john lazeraski

Ranch Hand
since Nov 14, 2011

Recent posts by john lazeraski

Hey all,

I have been trying to protect my APIs with spring oauth2. I have looked at and taken numerous examples, and it all looks easy enough using Spring 4.x, the @EnableAuthorizationServer, and so forth. However, despite trying in memory, jwt and jdbc, whenever I try to create a token using the /token endpoint, I see in my log output:
2017-01-19 12:21:05.047  WARN 30061 --- [243-8081-exec-4] o.s.web.servlet.PageNotFound             : No mapping found for HTTP request with URI [/api/error] in DispatcherServlet with name 'dispatcherServlet'

which makes me think I am missing something that allows the server to forward to some page that needs to be sent back as an error response. I don't have anything hosted at the /api/error endpoint; I assumed that the magic of Spring OAUTH2 and such properly returned a JSON chunk of error and the 401 error code.

From time to time I seem to send in the right POST call that generated a different error, basically telling me:
No adapter for handler [public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken>

So this last one makes me think that the auth worked, but somehow I am again missing something on my runtime classpath to handle the OAuth2AccessToken response type. Which again is baffling to me because I assumed with all the POM dependencies set up, and annotations in my code configured as other examples show, it just all magically worked. Nothing I have found explains anything else on configuration, etc for either of these issues I am seeing.

I built a Postman request to http://<ip>:80801/api/token?client_id=foo&grant_types=client_credentials

That is a POST call, with Accept: application/json set as a header.  

I am trying to set up the ability for an API consumer to create a token that they can then use to make API calls with e.g. Bearer <token> in Authorization header.

Any help would be appreciated.
7 years ago
I see.. I've always seen jquery with $().. although I do understand a little OO JS, so figured there was an object behind it somewhere, just haven't seen examples with using the JQuery() format. Thanks for the heads up.
10 years ago
JSF
I totally agree Tim. I've asked a bunch of questions. The way it works is you get a public key that you pass to their JS function, which uses it to encrypt the local fields. It then sends that data to your server, where you apply your private key to the encrypted values to further encrypt it before sending it to their server for the transaction. Check them out, https://www.braintreepayments.com/ Their support is top notch and used by a lot of clients. They were recommended by some java sites as well, so figured I'd try them out. They seem good and I posed the same question.. about security in a JS function that could be hackable. For now anyway they look good.. as long as I run in my own SSL cert when providing the form to users, it should remain 128-bit encrypted to my server, as well as they encrypt the form fields again. But I am not a security expert.

The solution you speak of is a way to avoid having to be PCI compliant on your own site because of users sending credit card info to your server. They have that option as well, but this option seemed to provide the right security along with a bit easier way of working with it.
10 years ago
JSF
Interesting Tim.. because it seems to work. I figured out that I had to use the \\: instead of : within a $() for jquery. With that in place, my form is now working. So far I am not using any EL on my pages, just JSF and the #{} syntax.

The thing is, the Braintree.js credit card processor API requires you to encrypt specific form elements, and their JS provides routines to encrypt and submit the form to your server side, encrypted. I am trying to allow a user to enter credit card billing info, but ALSO save the billing info as their home address since both are typically the same thing. So I need to submit two forms. The first is the encrypted form which the Braintree.js provides a jquery handler that you set up with the button (in my case h:commandButton) id. But, you can provide your own handler as well, for client side validation and such that their handler calls before it submits the encrypted data. Within that, in order to save the billing info but still send the credit card info encrypted, my own routine has to pluck each element out, submit the billing info as one form, then submit the encrypted data as another form. It sounds more complicated than it is; they provide a pretty nice and easy to use API that keeps my site from having to be PCI compliant with the exception of an SSL cert. But I am also trying to make my signup process super easy.. so that our users don't have to repeat/type the same thing twice (in this case, billing info IF they decide it's the same as their home address).

I am not quite sure about the jQuery() notation you speak of, I'll have to look it up. I assume it's calling the actual jquery object rather than using $. So when you say don't do brute force and use the onsubmit attribute... because the Braintree.js has its own built in form + encrypt function, I am not quite sure how I should do that. I'll see if I can call all their stuff from my own routine directly, rather than use their onFormSubmit function with my button id.

10 years ago
JSF
Hey all,

Been trying to find a solution to this. I am using JSF 2, Primefaces 3 which loads jquery. I've found examples of how to add my own function handler to a form onSubmit. I've verified that my JS is being called, with the following:



In the above, the Working alert shows up when the page loads (after it's loaded). I also did verify that the $("#cc.clientId}:creditcard-form exists (set it on var, checked for null.. it wasn't null). So that seems to work fine. The form is tied to a command button:




The form DOES submit to my server, however the JS function above never activates. I am using a credit card library called Braintree, which allows encryption of form fields before it's sent to my server, but I also need to save the billing address info. So I am trying to call the braintree routine in my own handler, instead of using its specific form submit handler.

That's about all I have right now. Is there any way to verify my function is attached to the form.. or perhaps some way to determine if it's being removed?

I realize this is a javascript related bit of code, but I am asking here in JSF because I am unclear if the JSF generator removes or somehow affects onSubmit or other calls on JSF elements such as the commandButton.

Thanks.
10 years ago
JSF
Makes sense. Where do you typically create the data model? In the @PostConstruct? I assume you use the FacesContext to find the data table component, then set the model with your created one?
10 years ago
JSF
Thanks.. that makes sense. I have yet to have done anything like this so thank you for the info. Good to know.
10 years ago
JSF
Hi Tim,

When you say use a session bean, then inject viewscope beans.. does this mean each page of the wizard uses the session bean for things like action methods to call upon, and the session scoped bean has each of the view scoped beans injected in it? I am unclear how using a session bean and view bean at the same time would work or work together. Or why you would have both, as opposed to just one or the other?

Thanks.
10 years ago
JSF
Ouch.. tough decision.. this reminds me of not too long ago..well about 10 or so years ago when we were using shtml files, trying to use a template engine to process the shtml file to replace $$tokens$$ for dynamic content. Meanwhile, JSP 0.7 came along, and soon JSP 1.0 with the MVC model 1 architecture, which was "better" (sort of) than the shtml way we were doing things. The problem was, shtml and jsp were not the same thing.. the cool thing was, we could do one page at a time.

I would first take what Tim is saying to heart.. even though you say there is budget for a move next year, are you in any position at all to suggest moving to say Tomcat 6 or 7 (not sure what container you deploy in). Tomcat 6 I believe supports JSF 1.x apps, but ALSO supports JSF 2. The same would be for GlassFish 3 or JBoss 5 or something. My point is.. if you can move to a container version with minimal effort that supports both versions, you may open up a case for you to slowly work on a JSF 2 page, converting an existing page to JSF 2 in the process, one step at a time. This would allow you to use the now standard JSF 2 right way of doing things, while keeping the existing app in place. I was surprised when JEE 1 came out how easy it was to quickly build a WAR and EAR file, modify our code a slight bit, and deploy and have things working. I would imagine it wouldn't take too long if you spend a few hours each day extra (if you can and if it will pay off) to move to a better supported platform, even if it's on your own accord on your own computer to see it work. This may give you a good learning experience as well and then perhaps you can show your peers or boss and show them how easy it is, why it is better, etc.

Anyway, just some thoughts.. I know in many cases we developers are just pawns on a board and have no say in anything. That is why I prefer smaller teams, where everybody has a say and is important to the project.
10 years ago
JSF
Hey Tim,

Interesting.. most examples I see show the List<object> as the backing model. I'll look at using ListDataModel. I assume then I also need the DataTable component, and set the ListDataModel<MyType> on it as the backing model.

Out of curiosity, is there a problem with parameterizing the button click? Is it just bad form, or is it that because the ListDataModel is created already, no point in using a 2nd list and thus no need to specify the parameter in the call? You say it muddies the view.. but if I am iterating an object anyway with the <p:dataTable.. why does it make a difference if I set the var and pass that in a click?



10 years ago
JSF
Nice! I figured they must have gone that direction. I am still torn though.. which is better JEE6 (and now 7) or using Spring/Hibernate. Most shops I've interviewed with seem to lean heavily towards Spring and Hibernate, but JEE 6/7 is so nice and at least for me GlassFish 4 is rock solid and easy to work with. Unzip, create a domain, start it, ready to deploy into it with all the JEE services ready to go. I went back to using @ManagedBean because I wanted to make sure my app could run in Tomcat if need be, but then all my @EJB stuff would no longer work, hence why I want to start looking back at Spring/Hibernate to understand them as well so that I can deploy my app in Tomcat (or Jetty) and not need the EJB layer or have to deploy a separate EJB tier into a JBoss or Glassfish container and work with remote calls and such. Seems like Tomcat + Servlet/JSF + Spring/Hibernate offer a pretty solid solution if you don't want the full JEE stack.
10 years ago
JSF
Hi Tim,

I think we went over security or maybe it was BalusC from the other forum..can't remember. I was originally going to use JEE security, but I ended up going to Shiro. I find it easier to work with, easy to set up access rights for user roles and define those roles, and from what I've read, it's every bit as good as JEE directly, with another added bonus that you can use it outside a JEE container. I have that in place now and it works great, tied to a couple tables (users and roles) and so far, I can't access any resources that I defined that require a specific user role to authenticate with. But I agree with you, after reading either you and/or BalusC's info on why the usual login forms with basic calls are so typical of apps and easy to circumvent, I recalled many a login form over the years that I've worked with that were exactly that. So I am glad I was able to find Shiro and implement what I believe to be a pretty secure login process.

Yes, I thought of what you are saying and as I said, I think it's a better design to use separate pages than trying to use the rendered property of panels to show/hide the panel on the same page. Makes it more difficult to maintain it as well.

Thus far, I have been using view scoped beans, and upon the "next" button being pressed, I typically update the database. So I don't know that I need a session bean in this case. When the page is rendered, I grab the data from the database if it's available. If not, it's an empty form (first time filling it out or they skipped it and are coming back to it if allowed to). I was trying to use request scope in these cases since I do store it in the db and pull it again from db to show it, but the post back stuff fails if I don't use view scoped, so I've been sticking to using view scoped.

So you pretty much confirmed what I thought.. which is using discrete pages as the user navigates the wizard like process.
10 years ago
JSF
Tim, been years since I used Spring, never used Hibernate. But given that JEE 6 seems to have stemmed from Spring and Hibernate, does Spring still require all the xml-from-hell configuration stuff? Or is it more annotation friendly like JEE6/7 is for configuring things.. like injecting resources, beans, etc?

10 years ago
JSF
This will be great when CDI is the only thing going, which I assume then that a JSF 2.3 container like Tomcat would support CDI at the time it's available. But that's years away given that 2.2 just came out, so for the foreseeable future, if we're deploying in Tomcat, or Jetty, or what not, then ManagedBean seems the best route for now.
10 years ago
JSF
Hey all,

I'd like to learn the best (or more common) way to handle conditional navigation and thus what is displayed "next". In my case, the first time a user registers, I keep a flag of the last step they were on. For example, after they activate their account, the status may be set to 1. If they are at step 1, I want to show some text and a form for them to enter some data. If they completed that, when they log in (or upon completing it, the next step) is to show another form. It's wizard like, but they may also come back to any of these specific forms at a later time to add more to them, change them, etc.

My first thought was to have the initial page (/loggedin/index.xhtml) use the rendered="" attribute in a h:panelGroup or something, such that if they were step 1, one specific panel group (and children) would be rendered, the others would not due to the rendered="" conditionals being false. If they were on step 2, a different panel is rendered. Going from step 1 to step 2 could be a post back or a redirect to the same page but with the update state causing the next panel to show up.

The other option, the one that I think makes more sense, is in the login bean method, or at any step really, returning a navigation string configured in faces-config, that causes a redirect to a specific page, such that each of the panels in the above scenario would be their own pages.

The problem I am facing though, is in some cases, some of these panels in the first scenario may need to be on one page, later on during editing, but initially as part of a "setup" wizard I want them to be individual. Therefore, I am thinking what I really need is composite components that can be reused in different views... but then, should the setup "wizard" still use individual pages where each page uses the component, or would it make more sense to use a single page with panels that show/hide depending on a condition?

10 years ago
JSF