When using Visual Studio's built-in web server, every time I make a page request the standard login box pops up and asks for credentials. It doesn't work if I actually put in my credentials, so I just have to hit cancel 5 times so it will go away.
When I run the application through IIS (locally or on test server) it works just fine (no ...
I'm writing a small webapp in Grails, and to make sure all users are authenticated I'm using the following filter:
class LoginFilters {
    static filters = {
        loginCheck(controller:'*', action:'*') {
            before = {
                if (session.user_id) {
                    request.user = User.get(session.user_id)
                } else if (!actionName.equals...
I've seen this question posted similarly in the past. I was hoping someone can point me in the right direction: the User.Identity.Name class returns the domain login.
Which class exposes the actual name?
For user "John Doe" who logs into the web application supplying my_domain\jdoe
User.Identity.Name -
Returns : *my_domain\jdoe*
Sy...
I've been writing tests for my domain objects for some time now, but I'm still not quite sure how to go about testing for security in my web project. Certain users in certain environments can access certain properties of my models etc, but how would you go about testing this? Right now, I'm basing it on the current authenticated user, ...
On the intranet at my part-time job (not IT related) there are various web applications that we use that do not require logging in explicitly. We are required to log in to Windows obviously, and that then authenticates us somehow.
I'm wondering how this is done? Without worrying about security TOO much, how would I go about authenticati...
I have a Cocoa class set up that I want to use to connect to a RESTful web service I'm building. I have decided to use HTTP Basic Authentication on my PHP backend like so…
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    //Stuff that users...
I'm making a website in C# .NET and using the Windows Live ID Web Authentication SDK for my logins. I'm trying to deploy the site using Server 2003 and IIS 6.0, but I'm getting the following error when redirecting from the login page to webauth-handler:
"HTTP Status 405 - HTTP method POST is not supported by this URL
type Status repor...
I'm wondering when login timeouts are being used, specifically when using same session (same browser session). On a number of sites I have completed recently I have added 60 minute timeouts and they seem to be causing problems, such as users are not able to fill out larger forms (like a resume submission--people don't think of copying th...
We distribute our web-application to our customers as a .war file. That way, the user can just deploy the war to their container and they're good to go. The problem is that some of our customers would like authentication, and use the username as a parameter to certain operations within the application.
I know how to configure this using...
Is there a non-IIS way of authenticating users that is not with HTML?
I know I can create my own ISAPI filter for IIS, but I want to achieve the same thing, with .NET code and not integrate it with IIS.
Is there a way to do this now, with the latest .NET, or is ISAPI still the way to go?
...
Hi all
I am prototyping an AJAX-based web application running up against ASP.NET, where I need to have general authorization to different parts of the site, and also have to make sure that various web methods/web services can't be called by unauthorized users (from a rogue HTML page for example).
Is there anything I need to be aware of,...
In SQL 2005 Reporting Services we were able to spoof a user when calling a report. This doesn't seem to work in 2008 and the TechNet articles that appear relevant seem to be implying that you need to create a separate security extension (TechNet article) if you're wanting to expose reports to the internet. Is this what people are using i...
Does anyone know of any good screencasts or documentation covering the integration of Active Directory Federation Services (ADFS) with Authorization Manager (AzMan)?
...
Hello all,
Could anyone explain to me in simple programmatic terms how these RSA key dongles work? I know Blizzard has them for WoW, and PayPal as well as some of the trading sites.
Thanks!
...
This issue is really losing me.
I have a model for authentication : user.
I have a model for comments : comment.
I have a model that is commentable : weburl.
Weburl 1..* Comment
Weburl *..1 User
Comment *..1 User
The issue I have is not testable (my tests are all passing), and does not happen all the time. Usually it happens the sec...
Bug:
I've got an ASP.NET web application that occasionally sets identical cookie keys for ".www.mydomain.com" and "www.mydomain.com". I'm trying to figure out what default cookie domain ASP.NET sets, and how I accidentally coded the site to sometimes prepend a "." to the cookie domain.
When 2 cookies have the same key and are sent up f...
Hey Everyone,
Are there any good examples out there of how the following webservice would work?
I would like a windows/web client to be able to access a webservice, but the client should pass a username, password, and ip address and the webservice should be able to determine if it is on the list of allowed users or not before taking the...
Hi
I've built a class called Login with a construct that either logs them in or it doesn't... I also have a static function called isAuthenticated which is meant to check if the user is logged in or not... I've been messing around with static functions etc but can't seem to get what I want.
Ideally, it'd be where I can easily go
<?php...
We have an existing Web application and we want to migrate from a custom authentication solution to Active Directory Federation Services so that our partner organizations can manage the authorization of their users on their side.
Right now the site is using custom database tables to manage users and custom logic to manage authentication...
I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:
passphrase question / answer (1 or more)
send email with new password
on screen give new password
confirmation through email: must click link to get new password
page requiring...