We have an application for use in medical offices, and with CCHIT certification becoming a requirement, are revisiting our own security. We have traditionally done our own login/password/access level authentication/authorization, but as long as we have to rewrite to meet standards, why not become more flexible.
While we are a Windows a...
When running SharePoint (WSS 3.0) with Windows Authentication (NTLM), external users must supply their usernames in the form of DOMAIN\username. This makes sense, because you could have multiple domains, trusts between them, etc. However, in my case, I only have one domain, and I want my users to be able to log on with their pure username ...
Hi,
I am writing a WCF service that uses the wsHttpBinding binding, which is not hosted in IIS but in a Windows Service. I want to have a Login(user,pass) method in the service, which will give a ticket to the client if the user is valid. Can anyone help me to understand how to implement ticket-based authentication in WCF? Is there any standard mecha...
A colleague and I had a heated debate yesterday whether it is safe to send login credentials via URL parameters as a means of authentication. He correctly pointed out that HTTPS encrypts all non-hostname/port characters in a URL before sending a request to the server side.
However, I still think there are edge cases here where it is po...
I have always thought that in order to connect to SQL server using windows authentication with explicitly specified creds, you must LogonUser, Impersonate, then connect.
It seems to me that this link suggests that it's possible to connect to SQL server without all this hassle, simply by specifying "uid=...;pwd=..." in connection string....
I saw an interesting blank page today titled "saml post profile intersite transit."
What is SAML?
What was it created for?
What is it commonly used for?
What was the page I mentioned above all about?
What functions does it provide that it's rarely used for but are otherwise interesting?
Is there something better or other technology tha...
I have an ASP.Net MVC application. I am using an AJAX request on a page which requires user authentication to fire an action on another controller, which returns a view to update a table on the page. The action that the AJAX request makes also requires authentication. The issue comes up when the user lets their session timeout and the...
Hello,
(?) wildcard represents unauthenticated users while (*) represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:
<authorization>
  <deny users="?" />
  <allow users="dan,matthew" />
  <deny users="*" />
</authorization>
But doesn’t the above code...
Hello,
A) We can also control access to specific files using <location> tags. Why aren’t <location> elements contained inside <system.web> tag, but are instead nested directly inside <configuration> element?
B) I realize <system.web> element is used for Asp.Net settings, but why does <location> also contain <system.web>? Is it so...
How can I get the password for a user from Active Directory?
...
I'm using JBoss AS 5 and the DatabaseServerLoginModule for the authorization. I've my application policy defined as (for example only, not the actual code):
<application-policy name = "jbossmq">
<authentication>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-opt...
I have a Java Enterprise Edition web application, a standard WAR. I want to integrate this with an existing .NET infrastructure running IIS. To be specific, I need to be able to share user sessions between the two applications in some secure manner.
Is there a "standard" way of doing this?
Edit: I do not need full session sharing, sorr...
I am writing a server-client application to receive user message and publish it.
Thinking about authentication method.
1. Asymmetric encryption, probably RSA.
2. Hash (salt+password+'msg'+'userid'), SHA256
3. HMAC, SHA256. Seems to be more secure than method 2. Also involves hashing the password and msg data.
4. Symmetric Encryption of the '...
I have a text file on a unix machine containing the SSH user name and password that someone might use to connect to it.
How do I verify that the user name and password are valid using Java?
Do I try to SSH connect to the same machine by using Runtime.exec()?
I can grep for the user /etc/passwd. But, the password is shadowed.
I'd a...
First off, I know how to and has Integrated Windows Authentication in IIS7. This works great for seeing the Active Directory user logged on the computer.
But, the need is to get the username of a Novell authenticated user. I don't want the password or anything more than the username.
Other restrictions:
Can't install anything on the...
Hey there,
Some time ago I set up a Svn Repository (svnserv as far as I remember), using svn+ssh for authentication. As I finally want to switch to Git on Github now, I want to enable public access to let Github do the import stuff.
As it seems like I've lost the Setup documentation, I'd like to know how to enable public access for th...
I am trying to create a custom realm in Tomcat. My problem is that there is a SessionAttributeListener as part of the framework which checks to see if any object added to the session is serializable, and if it isn't it causes problems... like invalidating the session.
Because org.apache.catalina.realm.GenericPrincipal is not serializab...
Hello,
I'm currently planning a new web project. Clients are going to connect using a regular web browser and, in case of regular Java-enabled cell phones, a J2ME client. I would really like to make use of the OpenID authentication. In case of regular web browser things are pretty straightforward. However, I am really not sure about insta...
Example:
[Authorize]
public ActionResult Index()
{
    var person = _userPersonalizationService.GetPersonForUser(User.Identity.Name);
    var campaigns = _campaignRepository.GetCampaignsByCompanyId(person.Company.CompanyId);
    return View(campaigns);
}
Basically every user is tied to a person model, and in this instance, I want the ...
Hello,
We are loading the combobox on demand using a WCF service. This way, as the user starts typing, the ComboBox talks to the WCF service and fetches the necessary data.
We have forms authentication on the ASP.NET application. The issue is that I want to only allow the authenticated users from our system to make this WCF call.
I...