authorization

Why do I get the error "Unable to update the password" when calling AzMan?

I'm doing an authorization check from a WinForms application with the help of the AzMan authorization provider from Enterprise Library and I'm receiving the following error: Unable to update the password. The value provided as the current password is incorrect. (Exception from HRESULT: 0x8007052B) (Microsoft.Practices.EnterpriseLi...

Best practice to authorize all users for just one page in asp.net

What is the best way to authorize all users to one single page in an asp.net website. Except for the login page and one other page, I deny all users from viewing pages in the website. How do you make this page accessible to all users? Thanks. ...

Best way to handle user account authentication and passwords

What is the best way to handle user account management in a system, without having your employees who have access to a database also have access to the accounts. Examples: Storing username/password in the database. This is a bad idea because anyone that has access to a database can see the username and password. And hence use it. Sto...

Managing large user databases for single sign-on.

How would you implement a system with the following objectives: Manage authentication, authorization for hundreds of thousands of existing users currently tightly integrated with a 3rd party vendor's application (We want to bust these users out into something we manage and make our apps work against it, plus our 3rd party vendors work ...

WCF Service authorization patterns

Hi all, I'm implementing a secure WCF service. Authentication is done using username / password or Windows credentials. The service is hosted in a Windows Service process. Now, I'm trying to find out the best way to implement authorization for each service operation. For example, consider the following method: public EntityInfo GetEnt...

Non-interactive authentication/authorization for XML-RPC?

We don't exactly comply with the XML-RPC spec, but the concepts are nearly identical. A client comes in over HTTP/HTTPS with an XML payload. We respond with an XML payload answering the request. This is primarily machine to machine, so no human to type a username/password. Our construct runs within apache tomcat. We would like to au...

Can CLIENT-CERT auth-method be used with a JDBC realm within tomcat?

The JDBC realm specifies a table structure for authentication which contains the columns defined by the attributes userNameCol and userCredCol. These correspond to user and password which makes sense for FORM or BASIC auth-methods. They are interactive and require these two pieces from the client's user. What comes back from the cert...

What are the best-practices around resource list authorization?

Publishing and/or collaborative applications often involve the sharing of access to resources. In a portal a user may be granted access to certain content as a member of a group or because of explicit access. The complete set of content could include public content, group membership content, and private user content. Or, with collaborati...

Forms Authentication Error in WCF

Hello, We are connecting to a WCF web service which has Anonymous Access turned off, Windows Authentication turned on. The web.config file has a local user account for allow users and deny users="?". I can download and generate the service proxy fine (being prompted for creds), however from my windows form project (even when passing...

Scalable/Reusable Authorization Model

Ok, so I'm looking for a bit of architecture guidance, my team is getting a chance to re-cast certain decisions with a new feature that we're building, and I wanted to see what SO thought :-) There are of course certain things that we're not changing, so the solution would have to fit in this model. Namely, that we've got an ASP.NET app...

How do you restrict access to a certain user using ASP.NET MVC?

So let's say I have an eBay-type application where only the seller can edit his/her listing. How do I go about restricting access to the Edit action based on the Id of the item we're editing and the currently logged in user? As far as I can tell, the Authorize attribute only allows you to restrict access to controller actions based on ...

Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?

In ASP.NET MVC, you can mark up a controller method with AuthorizeAttribute, like this: [Authorize(Roles = "CanDeleteTags")] public void Delete(string tagName) { // ... } This means that, if the currently logged-in user is not in the "CanDeleteTags" role, the controller method will never be called. Unfortunately, for failures, Au...

Authorizing REST Requests

I'm working on a REST service that has a few requirements: It has to be secure. Users should not be able to forge requests. My current proposed solution is to have a custom Authorization header that looks like this (this is the same way that the amazon web services work): Authorization: MYAPI username:signature My question is how t...

User Access Checking for Rights on Particular Database Objects or Records

I'm having a friendly debate with a developer about a situation where users are logging in and accessing documents in a web application. When we load the document for the user to view, we have the userID in session and the documentID that may be passed via QueryString. To prevent the user from modifying the documentID on the QueryString...

Authentication system for ASP.NET web applications?

Hi! I have some questions: How to make a role based web application? Such as in forum sites, there are many user types, admin, moderator etc... are the roles of these user types stored in the database or web.config? And when a user logs in to our site, how to control this user's roles? In short I want to learn about authorization and authenticati...

Best way to implement fine-grained authorization for a web application?

I'm working on a Rails web application, and it's currently being used by some 20 users. Some parts of the application are only accessible by some users, so we already have a basic authorization framework in place, which I implemented using the acts_as_authenticated plugin. The users' privileges depend on which department they work in, ...

Security integration with arcPlan Enterprise

We currently have a custom authorization service built on .Net technologies. We are working with our Business Intelligence team to try and find a way to integrate these authorization services with our arcPlan Enterprise reports so that we can have a consistent mechanism for implementing authorization. I have very little understanding a...

How to allow authorization to an rss feed using ASP.NET MVC?

Our shop is in the process of converting our internal project management application from ASP.NET Web Forms to ASP.NET MVC. I would like to provide an RSS feed for our customers of their current open issues ... but I would like to do so with some type of authorization, e.g. login and a password. Is this possible using ASP.NET MVC o...

How to handle authorization when using NHibernate in .NET

I'm using the repository pattern to query our database using NHibernate. It makes it really easy to do things like: public T GetById(int id) {...} But that doesn't help much when someone starts mucking with the querystrings to see things they aren't allowed to. To compound it, some objects are deeply nested children of the parent obje...

Custom Rails authentication / authorization

I know questions of this kind have been asked before, but my situation differs a little. On my rails app I have to validate the user login against an existing repository and then control authorization to given modules. So, I don't want the solution I go for to generate a model for my users and rely on that. The authentication per se need...