authorization

OAuth alternative?

Hi, I have been investigating OAuth to share resources in my site with other sites. But a hole in the OAuth specification was reported several days ago: http://oauth.net/advisories/2009-1 Many sites decided to stop OAuth until a fixed version is released. Currently, do we have any alternative to OAuth? I want an open-standard and secure aut...

Configure apache for system passwords?

I know I can use htpasswd to create a password file for apache, but how do I configure it to use valid users or groups from the system? ...

Centralized Authorization Service?

Are there any open source centralized authorization services available? There are lots of solutions for centralizing the authentication information (eg: CAS and JOSSO), but what about the authorization information? There are some really good authorization frameworks (eg: Spring Security (formerly Acegi) and Seam Security), but it seems...

What options are available to accept credit card payments through an iPhone?

What are the options to accept a credit card payment from an iPhone application? This will be a stand-alone application, not an iPhone-specific web site. Can I integrate with a payment gateway like Authorize.net? What about PayPal or Google Checkout? I know on some web sites, it will take you to a PayPal site for the payment authoriz...

Are there any session security loopholes in my PHP script?

After I authenticate user login info, I create this session for them: $_SESSION['username'] = $userName; Then, I redirect them like this: header('Location:www.domain.com/profile/' . $_SESSION['username']); I want my website to have a beautiful URL, something like: www.domain.com/profile/userName Thus, in all my redirect links (HTML <a...

Why is <deny users="?" /> included in the following example?

Hello, the (?) wildcard represents unauthenticated users while (*) represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization: <authorization> <deny users="?" /> <allow users="dan,matthew" /> <deny users="*" /> </authorization> But doesn’t the above code...

Controlling access to specific files via <location>

Hello, A) We can also control access to specific files using <location> tags. Why aren’t <location> elements contained inside the <system.web> tag, but instead nested directly inside the <configuration> element? B) I realize the <system.web> element is used for Asp.Net settings, but why does <location> also contain <system.web>? Is it so...

ASP.NET MVC - CustomAuthorize filter action using an external website for logging in the user

I have a CustomAuthorize action filter that forwards the user to the sign-in page if the user is not authenticated. I apply this filter to actions or controllers. [CustomAuthorize] public ActionResult MyAction() { //do something here return View(); } and the filter looks like this: public class CustomAuthorizeAttribute : ActionFilter...

Where should I place a check that may redirect a request?

I need to redirect users to the Change Password page if their password has expired. I want to place this code in one place so that any request can be redirected to the change password page. I've looked into extending the AuthorizeAttribute, and overriding OnActionExecuting, but neither works/allows me to short-circuit the routing logic t...

I've decoupled my user model from the main domain model that represents a 'person' and wonder how to retrieve personalized user data in the controller context.

Example: [Authorize] public ActionResult Index() { var person = _userPersonalizationService.GetPersonForUser(User.Identity.Name); var campaigns = _campaignRepository.GetCampaignsByCompanyId(person.Company.CompanyId); return View(campaigns); } Basically every user is tied to a person model, and in this instance, I want the ...

ASP.NET Authentication and Provider...

I am trying to navigate from one website on my localhost to a second website on my localhost. Both sites have their own membership provider. I'm trying to use a FormsAuthenticationTicket from site #1 to SSO a user into site #2. Currently I'm getting this error: System.Security.Cryptography.CryptographicException: Padding is invalid and c...

Easiest way to decode basic authorization in .NET

I need to validate a basic authorization header that is being sent to my HttpListener in VB.NET. I'm grabbing the header like so (feel free to point out better ways to do this as well): EncodedAuth = Context.Request.Headers.GetValues("Authorization")(1) Now how do I decode them? I understand the theory but I can't seem to find the r...

URL-authorization and non-Asp.Net related file types

Hello, URL authorization only applies to Asp.Net-related file types? But why couldn’t it also be applied to non-Asp.Net file types? Thanx ...

Is there a standard asp.net authentication authorization login system?

Besides what comes with 2.0 (the generated aspnetdb.mdf), is there a standard login authorization/authentication system for asp.net Internet websites? One that can plug into a website. ...

loading controls according to the usertype asp.net

I have to create a website in asp.net with C#. And the requirement is: according to the user type (like Admin, Manager, User) the menu should be different and it should change dynamically. I have done this before by creating different pages (for admin, manager, user) depending on the user, but this time the controls should load dynamic...

What are some good role authorization solutions used with Authlogic?

I am looking for a good role-based authorization solution to use alongside Authlogic. Anyone have any good suggestions? Please list some pros and cons from your experience if possible. ...

If authentication ticket also contains information about roles, then why...?

Hello, Q1 – The reason the native UrlAuthorizationModule doesn’t understand roles is that role information is stored in a managed object implementing the IPrincipal interface, to which native modules don’t have access. A) But if the native UrlAuthorizationModule understands the authentication ticket, and thus can work in co...

ASP.NET MVC: Authorization inside an Action - Suggested Patterns or this is a smell?

Hello, I have an ASP.NET MVC application using Authorization Attributes on Controllers and Actions. This has been working well but a new wrinkle has shown up. Object: Shipment Roles: Shipping, Accounting, General User The Shipment moves through a workflow. In state A it can be edited by Shipping only. In state B it can be edited b...

Default home page of MVC application is always redirecting to logon screen (IIS7)

I'm having a bit of an issue setting up our test site. In IIS 7, our app pool for the site is running in integrated mode. In Authentication, I have Anon enabled and Forms auth enabled. In Authorization, I have Allow All Users. All pages allow anon users, EXCEPT the default (Home/Index.aspx). That page always forwards the user to the...

What is a good method to bypass authentication and/or authorization in development mode?

I have several actions that are protected by filters that check for logged_in? and admin? and spit out 401 or 403 errors respectively if the tests fail. What's a good way of getting around these filters in development mode only so I can test out my app? I can't go through the actual login procedure because it relies on infrastructure I...