Sending a server side POST from a java webapp - spring-mvc

I'm working on a spring-mvc based java app at the moment.
One of the features of this app is that the user can change their email address to another email address.
When the user changes their email address, current state functionality is to log the user out in the same operation, which is achieved by returning
redirect:/j_spring_security_logout
from the controller method that updates the users email address.
New webapp functionality is to only support POST (not GET) for logout, which causes the current functionality of logging out the user on email address change to break.
What is the suggested way around this?
Can I:
a) Send a POST somehow from the server side to log the user out?
b) Logout the user server side somehow (invalidate their session, clear their cookies, and redirect them to the login page?)?
c) Should the user be being logged out on email address change in any case or is this a strange thing to do?
Any advice is more than appreciated.

When using Spring Security with a Servlet 3.0 (or higher) capable container it integrates with the HttpServletRequest.logout method. When calling this method it will trigger the registered Spring Security LogoutHandler. Afterwards you can redirect to the page you want.
#RequestMapping
public String yourMethod(HttpServletRequest request) {
// your logic here
request.logout(); // Logout to force a re-login
return "redirect:/login"; // redirect to page you want
}

Related

Redirecting user to a new page after successful login with Firebase

I have a web app and I am using firebase authentication to login/signup our users.
In the past I have used Passport for login in my app which works but you have to maintain your own database and security blah blah... but I can control when my user can visit a page after logging via Passport using middleware like this -
// isAuthentcated is my middleware on server side.
app.get('/home', isAuthenticated,(req,res)=>{
res.render('home');
});
How can I do the same using firebase because there isn't any mechanism to do that. I have read different answers on stackoverflow and most of the pople are suggesting something like below which obviously isn't secure. Anybody can just type home.html and get to the page.
firebase.auth().onAuthStateChanged(user => {
if(user) {
window.location = 'home.html'; //After successful login, user will be redirected to home.html
}
});
Although, I have thought of using firebase-admin sdk token verification and try to follow the suggestion here but I don't know how it can be useful to do that on server side. Do you guys have any suggestions? How do you redirect user to a new page. An ajax post/get request from a client to a route '/home' with a header containing 'Bearer token' just validate the token but doesn't redirect user because it is a ajax call which is meant for updating a portion of a page.
Now, the question really is, Is it even possible to do that with firebase authentication?
If you host your site on App Engine you can send the ID token of the client with the request for the HTML. This could take the form of a cookie, a parameter, or whatever you choose to securely transfer the token from client to server.
Then the server can use the Firebase Admin SDK to verify the ID token, and use whatever logic you need to determine whether the request is authorized.

OWIN Facebook Authentication - What does 'context' mean?

I was trying to implement the Facebook Authentication Login in a web-app but there's something I couldn't figure out. I know for some experienced developers out there this is a pretty dumb question but, can anyone explain me this code snippet?:
public class FacebookAuthProvider : FacebookAuthenticationProvider
{
public override Task Authenticated(FacebookAuthenticatedContext context)
{
context.Identity.AddClaim(new Claim("ExternalAccessToken", context.AccessToken));
return Task.FromResult<object>(null);
}
}
As far as I know context refers to the data in an HTTP Request, right? If that so, when we're doing context.AccessToken the guide says that that's set by Facebook. How's that even possible? What's the flow there?
It says and I quote:
As I’mentioned earlier this token is for the external provider and
issued by Google or Facebook, after we’ve received it we need to
assign it to custom claim named “ExternalAccessToken” so it will be
available in the request context for later use.
I didn't get that.
Can anybody explain, please?
Thanks in advance.
As I said, I know it's a dumb question but I'm the type of person who wanna know how everything works behind the scenes.
-- EDIT --
So, Facebook makes the request and sends along an AccessToken.
Then we store it on that same request context as a claim.
Is that what's happening? If so, then, when is that request context destroyed? (When the request is done, duh) Yea but, when does that request finish? Isn't it after sending the token?
When you authenticate agains an external provider e.g. facebook you redirect your client to the "facebook login page" (not really the login page). There the user enters his credentials and facebook validates them. Then facebook redirects back to your page with an authorization code which you can exchange for an access token.
All of this is done by the Authentication middleware of asp.net when you configure an external authorization provider. I do not know the middleware to well but I assume the Context is transient (per request) but that shouldn't matter to much.
This image is taken from here where you can read up more on the OAuth 2.0 auth code grant.

Customizing CQ / AEM Authentication

What exactly do you have to do to authenticate users against an external source while accessing pages on a CQ publish instance?
From what I have read, a custom AuthenticationHandler can be used for this. The AuthenticationHandler can be configured to be called against the paths requiring authentication and inside the extractCredentials() method, the users will be authenticated against the external source and an AuthenticationInfo object will be returned.
If the supplied credentials are invalid, null would be returned from this method to indicate the same. The SlingAuthenticator will then call requestCredentials() where the user can be redirected to the login page.
Is this understanding correct? If so, what does SlingAuthenticator do with the AuthenticationInfo object returned from extractCredentials()?
In some places, having a custom LoginModule (by overriding AbstractLoginModule) is also suggested for the same purpose. Are these 2 different approaches (custom AuthenticationHandler and Loginmodule) for having custom authentication or are they used together somehow? If so, how do they interact?
And also, the concept of CUG (Closed User Group) can be used to redirect users to the login page if they don't have access to a page. Can CUG still be used with a custom auth mechanism or it only works if the users are present in CQ repository?
Any light shed on this would be much appreciated :)
Your understanding is correct. The AuthenticationInfo object ultimately contains a JCR user id -- but rather than having to use the JCR password for the user, a 3rd party service basically says "this user has authenticated successfully and can access the repository as X".
Example: you're using OpenID or SAML to verify a user is X. user X is then mapped to a user Y in the repository.
I haven't used LoginModule but from what I'm reading, that's just extending login processing for the JackRabbit repo. So, rather than using AuthenticationHandler to redirect a user to some other place and processing the response, you're plugging further down into the chain where there's already AuthenticationInfo (or something like that) being given to JackRabbit to verify and return a session for a user.
So, let's say you did successfully authenticate with OpenID but the user you're mapped to doesn't exist. You could write a login module to create the user in this case (and assign user to a default group). For instance, if user came in with a gmail id, the JCR user could be gmail_$id. And the login module, seeing the name starts with gmail, will know it's ok to create that user automatically.
As far as CUG, yes, all the above can be used in conjunction with it. Basically, if a request doesn't have access to a resource and the request hasn't been authenticated, the authentication handling system kicks in. If a user has authenticated but still doesn't have access to the resource (e.g. not part of a group that can read it), a 403 will be generated.

/oauth/token from Controller

I want to implement oauth2 in my website.
I have the server configured.
In current scenario there is a login page, where user puts her credentials which in turn is submitted to my login controller. Now I want to authenticate user using oauth2. Since the server and client are part of same application I am wondering how to go ahead.
I want to authenticate the user via oauth and return the dashboard along with the bearer token so that next call can me made from here.
Please suggest how to go ahead. If there is a better way to do i am more than happy to adapt it.
Thanks
Configure authorization server with spring-security-oauth. All the necessary endpoints will be mapped automatically (including /oauth/token)
Make a simple webpage with login form
Make POST request to /oauth/token with the username and password. In addition you have to send field called grant_type which will be filled with 'password' value.
As a response you will receive the access token. This means that you are authenticated.
P.S. Please pay attention that Oauth is the authorization standard, not the authentication one!

How to sign-in to WIF federation on the same page?

I have this scenario.
RP with passive federation to 2.
Custom STS for user/password authentication
Everything is working fine. So far the user would press login link, which would go to a restricted area, thus the federation security was triggered, and login screen appeared. It would prompt him to write the credentials, the request was then processed, etc.
Now I'm required to create login (user/password) text-boxes on the same page (default page). How can I achieve federation sign-in operation without redirecting to a login page? Should (or can) I use FederatedPassiveSignIn control? If so, how?
You could show the login boxes on the unprotected landing page if IsAutheticated is false and then send a message to the custom STS login page with the credentials encrypted or whatever which then logs in behind the scenes and redirects back to your app. with the token in the normal manner.
However, if the user is not authenticated and bookmarks a page behind the landing page, they'll be redirected to the STS.
For anyone interested (I doubt someone actually is), I've solved it through - basically - simulating what login page does.
// makes credentials validation, and creates IClaimsPrincipal with the acquired claims
IClaimsPrincipal principal = LoginHelper.SignIn(editEmail.Value, editPassword.Value);
// retrieves the instance of the STS (in this case my custom STS)
TrustedSecurityTokenService service = (TrustedSecurityTokenService) TrustedSecurityTokenServiceConfiguration.Current.CreateSecurityTokenService();
// creates the request manually to point to my original page (or whatever page you desire)
SignInRequestMessage request = FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest(Guid.NewGuid().ToString(), "http://page/i/want/to/go/after/the/validation.aspx", true);
// processes first the request...
SignInResponseMessage response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(request, principal, service);
// ...then the response is processed, and redirected to URL above
FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(response, Response);
This created cookies, and principal is not IsAuthenticated. As if it were process by login page (at least it seems to work so far as expected).

Resources