Hi, I have been investigating OAuth to share resources in my site to other sites. But, hole of OAuth specification was reported several days ago. http://oauth.net/advisories/2009-1 Many sites decided to stop OAuth until fixed version is released. Currently, can we have any alternative to OAuth? I want an open-standard and secure aut...
I know I can use htpasswd to create a password file for apache, but how do I configure it to use valid users or groups from the system? ...
Are there any open source centralized authorization services available? There are lots of solutions for centralizing the authentication information (eg: CAS and JOSSO), but what about the authorization information? There are some really good authorization frameworks (eg: Spring Security (formerly Acegi) and Seam Security), but it seems...
What are the options to accept a credit card payment from an iPhone application? This will be a stand alone application, not an iPhone specific web site. Can I integrate with a payment gateway like Authorize.net? What about paypal or Google checkout? I know on some web sites, it will take you to a paypal site for the payment authoriz...
After I authenticate user login info, i create this session for them: $_SESSION['username']= $userName; Then, I redirect them like this: header('Location:www.domain.com/profile/' . $_SESSION['username']; I want my website to have a beauty URL, something like: www.domain.com/profile/userName Thus, in all my redirect links (HTML <a...
Hello, (?) wildcard represents unauthenticated users while (*) represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization: <authorization> <deny users="?" /> <allow users="dan,matthew" /> <deny users="*" /> </authorization> But doesn’t the above code...
Hello, A) We can also control access to specific files using <location> tags. Why aren’t <location> elements contained inside <system.web> tag, but are instead nested directly inside <configuration> element? B) I realize <system.web> element is used for Asp.Net settings, but why does <location> also contain <system.web>? Is it so...
I have a CustomeAuthorize action filter that forwards the user to signin page if user is not authenticated. I apply this filter to actions or controllers. [CustumeAuthorize] public ActionResult MyAction() { //do something here return View(); } and the filter looks like this: public class CustomAuthorizeAttribute : ActionFilter...
I need to redirect users to the Change Password page if their password has expired. I want to place this code in one place so that any request can be redirected to the change password page. I've looked into extending the AuthorizeAttribute, and overriding OnActionExecuting, but neither work/allow me to short circuit the routing logic t...
Example: [Authorize] public ActionResult Index() { var person = _userPersonalizationService.GetPersonForUser(User.Identity.Name); var campaigns = _campaignRepository.GetCampaignsByCompanyId(person.Company.CompanyId); return View(campaigns); } Basically every user is tied to a person model, and in this instance, I want the ...
I am trying to navigate from one website on my localhost to second website on my localhost. Both sites have their own membership provider. I'm trying to use a FormsAuthorizationTicket from site #1 to SSO a user into site #2. Currently I'm getting this error: System.Security.Cryptography.CryptographicException: Padding is invalid and c...
I need to validate a basic authorization header that is being sent to my HttpListener in VB.NET. I'm grabbing the header like so (feel free to point out better ways to do this as well): EncodedAuth = Context.Request.Headers.GetValues("Authorization")(1) Now how do I decode them? I understand the theory but I can't seem to find the r...
Hello, URL authorization only applies to Asp.Net related file types?1 But why couldn’t it also be applied to non-Asp.Net file types? Thanx ...
Besides what it comes with in 2.0 (the generated aspnetdb.mdf), is there a standard login authorization authentication system for asp.net Internet websites? One that can plug into a website. ...
I have to create a website in asp.net with C#. And the requirement is.. According to the user type ( like Admin, Manager, User) the Menu Should be different and it should change dynamically. I have done this before by creating different pages( for admin, manager, user) depending on the user but this time the controls should load dynamic...
I am looking for a good role based authorization solution to use alongside Authlogic. Anyone have any good suggestions? Please list some pros and cons from your experience if possible please. ...
Hello, Q1 – Reason as to why native UrlAuthorizationModule doesn’t understand roles is due to the fact that roles information is stored in managed object implementing IPrincipal interface, to which native modules don’t have access to. A) But if native UrlAuthorizationModule understands authentication ticket, and thus can work in co...
Hello, I have an ASP.NET MVC application using Authorization Attributes on Controllers and Actions. This has been working well but a new wrinkle has shown up. Object: Shipment Roles: Shipping, Accounting, General User The Shipment moves through a workflow. In state A it can be edited by Shipping only. In state B it can be edited b...
I'm having a bit of an issue setting up our test site. In IIS 7, our app pool for the site is running in integrated mode. In Authentication, I have Anon enabled and Forms auth enabled. In Authorization, I have Allow All users. All pages allow anon users, EXCEPT the default (Home/Index.aspx). That page always forwards the user to the...
I have several actions that are protected by filters that check for logged_in? and admin? and spit out 401 or 403 errors respectively if the tests fail. What's a good way of getting around these filters in development mode only so I can test out my app? I can't go through the actual login procedure because it relies on infrastructure I...