JSF sends an redirect to the webbrowser. But for some strange reason the browers doesn't react on the redirect.
I have been able to identify when this happend, but not why it happend.
The system is coded in Primefaces 4.0, Glassfish 3.1.2.2, JSF 2.1.11.
The receipt for creating the problem is:
1.) Have a session-timeout (for test purpose it is set to 2 minutes).
2.) Login to the module.
3.) Wait to the session timeout expire.
4.) Press the logout button.
5.) The logoutbutton will fire away an event to the login/logout module. Which will contact the IDP (SingleSignOn/SingleSignOut provider).
An response that the user is not valid will be recived. The login/logout module, will response back to the user with an Redirect URL.
The webbrowser will get the response. But do nothing.
It is possible to see this with the F12 button in the browser (Chrome).
If I take that response URL and paste it into another browser/tab. The browser will send the user to the right location. In this case,
to the IDP:s inlogging module.
Here is where it gets a little bit confusing for me.
If I open a clean new browser. With no session active. I take the URL to the "secure" page, and enter it to the URL-line. Press Enter, and
I can see that the browser will try to access the page. But then an authorizationFilter will fetch the request/response.
Identify the users as not logged in user. Then send the user (response.redirect) to the inlogging module.
Which is the right behaviour.
When it comes to the problem describe above. I can see in every log, and in the browser development window. That the same thing happend
when the session times out.
The only differences what I can see, is that the users browsers is not redirected to the loginmodule.
From a user perspective, it seems like the logout button is dead.
This is an problem with a twist. On that page, there is a button to download a file. If the user press that button. The file will be downloaded.
Once the file have been downloaded. There is no problem for the logout button to redirect the user to the right page.
So here is another question on the same topic. Why? It seems like the system "refresh" it self, and become active again.
Overview of the different modules:
Loginmodule: Redirect the user to the LoginModule, and get a answer back if the user is authorized for login or not. I.e. the IDP sends an SAML to the loginmodule.
IDP: An identity Provider.
GUI-module: The module that the user tries to access. Primefaces 4.0, JSF 2.1.11
The GUI module have an AuthorizationFilter, that checks so that the user is authorized and authenticated (got a valid not tampered SAML) to be on the GUI module.
I would be really happy for any hint suggestion that could lead to that I can solve this problem. Or even better, an clear instruction how to solve it.
I have added a login button to my site anad added scope to publish actions as per guide i found here: developers.facebook.com/docs/reference/plugins/login/ and this works fine but my question is: How can i have same function but this prompt to show to users without needing to click on the Login Button.
If user has not installed app, he would be prompted automatically to install it.
Thanks for any help.
Use FB.getLoginStatus of the JavaScript SDK to see if you have a user connected to your app visiting your page. If not, redirect them to the server-side auth dialog (using client-side auth would not be a good idea, since most browsers will block a popup that’s opened without any actual user interaction).
I'm currently developing my first native iPhone app (though I have many years of experience as a web developer). I'm having some difficulty understanding the best way to handle login and I'm looking for some advice on the best way to go about it. The more I think about all the things that can go wrong during login, the more my brain wants to jump out of my head. I'm getting really frustrated with this and could really use some advice from some more experienced iPhone developers. Thanks in advance for your help.
My goal is to support Facebook Connect in the first version of the app, and then to support other SSO services (Twitter, Google, etc.), as well as my own user account system in future versions. The current plan is to have a MySQL table on the server that looks something like this:
users (id, nickname, facebook_id, ...)
When a user logs into the app via Facebook for the first time, an entry will be created in this table for them. You may think this isn't necessary, but it will allow me to expand to other services later on. For example, I could do this:
users (id, nickname, facebook_id, twitter_id, google_id, username, ...)
This table would have nullable fields for facebook_id, twitter_id, google_id, and username. If the user logs in with facebook, they'll have a facebook_id. Twitter users will have a twitter_id, Google users a google_id, and my own users will have a username. They'll all be uniquely identified by my own id regardless of what login system they're using.
So I'm pretty comfortable with the back-end implementation of user accounts. I can setup a web service that the app can call to create/retrieve users, verify logins, etc. No problem.
The problem I'm having is implementing a proper login flow with the iPhone UI components. My particular app uses a UITabBarController that serves as the main navigation. One of the tabs is labeled "My Account" and contains information about the currently logged in user. If the user clicks on the "My Account" tab, they are presented with a table view that serves as a submenu. It has options such as "My Profile", "Settings", and some other things. If they click on any of these menu items and they aren't logged in, then I use the presentViewController function to pop up a login screen. They click "login with facebook" and go through the typical Facebook authorization process. When they've completed that process, I use dismissViewController to remove the login page and display the page they were trying to access. If they cancel the login or if the login fails, then I use popViewControllerAnimated on the UINavigationController to send them back up to the "My Account" submenu. For those of you who are having a difficult time envisioning this, check out the Amazon app. It is almost the exact same thing (just click the "More" tab when you're not logged in and try to click one of the menu items underneath it).
That all works pretty well and I'm happy with it. But here's where I get confused:
What the heck do I do if they're several levels deep into the UINavigationController within the "My Account" tab and their login session expires?
Let's take Facebook login for example. Facebook uses session tokens to keep users logged in. The tokens expire after a certain amount of time. Let's say the user navigated down into "My Account", then clicked "My Profile", and then clicked on "Edit" and are shown a screen where they can edit their profile information. So they obviously need to be authenticated in order to view this page. In fact, they're 2-3 levels deep into pages that they need to be authenticated to see. Now let's say they get interrupted by a phone call or something and forget all about what they were doing. The next time they access the app is a week later when their login session has expired. I can handle this in a few ways. None of them seem great to me.
Solution #1
The Facebook SDK will automatically call a method on the AppDelegate class that notifies me of the expired session. Since I am notified of the session expiration at the AppDelegate level, I have no idea what page the user is currently looking at and whether or not they need to be authenticated in order to use it. To get around this, I can have all ViewControllers that require login to extend a "ProtectedViewController" class or something that indicates the user should be logged in to see that page. Then when the AppDelegate is notified of the session expiration, it will try to figure out what the current ViewController is and check if it extends "ProtectedViewController". If it does, then present a login screen. If the user successfully logs in, then everything proceeds as normal. If not, then return the user to the first screen of the app where they have to start all over. This is bad because the user will lose anything they've typed in already, but I don't see any way to avoid it with this solution.
Solution #2
Ignore the session expiration event at the AppDelegate level and instead do this: before any action is taken that requires a user to be logged in (e.g. when the user clicks "Save" on their "Edit Profile" page), check if they are still logged in. If they aren't, then present a login screen. If the user fails to login, then send them back to the start screen. This solution is a pain in the ass to code because I have to perform a check on practically everything the user does within the protected area of the app -- when they view a page, when they click a button -- just about everything.
I would also prefer to avoid sending the user all the way back to the start screen of the app if they fail to re-authenticate. Instead, in this case, I'd prefer to send the user back up the UINavigationController to the "My Account" menu -- which is the closest page that doesn't require login. Sure, I could hardcode that, but I'm looking for a solution/pattern that works a little more naturally and that I can reuse in other apps.
I would really appreciate some guidance. Surely I'm not the first person in the world who has needed to solve this problem. Unfortunately, Google hasn't been much help.
Thanks.
EDIT: Another idea is to subclass UIViewController (e.g. "ProtectedViewController") and implement the "viewWillAppear" method. Inside this method, I can check if the user is logged in. If not, then I slide up a login page. I still don't know how to handle the case when they fail to login, though. This solution has a problem, though: if the user's session expires while they're using the app, then I won't re-authenticate them until the next time they click on a new view. If they're already looking at say an "edit" page and click the "save" button, then they won't be re-authenticated. But perhaps this is a step closer to the solution.
Don't forget that the app delegate is the one that adds the whole tab bar to the main UIWindow. On detection of credentials failing, you could simply remove the UITabBarController from the UIWindow, and replace it only with your own login view to re-authenticate. That eliminates any possibility they could interact with anything in the tab structure, but when restored means whatever position they are at within the tabs is preserved (since you would simply remove the tab bar controllers view but leave the controller intact).
Here how I managed it in a recent project using singletons.
Create a singleton class, say LoginManager that has a method called,
-(UserInfo*) getValidatedUser: (UIView*) senderView
Inside this method check to see if the token is still valid.
If it is not valid simply create a new view that forces the user to login using FB credentials and overlay it on top of the "senderView" so that the user is forced to login, like this:
[senderView addSubview:loginView];
Once the token is valid, you return back the user information.
With this basic logic in place you can now call this getValidatedUser method from your view controller classes whenever you need a valid credential to do something:
UserInfo* myUser = [loginManagerObj getValidatedUser:self.view]
The method internally decides if a login page should be shown or not.
Hope this helps.
I am trying to use new enhanced auth dialog instead of old one in a new application,
I want to first of all display a page with a message to the user, then he can click on a button and then he have the enhanced auth dialog.
My worries are when i set up my new application, the auth dialog v2 is displayed and then if the user accept permissions, then he is redirected to my home.php.
Is it possible to use enhanced auth dialog but first of all displaying a page which inform about the application?
Thanks! :-)
Yes it is possible to first display a page to the user before putting up the auth dialog. I have a current production app that does just that.
In your app, have a connect button of your own making that you display to the user when they are not connected to Facebook.
When a user clicks it, redirect to the page you want to show them with the special wording.
On that special page, have the real facebook login button (or a button/link that fires off FB.login())
Well, I have found the answer.
If you don't want that Facebook display the enhanced auth dialog before your application, but do it manually, when you want,
in your app settings, in "auth dialog" tab, don't write anyting in "Authenticated Referrals" !
And that's all :-)
When I am login in GWT Application, it will open my dashboard but when I am click on browsers refresh/reload button it will call entry point of my application and it will load my login page.
So how can I stop this issue.
How can I stay at same page when I am click on Browsers refresh button?
You can save user info in session after logging in and check it in your entry point class before calling login form/method and than decide to show login form or not.
But I think, the better way is not to write login logic by hands, but to integrate spring-security to your gwt application. It will do all logic by itself, you need only to create login page (you can write login page not in gwt) and make it work with gwt.
Spend week if needed to understand how it works and you will have no problems in future.