authorization

.NET MVC - Windows Integrated Authentication + Authorization

Hi guys, my question is similar to a crapload out there... I have a simple app to be hosted internal to my company (accessed on the intranet). It's an MVC app with Windows Integrated Authentication. I have all the code to authorize a user against AD, but how do I implement this in the client (web.config + global.asax etc.)? Do I use the...

how to create custom business/authorization rules for CSLA Lhotka business objects?

Need to implement custom business/authorization rules for the product that is based on the well-known CSLA framework. Examples: The logged-in principal or admin can update her details, not anyone else. The last user in the system can't be deleted. Currently I know that rules can be applied during setup phase: BusinessRules.AddRule...

Authentication and Authorization Framework for Java Web-Application

Hi folks, I am programming a Web-Application with JEE, JSF and Hibernate. I do not use Spring or EJB! Now I am at the point where to implement authentication and authorization. I need to access an Active Directory or LDAP. And I want to implement my own roles, that are not retrieved from the AD/LDAP. My question is: What's the easiest ...

acl for edit post page?

I wonder if I should use an ACL rule (PHP/Zend_Acl in my case) for something as small as an edit post page? I guess the criteria to allow users to edit a post will be: owner of post, editors/moderators/admin. The question will be, if yes (to use ACL), how can I define it? (I am using Zend_Acl, but if you give me some code example, I might be a...

How is ACL implemented

I am using Zend_Acl and PHP and am wondering how ACLs should be implemented. Should every page be a resource, and I always query the ACL to see if a user is authorized? I guess I must use this if I want to use a controller plugin (can be set up to run on every request) to check if a user is allowed? Or do I just put the query code where I nee...

Question regarding fine-grained authorization and MVC2

Background: Completely new to MVC2. Have C# experience, but limited web experience. I need more fine-grained access than simply assigning a Role to a user. The user may have the role at 0+ points in a tree. / /Europe /England /France /USA For example, a user might be moderator of all forums under "Europe" and have access t...

Creating a different user for each concern of my application!

I want to create my site and in the page have it so that the forum pages will use the forum MySQL user having privileges on mydb.forum_table, mydb_forum_table2, and the profile page uses the profile user having access to mydb.users and mydb.profiefields, and so on with the photogallery, blog, chat and... Is this the right way to do it!...

What is current_ability in cancan's accessible_by (fetching records)?

In the documentation of cancan it shows how to fetch all accessible records (in http://wiki.github.com/ryanb/cancan/fetching-records) in this way: @articles = Article.accessible_by(current_ability) but what is current_ability? I've tried passing the current user which I'm using for authentication and authorization, but I've got this e...

Caching custom user properties in ASP.NET MVC

I have custom UserInfo and UserAuthorization objects in my app, which determine what is displayed and what actions a user can perform on each page. At the moment this information needs to be retrieved for every request to the server. Would it be possible/sensible to cache this information somehow? Can anyone suggest some good Google sear...

How to authorize Facebook app using redirect in canvas?

I'm trying to get into making Facebook apps but I'm having trouble getting authorization working in a redirect scheme inside the canvas. Using the JavaScript API, I got it working pretty easily in a popup scheme: $("#loginButton").click(function(e) { FB.login(function(response) { if (response.perms) { perms(); ...

Authentication on Android

Hi, I am developing an Android app where I require a user to authenticate his session before using the app. One way is to store a user name and password by asking him to register on the app and then use that to authenticate him. But I was looking to do something else, maybe use an OpenID account to authenticate, or OpenSocial or something l...

Application authorization in a trusted third party WIF environment

All, I'm a little confused over some of the concepts behind Windows Identity Foundation and the overall architectural fit in a third-party "trusted" environment as regards Authorisation. I think I may have missed something but I can't see how it would work in the real world. As an example, we have a number of systems behind a portal. ...

Integrated Claims Based Authorization with Windows Identity Foundation

I'm trying to evaluate whether to use classic Principal based authorization vs. IdentityModel authorization. It seems like Microsoft is recommending the latter these days, but I haven't seen enough in terms of maturity or support for it. Specifically, I really like the ability to set a PrincipalPermissionAttribute and allow the framework...

Zend Framework: What exception to use for "Access denied"/"unauthorized access" from ACL?

I am using Zend Framework Zend_Acl. I am wanting to throw an exception when the user is denied access to a resource. Which exception class do I use? ...

Why is separation of user and profile data considered good?

Hello. I've been reading this question and felt that I don't quite agree with the statement "Separation of user and profile data is a nice touch." As I see it, profile data such as, e.g., country or whatever belongs in the user object, while separating such data into a profile leads to creating a new object (and table) with a 1-to-1 relation...

check permission against group not users using Auth->authorize="actions"

Hello folks, can anyone explain to me the working of Auth->authorize = "actions"? In my project I am planning to give this. As this taught me, the authorize will call $this->Aro->check($user,"controllers/:controller/:action"). This will check against the user, right?? That means the user should be there in the aros table. But I don't ne...

Web Apps: Storing ID in hidden fields safe?

I just had this thought, I don't know if I am slow though. Usually, I store the id of the item I am editing in a hidden field. Then in the backend (I am using PHP/Zend Framework btw), I get it to determine which item gets edited. But then I thought, in something more secure, e.g. edit profile, the user can somehow edit a hidden field right...

J2EE Security - Which method to use?

Which one is the best approach/method to implement security in J2EE (JPA/JSPs)? I'm working on a personal project so I can learn J2EE and I am a little confused on how to approach the AUTHORIZATION and AUTHENTICATION process on my website. I have different roles and I don't want certain users to access certain parts of the website. So I'...

Role Based Authorization Guidelines

Does anybody have some pointers for designing roles for authentication in a big organization? E.g. a user may have a role as 'manager' within a department 'sales', but have role 'user' for accessing payroll data etc. Should he then have roles called 'sales_manager' and 'payroll', or are there better ways of doing this? I want to stop...

Role based authorization

Hi, I am trying to use role-based authorization in a declarative way; when an unauthorized user attempts to access a page, it never fires an exception or shows the user an error message. What should I do to show an unauthorized message? Is that possible in a declarative way? Using coding is not a nice option since I have several roles, and folder a...