How to implement a login page in a GWT app? - gwt

My WebApp needs to authenticate the user before allowing any sort of access. The scenario I'm trying to implement is a login page with username and password fields. Once the user hits the "send" button, a sign like "Verifying..." should be shown while an RPC call verifies the credentials. In case of success, load the main app screen.
What is the best way to implement that?
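Added example, not code from the question or any of the answers: the server side of the RPC the question describes. It assumes a GWT client-package interface `LoginService` (a `RemoteService` declaring `boolean login(String, String)`) and a hypothetical `UserStore` that returns the stored PBKDF2 salt and hash for a username.

```java
// Added example, not from the question or any answer: the server side of the
// login RPC. Assumes a client-package interface
//   @RemoteServiceRelativePath("login")
//   public interface LoginService extends RemoteService { boolean login(String u, String p); }
// and a hypothetical UserStore that returns the stored PBKDF2 salt and hash.
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpSession;

public class LoginServiceImpl extends RemoteServiceServlet implements LoginService {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final byte[] DUMMY_SALT = new byte[16]; // used when the user is unknown

    @Override
    public boolean login(String username, String password) {
        if (username == null || password == null) return false;
        UserStore.Record rec = UserStore.find(username); // hypothetical: null if unknown
        // Derive a hash even for unknown users so the response time does not
        // reveal whether the username exists.
        byte[] salt = rec != null ? rec.salt : DUMMY_SALT;
        byte[] candidate = derive(password, salt);
        boolean ok = rec != null && MessageDigest.isEqual(candidate, rec.hash); // constant-time compare
        if (ok) {
            // Drop any pre-login session so the client gets a fresh id (session fixation).
            HttpSession old = getThreadLocalRequest().getSession(false);
            if (old != null) old.invalidate();
            getThreadLocalRequest().getSession(true).setAttribute("user", username);
        }
        // The client shows "Verifying..." while this call is in flight and loads
        // the main screen in AsyncCallback.onSuccess when the result is true.
        return ok;
    }

    private static byte[] derive(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}
```

Every later RPC that serves protected data should check the `user` session attribute server-side; the client-side "main screen" switch is only a convenience, not the access control.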

Have you looked at this page?
It describes how to do the following:
Create a 'login' page that is based on user/password authentication.
Store this data in a secure fashion on your server.
Allow users to 'remain logged in' for as long as you want so they don't have to enter their user name and password every time.
Make 'auto-complete' features of most modern browsers work with your GWT's login page.
Discussion on adding more security with either HTTPS or a fancy hashing algorithm.

I'm not sure how secure your application has to be... but I would suggest leaving that piece of work to Spring Security.
You could make a regular login.html page which would, upon successful login, redirect the user to the "real" GWT app.
Check out this article:
http://code.google.com/webtoolkit/articles/security_for_gwt_applications.html

Not tailored directly for GWT (can still integrate with it), this is a great tutorial for implementing a secure login system.
http://drdobbs.com/web-development/231002659

Related

How does the OAuth2 access grant redirect flow work in an in-app web view?

We have a Flutter app with a Google login feature. In order for it to work, we need to send the access grant code to the backend service. In an SPA workflow, that could easily be done by setting redirect_uri. But in mobile, we cannot do that as it is the app itself (not a website) that the user needs to return to. Is there any way that we can set a redirect_uri that will redirect the user to the app itself (from the in-app web view)? Of course, I should also be able to grab the grant code from the query parameters.
Also an example would be great if it is possible to create such a redirect_uri.
A workaround is to point the redirect_uri to a standard webpage hosted by you, and have that webpage use JavaScript to open the app.
How to open app from webpage: Lots of ways, such as How to open flutter application from url?
Of course, I should also be able to grab the grant code from the query parameters.
You can find plenty of tutorials about how to do that, since in the approach above, redirect_uri points to a very normal webpage.

Within a single application can I get CAS to reauthenticate for a specific page?

I've a (WordPress) website that's secured using CAS. Single sign on is fine for most pages, but a few pages contain sensitive information and require a little more security. For those pages I would like to ask the user to re-enter their password. Is that possible with CAS?
(I did wonder whether I could somehow have those pages behave as separate applications that use the "renew" parameter, but that doesn't seem straightforward.)
It depends on how WP is integrated with CAS. If it's able to submit renew=true for certain parameters, then yes, you could. This is probably a limitation of the WP plugin.

Custom Login using xAuth?

In our project, we want to give the user the option to only fill out one login screen; then the app should check many social networks for this email & password combination and log the user in accordingly.
However, the problem we are facing is with OAuth, which only allows for the default login screen.
I heard it would be possible for Twitter when getting an xAuth certificate from them (hard to get?).
How about Facebook, LinkedIn?
Does anyone know how to get this done?
Thanks, we have been stuck on this for a while already.
The most challenging issue you have is that most of the service providers, be they OpenID/OAuth enabled, will not let you search their system with what you are trying to access.
Even some systems like Twitter/LinkedIn never give you back the user's email id; they treat it as a security issue (though they call it a design specification :))
So I am afraid it is possible. For getting xAuth for Twitter:
To use xAuth, send a request to api#twitter.com with plenty of details about your application and why xAuth is the best choice for it.
Here are more details:
XAuth Twitter
But even Twitter xAuth is almost the same as OAuth. xAuth is still in its early stage. One way is to ask the user for the email and then, based on the domain, redirect the user to the particular system and let the user authorize themselves, but personally that is kind of a hack and not a good solution at all.
Why would a user fill in his username and password for another service in your login screen? Don't you think that defeats the whole idea of security?

iPhone online login system

I am trying to create a login system for my iPhone application. My login system is not an ordinary one. Here is what I want the iPhone to do.
First of all, I will post my username and password to a website, "https://www.example.com/login".
If login is achieved (i.e. username and password are correct), it will redirect me to "https://www.example.com/login/success"; else it will redirect me to "https://www.example.com/login/retry".
I know it sounds strange but that's the way it works. By the way, my application is programmed using Objective-C.
So what I want from the login system is to detect the address of the redirected site and, if it is the success one, allow me to view the rest of the application.
Can I do that login system on iOS? Do you have any idea about that?
The NSHTTPURLResponse class has a method allHeaderFields that you can use to pull out the Location header. Be aware that header names are case-insensitive.
It sounds like you are trying to use the actual website for authentication. While this may be possible, I would advise against it. You should write a separate web service (aka an API) for the app to interact with. If you aren't familiar with the concept of an API, do a quick Google search.

How do I get the Twitter API to respect the callback parameter with OAuth?

I'm working on an iPhone app that ideally uses OAuth to communicate with Twitter. I know a lot of people are doing the OAuth workflow inside of their apps using a UIWebView, but I don't agree with that and am going with the Pownce approach.
The problem is, Twitter has this whole scheme for working with desktop apps, using a pin number. When I register my app with Twitter, they have a web form asking me if I'm a desktop or web client. If I choose desktop client, when I try to have the user authorize, I can set the oauth_callback parameter but Twitter will ignore it after authorization and show a pin number. If, on Twitter's form, I specify that I'm a web client, it requires me to enter a URL to redirect to after authorization. And, since I'm using an iPhone app-specific URL scheme, their web form fails on validation as it only seems to accept URLs conforming to the HTTP protocol.
So, it seems like I'm stuck - I can't say "desktop" because I don't want to bother with a pin, and I can't say "web" or I can't use an iPhone app URL. Any solution to this?
From your question:
I know a lot of people are doing the OAuth workflow inside of their apps using a UIWebView, but I don't agree with that and am going with the Pownce approach.
The Pownce article suggests that quitting your application and opening Mobile Safari to perform the authentication step is problematic, and that they started receiving bad reviews from users for doing it that way. They also experienced a failure rate of around 40%.
Pownce's solution is to use a UIWebView within your application instead, so I have a feeling you may have misinterpreted their recommendations. That being said, they do label this as a "naive" solution and go on to suggest a bunch of theoretical "ideal" solutions.
Another point you might not realise is that desktop applications (using the "out of band" / pin number method) and web applications need to open the Twitter site in either an embedded or external browser.
So you've got two choices on the iPhone:
Open up twitter.com in a UIWebView, specifying no oauth_callback parameter or oauth_callback=oob to start the pin-based out-of-band flow. The user then needs to copy the pin using the iPhone's copy-paste functionality, manually close the UIWebView, and paste the pin into your application. The pin can then be converted to an access token.
Do it how everyone else is doing it (UIWebView + custom-uri://foo.bar in the callback parameter).
For obvious reasons, the first option is pretty crap and really only useful on platforms where Twitter is unable to redirect to a custom URI.
A simple solution may be to create an HTTP page that always sends a 301 redirect to your custom URL scheme and then provide that HTTP URL to the twitter web API.
Aside from that, Nathan's answer is very complete.
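Added example, not from this answer or from the Flutter answer above that suggests the same trick: a small servlet for the "HTTP page that redirects to your custom URL scheme" approach, usable as the callback URL for both the Twitter (OAuth 1.0a) and the Google (OAuth 2.0) cases on this page. The class name `CallbackForwarder` and the scheme `myapp://` are assumptions.

```java
// Added example, not from either answer: a tiny servlet for the "HTTP page that
// redirects to your custom URL scheme" approach. Assumes the app registered the
// hypothetical scheme myapp:// and that this servlet's URL is the redirect or
// callback URL given to the provider.
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CallbackForwarder extends HttpServlet {
    // Fixed destination, never taken from the request: this page must not
    // become an open redirector that forwards tokens to arbitrary schemes.
    private static final String APP_URI = "myapp://oauth/callback";
    // Only the parameters a provider sends back are copied across; anything
    // else in the query string is dropped.
    private static final List<String> FORWARDED = Arrays.asList(
            "oauth_token", "oauth_verifier",   // OAuth 1.0a (Twitter)
            "code", "state", "error");         // OAuth 2.0 (Google)

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        StringBuilder target = new StringBuilder(APP_URI);
        char sep = '?';
        for (String name : FORWARDED) {
            String value = req.getParameter(name);
            if (value == null) continue;
            target.append(sep).append(name).append('=')
                  .append(URLEncoder.encode(value, StandardCharsets.UTF_8.name()));
            sep = '&';
        }
        // 302 rather than 301 so no intermediary treats a redirect carrying a
        // one-time code as permanent; no-store keeps it out of the browser cache.
        resp.setHeader("Cache-Control", "no-store");
        resp.setStatus(HttpServletResponse.SC_FOUND);
        resp.setHeader("Location", target.toString());
    }
}
```

The app still has to check that `state` (OAuth 2.0) or `oauth_token` (OAuth 1.0a) matches what it issued before exchanging the forwarded code or verifier, since any page can open `myapp://` with made-up parameters.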
Here's how I do it: tell Twitter you're a web app, and make up any old HTTP:// URL to satisfy Twitter during registration of your oauth client.
Then in your app, pass the URL you want to in the callback parameter. Twitter (in my experience) uses the one you give it.
You could use an intermediate website for the authentication. Your app creates a unique id (hardware based?) and stores it. It then records that it has sent the user for authentication and sends the unique id to your website. It then redirects the user to your website. Your website then sends the user to Twitter using OAuth. The user returns to your website and you mark the unique id as authenticated and store the authentication information. The user restarts the app on the iPhone; it reads that it has sent the user for authentication and contacts your website with the unique id, and reads in the authentication information.
Long winded and needs another website, but it should work.