I have the following problem in a Grails app with Spring Security (SSC). My app should provide some browseable pages as well as a Restful API.
While using the App with the Browser the App should display the Login-Form which is used by SSC and the Login/Logout Controller. But I also want to use alternativly a BasiAuthentication with the same URI.
For example: If I do a call to /myApp/testCall, coming from the Browser it should display the Login Form in case of a not already logged in user. If the user is logged in, it should process normally. But if I call /myApp/testCall with a Authorization Header then the App should recognize this and Authenticate the user by Basic Auth.
What I already got so far, whether the Basic Auth or the Login Form standalone, but not with this wanted bahviour. As soon as I activate the basiAuth in my App, it displays all the time the default Login form the Browser (Basic Auth Browser Login) but it should display the LoginForm.
Hope someone can help me solving this problem, I need somehow to put the Filter, which is responsible for displaying the Login Form in front of the Basic Auth Filter, but in the other case if I provide Basic Auth Credentials it should just log me in.
I had a similar question last week, not totally the answer to your question but it might help you get started. Would have added this as a comment but I don't have the rep.
Related
I have .net web site which designed for working as standalone application. Due to one issue I was made to perform login flow to Facebook manually instead of calling FB.login(from FB javascript sdk). And because of this I am not able to call FB.logout (because in this case another issue appears).
Facebook support advised me this:
"In this case, you should manually clear the user's logged in session, by clearing any stored cookies, or removing any access tokens or user information stored on our end. You can refer to this page for more information on building login/logout flows manually: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#logout"
I didn't get this answer. How to realize manually logout workflow?
And I didn't find any examples.
You can check what the PHP SDK’s getLogoutUrl method does here, https://github.com/facebook/php-graph-sdk/blob/5d0c4865e80e231d48a4571841bd018828fe58e1/src/Facebook/Helpers/FacebookRedirectLoginHelper.php#L156
Basically it just calls https://www.facebook.com/logout.php with two parameters:
next is the redirect URI the user should be redirected back to after logout; it needs to be within your app domain
access_token is the valid user access token for the current user of your app
Now, I wish to redirect to a private Google group on click of a button on my website along with search parameters. I have generated the required URL using perl. Then I made a simple redirection using . It works when the user is already logged in(using cookies). But it doesn't work if the user has not logged in. I wish to redirect to Google's login page to make sure the user has logged in and thus can access the private group. How do I do this? I read some documentation mentioning OAuth. Is this the only way?
Typically Google handles the login themselfs. A user not logged in will be redirected to their login page first.
You can't use OAuth to log someone into a foreign (aka Google own) service. You could use OAuth to check if a user is logged in at all, but it's not necessary.
The Dancer::Plugin::Auth::Google documentation has a pretty good description on how to setup a Google OAuth login. The Auth::GoogleAuth module might do the job (with less documentation) without using Dancer, but I never tried it myself.
I have a web application that authenticates users through the standard Tomcat mechanism. More specifically, I configured a JDBCRealm that points to my own user and role tables and I am using form-based authentication, which submits the user details to the j_security_check action (as j_username and j_password). The security constraints are configured in my web.xml file.
Now, I'd like to provide users with a second login option: Facebook. I've already configured Facebook login using their Javascript SDK, but I'm having problems to integrate both login options. Ideally, when the user logs into Facebook, I would have to simulate an authentication in the Tomcat realm as well to make sure the Facebook user behaves as a regular Tomcat user. That means I also have to register the Facebook user in my own user table.
My first idea was to register the user in my own user table right after they finish their Facebook login (using an Ajax request, for example). When this request finishes, I would be able to trigger a manual submit to j_security_check.
The Facebook response includes a user id and a token that I could use. However, I don't know what information to use as j_password. I don't even know if using form-authentication is the best option any more.
What would be the best way to integrate both login options?
Thanks a lot!
One option could be to use a Combined Realm: See http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#CombinedRealm
Realm 1 should be JDBCRealm, then implement realm 2 (FacebookRealm). You might change the order, based on which one is the most frequently used. See Tomcat docs for how to implement a realm.
Of course you don't have a password in FacebookRealm, but you could do the following trick:
JDBCRealm:
username = username/userId in your application
password = password
FacebookRealm:
username = username/userId in your application
password = unique user id provided by Facebook
This could allow users to log in with whatever method they want.
Basically, this could be a possible use case for logging in through FacebookRealm (first steps might be a little bit different with JS SDK, but the idea is similar):
1. User is sent, through a link, to Facebook for authentication.
2. Facebook redirects to your server with a token.
3. Your server makes a Facebook call to verify the authenticity of the user.
4. Your server knows that it's a valid user, so it calls login(username, facebookUserId) method from Servlet. See: http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String, java.lang.String)
4.1. Make sure "username" and "facebookUserId" exist in your database before calling the login method.
5. Tomcat FacebookRealm will just perform a database query for that username and id.
I hope this gives you more insights about how this could be done.
Other options could be through Apache Shiro, Spring Security or probably others as well.
I'm getting into the grimy guts of a problem that has turned out to be rather cumbersome so I turn to you, the experts, for help.
what I've done so far: I am building an iphone app with phonegap. I am using the provided fbconnect (in phonegap github) code which gives some rather convenient javascript based example code to build things like a comment and check in request. I have comments and checkins fully working how I want, and I have an auth_token that I am successfully toting around.
enter the like button: I understand that you cannot make like requests via xmlhttprequest in the same way that you can with comments for example, so I am stuck using an iframe (unless there is a better alternative).
what I need help with: right now, since the iframe is triggering its own login, I have the situation where the user might log in to like, and then have to log in again to comment which is not a viable. Is there a way to pass a valid auth token to the iframe so the user wont be prompted to log in again or some other sneaky way to authorize through the childbrowser solution that I have currently implemented and then share the auth token to the rest of the app?
notes: I havent passed an app ID to my auth implementation but I noticed that the iframe does pass an app ID. would including an app ID in my auth request somehow link the logins so facebook could recognize that the user is already logged in through the app?
I can't think of any specific code to include since this is more of a general question but if there is anything you'd like to have a look at please let me know.
The short answer is no, mainly for security and spam prevention. The only way to have the user like your page is rendering the iframe code in a webview. This requires a traditional email/password login with Facebook. Using the graph api is the only way to use things like commenting and checkins, and this requires a user to login via a separate mechanism and then subsequently approve your app. There is no back door logging in mechanism.
I am creating a SaaS that will allow users to interact with it via their web applications. I would like to create a CAS type login mimicking Facebook connect so when you click the 'Login' button on the users website it will popup a window for you to login with my SaaS credentials.
I do not want the SaaS users site to be able to access the users login credentials so this is why I thought of CAS. However, it doesn't look like Facebook Connect redirects to the CAS server. It looks like they just popup a window to the facebook login then create a cookie once the user successfully logs into facebook. How then does the Facebook Connected site access that cookie?
I am wanting to basically be able to keep the end user on the current website without being redirected to my login application. I would like to mimic what facebook does with just popping up a little window and have them login then refresh the page after they login but I am not sure how to go about this.
Any ideas?
Facebook uses a third party cookie: they set a cookie on your domain that you can access to get the necessary credentials.
EDIT: the easiest example would be to look at PHP's setcookie function. Notice that there is a domain parameter. If you change the domain to match the domain of the actual website that initiated the authentication action then you'll be able to set a third-party cookie.
Note that on IE there are certain headers the domain that initiated the authentication action needs to set to allow your third-party cookie to be set. See http://www.spamcollect.com/archives/33 for a short writeup of how that works.
If you are working in a different language you'll need to use whatever cookie management functions they offer.
Another option may be to do this with CAS programmatically using the REST client.
https://wiki.jasig.org/display/CASUM/RESTful+API
In this way you could take the users details and login to CAS without being redirected.
Facebook uses Cross Domain communication which is what I will be using.