Implicit/Explicit Login Filter - Set Data in Filter which can be available to all portlets after login - WebSphere Portal 8 - websphere-portal

I'm unable to do the following. Any help is appreciated. Thanks.
1) Set some data (objects) into HttpSession in custom Implicit/Explicit Login Filters and access that data across all the portlets after logging in.
2) Tried this: HttpSession session = request.getSession(true) and set an attribute on the session. But I'm unable to access the attribute inside the portlets after logging in.
3) Last option is Dynacache. Avoiding this and checking to see if there is any elegant way of doing it using Implicit/Explicit login filters.
Use Case: Set some shared data in Implicit/Explicit Login Filters and access it in all portlets after logging in.
References used:
http://www.ibm.com/developerworks/websphere/library/techarticles/0905_buchwald/0905_buchwald.html

You can achieve the same result with Explicit/Implicit login filter and SessionValidation filter as below:
Inside Explicit/Implicit login filter set data as session attribute.
Create a SessionValidationFilter and inside this filter read the attribute from session and set it as request attribute. Now configure this filter from WAS admin console.
Inside the portlet use following code snippet to get the shared data:
PortletUtils.getHttpServletRequest(renderRequest).getAttribute(attributeName)
OR
PortletUtils.getHttpServletRequest(actionRequest).getAttribute(attributeName)

AFAIK there is no way to get the HTTPSession from the Portlet API. However most Portal implementations do offer a platform specific way of accessing it.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import com.ibm.wps.pb.utils.portlet.PortletUtils;
...
// portletRequest is the RenderRequest/ActionRequest handed to the portlet method
HttpServletRequest httpServletRequest = PortletUtils.getHttpServletRequest(portletRequest);
HttpSession httpSession = httpServletRequest.getSession();
You can use this in your portlet to access the HTTPSession object and then manipulate it as you need.
I don't know how you're trying to pull data from the portlet session but, there is this article for Portal v5. At quick glance, it seems to imply that you could set something in the HTTP Session and then access it as an application-scoped portlet session attribute. However if this behavior is simply an implementation detail and not part of the official documentation, I wouldn't rely on this to be true in the future.

To share data across portlets once the user is logged in is a two-step process.
Inside the Explicit/Implicit login filter set the data as a session attribute.
Create a ServletFilter and inside this filter read the attribute from the session and set it as a request attribute. Now configure this servlet filter with wps.ear as follows:
a. Export the servlet filter as JAR and place this JAR at
C:\IBM\WebSphere\PortalServer\shared\app\
Note: I assume that WebSphere portal server is installed at C:\IBM
b. Add filter mapping for your custom filter in web.xml and web_merged.xml present at
C:\IBM\WebSphere\wp_profile\config\cells\10Cell\applications\wps.ear\deployments\wps\wps.war\WEB-INF\
Inside the portlet use following code snippet to get the shared data:
PortletUtils.getHttpServletRequest(renderRequest).getAttribute(attributeName)
or
PortletUtils.getHttpServletRequest(actionRequest).getAttribute(attributeName)
Restart the portal server.
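The three steps above (set in the login filter, bridge session to request in a servlet filter, read in the portlet), written out as one listing. This is an added example, not code from the answers or from WebSphere Portal; the class names, the attribute name and the web.xml snippet are assumptions, and the only portal-specific call is the PortletUtils.getHttpServletRequest() the answers already use. Each public class goes in its own source file.

```java
import java.io.IOException;
import java.io.Serializable;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.ibm.wps.pb.utils.portlet.PortletUtils;

/** Step 1 helper: call from your Explicit/Implicit login filter, after delegating to the
 *  chain, with the HttpServletRequest the login filter receives. */
final class SharedLoginData {
    /** Assumed attribute name; namespaced so no portlet collides with it by accident. */
    static final String ATTR = "com.example.portal.LOGIN_DATA";

    static void store(HttpServletRequest req, Serializable data) {
        // Serializable matters once sessions are persisted or replicated across the cluster.
        req.getSession(true).setAttribute(ATTR, data);
    }
    private SharedLoginData() {}
}

/** Step 2: servlet filter in wps.war that copies the session attribute into the request. */
public class SharedDataFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // getSession(false): do not create sessions for anonymous requests just to look.
        HttpSession session = req.getSession(false);
        if (session != null) {
            Object data = session.getAttribute(SharedLoginData.ATTR);
            if (data != null) {
                // Request attributes exist only server-side; a client cannot inject this value.
                req.setAttribute(SharedLoginData.ATTR, data);
            }
        }
        chain.doFilter(request, response);
    }
}
/* web.xml / web_merged.xml entry for step 2 (assumed filter name and mapping):
<filter>
  <filter-name>SharedDataFilter</filter-name>
  <filter-class>SharedDataFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SharedDataFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
*/

/** Step 3: any portlet reads the value from the underlying servlet request. */
public class SharedDataPortlet extends GenericPortlet {
    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        Object data = PortletUtils.getHttpServletRequest(request)
                                  .getAttribute(SharedLoginData.ATTR);
        response.setContentType("text/html");
        if (data == null) {
            response.getWriter().write("<p>Not logged in, or the filter is not active.</p>");
        } else {
            // The stored object may carry user-supplied text (display name etc.): escape it.
            response.getWriter().write("<p>Shared login data: " + escape(data.toString()) + "</p>");
        }
    }

    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

The filter only copies what the login filter stored, so the value is server-trusted by construction; keep it that way by never reading a request parameter of the same name in the portlet, and by never letting the filter write the attribute when no session exists. If the attribute is missing in a portlet, the usual causes are the filter not being mapped in both web.xml and web_merged.xml, or the JAR not being on the shared/app classpath.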

Related

Configure logic app failure alerts using azure ARM template

I have added the alert rule and action group manually in the Azure portal to send mail whenever it fails.
Is it possible to create these things using the Azure resource manager template?
Yes, this tutorial will help you create the alert using ARM template. You can refer to the "simplestaticmetricalert.json" and "simplestaticmetricalert.parameters.json" in this tutorial and replace the parameters in json with your parameters. Then use PowerShell or Azure CLI to deploy the template.
By the way, if you are confused about some parameters in "simplestaticmetricalert.parameters.json", you can use this command below
az monitor metrics alert show [--ids] [--name] [--resource-group] [--subscription]
to show the properties of the alert you have created before for your reference when you edit the new template.

Shibboleth custom password flow

I need to set up Shibboleth IdP to validate user name and password against a custom application.
Our application exposes a REST API to which one can pass a user's credentials and either returns a 401 on failure or a JSON object with some user metadata on success.
I was able to achieve this in SimpleSamlPHP IdP with a 30-line class, but having to switch to Shibboleth, I am having a hard time finding directions to do the same there.
Reading through the documentation the suggested solution seems to be to create a custom back end for the password login flow but the Wiki does not explain in detail how to do this.
Can somebody point me out to some tutorials or sample code on which files need to be created or changed in order to do this (even basic examples of checking against a credential file or database would be fine)?
You are looking for an External Authentication Flow (https://wiki.shibboleth.net/confluence/display/IDP30/ExternalAuthnConfiguration)
For an example, see the shib-cas-authn3 project (https://github.com/Unicon/shib-cas-authn3). It uses the CAS Server to authenticate the users. It then creates an IdP session from information retrieved from CAS.
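What the external flow looks like for the REST-backed password check in the question, as an added example that is neither the answer's code nor part of shib-cas-authn3. The IdP calls are the ones documented for net.shibboleth.idp.authn.ExternalAuthentication in IdP 3.2+ (the conversation parameter carries the flow key between the GET and the POST); the REST endpoint URL, its use of HTTP Basic credentials, the form field names and the servlet class are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;

/** External-authn servlet: renders a password form and checks credentials via REST. */
public class RestPasswordAuthnServlet extends HttpServlet {
    /** Assumed endpoint: Basic credentials in, 200 + JSON on success, 401 on failure. */
    private static final String CHECK_URL = "https://auth.example.org/api/v1/check";

    /** The IdP redirects here with ?conversation=<key>: register the flow, show the form. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            String key = ExternalAuthentication.startExternalAuthentication(req);
            renderForm(resp, key);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("request did not come through the IdP external flow", e);
        }
    }

    /** The form posts back with the key; the verdict is handed to the IdP either way. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String key = req.getParameter(ExternalAuthentication.CONVERSATION_KEY);
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (key == null || user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            if (checkCredentials(user, pass)) {
                req.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, user);
            } else {
                req.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                                 AuthnEventIds.INVALID_CREDENTIALS);
            }
        } catch (IOException e) {
            // A backend outage is not a wrong password: report an authn exception, fail closed.
            req.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                             AuthnEventIds.AUTHN_EXCEPTION);
        }
        try {
            ExternalAuthentication.finishExternalAuthentication(key, req, resp); // redirects into the IdP
        } catch (ExternalAuthenticationException e) {
            throw new ServletException(e);
        }
    }

    /** One round-trip to the REST API; only the status decides, the JSON body is unused here. */
    static boolean checkCredentials(String user, String pass) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(CHECK_URL).openConnection();
        c.setRequestMethod("POST");
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        String token = Base64.getEncoder()
                .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        c.setRequestProperty("Authorization", "Basic " + token);
        int status = c.getResponseCode();   // never log the password next to this
        c.disconnect();
        if (status == 401) return false;
        if (status == 200) return true;
        throw new IOException("credential service answered HTTP " + status);
    }

    private static void renderForm(HttpServletResponse resp, String key) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter w = resp.getWriter();
        w.print("<form method='post' autocomplete='off'>");
        w.print("<input type='hidden' name='" + ExternalAuthentication.CONVERSATION_KEY
                + "' value='" + html(key) + "'>");
        w.print("<input name='j_username'><input type='password' name='j_password'>");
        w.print("<button>Log in</button></form>");
    }

    private static String html(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace("'", "&#39;").replace("\"", "&quot;");
    }
}
```

The servlet is mapped in the IdP's web.xml and pointed to by idp.authn.External.externalAuthnPath, with External listed in idp.authn.flows; the JSON metadata the API returns on success can be parsed and attached as additional principals, but nothing here depends on it. Two things worth keeping: the REST call must stay on TLS since it carries the password, and any non-401 failure is treated as an outage rather than as a bad password so the IdP never grants a session on an ambiguous answer.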

backand : issues with user creation, deletion, update

I'm creating an app using ionic/angularjs using Backand as the backend service. I have it setup to use a MySQL database.
1) When I create a user through the SDK (version 1.8.2 from the CDN), the user shows up in Registered Users area but does not get a row in the 'users' table. Someone mentioned that I should have Anonymous Access set to User as they said this is a permissions issue but that did not solve the issue for me.
2) I can manually add a user through the Backand GUI and the user gets a row in the 'users' table as I would expect.
3) I can not manually delete users or rows in the 'users' table through the Backand GUI. I get an error stating that the "Delete My App User" failed to perform. You can't specify target table 'users' for update in FROM clause. I haven't modified the Security Actions at all. They're all default. Updating a user receives a similar error.
4) I created a blank app in Backand and updated my app with the new tokens and app name. I was able to login to that app using login credentials that were created on the original app but were not a part of this app. Does this mean users can access any Backand once registered with one app on the system?
Am I just really missing how 'users' registration and logins are supposed to work in Backand?
Any guidance would be appreciated. Thank you in advance.
You can read more on the Back& security concept here.
A user can only access the app he was registered into. In your case I believe the second app has anonymous access, so you have signed in to the first app and got an access token, and using the anonymous header you accessed the second app.
Please use incognito window mode for the second app and then you could debug two apps.
You can also review Back& User example to play around with the security.

Single Page Application login with Spring and AngularJS

I'm creating an application which can be used by unknown and logged-in users. The only difference is that a logged-in user can use some additional functions like saving their content in the database.
All communication is based on ajax calls, so what I need is to deny access to some controller functions (end points) in the backend for unknown users, and on the client side I need to know that it is in the logged-in state to set these extra functions active. Only one page; the login form should be in a dialog. I'm a little bit confused, because the standard Spring Security approach doesn't fit this case. I was reading this tutorial but I can't fully understand it.
First: What does the Principal object do? They send credentials to this endpoint on submit with the login() function, but where is the password check handled? What if I have my users in a database?
Second: Is it possible to write this configuration in XML style? I guess that it can be done with <intercept-url/> in the spring-security.xml file.
Principal Object
The Principal Object is used to be able to get basic information about a user that is attempting to login when using automatic server authentication (i.e. LDAP). However, you will only be able to get a username from the principal object. With a server JBoss/WildFly, for example, you can link the server to Active Directory to allow Microsoft Windows to authenticate users.
Simple Solution
First, Spring Security will add additional complexity to your application where it doesn't sound like you are trying to do that. Instead, use a simple Servlet Filter. If you are using LDAP on a JBoss/WildFly server, you can make a POST to j_security_check and the server will send the request to the filter if correct credentials are provided. Inside the filter, you may use the getName() function of the Principal object to get the username so that you may store it in the user's session. However, if you are not using LDAP, you may make a simple POST to a Java Servlet or Spring Controller (with an @RequestMapping) to attempt to log in the user and store the user's information in the session.
At this point, you can filter out what URLs you will allow users to see. For example, the URL that contains /administrator/some/other/stuff.jsp could be restricted if the URL contains the word "administrator" in the first directory of the URL.

ExtJS and page authorization (server-side)

I'm looking for information on how to implement secure pages using ExtJS 4. By secure pages I mean the user will log into our website using Siteminder (SSO) and so we will have the user's identity. Then we would determine what roles the user would have by making a database/LDAP call and only render those views/components that the user has access to.
Several questions come to mind:
1.) Of course I would expect we would do the authorization check prior to rendering the pages on the server-side, so how do you do this prior to firing Ext.onReady()? I need to have the ExtJS wait for the response from the server?
2.) What is the best way to organize a page's components where the case may be someone could see a particular component and another person cannot?
3.) How do I deliver the resulting page (i.e., the pieces the user has access to) to the client?
TIA!
If you're working from a Java background and are comfortable using Spring, I wrote up an approach using Spring Security here. This will allow you to plug-in any authentication mechanism you want. The main difference is that instead of using an index.html to bootstrap the application, I have a JSP so that the Spring Servlet Filter will fire for authentication. The Ext JS app blocks until the user is authenticated and the user's roles/permissions are provided.
Use a server side technology to pre-process authorization by putting your JS App launch script into a JSP/GSP. What this does is force server side components to kick off first and then render the HTML/JS/CSS to the client. For a full RIA app use index.gsp (or jsp) and your URL stays "domain/contextroot".
You can interrogate access privs to content via an ajax request to the server, or alternatively you could set JS variables via the same JSP technology that is processed first, before the rest of the client response is returned.
<g:javascript>
//global env var definition
var env = "${System.getProperty(Environment.KEY)}";
</g:javascript>
Both of these are not 100% safe as client side code can be altered. The real security enforcement must be handled on server side when data is submitted for processing.
3. The easy way would be to hide/show views etc. based on 2. above. There is also some experimentation out there with modularizing the client side MVC application by lazily (manually) initializing controllers that may or may not be needed.
Hope this helps.
DB :)
I am currently experimenting with the following solution. Although it will only work for apps with a rather simple set of users, it could be of some help to you.
To begin with, user authentication is done without extjs, using a simple HTML/CSS page. Once the user logs in, its details (user id, role) are saved into the PHP session. And then the page redirects to one of two extjs apps.
One app for normal users (I'll call them clients); these are people whose client side JS does not include any admin functionality. The other app is for admins.
Both apps have their classes inherit from base classes. So we have, for example, base.mainMenu from which both admin.mainMenu and clients.mainMenu inherit. The only difference in the app.js script is the controllers loaded, and per extJS 4 dynamic loading module, only the related views are loaded (ie, seen on the client side). In my case, all pages load dynamically anyway, so my users can only dynamically load pages in their mainmenu.
The admin app blocks certain features using a global JS variable that includes the user's role. So for example, the hiding of an 'edit' button from moderators (an admin group with less rights) is done once the view is loaded (in practice this is actually done by not loading a plugin that allows editing on the view).
To wrap it all up, any call to the server checks whether the session user has rights for the requested operation, so regardless of client side scripts, server operation can only be performed by people with the appropriate rights.
To summarise, you have 3 different strategies that you can mix-and-match:
Loading different apps for different users. If your classes all inherit from base classes, this is easier than maintaining 2 or more completely different apps.
Using a global JS variable to disable/enable certain features for certain users. This is only good if you don't have a problem with the client side loading features that are then disabled (but still seen by debuggers).
Regardless of anything, all server-side calls are checked against session variable.
Check out Role-based access control. I use Yii's database-based RBAC, and have a php script that returns the rbac rules in json format when ext starts up.
On the client, the best bet is to simply hide or disable functionality that is not allowed.
On the server, you should throw a 403 http error if the user is not allowed to perform a function. Handle ajax exceptions in ext and check for 403s.
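The server-side half that the Spring/AngularJS answer (a login POST that stores the user in the session, then a servlet filter that gates URLs such as /administrator/...) and the ExtJS answers (check the session on every call, answer 403 when the role is missing) both describe, as one added example. It is not code from any of the answers; the User class, the UserStore interface, the path-to-role table and the JSON bodies are assumptions made for the demo. Each public class goes in its own source file.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** What login puts in the session; Serializable so session persistence keeps working. */
final class User implements Serializable {
    static final String SESSION_KEY = "app.user";           // assumed attribute name
    final String name;
    final Set<String> roles;
    User(String name, Set<String> roles) { this.name = name; this.roles = Collections.unmodifiableSet(roles); }
}

/** Assumed: your own user table behind an interface (store password hashes, never plain text). */
interface UserStore {
    User authenticate(String username, String password);   // null when the credentials are wrong
}

/** POST from the SPA's login dialog; registered programmatically or wired by Spring. */
public class LoginServlet extends HttpServlet {
    private final UserStore store;
    public LoginServlet(UserStore store) { this.store = store; }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        User user = store.authenticate(req.getParameter("username"), req.getParameter("password"));
        resp.setContentType("application/json");
        if (user == null) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.getWriter().write("{\"authenticated\":false}");
            return;
        }
        HttpSession session = req.getSession(true);
        req.changeSessionId();                               // Servlet 3.1: blocks session fixation
        session.setAttribute(User.SESSION_KEY, user);
        resp.getWriter().write("{\"authenticated\":true,\"name\":\"" + json(user.name) + "\"}");
    }

    private static String json(String s) { return s.replace("\\", "\\\\").replace("\"", "\\\""); }
}

/** Mapped to /*: anonymous callers get 401 (the SPA opens its dialog), logged-in callers
 *  without the role get 403. URLs with no rule pass straight through. */
public class AuthorizationFilter implements Filter {
    /** Path prefix -> role required. */
    private static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/administrator", "admin");   // e.g. /administrator/some/other/stuff.jsp
        RULES.put("/api/content", "user");      // the "save my content" endpoints
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String required = requiredRole(path(req));
        if (required == null) { chain.doFilter(request, response); return; }

        HttpSession session = req.getSession(false);
        User user = session == null ? null : (User) session.getAttribute(User.SESSION_KEY);
        if (user != null && user.roles.contains(required)) {
            chain.doFilter(request, response);
            return;
        }
        resp.setStatus(user == null ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN);
        resp.setContentType("application/json");
        resp.getWriter().write("{\"error\":" + resp.getStatus() + "}");
    }

    /** Container-decoded, context-relative path; never match on the raw request line. */
    static String path(HttpServletRequest req) {
        String p = req.getServletPath();
        return req.getPathInfo() == null ? p : p + req.getPathInfo();
    }

    /** Whole-segment prefix match, so "/administrator-help" does not count as "/administrator". */
    static String requiredRole(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (path.equals(rule.getKey()) || path.startsWith(rule.getKey() + "/")) return rule.getValue();
        }
        return null;
    }
}
```

The 401/403 split is what the client code keys on: 401 means "show the login dialog", 403 means "you are logged in but this is not yours", and neither leaks which of the two applies before authentication. Because authorization rides on the session cookie, the state-changing endpoints under /api/content still need CSRF protection (a token the SPA sends in a header, or an Origin check) on top of this filter.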
