authentication

FormsAuthentication.FormsCookiePath

Hello, Q1 I’ve read that when setting the timeout of an authentication cookie, we should keep in mind that the longer the cookie persists, the greater the chance of a cookie being stolen and misused. A) But assuming we secure our application against replay attacks by enabling SSL for the entire application, and since forms authent...

What is OpenID "Automatic Login"?

What is OpenID "Automatic Login"? I've never heard this term in a technical sense until today. It has suddenly appeared in Facebook's marketing blog in reference to their new deal with Google. To be clear, they assert that virtually no other OpenID providers besides Google implement OpenID "Automatic Login", thus no other OpenIDs are c...

method to authenticate via a php script on my server

I am using a new service to pull xml data from a server. The service provides two methods of logging in, one via a url query: http://<server>/login.asp?username=<User Name>&password=<Password> and the server returns a cookie valid for 7 days. This means instead of logging in for every query (and making my script less effici...

access domain user thru adam

Hi I'm using redmine (a rails ticket management) and I'd like users to be able to log with their net user and password. I've followed the ADAM Step by Step Guide from Microsoft and setup an ADAM instance on my local machine. http://www.microsoft.com/downloads/details.aspx?familyid=5163B97A-7DF3-4B41-954E-0F7C04893E83&displaylang=e...

How do I make iCacls grant access at the folder level so it can be inherited?

Using the command: iCACLS.exe \\server\serverroot\siteroot /grant:r domain\id:RX /T /C I can grant access to every file within the site root folder, but the folder itself does not receive the access. The problem being any new file that gets added lacks the read access until the command is run again. What am I not understanding? ...

Web service request authentication

We're really stuck here so I decided to ask for your help. Yesterday I was asked to help consume a web service, got the URL to the WSDL, and the user credentials to use. I've never really had anything to do with web services, but having a general idea about them and seeing a few examples I thought it can't be that bad. Obviousl...

Logging into Peoplesoft App-Designer in 2 Tier using LDAP authentication.

I have a database with LDAP login enabled. It works fine when logging in through the PIA or when logging into app-designer through the application server. I need to make app-designer allow me to login with 2-tier mode using LDAP authentication. Is this possible without customization? ...

SQL Server 2008 Mixed Mode Security?

We are setting up a SQL Server 2008 Standard edition on a Web Server for the first time. We normally have our SQL Server on our local Intranet and only use windows authentication. What is the best practise authentication mode for a web server? Can I use Mixed mode without any security worries? Thanks! ...

Unique identification of a certain computer

Hello everyone, I have the following scenario and can't seem to find anything on the net, or maybe I am looking for the wrong thing: I am working on a web-based data storage system. There are different users and different places and only certain users are allowed to access certain parts of the system. Now, we do not want them to connect to ...

Windows authentication & SQL Membership services

I have an ASP.Net MVC intranet site which uses Windows Authentication to know who is logged in (no anon browsing allowed). The first time the users visit, I collect some very basic information from them for their Contact object (such as name, email, country) which is then stored in the apps database. I want to make the site role based, ...

How do you weave Authentication, Roles and Security into your DDD?

How do you implement Roles and Security in your C# Domain Driven Designs? We have some debate raging on whether it should be implemented by the calling application (ASP.NET MVC) or in the Domain Model itself (model entities and services). Some argue that it should be in the web site itself since that's where the authentication already exi...

What fields should be included in a database table for user authentication?

I am designing a table for the purpose of user authentication. What fields should be included in this table? What is the minimum to be able to track user credentials, track failed login attempts for account locking, actually lock accounts, etc. ...

RoR: AuthenticatedSystem not properly redirecting back on Safari

I've been banging my head against this one for a couple days now: I've got a RoR app using AuthenticatedSystem to require authentication for some of the resources. A before_filter checks to see if the user has logged in. If not, it grabs the request.request_uri and puts it in a session variable (session[:return_to]), then sends the user...

asp.net mvc authentication against shibboleth and authorization

Hi, I have some questions on this topic. Where do I get information about the currently connected user? That is, how does shibboleth pass the information? Can I set some restrictions on actions using [Authorize] attribute based on data acquired from shibboleth? Thanks in advance. Trimack ...

Windows Authentication and Forms Authentication together for ASP.NET

I am developing an internally-facing application that needs to automatically authenticate users via Windows Authentication and fall back to Forms authentication. The fall back would occur in situations where the user on a computer logged in as a group account (such as an operations center). I'm concerned about security where a user cou...

SWT AuthenticationListener Eclipse

Has anyone ever actually used the AuthenticationListener class in SWT? I downloaded the zip file named "eclipse-jee-galileo-M7-win32.zip" and according to the eclipse site this listener is available as of M6. When I open my project in the IDE this class is not there, nor is any other Authentication class (i.e addAuthenticationListener, A...

What are the perceived/actual advantages of Kerberos? Are there any viable alternatives to the technology?

We are planning on utilising kerberos in our architecture. I would like to know what perceived or actual advantages this technology has, and if there are any alternatives. Note that we have a .net client side and java server side. communication will be via messaging bus and SOA ...

Over-ride Browser Authentication Dialog

Is there a way using Java to over-ride the browser authentication dialog box when a 401 message is received from the web server? I want to know when this dialog is being displayed, and instead of it being given to the user, I fill in the credentials for them. Overview of application: I wrote the web server, so essentially I want to sto...

What is a good method to bypass authentication and/or authorization in development mode?

I have several actions that are protected by filters that check for logged_in? and admin? and spit out 401 or 403 errors respectively if the tests fail. What's a good way of getting around these filters in development mode only so I can test out my app? I can't go through the actual login procedure because it relies on infrastructure I...

How to use twitter api with "http basic auth"?

Hello How to use twitter api with "http basic auth"? I think I should use the "consumer key"! because twitter gave you limit rate of requests per hour, how can they count my requests if I didn't use my consumer key? ...