backend and use that token to acess the API's.
Now my problem is that, once i hit backend with /oauth/token?grant_type=password&client_id=angularapp&client_secret=angularapp&username=user5#gmail.com&password=user5#123
this uri, this is all there at page in angular js files, anyone can access them with view page source.
Please suggest a way to hide these credential at js level, some encryption or any other implement at backend if necessary.
Do i implementing it wrong? please suggest a right path
Thanks
The answer lies at JWT tokens. Dont use URL encoded.
In this situation, your Auth0 server and API server both share a secret encryption key. There are plenty of JWT frameworks you can use to avoid boilerplate coding. for instance: https://github.com/auth0/java-jwt
Any help, advice and experience is welcome.
Im currently having a separate AngularJS SPA on a Apache HTTP Server and a Spring Backend on a Tomcat 7 Servlet. The backend serves as a Rest API for the SPA.
Some rest resources will require a user to have a certain role.
I've been searching the internet for days on what and how to implement the best security strategy:
Basic Auth
Digest
oAuth
Stateless, Cookies? Sessions? Tokens? CSRF?
How would you go about communicating Spring Security in Json or XML to your SPA to show the user an authentication page or an "your successfully authenticated page"?
Any help is appreciated.
I finally figured out how to make the SPA authenticate with my Rest Backend.
In spring security I created a
Custom SimpleUrlAuthenticationFailureHandler which returns a HTTP-Unauthorizated if a login attempt fails.
Custom SavedrequestAwareAuthenticationSuccessHandler which returns Http-Oke if a login attempt is successful.
Custom AuthenticationEntryPoint which returns Http-Unauthorizated instead of a redirect.
Custom LogoutSuccessHandler which returns Http-OK.
I disabled CSRF.
If anyone needs more help feel free to let me know or message me.
I highly recommend watching this Spring's introductory video. It explains usage of Spring Security from ground up using Java configuration. Apart basic configuration, authentication and CLRF token usage also dive into field security. Uses templating on server with Thymeleaf though, but can provide a lot of wisdom for REST based app also.