I have a bunch of pages which should only be accessible when the user is logged in. So that the URLs make sense, and also so that the user may bookmark them, I have made them bookmarkable URLs in Wicket.
Now the problem occurs, that if the user comes to view these pages, but is not yet logged in. The constuctor which takes a PageParameters on my page is called.
My approach is going to be:
For all pages which should only be available logged in, but which are bookmarkable, put an if statement in this constructor to test if the user is logged in or not.
If the user is not logged in:
Store (a) this.class (b) the PageParameters in a special place in the session
setReponsePage to be my login page
In the login page, if the login is successful, check to see if these special attributes in the session are set, and if so, then setResponsePage to be the class/parameters of the desired bookmarkable URL
Is this approach correct? It seems to be a bit of extra/manual work (although not too much!), but Wicket provides a lot of useful stuff "out of the box": so my question is: is this necessary or is there some Wicket facility I'm not aware of which I can take advantage of?
You should use a IAuthorizationStrategy to protect your pages. See for example wicket-auth-roles for a simplistic roles based library.
When Wicket tries to render the page that is mapped to the bookmarked URL of the user it will notice the user is not yet logged in (since the session has no user assigned to it), store the current requested URL, redirect to the login page and wait until the user correctly signs in. In the onSubmit of your login form you then call
if(!continueToOriginalDestination()) {
setResponsePage(SomeReasonableDefaultPageLikeYourHomePage.class);
}
See for an example the Authentication example in the Wicket Examples project (online demo here)
continueToOriginalDestination will instruct Wicket to render the original URL that the user requested, if one is stored, and otherwise return false.
Related
I have a page in Squarespace that I only want viewable after someone inputs their contact information. For example, I would create a Form Block, and then direct them to the otherwise locked page so they can view for that session. But if they close the window, they would need to re-enter their information (Name + Email).
lets say the address to the otherwise unviewable page is www.website.com/access
Once the viewer puts in their Name + Email and hit submit, they can see the /access page. If they do that and say share the address with someone who has not entered in their information, then they would get the Form Block where they need to enter their information.
Is there a way to do this in Squarespace? Would that need to be done with some sort of PHP Session that can be injected into the header of the specific page?
Ideally it would be like if they could see the page which is normally hidden, but of course unless they are an admin, the page is not viewable to the public.
Squarespace doesn't support PHP since it uses JSON template, so you can't create a session there. Please refer to this page: https://support.squarespace.com/hc/en-us/articles/205815358-Custom-code-FAQ
The only option to achieve this will be to create a cookie via JS and redirect if there is no cookie. The page will be still accessible if you turnoff the JS.
Please have in mind that SquareSpace is very limited when it comes to this kind of changes.
I have a JSF 2.0 application that is used for creating accounts using Self Registration. On the first page, there are fields like name, email, uid etc. Typical to any registration, we show the confirmation page, (other custom pages as well in between) and the final success page. Each page is rendered in JSF using the faces-redirect=true so there are 3-4 pages(facelets) in the entire process. In this application, I use a SessionScoped backing bean to show the middle pages/confirmation page/final page etc. After the registration is complete, I clear the SessionScope bean from session and invalidate the session.
The problem is:
The confirmation page/middle page etc. show the User details that the User entered from the first page(using the EL from the backing bean: #sessionBean.firstName etc.). So, if the User enters this URL in the browser directly (host/appName/confirmationPage.xhtml), the page loads with blank values (as the User did not go to the first page directly). Also, after the registration is complete, if the User clicks on the back button blank values show up (no-cache is explicitly set in the filter class, so cache is not used here which is the correct behavior)
How do I force the User to go to the first page if the firstName etc. is not present. i.e. when the User lands up on a page, make sure that User landed on this page only through the first page in this session?
Should a filter class be used? Or should a prerenderview event be used to check for blank values and redirect them to the first page? There is no "User Login" here as there is no authentication. I believe this is a common use-case and I would like to know if there is any best practice in JSF
Salon owners can create an account with their salon information on our platform and they get a page that they can use as a tab app.
I want to be able to serve all these pages from one app instead of having to install each one seprately and I also want to make the life of the salon owner easier by helping them to install the tab.
I know about the link I can create to help them install the app and I know that when a visitor visits the app that facebook will send the page ID. So far so good.
https://developers.facebook.com/docs/appsonfacebook/pagetabs/
But how do I make sure that when the salonowner follows the link to install the app that I get the page ID back (through callback or other) so that I can register which page ID belongs to which salon account.
I've read sone 2011 article about a callback but I can't find any recent info on this.
I think it should be possible as a lot of sites offer easy fb apps to businesses.
Any help would be welcome!
EDIT: Could this last piece of info in the Facebook link above be used to do this? I don't quite get it yet.
In addition, your app will also receive a string parameter called app_data as part of signed_request if an app_data parameter was set in the original query string in the URL your tab is loaded on. It could look like this: "https://www.facebook.com/YourPage?v=app_1234567890&app_data=any_string_here". You can use that to customize the content you render if you control the generation of the link.
Well... Preventing users from adding your application to their page is impossible. You can't prevent that.
What you will be able to do is to detect who has added your application and according to that, change the content (or not display it at all). So you'll have to start with a list of "allowed" page_ids to match to the accounts you want.
Your application will receive a signed_request each time a user arrives at your application (within a page). Inside that signed_request is information not only on the user but also on the page that the application is on (provided it is a page tab app).
Once you have obtained the signed_request, it will hold a page key which contains:
A JSON object containing the page id string, the liked boolean (set to
true if the user has liked the page, false if not) and the admin
boolean (set to true if the user is an admin of the page, false if
they're not). This field is only present if your app is being loaded
within a Page Tab.
So you'll be able to access the page_id from within this variable and make a decision on the type of content you want to be displayed.
Ok, after running some tests I found out that when you add a URL as 'next' parameter to the install URL Facebook will send the admin(user) back to this URL while adding an array to the request containing all the page Id's the app was installed to.
Like this: YOUR_CALLBACK_URL?tabs_added[ID]=1
Proved to be quite easy in the end
I have a facebook page tab iframe and would like to access the browser url in order to get the current facebook page url.
I know it's not possible to use a javascript that interacts with the parent frame because of browser security issues.
An approach that didn't work for all browsers was to read the HTTP_REFERER header from the request.
Is there a better way?
I hope this is impossible at all. Otherwise it will be a security issue, likely to be closed.
You should not write code depending on compromising other users.
It is not possible to get URL of a parent Frame due to cross-domain policy. And there is no way to get the information about page your application running on in client-side.
But on the server-side you can reconstruct the Page URL using details passed in signed_request. For Page Tab Applications it contains page:
A JSON object containing the page id string, the liked boolean (set to true if the user has liked the page, false if not) and the admin boolean (set to true if the user is an admin of the page, false if they're not).
Using that page id you can build the Page URL:
http://www.facebook.com/pages/-/PAGE_ID
If you want the link to your Page Tab with your application use:
http://www.facebook.com/pages/-/PAGE_ID?v=app_APPLICATION_ID
Beware, HTTP_REFERRER is provided by client and cannot be trusted, and it's may be cut by plugin/proxy/etc...
Notes:
Pages may have different URL in real life, but using this technique user will be landing the correct Page since Facebook will issue redirect to correct URL of a Page.
Sample URLs use HTTP scheme, feel free to use HTTPS if you need it.
In PHP for example you can detect the current scheme like this:
$scheme = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']!=="off") ||
(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
$_SERVER['HTTP_X_FORWARDED_PROTO']=="https")
) ? 'https' : 'http';
HTTP_REFERRER might not work as expected in my experience. If the tab app is designed for a specific page (which I suppose it kind of should), have you tried recreating it?
https://www.facebook.com/MYPAGENAME/app_MYAPPID
Where MYPAGENAME is your page name and MYAPPID is the app id, of course.
If the tab is applied to multiple pages though, I'm quite sure you'll get the relevant data to apply the above from https://graph.facebook.com/PAGEID, where PAGEID is the ID of the page which you get from the signed request.
what is the link between backbutton and continueToOriginalDestination(). method.
how to keep url saved for continueToOriginalDestination() method while clcking browsers back button.
continueToOriginalDestination() is used when a request was (temporarily) redirected to an intercepting page, for example a login page. When a user requests a secured page but is not yet authenticated, the security framework that hooks into wicket (auth-roles, shiro, swarm/wasp) will present the user with a login page, and store the original URL. When the user has authenticated, you can call continueToOriginalDestination and Wicket will process the original request, displaying the requested secured page.
Not only security frameworks can use this, you can do it yourself by throwing a RestartResponseAtInterceptPage exception.
The back button has nothing to do with this, nor does it have any affect on the processing of the original destination page. Wicket keeps storing the original destination until a new one is set, or until continueToOriginalDestination has been called.
continueToOriginalDestination returns true when there was a page to go to, and false when the user landed on the intercept page directly (e.g. guessing the login page URL or clicking on a link pointing to the login page).