I'm designing a course management system which has different kinds of users, including sysadmin, branch manager and branch user. As you might expect, the sysadmin can manage all records, the branch manager can manage all records from its branch and the branch user can only manage its records.
My question is, where should this filtering ...
I've got a hardware internet radio player which needs to play a stream which is behind HTTP auth (standard 401 request).
Unfortunately, the device can't cope with HTTP auth, you can't build the username and password into the link (e.g. username:password@http etc. - and besides, the server won't accept that) and it plays streams by call...
Actually I am interested in Java AA framework that supports many types of A&A.
I found that JAAS exists, but I don't find any information about OpenId support. Maybe there exists a module to use it?
Spring Security supports OpenId but I just want to see any alternative. Also I read that Spring Security is a little bit complicated.
I think ...
I am writing an ASP.NET MVC 2 application and don't want to use ASP.NET Membership. I do want to use the Authorize attribute on the Controllers. What I have done so far is ...
Web.config
<roleManager enabled="true" />
<authentication mode="Forms">
<forms loginUrl="~/Authentication/Login" timeout="2880"/>
</authentication>
<authoriza...
Hello friends,
I am using Acl in a new web app.
In my app there are four groups of users.
I have given $this->Auth->authorize = 'actions' so that it will check the permission for actions automatically.
My problem is that some of the actions, such as change Password, edit profile, etc...
are common to all users.
But now I need to create each rec...
I'm trying to build custom AuthorizeAttribute, so in my Core project (a class library) I have this code:
using System;
using System.Web;
using System.Web.Mvc;
using IVC.Core.Web;
using System.Linq;
namespace IVC.Core.Attributes
{
public class TimeShareAuthorizeAttribute : AuthorizeAttribute
{
protected override bool Aut...
Hello,
I'm working on an internal ASP.NET application that uses an Active Directory distribution list for managing who has access to the web site.
However, due to the fact that this distribution list could contain both users and groups, I had to develop a solution for checking to see if the current user is able to access this site (e.g...
Are there any good books, blogs, wikis, etc., on coding security systems, and standards that should be followed? I'm specifically interested in writing Access Control (DAC, MAC, RBAC) and auditing. I think I have a solid working understanding of DAC due to my experience with *nix systems. But I don't know what goes into implementing thes...
I am using Facebook OAuth with web authentication and extended permissions.
My resulting authorization URL ends up like
https://graph.facebook.com/oauth/authorize?client_id={myAppId}&redirect_uri={my_redirect_uri}&scope=offline_access,read_stream,friends_activities,user_activities,user_photos,friends_photos,user_location,user_a...
I'm using MVC 2 with futures, and I'm trying to hide/show content based on role. Is there a way with ActionFilterAttribute or AuthorizeAttribute, if the authentication fails, to not show the controller child action, all through attributes? Or is all I can do with those attributes redirect or throw up an error message? I just need the ...
Hi everyone,
Basic question here (I think), I was hoping someone could point me in the right direction. I don't know much about WCF but I'd like to create a web service to be called from an ASP.Net MVC application. The goal is to make sure only authorized ASP.Net users (we're using forms authentication) can call the web service, not j...
Hi
I'm creating a website which, besides other tasks, will play some recorded files. These recorded files are on a remote server with a private IP address, so I've created a virtual directory which points to a share directory on the mentioned server.
Now I'm able to play back the files using client-side controls like wmplayer. BUT the proble...
Hello.
I have an application that consists of 3 layers:
UI: to be implemented in ASP.NET MVC
Business: Holds the business logic and resource access control
Repository (DAL): Implemented with POCO objects and EF, using the repository pattern. My POCO objects are shared with the upper layers.
I have questions about what information/meth...
I'm working on a website for the marching band that I'm part of, and there is a "Member's Only" page that requires a password. When you click the link for the page, you're prompted for a username and password. If you enter an incorrect user/pass and click OK you are correctly directed to a generic error page.
However, if you click Cance...
I'm implementing authorization in my gwt app, and at the moment it's done in the following fashion:
The user signs up by putting his credentials in a form, and I send them in clear text to the server
The server code hashes the received password using BCrypt and puts the hash in a database
When the user wishes to log in, his password is...
Slapping on [Authorize] attributes on Controllers and Actions to restrict access is awesome.
Is it possible to do the equivalent for an entire Area in MVC 2? Where I can restrict Area-wide access dependent on Roles/Users/whatever in a central place instead of littering them throughout all the Controllers?
...
I am making a small app that deletes log files. I am using an NSTask instance which runs rm and srm (secure rm) to delete files.
I want to be able to delete files in:
/Library/Logs
~/Library/Logs
The issue is that the user account does not have permissions to access some files in the system library folder, such as the Adobe logs sub...
Summary: I need to authorize pages based upon the data present in the query string of a url, not just the page name.
Background:
Let's say I'm building a library inventory system. Users can be created and assigned to a single library in either an Admin or User role. There are hundreds of competing libraries in the same database, so i...
Java EE 5 / EJB 3 / JSF 1.2, using Facelets / ICEfaces 1.8.2
I'm authenticating my users with JAAS, but I think that simple role-based authorization is insufficient for my needs—my users' permissions need to be computed out of data in JPA entities. I'd like to add to certain pages a check that gets some entities from an EJB, does a litt...
I have an ASP.NET app using Ajaxpro and forms authentication. First I was having trouble trying to avoid passing the ajaxpro handlers through authorization, which was resolved when I included them on separate locations on the web.config:
<location path="ajaxpro/prototype.ashx">
<system.web>
<authorization>
...