I'm new to Spring MVC and trying out a simple project.It will contain a simple adding, viewing, updating and deleting user work flows. It will have login page and once authenticated the user will be taken to a welcome screen which will have links to add, view, update and delete users. Clicking on any of the links will take to individual pages where the user can do the specific tasks. What I'm doing here is, I'm using a MultiActionController to group together all requests related to User work flow. So the request from "Add User" link will handled by the addUser method in the UserController which will redirect the user to the "Add User" page, and the user can then fill in the details and save the new user. Now here is where I'm getting confused. Where should I put the save process of the new user, should I put that in new method inside UserController, or use the same "addUser" method. What is the best way to handle this kind of scenario.
I hope I was able to clear my question.
did you try to check the Petclinic example which is in the Spring distribution? There you can find all the CRUD operation examples and much more...
Based on your example I suggest that you implement a "goto action page" method and a "perform action" mthod in your UserController. For the AddUser operation, the "goto action page" method might be AddUserPage() which performs any necessary initialization and setup required for the "add user" page then forwards the request to the "add user" web page and the "perform action" method might be AddUser() in which you implement the action of adding a user to your website.
For a "Delete User" action, you might have a "DeleteUserPage" and a "DeleteUser". etc.
The idea here being that you need a method in the MultiActonController to send the user to the correct page and another method to implement the desired action. The name of the methods is not important, but I suggest that you name them consistantly (for instance, xxxPage() sends the user to the xxx activity page and xxx() implements the xxx activity).
Related
I want to integrate Google's Oauth2 in my symfony-1.4 CRM. I have successfully implemented this, I have extended sfGuardAuth in my own module, and now mysfGuardAuth is being used for siging and signout. Is there where I handle Google's Oauth2 with 2 extra actions:
executeCkeckGoogleAccess();
executeOauth();
The problem is to checkout if Google's token is still a valid one, I have to redirect in each action of everymodule to the action checkGoogleAccess in mysfGuardAuth module.
What I want is to check this in an implicit way in the same place where symfony, or sfGuard or whatever checks for the right perms or credentials before executing or not executing the requested action.
I only want to write the code once.
Thank you.
After some research this is how sfGuard checks everything.
When you make a request to a module action, before the action is executed, a new sfContext is dispached.
The sfContext gets the user that extends sfGuardUser and has some methods that are executed. There is where perms, session status and everithing else is checked
The user must be configured in apps/yourApp/lib
By default is apps/yourApp/lib/myUser which extends sfGuardUser. The most apropiate way to achieve this is to create a new user class like: apps/yourApp/lib/yourAppUser which extends aswell sfGuardUser, and there extend the methods initialize and/or shutdown with the functionality you want.
By this way I have achieved to get Google's Oauth2 working in my app.
I hope this is usefull for more people.
UPDATE
All described above is true, but if you want to check something always before an action execution you must use filters instead of whats described before.
Filters are executed before each action, so there you can checkout whatever you need having access to the current context, and set up new attributes for the user. In my case I wanna check if the requested action needs a google token, if true, then Another filter will check if the user has alraedy a valid token, in that case, nothing happens, otherwise, the user is redirected to the module/action which handles google token requests.
Comunication between diferent filters, actions and requests are handled via user attributes.
the user is an object of the clas myOwnUser which extends sfGuardSecurityUser, there the function signOut is extended in order to delete all attributes saved in "myOwnNamespace"
I need to change the behaviour of the login-page of OpenStack. I am working on an alternatively way to authenticate an user. I use no more name and password. It works on command line but I have to use it also in the graphically part (horizon).
I should change the action performed when I click the LogIn button, but I can not find where is the implementation of that action: which is the function called by Horizon to authenticate an user?
My aim is to call my new keystone functions to get the token, but I can not find which horizon's function calls keystone.
[UPDATED QUESTION]
the *../horizon/views/auth_forms.py* defines how the login page is defined. Where does its class Login is called? I need to modify the code that starts the login page creation
Horizon instantiates an entire class set for keystone interaction.
checkout horizon/openstack_dashboard/api/keystone.py
it mostly uses the python-keystoneclient api set.
You may want to also check out http://docs.openstack.org/developer/horizon/topics/customizing.html
I tried to modify some files like: horizon/openstack_auth/view.py where Login is called.
In rails I could do something like this to make sure a user is authenticated before accessing an action in the controller:
before_filter :checked_logged_in, :only => [:edit, :update]
I was wondering if ASP.NET MVC had something similar or if there was a framework out there that could essentially do something like the following:
For certain methods with actions that take a certain parameter, I want to point the action to a method, check to see if the user owns that object, and if so, proceed to the controller action. If not, I want to redirect him to another action where I can show him he has invalid credentials.
So basically I am looking for a sort of "before_filter." Anyone know of anything out there that can do this? Thanks!
They are called Action filters in ASP.Net MVC, you can read more here http://www.asp.net/mvc/tutorials/understanding-action-filters-cs.
Asp.net MVC comes with an Authorize filter to indicate actions that requiere the user to be authenticated.
Usage:
[Authorize]
public ActionResult Index()
{
}
I have ASP.NET MVC site with authentication dialog (login/password) that is accessible on every page. When user provides login/password post-back is initiated to special controller, not the same as the one generated the page with dialog.
I do some authentication stuff and wish to return user's browser to the same page request came from. I do the following (simplified):
protected ActionResult Authorize(string login, string password)
{
...
return Redirect(Request.UrlReferrer.AbsoluteUri);
}
what is the best practice to perform such action?
Thank you in advance!
In the default Membership of ASP.NET they simply use a returnUrl parameter in the query string. I find that this gets the job done quite well. It also allows me to bounce them to a different url if that is what the requirement is.
There is nothing wrong with the way you are doing it now, I just prefer the flexibility of the query string parameter.
I have a form that sits behind ASP.NET forms authentication. So far, the implementation follows a typical "out of the box" type configuration.
One page allows users to post messages. If the user sits on that page for a long time to compose the message, it may run past the auth session expiration. In that case, the post does not get recorded... they are just redirected to the login page.
What approach should I take to prevent the frustrating event of a long message being lost?
Obviously I could just make the auth session really long, but there are other factors in the system which discourage that approach. Is there a way I could make an exception for this particular page so that it will never redirect to the Login so long as its a postback?
My coworker came up with a general solution to this kind of problem using an HttpModule.
Keep in mind he decided to to handle his own authentication in this particular application.
Here goes:
He created an HttpModule that detected when a user was no longer logged in. If the user was no longer logged in he took the ViewState of that page along with all the form variables and stored it into a collection. After that the user gets redirected to the login page with the form variables of the previous page and the ViewState information encoded in a hidden field.
After the user successfully reauthenticates, there is a check for the hidden field. If that hidden field is available, a HTML form is populated with the old post's form variables and viewstate. Javascript was then used auto submit this form to the server.
See this related question, where the answers are all pretty much themes on the same concept of keeping values around after login:
Login page POSTS username, password, and previous POST variables to referring page. Referring page logs in user and performs action.
Login page writes out the form variables and Javascript submits to the referring page after successful login
AJAX login
If you don't care if they're logged in or not when they POST (seems a little iffy security-wise to me...) then hooking HttpContext.PostAuthenticateRequest in an IHttpModule would give you a chance to relogin using FormsAuthentication.SetAuthCookie. The FormsAuthenticationModule.Authenticate event could be used similarly by setting an HttpContext.User:
// Global.asax
void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e) {
// check for postback somehow
if (Request.Url == "MyPage.aspx" && Request.Form["MySuperSecret"] == "123") {
e.User = new GenericPrincipal(new GenericIdentity(), new string[] { });
}
}
When the session timeout happens the user's session (and page information) get disposed, which would mean the eventual postback would fail. As the others have suggested there are some work arounds, but they all assume you don't care about authentication and security on that particular page.
I would recommend using Ajax to post back silently every 10 mins or so to keep it alive, or increase the timeout of the session as you suggest. You could try to make a page specific section in your web config and include in there a longer timeout.
I handled this once by adding the form value to the database, identified by the remote IP instead of user ID.
( HttpContext.Request.UserHostAddress )
Then, after login, you can check to see if the current user's IP address has a row in the database, and perform the required action.
Michael