I want to make an admin section with angular
not sure how to tackle it
1) should i go for authentication and authorization via angular
2) or house my angular app inside a PHP/ROR application which will take care of authentication
if 1) then what is the best practice or style that you guys recommend
This is what you need, the authentication should be server side however you manage it in angular with a service:
https://medium.com/opinionated-angularjs/techniques-for-authentication-in-angularjs-applications-7bbf0346acec
The authentication and authorization should be handled by a server controller with appropriate pages for login and register. Ideally you may want to have the admin sections to be all handled in a single controller so you can protect them against unauthorized access at a controller level.
On the angular side you will want to receive the authentication tokens and save them in local storage.
Since you mentioned a PHP server, Here is a small project I wrote for angular authentication against a Cake PHP server. The Readme has the basic concepts
Related
I am trying to implement Azure AD authentication in a SPA application.
I am using an OWIN Startup.cs file in the WEB API and ADAL.js file in the angularjs front end application. (as per most of the tutorials suggestion)
My application does not have WebAPI and UI hosted in different domains/port. Basically, the WebAPI is referenced in the UI application project. (So no need for enabling CORS).
Now I have registered the applications on the Azure AD separately.
i.e. ClientApp -> Reply URL: http://localhost:90/ and
WebAPI -> APPID SignOn URL: http://localhost:90/Api/V1/
I have configured the ADAL.js and also getting the login page when trying to access the application from the UI. Also, I am able to retrieve the id.token generated after logging through the URL redirection. Also have decorated the web api controllers with the [Authorize] attribute.
My main concern here is that, if I try to call the WebAPI directly using tools like postman, I am getting access denied/Unauthroized Access (401). Can someone pls explain how can I test on my local env. with this scenario?
My sample request is: http://localhost:93/Api/V1/User/Preference (GET)
I am adding the token in the Authroization property of the Headers in the web api call.
Also a side note, I don't think I require OWIN/Startup.cs file for securing the WebAPI. The way I tried is that I got the token value send through the headers and got the AudienceID using JwtSecurityToken and parsing the contents of the Authroization property. Is this approach right as per security or I should stick to the OWIN implementation.
All of the ADAL JS tutorials have the backend API and the UX hosted on the same domain and port, with no need for CORS. See for example https://azure.microsoft.com/en-us/resources/samples/active-directory-javascript-singlepageapp-dotnet-webapi/. Those samples demonstrate that you need only ONE Azure AD registration, as the JS layer is in effect the exact same app as the web API.
We do have some samples demonstrating how to call an external API as well, and those do require CORS- but only for the extra API. The logic for calling the app backend remains the same (just one Azure AD app registration, no need for CORS).Postman doesn't offer any opportunity to pop out UX, hence one strategy you can follow is to obtain the tokens you need beforehand.
The use of OWIN allows you to centralize the auth setup; if you add auth in the controller, you'll need to repeat that logic for every new controller you add. Also, maintaining the code will be harder as you might use API surface that requires code changes when you update the assemblies, while that's less likely to happen if you use the standard middleware setup
I've got an web app developed using angularjs for the front-end, java ee for the server side and a java restful api to connect both ends. I am using glassfish for the development process but the solution should be compatible with websphere, wildfly (not as important as the other three) and weblogic (doesn't need to be the same approach to all of them but that would be ideal).
So both the front-end and the resful api authenticate against the server which was solved by using BASIC authentication and only ONE username/password combination was asked for. When I changed BASIC to be FORM (using j_security_check) so I could design a proper login page. After having changed this, first I have to login using the form and then I have to login against the rest api as well, which is not what I want. So I've been trying different approaches ever since without any success.
Things I've tried so far:
Create a filter so I can capture username/password and add this into the header of the restful calls so no log in info is asked after the form login page -> doesn't work in glassfish
Change the login for specified in the web.xml for one developed by myself using angular so I can capture username/password and use an injector to add it to all the calls to the resful api -> Cannot login against the server since it doesn't accept any of my attempts by either rejecting then or saying that the page doesn't exist (probably doing it wrong but couldn't find much info about this...)
Using web.xml form authentication try adding an angular controller to capture the username/password and use an injector (angular doesn't work with the login page using j_security_check)
Capturing the response from the server on login so I can use the session to authenticate when using the restful api (don't know how to capture the response in the form page...)
Any thoughts are more than welcome after almost two weeks trying to make this work.
If you need more information or a example of any part of the code please just say and I will add it to the question.
Thanks!
I'm writing an Angular app which has Grails with Spring Security as a backend. I don't want to couple frontend with backend, so I don't use any gsp's, the communication goes only through REST requests.
Now the question comes which authentication to use.
Form authentication could be useful, but spring security redirects to the default form page and my login page is outside of Grails (in Angular project). I don't need a form page from spring security, I just need a URL where I can do my post request with credentials and get a cookie back.
So I started with Basic authentication which is easy enough, but then we have to add Authorization header to each request, which is annoying and not secure.
Spring security allows remember me cookie, but it is coupled to form authentication, so it is not possible (or difficult) to use it with basic authentication.
Stateless token authentication (for example, JWT) sounds great, but it is not clear how to configure it with Grails. The documentation for Security plugin has no mention about stateless authentication: http://grails-plugins.github.io/grails-spring-security-core/guide/index.html
So what is the best way to do authentication from Angular in Spring Secirity?
You are using default behavior of spring security. If you want stateless authentication, you will have to override the default behavior. Please go through this wiki page and also see this sample app for angular backend.
I have an angular app that I need to secure. We have a central SSO app in our organisation.
This central app provides a login page and sets cookie after authenticating the user.
Now I need to redirect user from my angular app to this central login page in case authentication cookie is missing/expired.
Can someone please help, how can I redirect to a different page using angular routing ? It seems angular always redirect only relative to base url.
I also tried to use spring mvc and security to restrict access to index.html from server end, but I am not able to set the mapping for showing index.html file (outside web-inf) from dispatcher servlet.
angular's routing is for routing within the page.
Use native location.href for this.
It sounds to me that you are trying to have partial AngularJS page and partial Spring MVC web application. I have also tried this, but then things did not go so well.
If you want to build a web application using AngularJS, I suggest you to start using AngularJS fully as Single Page Web Application and use your Spring MVC as a RESTful web service which is secured by Spring Security.
Read this article: restful-web-service-with-spring-security
The custom AuthenticationEntryPoint must return an HTTP status which AngularJS will process further in $http.success or $http.error. In case of $http.error you force user to go to the login page maybe something like $location.url("/login");
To make all $http.error points to the login page, you can use AngularJS http interceptors.
NB: You should secure your whole web application on the web server level by permanently redirect from http to https. Example: Apache HTTPD
I would like to create a new AngularJS, Web API Single page application. Does anyone have any examples that show how I can set up a user login screen that connects to a WEB API controller for a simple login (no need for google/facebook login etc) that uses ASP.NET Identity and without the need for user registration.
Also how can I handle showing a new view once the login has been completed. What I would like is to have a solution that does not show routing in the browser URL. So for example I would like to be able to switch from the login view and a couple of other different views without the url changing from www.abc.com.
In other words I would like to avoid showing www.abc.com/login, www.abc.com/screen1, www.abc.com/screen2
Any advice would be much appreciated.
So, instead of trying to find an example, I created one instead (link at the bottom). To explain how the functionality works, I want to go over a few things:
The new ASP.NET Identity system provides an OAuth 2.0 Bearer token implementation which can be used with clients that consume a Web API resource over HTTP. Since the authentication is not stored in a session cookie, the server is not responsible for maintaining the authentication state. The side-effect is that the consumer has to manage authenticating the server and managing the returned token. This is the system that Microsoft uses in the SPA template that it provides with VS 2013.
AngularJS makes no assumptions about authentication, so it's up to you how to authenticate.
AngularJS provides the $http service for querying remote HTTP-based services as well as $resource which is built on top of $http. Using Authorization headers with the Bearer token implementation above, you can combine both to provide authenticated access to server resources over HTTP. AngularJS allows you to set a 'default' Authorization header which it will use in every subsequent HTTP transaction.
With that in mind, the way I accomplished this is by creating a User service that handles all of the authentication details, including setting the HTTP Authorization header, between the Web API server and the SPA. Based on the authentication status of the user, you can hide certain UI elements in order to prevent navigation. However, if you also define the state as requiring authentication as a property of the resolve object for the state, a watcher set on the $stateChangeError event will capture the error and redirect the user to the login form. Upon proper authentication, it will then redirect the user to the state they were trying to navigate to.
In order to prevent authentication from being lost between browser sessions (since the client is responsible for maintaining the authentication token, and that token is maintained in memory), I also added the ability for the user to persist the authentication to a cookie. All of this is transparent to the user. For them, it is practically identical to traditional form-and-session based authentication.
I'm not sure why you want to prevent the user from seeing the routes, but I have coded it as such. I am in debt to Sedushi's Plunker example of how to use AngularUI Router to navigate in a stateful manner without using URLs. Still, I'm not sure I can personally recommend this for any application I would write on my own.
The full solution (both the WebAPI and the WebUI) is available with step-by-step instructions here.
Let me know about any specific part that is unclear, and I will try to make it more clear in the answer.
Refer the following blog for the demo of single page application (SPA) for ASP.NET Web API 2 and AngularJS, developed by the team at Marlabs.
http://weblogs.asp.net/shijuvarghese/archive/2014/01/25/demo-spa-app-for-asp-net-web-api-2-and-angularjs.aspx
The app is built with following technologies:
ASP.NET Web API 2
EF 6 Code First
AutoMapper
Autofac
Semantic UI
AngularJS 1.1.5
The application is published on github at https://github.com/MarlabsInc/webapi-angularjs-spa.
#DavidAntaramian gave a great example. But if you want a simple one, you can look to this HOL from Microsoft.
Their latest example on github uses .NET Core, but you can download release from October 2015.