GWTP HttpSessions with Cookies disabled - gwt

I have a GWT app that is loaded within an iFrame. The app uses GWTP for client server communication. In the ActionHandler implementation a HttpSession Provider is injected.
#Inject
private final Provider<HttpSession> sessionProvider;
If cookies are disabled in the browser, a new HttpSession is provided each time the provider calls .get()
requestProvider.get();
So, there is no chance to store any information in the http session.
How can this problem be solved?
Is there a way to add the jsessionid to each action request and if so, how do I get the jsessionid?

Are you looking for the approach that is described here. The technique relies on url rewrite for sessionid.
You can also reference section "Using URL Rewriting Instead of Cookies" from oracle documentation here.

Related

How to redirect the url from nested site in pencilblue?

I want to 301 redirect the URLs from previous site that are nested, as pencilblue doesn’t support them,
e.g. a/b to page/b
For this I have been experimenting in include/http/request_handler.js but facing some issues.
Call never comes inside RequestHandler.prototype.handleRequest or even RequestHandler.prototype.onSessionRetrieved (seems these methods are not being called from anywhere)
Therefore I placed the code in RequestHandler and after confirming that req is not for public resource or api, I create a new url and execute
return this.doRedirect(newUrl, 301)
This actually works but at the same time I receive
Can’t render headers after they are sent error
#1075 has not helped me much as I’m not sure which specific controller I should modify. I need to catch the req as early as possible and see if it’s a page then redirect to page prefixed url.
Thanks in advance.
There are couple of ways to do redirects. You can do them from a controller or from middleware. You are correct in that, some of the functions in the request handler are not called. These are deprecated despite the fact pencilblue team didn't mark them as such. They replaced a good deal of the request handler functionality with /include/http/router.js and include/http/middleware/index.js. Plugins can register their own middleware to hijack the request pipeline.
See Advanced Routing on wiki for more info about creating your own middleware.
Using the routing framework your plugin would be able to register middleware that would be able to inspect the request and then redirect based on your specific criteria. The Router will be accessible from req.router and from there you could call req.router.redirect (Source).
Reference: #1224

Issue with form based auth and requesting static resource after session timeout

We are using form-based auth in our GWT application and I'm currently struggling a lot with session timeout.
If the user is logged in and performs an action that will trigger a request for a static resource AFTER the session has timed out, then the login page is shown and when the user logs in again, then only the image resource is shown to the user. An example is if the user hovers the mouse over a button, and the button need to fetch a icon which is shown on mouse over.
It is logical that this will happen, since the login page was triggered by the request for the image, but it is not really the behavior that we want. It would much better that the user is redirected to the page he was on, or alternatively another page.
How can this be handled in a better way? As I understand it is very difficult to change the redirect url, which j_security_check uses to redirect the user after successful login.
The way I solve it is to only protect the HTML host page with a <security-constraint>. Static resources (images, stylesheets, GWT scripts) aren't protected at all, and AJAX endpoints (GWT-RPC, RequestFactoryServlet, or other endpoints called using AJAX from the app) only check the presence of a user Principal in the request (this can be done in a servlet filter, or a RequestFactory ServiceLayerDecorator), and return an error otherwise (but do not trigger the login page).
You can see an example web.xml here with the code to handle the security in RequestFactory here (and the code to handle the response on the client-side here). For GWT-RPC, you'd probably do that using a servlet filter and a custom RpcRequestBuilder or a base AsyncCallback<?> implementation.

GateIn - redirect within portlet

How can you redirect a user by URL (within backing bean) to some other page within portlet? We are using GateIn 3.1 on JBoss 5.1.0
Usually, FacesContext.getCurrentInstance().getExternalContext().redirect("url") is enough, but here it doesn't work, it doesn't redirect user.
context.getApplication().getNavigationHandler().handleNavigation(context, null, page) doesn't work either.
We want to avoid making navigation rules for every possible page we can redirect to.
EDIT:
It appears a4j:commandButton was causing some problems, after we replaced it with h:commandButton we are being redirected but not only within portlet but within portal.
To have sendRedirect available, you have to cast object response to HttpServletResponse :
HttpServletResponse objHttpServletResponse = (HttpServletResponse)
FacesContext.getCurrentInstance()
.getExternalContext()
.getResponse();
objHttpServletResponse.sendRedirect(url);
This is doing a 302 redirect, managed by browser.
The only other alternative (to having many navigation cases in faces-config.xml) I've found that works is using FacesContext.getCurrentInstance().getViewRoot().setViewId(page) to redirect, where page is String page = FacesContext.getCurrentInstance().getViewRoot().getViewId().

GWT JSONP with Post not Get

I have a web service in the form `http://....../methodName
It returns a jsonp result such as:
methodName(["a":"a", "b":"b"])
GWT provides JsonpRequestBuilder class to parse jsonp.
JsonpRequestBuilder rb = new JsonpRequestBuilder();
rb.setCallbackParam("callback");
rb.requestObject("http://...../methodName", new AsyncCallback<TestJS>(){
...
});
This structure makes a request to url :
"http://...../methodName/?callback=__gwt_jsonp_P0.onSuccess".
My web service returns a callback with methodName not with __gwt_json.....
So gwt could not create a JavaScriptObject from that response.
Also JsonpRequestBuilder works with GET not POST.
How can I achieve those: Sending requests with POST and modifying GWT's default callback name.
JSONP will NOT work with POST. Its not a GWT limitation btw.
JSONP is essentially including a javascript file from your server. So, when you make a JSONP call, a temporary tag is added to the DOM.
Now, a <script> tag can always makes a GET request. That's a browser thing, and GWT cannot do much about it.
If you want to make a cross-domain POST call, you have to chose from one of the following options (and they have nothing to do with GWT)
Use Flash plus a crossdomain.xml that allows cross domain posts
Use Cross Origin Resource Sharing, or CORS. NOTE that this is only supported in modern browsers
Use a proxy server on your domain
Unfortunatly, this isn't how JsonP works. The requests are made by adding a tag to the page, and the results are passed into a function wrapped around the data – in your case, __gwt_jsonp_P0.onSuccess.
The callback name can't be affected, at least while using JsonpRequestBuilder – the system needs to account for the fact that you could send multiple requests out at once, possibly even to different endpoints. A JsonP endpoint that doesn't allow the caller to customize the callback function name is very unusual, and even more odd is an endpoint expecting JsonP calls that expects an impossible POST.
You can implement your own JsonP client side code by using the ScriptElement type, and registering your own global callback to call into your GWT java code.
Look into the API docs for the web service, and see if there is perhaps a better way to communicate with it, perhaps by using a proxy on your own server, avoiding the cross domain issue altogether.

MVC 2 how to go to url without redirecting?

Is there a way to go to a url without redirecting to it? Basically I want to call a url from within my application in the background so it can logout a reliant party.
Appreciate the help.
What you are trying to do does not compete us to answer as it's directly related to your own Authentication implementation.
A normal ASP.NET Authentication based in Forms Authentication you will need always to lunch the url from a browser as it is there that relies the Authentication given.
You can give yourself a try by opening your website and log in into it, after that, open other browser brand (not browser window) into your application url... you will see that you also need to login again as the Authentication is hook up into the first browser.
It's Up to you as Application Architect to make this by implementing another way of authentication, normally in this kind'a cases, this happend when consuming web services where you need a authentication code first (given by calling a Login method) and that code is always needed to be appended to the body or header of any call to the system.
This way you can easily remove the authentication code and all procedure calls will fail.
As said, this is not up to us, it's up to you to create the correct Authentication Layer.
from your comment
it's as simple as using WebClient object
WebClient client = new WebClient ();
string reply = client.DownloadString (address);
If you wish to transfer to a new url request you can still use
Server.TransferRequest()
The problem with this is that by not using a redirect the browsers address bar will not reflect the fact that you have moved their request to another URL.
To have the client visit a given URL in the background you should either make an AJAX call to it or possibly have an image with an src of your logout url (though you'd have to make sure that you return a FileResult of your image too). This is how most analytics packages call to their relevant urls in the background.
The problem here though is that neither is 100% reliable, turn off javascript or images on your browser and these results fail.
From what you've said I think what you're after is for a user to continue to any of a variety of pages rather than a specific logout page. If this is indeed the case your best solution is in fact a double redirect.
Have your application redirect to your logout url but before hand put the url of the page you want them to go to into tempdata. Then in the actionresult for the logout page you can do your logging out as required and return a redirect to the url from tempdata.