What is the ASP.NET Membership framework's reputation as far as security goes? Are there any typical default configuration settings that are problematic? What best practices are there? Are there any built-in methods to combat things like session hijacking?
...
What is the best way to go about implementing authentication and authorization for a JSF web application? Preferably I'd still want to use container-based security, as I need to call EJBs that require the principal.
I realize form-based authentication is a major struggle with JSF, but can I perhaps use a PhaseListener or something simi...
I'm trying to come up with a good way to do authentication and authorization. Here is what I have. Comments are welcome and what I am hoping for.
I have PHP on a Mac server.
I have Microsoft AD for user accounts.
I am using LDAP to query the AD when the user logs in to the Intranet.
My design question concerns what to do with that A...
We currently have a group of web-services exposing interfaces to a variety of different client types and roles.
Background:
The web-service application code is (and will stay) written in a weakly typed dynamic language.
Authentication is handled separately; this post is about Authorisation.
All operations exposed by the web-services ...
I have created an authentication module in ASP.Net but I do not want the logic in the authentication module to be executed if the resource is configured for anonymous access since the logic is expensive.
There are pages that require authentication in the same directory with pages that do not require authentication. I have no control ove...
Hi,
If I've applied an authorisation attribute at controller level, is it possible to override this on one of the methods on that controller?
Thanks
James
...
I am using Windows authentication and don't have a custom membership. However I do have a custom role provider and turned it on. However, what about the <authorization /> element in the web.config? Do I need to do something with that as well?
At the moment I can't use the Roles.GetRolesForUser("") method (returns nothing) but have to d...
In ASP.NET I often see (and have copied the following) but never really understood the difference between the * and ? symbols.
for example
<system.web>
  <authorization>
    <deny users="*" />
    <deny users="?" />
  </authorization>
</system.web>
Just wondering if anyone can tell me the difference?
Cheers.
...
Hi.
I need to know how to go about implementing general security for a C# application. What options do I have in this regard? I would prefer to use an existing framework if it meets my needs - I don't want to re-invent the wheel.
My requirements are as follows:
the usual username/password authentication
managing of users - assign pe...
I am writing an MVC app that has two branches to travel along right from the beginning. One path authorizes with a PIN and I am using forms authentication to limit access to this section of the code. However, the other path will accept an AD log in and I need to stop people from moving between the branches using URLs. Should I be using a cu...
I'm writing a custom role provider and I need programmatic access to the authorization information stored in the web.config.
Certain sections of the site are only accessible by certain roles. I would like to find out which roles can access a page and/or which page a certain role can access.
I can't seem to figure this one out.
...
I am struggling to choose what to use for authentication and authorization for my .Net application. I am using ASP.Net MVC with C#. In Java I find Spring Acegi Security very easy and good to implement to secure urls, hide menus and buttons and even secure my methods.
Also I would be using Windows Active Directory to store user profile.
...
I intend building an application using CodeIgniter so I'm currently identifying all the features I want. I would like to know if there are any recommendations for Authentication & Authorization libraries for CodeIgniter.
...
Looked but cannot find answer. Not sure exactly what Title ought to be. Hoping for some suggestions from "outside the box". I don't think I can be the only one facing this.
"How can ASP.NET application best "accept" that user authorization has already been performed in a website"?
We have our own ASP.NET (2.0) application. It suppo...
Can anyone provide me a link of any example WinForms application that implements the concept of User authentication and authorization on the basis of Roles or Groups?
The application should allow access of users to the main-menu on the basis of their roles.
...
I'm working on a Flex 3 application that uses the Flex IFrame project to connect to remote web servers, using basic authentication.
When authenticating against the remote web server, the URLRequest is put together with the following code, and loaded with a URLLoader.
var request:URLRequest = new URLRequest(targetHost);
var authorizat...
Can I use <authorization> to protect webforms from being accessed if a person does not have a specific role?
I tried this:
<authentication mode="windows" />
<authorization>
  <allow roles="Admin" />
  <deny users="*" />
</authorization>
but if the role Admin is not available then I can still visit the page by typing in the url. How can...
I have an asp.net web site, I want to restrict all users from accessing a folder named "log" and I have this element in web.config:
<location path="log">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
and this element before it in system.web:
<authorization>
<allow users="*"...
For my actions that are going to interact with the User's account, I would like to create a "TheUser" object in addition to adding that object to "ViewData["TheUser"]" as soon as any action on my controller is called.
If the User is logged in, it will grab the User's info from the database, if not, "TheUser" object will just be null.
I...
Suppose a high-speed developer was tasked with building a banking application which would be accessed by many different people. Each person would want to access his or her own account information but would not want others to access it. I would like to know the best practice for restricting access in an MVC application so that only the us...