c++,windows,winapi,pipe,authorization
This is the first problem: ace.grfAccessPermissions = PIPE_ACCESS_DUPLEX; The PIPE_ACCESS_DUPLEX constant is only meant to be used as an argument to CreateNamedPipe(), it is not a valid access permission. (By coincidence, it is equal to FILE_READ_DATA|FILE_WRITE_DATA but those access rights do not by themselves allow you to connect to a...
asp.net,web-services,wcf,iis,authorization
I have solved it. I hope it will help someone. Some fixes to the configuration (Attached). All users allowed but filtered at lower level folders. Installing missing authorization handlers at the IIS on the OS (Turn windows features on...) Use the local IIS and not IIS Express from the visual...
c#,.net,azure,authorization,azure-documentdb
We have confirmed this to be an issue isolated to the North Europe region. We are applying a hotfix to known accounts effected and will be deploying a fix shortly. If you are NOT in North Europe and are experiencing this issue, or if you continue to see if within...
linux,security,authentication,authorization,pam
Eventually I got it working. Issue 1: The issue I faced was there is very few documentation available to configure TACACS+ server for a non CISCO device. Issue 2: The tac_plus version that I am using tac_plus -v tac_plus version F4.0.4.28 does not seem to support service = shell protocol...
ruby-on-rails,ruby-on-rails-4,authorization,cancan
rescue_from CanCan::AccessDenied do |exception| if exception.action.to_s == "create_or_update" err ={} err[:error_id] = "AUTHORIZATION_ERROR" err[:error_msg] = exception.message render json: err, status: 403 else redirect_to "/", :alert => exception.message end end ...
ruby-on-rails,authorization,pundit
The only way to do this is to have your authorization checks return true for a user or role that has been designated a "super user." So, it would look like this: def update? *normal authorization logic* or is_superuser? end def edit? *normal authorization logic* or is_superuser? end #etc... private...
ruby-on-rails,authorization,cancan,cancancan
CanCan blocks only work on model instances (see this wiki page) and right now your can? sends the model class, not an instance. In order for this to work, you need to pass an instance of Membership. You can do something like this (assuming @group is the group the user...
session,cookies,zend-framework2,authorization
If you're using ZfcUser (and if you're doing user authentication on ZF2 you should be) check out the GoalioRememberMe(https://github.com/goalio/GoalioRememberMe) module, it does exactly what you're looking for (Caveat: I've never actually used it myself so I can't vouch for it's efficacy or security) I also suggest reading this response by...
ruby-on-rails,authorization,activeadmin,cancan
You can display conditionally the block actions: https://github.com/activeadmin/activeadmin/blob/master/docs/9-batch-actions.md#conditional-display...
.net,authorization,azure-mobile-services
I found the solution. It involves: Creating my own ServiceTokenHandler and overriding the CreateServiceUser method to add logic after the call to base.CreateServiceUser(claimsIdentity) that tries to find the roles in my UserProfile table that are linked to the user specified in the claimsIdentity. If it finds roles, it adds new...
security,authorization,claims-based-identity,abac,role-based-access-control
Actually, you should not attempt to implement a new authorization model. There is already a good model called attribute-based access control (or ABAC - see the SO tag abac and xacml). ABAC is an authorization model that: is defined by NIST, the National Institute of Standards and Technology, the very...
http,request,authorization,captcha,recaptcha
Turns out we are not supposed to do that kind of tricks with reCAPTCHA. There is no support for that in API. It seems that it was part of Google's design to prevent that kind of usage. The only walkaround I could come up with is to implement a WebView...
javascript,xmlhttprequest,authorization,cors
If you set an Authorization header then you are making a complex request and you have to handle the OPTIONS preflight before the browser will make the GET request. You can't set the header without handling the OPTIONS request....
authentication,python-3.x,web-crawler,authorization
In my case problem was in 'Referer' parameter in headers, which is required but wasn't specified
asp.net,iis,authorization,relative-path,restriction
You can move the file either to a folder outside of the root of the site or to the App_Data folder (which is protected form direct browsing by the ASP.NET framework) and then set your ImageUrl to point to a generic handler (.ashx file) which will be responsible for delivering...
security,oauth-2.0,authorization
OAuth 2.0 is certainly fit to handle that use case as well. You have two options: assign a scope per calendar e.g. Calendar.1.Read (remember, scopes contents are not defined by OAuth 2.0 and can be dynamic) use a type of opaque bearer access token that requires validation/introspection at the Authorization...
node.js,express,authorization,handlebars.js
One way you could do this is by hydrating your template model with a profileOwner privilege as you suggested. Suppose you wanted to only allow users to edit their own profiles. Using connect-roles you could set up a rule like this: user.use('profile owner', function (req, action) { return req.isAuthenticated() &&...
You have to set different cookies for frontend and backend in config/main.php file. For Eg.: In backend: 'components' => [ 'session' => [ 'name' => 'BACKENDID', //Set name 'savePath' => __DIR__ . '/../tmp', //create tmp folder and set path ], ], In Frontend: 'components' => [ 'session' => [ 'name'...
c#,authentication,authorization,web-api,asp.net-5
Generate an RSA key just for your application. A very basic example is below, but there's lots of information about how security keys are handled in the .Net Framework; I highly recommend that you go read some of it, at least. private static string GenerateRsaKeys() { RSACryptoServiceProvider myRSA =...
php,design-patterns,authorization
OK, So I moved the authentication code to the service layer and found that there were only a couple of instances where I still needed to do additional checks in the model. For consistency, I could pull these checks into the service layer too, at the expense of performance, but...
asp.net-mvc,asp.net-mvc-4,authentication,authorization
The problem was in following action in the _Layout.cshtml file <li>@Html.Action("BasicInfo", "Profile")</li> which is calling ProfileController action BasicInfo, and the ProfileController is decorated with Authorize attribute which redirected action to login. Quite a stupid and misleading mistake... Once I checked if user is authenticated before this action everything was ok...
angularjs,authorization,angular-ui-router
This could be solved using the more prams of the $stateChangeStart event // instead of this $rootScope.$on('$stateChangeStart', function (event, next) { // we can use this $rootScope.$on('$stateChangeStart' , function (event, toState, toParams, fromState, fromParams) { and that means, that we now have access to all passed params inside of the...
In short, yes. The app will ask for the location and camera both permissions in your new app. Also, this is more complicated when it comes to location access. There are 2 cases: 1) Foreground Permission: Your app asks for permission to use the location when you app is in...
asp.net-mvc,authorization,sitecore,sitecore8,sitecore-speak-ui
Have you compared the DLLs in your bin directory to the zip of the web root from dev.sitecore.net? Are you missing any of the SPEAK DLLs? These are the SPEAK DLL's i have in my Sitecore 8 site. Also as Kam said check your call all the SPEAK config files....
design-patterns,permissions,authorization,onion-architecture,hexagonal-architecture
One could argue that access checking should always be as close to the code that performs the operation as possible to reduce the chance that someone can find a side-channel that bypasses access checking. That said, if you can use a wrapper class such that you guarantee that in the...
asp.net-mvc,controller,authorization,actionlink
One possibility is to use MvcSiteMapProvider for your menu. It has a built-in security trimming feature that automatically hides links according to AuthorizeAttribute. If you don't like the built-in HTML helpers, you can customize the templates and/or build your own HTML helpers that hide links based on node accessibility. Or,...
ios,objective-c,authorization,cllocationmanager
You have to do it like this: 1)#import <CoreLocation/CoreLocation.h> 2)Set delegate CLLocationManagerDelegate 3)Create CLLocationManager *locationManager; Object 4)#define SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedAscending) in your .m file 5)Setup location manager if (self.locationManager==nil) { self.locationManager = [[CLLocationManager alloc]init]; } self.locationManager.delegate = self; CLAuthorizationStatus status = [CLLocationManager...
ruby-on-rails,ruby,postgresql,devise,authorization
You seem to be going round in circles. Would this work? if current_user.contracts.find_by(eula_version: 3)...
asp.net-mvc-4,authorization,asp.net-web-api2,bearer-token
Check the WebServer, In IIS the Machine Key can be set at the application level, every time the app pool recycles a new Machine Key is generated hence you need a new token. You can set the Machine key on the Website level or Root Server Level. Maybe this might...
python,django,authorization,django-rest-framework
Well you could try overriding queryset in init of serializer. something like def __init__(self, *args, **kwargs): super(MySerializerClass, self).__init__(*args, **kwargs) if self.context.get('request', None): field = self.fields.get('b') field.queryset = field.queryset.filter(user=request.user) Current user shall be accessible through self.context....
.net,web-services,authentication,authorization,asp.net-web-api2
The last Authentication filter to run successfully simply clobbers the Principal. When you look at the Principal object and the ridiculously complex Claims collections attached to it, you will think that all this complexity is surely intended to support multiple successful authentications! But you'd be wrong. Only one can succeed....
It is not possible just yet but it will be in the near future. Stay tuned for further developments
java,xml,authorization,function-call
You can get an instance of your target class using Class.forName(). The simplest way to instantiate an instance of your class is to do c.newInstance() but if you need to pass constructor arguments you may need to use c.getConstructors() first, followed by ctor.newInstance. You then use the Class instance to...
java,authentication,authorization,jmx,jaas
This is solved by using a Jaas custom login module, then bouncing and relaunching the JMX process with the following in the command line: -Dcom.sun.management.jmxremote.login.config=Sample -Djava.security.auth.login.config=sample_jaas.config where sample_jaas.config has a setting like this: Sample { sample.module.SampleLoginModule required; }; and my SampleLoginModule implements the LoginModule interface, and in its login() method...
angularjs,http-headers,authorization,angular-resource
Documentation for $resource Success callback is called with (value, responseHeaders) arguments. Seems like you can just get the headers with function (res, headers) { console.log(headers); }...
service,authorization,dotnetnuke,dotnetnuke-module
I am not sure but working with the WebAPI you have to register the Service Framework anti forgery stuff ServicesFramework.Instance.RequestAjaxAntiForgerySupport(); This is part of asking the API to work with a specific module....
c#,azure,authorization,azure-active-directory
Yes. The getMemberObjects API returns all groups (transitive) of which the user is a member: https://msdn.microsoft.com/en-us/library/azure/dn835117.aspx . Also, using the checkMemberGroups API you can check whether or not the user is member of a group (transitively): https://msdn.microsoft.com/en-us/library/azure/dn835107.aspx However for your requirement the application roles feature of Azure AD might be...
wordpress,security,authorization
You clearly have a more serious compromise, like an uploaded malicious script or an unpatched vulnerability. You need to rebuild your site from scratch (clean install of the current versions of WP and any plugins and themes, using a known-good database export) ASAP before something really bad happens. Unfortunately, it's...
permissions,authorization,relational-database,rdbms
I think you're on the right track with roles. When logging in, you should request your roles as scopes. It's not a terrible idea to namespace them by API and maybe group ids, if they apply. scopes: ['forum:admin:somegroupid'] The login service could then validate that role by asking the service...
node.js,websocket,socket.io,authorization
Joining a room can only be done on the server. The client typically sends an application-specific message to the server that indicates to your app that they want to join a specific room and then the server carries out that operation on the user's behalf if the request is valid....
java,google-api,authorization,google-oauth,google-api-java-client
Without calling setServiceAccountUser() my code just worked perfectly fine. But you just will have an impersonated account (service_account_mail) not your personal contacts. Another possible source for a "401 Unauthorized" exception is leaving the credential.refreshToken() away. The call is necessary to write the access-code into the reference. Below the finished class:...
authentication,authorization,dynamics-crm,dynamics-crm-online,dynamics-crm-2015
There is a setting on the user called Access Mode that, when set to Non-interactive, makes it so the user doesn't consume a license. Here's an article that outlines how to set a user up for this type of access: http://www.crminnovation.com/blog/crm-online-non-interactive-user/...
php,google-app-engine,authorization
While it's very rare that the nickname will ever change is still possible, so your best option use user's ID by calling the getUserId() instead.
java,java-ee,authentication,ejb,authorization
I strongly recommend PicketLink for your JavaEE application. It's CDI-managed (so you don't need Spring or other heavy-weight framework), has a big pack of tutorials and quite simple for beginners. UPD: It's JBoss dependent....
ruby-on-rails,authentication,devise,authorization,table-relationships
After a great deal of research into using Polymorphic Associations, a friend suggested a gem that provided an even simpler approach that simulates Multi-Table Inheritance via Modules. The gem is called Active_Record-Acts As. https://github.com/hzamani/active_record-acts_as My set up will looks something similar to this: class User < ActiveRecord::Base actable validates_presence_of :first_name,...
authentication,ldap,authorization,sonarqube
"Enable Access Control" is for authorization to access the LDAP Directory Information Tree (and not for authorization of the application). I discovered this later. For application level authorization, attributes like memberOf or isMemberOf are used. Apache Directory Server does not support the memberOf or isMemberOf attribute as on the...
ruby-on-rails,ruby,login,authorization,registration
Is there any error displayed in the console? Do check that. Are you defining user_params? ...
c#,asp.net-mvc,authorization,asp.net-identity,authorize-attribute
The definition of a code attribute in C# is that it is static - hence why you cannot have a method, GetRoles(). You proposed wanting an attribute such as: [Authorize(Roles=GetRoles("UpdateProduct"))] This would mean you would have to implement GetRoles() in your code so use a custom attribute that is derived...
php,paypal,authorization,token
The exchange of a refresh token to an access token should fail if the account is closed. However, this won't help you out if they closed the account after that exchange but before the payment. If you are allowing the use of the service and then payment later, I'd recommend...
asp.net,asp.net-mvc,authentication,authorization
Your solution seems to conflate two related but distinct functions: authentication and authorization. Authentication tells you who the user is. Authorization normally occurs after authentication and tells you what the user can do, typically expressed as a list of one or more roles. Under this traditional model, you would have...
It feels pretty lame to query database for userId by his username for each request. I disagree. In order to provide secure WCF service I would check credentials per request. One way of doing it is to create custom UserNamePasswordValidator and override Validate method. You should also configure your...
permissions,authorization,branch,gitlab
No, it is not possible to have a read protection to certain git branches. That would also defeat how git works. What you could do is forking a repository, creating a branch here and only grant restricted permission to the entire repository. Later it would always be possible to merge...
java,filter,jersey,authorization,jax-rs
request.getEntityStream() will contain an InputStream that represents the body. You can read it there.
Are you interested in physically hiding operations from the group? If so you'll need to host separate services which define only those operations. In this scenario, common operations will need to be replicated or refactored out into another service. If you're only interested in restricting access to certain operations based...
java,authentication,authorization,restlet
In fact, I think that you should leverage the role support of Restlet. In fact, Restlet provides two additional elements regarding security: Verifier that actually authenticates the user based on provided credentials within the request Enroler that loads the roles of the authenticated user. Here is a sample for a...
ruby-on-rails,ruby-on-rails-4,devise,authorization,pundit
If you just want to have 1 user, a single administrator, with a login and password, and no other user accounts, then I would recommend HTTP Digest Auth, which is supported by rails out-of-the-box and doesn't require any extra gems or plugins. (Or HTTP Basic Auth, but digest auth is...
I would strongly suggest against implementing your own logic. Just search around in SO for many failed attempts. There are plenty of frameworks that let you do just the right level of access control you are looking for. Some are even mentioned in the comments. Have a look at: Spring...
authorization,saml,thinktecture
Authorization Server uses WIF and WIF doesn't support SAML. Neither does identityServer. You could go the route: Authorization Server --> WS Fed --> ADFS --> SAML --> SAML IDP or add a SAML stack to Authorization Server. This is non-trivial!...
php,api,youtube-api,authorization
I found the solution. Using the force-ssl scope fixed it. $client->addScope(Google_Service_YouTube::YOUTUBE_FORCE_SSL); Not sure why the ssl scope works when the plain youtube scope doesn't, especially for just listing comments....
c#,.net,http,authorization,.net-4.5
What you are experiencing is normal, this is how the NTLM authentication scheme works. 1: C --> S GET ... 2: C <-- S 401 Unauthorized WWW-Authenticate: NTLM 3: C --> S GET ... Authorization: NTLM <base64-encoded type-1-message> 4: C <-- S 401 Unauthorized WWW-Authenticate: NTLM <base64-encoded type-2-message> 5: C...
rest,authentication,authorization,privatekey,public-key
Let me start by saying I don't have any credentials in the security world. Please take everything I say with a grain of salt. A couple of general thoughts It seems like you want to roll your own which is a bad idea in any security-related area. Even more so...
c#,ldap,authorization,rbac,abac
You can take a step back and look at the bigger access control / authorization use case. IF you want to do resource-action based authorization, you can roll out ABAC, the attribute-based access control model. ABAC is an evolution of RBAC and identity-centric authorization. It was designed by NIST, the...
python,django,authorization,tastypie
I have not received an answer to my question, and added these lines to the top of the method RecordResource.obj_create(): if not bundle.request.user.laptop.approved: raise Unauthorized(u"Доступ планшета к данным не подтвержден администратором.") ...
authentication,authorization,thinktecture-ident-server,thinktecture
Either connect to your "external custom service" form within your IUserService (idsrv specific) - or treat it as an external identity provider. In that case you need to write a Katana authentication middleware for it (reusable Katana component). For the UserService check the IdentityServer docs. For Katana authentication middleware -...
c#,asp.net-mvc,redirect,authorization
A good way to solve this problem would be to check in your ExtendedAuthorize attribute whether the OnAuthorization is running at the page you want the user to redirect to. I guess your ExtendedAuthorize is something like the following: [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)] public class...
api,paypal,authorization,capture
In the beggining, when you create the payment with intent authorize you should be getting an authorization object within the response. This object has the id you need for the capture later. Check this blog post to see if you're missing something fundamental in the picture. I followed the tutorial...
Use config.set_default_permission to set a permission for views for which none is set explicitly. Thus you could do config.set_default_permission('private_view') and restrict the 'private_view' permission to authenticated users; and then explicitly allow the some views, like login, for unauthenticated users. Do also note that: If a default permission is in effect,...
django,google-maps,authorization
I believe that the button you are talking about is part of the Google Maps Javascript API - see: https://developers.google.com/maps/documentation/javascript/signedin Essentially the google maps sign in does not appear to offer user authentication that can be used with python. The python version of google maps uses a server key that...
ruby-on-rails,rest,routes,authorization
Do you know the gems rolify and CanCanCan? I think they can help you manage authorizations on resources in a single place instead of having to do it in every controller....
ruby-on-rails,ruby-on-rails-4,authorization,cancancan
Change the object name used for pagination . def getAssignments @assignments = Assignment.all if (@assignments != nil && @assignments.length > 0) then @assignment = @assignments.paginate(:per_page => 5, :page => params[:page]) end end and in your view like this <% if @assignment != nil then%> <%= will_paginate @assignment, :class => @paginationClass.to_s,...
c#,authorization,domain-driven-design
It makes sense to do authorization in any methods that need authorization otherwise there will be a security problem, especially when these methods are entry points in your backend logic. That means if you deploy these domain services as another tier which is accessible from outside, these methods really need...
if you want the User object in your Session you can set it easily here if (user.Password == usr.Password) { Session["current_user"]=user; return RedirectToAction("Index"); } I recommend to create a new object where the password is not available in the Session. Also you should think about how to save the password....
asp.net-mvc,asp.net-web-api,authorization
The problem was that the authorization I implemented was from MVC. But for web api, another authorization is needed, which looks nearly the same but differs a bit. First I had to remove the reference to MVC in the custom authorization class and use web.http instead: So. I had to...
c#,asp.net,authentication,authorization,owin
The issue was I've removed all authentication types from IIS At least Anonymous Authentication was required to be selected in IIS. The same error could be reproduced with the sample apps like WebApp-OpenIDConnect-DotNet by disabling Windows and Anonymous Authentication in the Project Properties for IIS Express....
security,hadoop,authorization,kerberos
I found the answer in the cloudera Documentation here It seems that the property security.job.client.protocol.acl is for MR1 and for MR2 we can use security.applicationclient.protocol.acl. ...
.net,asp.net-mvc,security,authorization
The only solution that I can think of is to issue client certificates, and use certificate authentication in your application. Managing certificates To manage certificates you need to implement a PKI, which requires: Get a Certification Authority, needed to issue the certificates (it can be a public CA or you...
authentication,jboss,authorization,wildfly
I see 2 problems here. If you want to use your database only to load roles, then use the password-stacking in both login modules. It says to subsequent login modules not to check the credentials and only load roles. The DatabaseCertificate login module should be used together with SSL/TLS and...
php,google-api,authorization,access-token
You're sending the parameters in a GET request to the authorization endpoint (https://accounts.google.com/o/oauth2/auth), but you must send them in a POST request to the token endpoint (https://accounts.google.com/o/oauth2/token).
java,javascript,security,rest,authorization
You want to look at the implicit flow in OAuth 2.0 which is specifically geared towards clients running JavaScript in the browser. It's not using asymmetric encryption directly in JavaScript. If you want to do that, you could look at the crypto-js library....
android,facebook,google-app-engine,oauth,authorization
When your app authenticates a user, store an object in a session which contains an oauth provider that has been used to access the app and, optionally, a token to be used for subsequent requests. Now you can check for this object in every call to the server. If the...
html5,api,websocket,socket.io,authorization
There is really no way to do this directly because of the openness of code that runs in a browser. You can require APIkeys or some such thing, but if you're using those APIkeys from a browser, they are not a secret so anyone can discover them and use them...
asp.net-web-api,filter,dependency-injection,authorization,autofac
Unfortunately, if you want DI in your filters, you can't use attributes. Per the docs: Unlike the filter provider in MVC, the one in Web API does not allow you to specify that the filter instances should not be cached. This means that all filter attributes in Web API are...
java,authorization,quickbooks,quickbooks-online
Normally, you wouldn't have to go through the OAuth process again. You can use the app token from the other app you mentioned. But since you created a new app at developer.intuit.com you will need to generate a token from that app, which isn't a big deal. You can get...
android,oauth-2.0,authorization,retrofit,dagger
The key is to always add the RequestInterceptor and then change whether or not it adds the header. class ApiHeaders implements RequestInterceptor { private String authValue; public void clearAuthValue() { authValue = null; } public void setAuthValue(String authValue) { this.authValue = authValue; } @Override public void intercept(RequestFacade request) { String...
javascript,angularjs,api,authorization,interceptor
If you use a ui-router for your application routing, you could use nested states and a resolve clause in a parent of your 'authenticated' states to make sure that you only get to that controller/template if your 'login' request has successfully resolved and to redirect to a 'sign-in' state if...
session,authentication,oauth,authorization,openid-connect
By requiring that the access token is a JWT, agreeing on the user claims that go in to the JWT, putting expiration/issuance timestamps in there and making sure that you cryptographically verify the issuer of the token you're actually doing the very same thing that OpenID Connect is doing: "profiling"...
authorization,google-cloud-storage,google-cloud-platform
It turns out I'm using the wrong OAuth flow if I want to do this. Thanks to Euca for the inspiration to figure this out. At the time I asked the question, I was assuming there were multiple projects involved in the Google Developers Console: One project for me, the...
authentication,authorization,openid
That totally depends on what you're signing in to. Both options are feasible and the Relying Party that uses AOL/Google for login decides how the accounts are treated/connected.
php,paypal,authorization,stock
You can use any of PayPal's payment products. The standard thing to do when selling limited quantity goods, or other goods which have fullfillment costs/delays/challenges, is to collect a payment authorization from the buyer (so use PAYMENTACTION=AUTHORIZATION), then allocate/reserve/sell the goods to that particular buyer, then capture the funds. Personally...
php,mysql,codeigniter,authorization
I have created menu table and menu permission table seperately. menu table menu id menu name menu permission table id menuid usergroup_id Check whether the current logged in user group id is available in menu permission table or not public function get_menus($user_group_id) { if ($user_group_id == 1) { $query =...