authorization

Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?

怎甘沉沦 submitted on 2019-11-26 03:25:53
Question: In ASP.NET MVC, you can mark up a controller method with AuthorizeAttribute, like this: [Authorize(Roles = "CanDeleteTags")] public void Delete(string tagName) { // ... } This means that, if the currently logged-in user is not in the "CanDeleteTags" role, the controller method will never be called. Unfortunately, for failures, AuthorizeAttribute returns HttpUnauthorizedResult, which always returns HTTP status code 401. This causes a redirection to the login page. If the user isn't

How to use basic authorization in PHP curl

浪子不回头ぞ submitted on 2019-11-26 02:36:36
Question: I am having a problem with a PHP curl request with basic authorization. Here is the command line curl: curl -H "Accept: application/product+xml" "https://{id}:{api_key}@api.domain.com/products?limit=1&offset=0" I have tried setting the curl header in the following ways but it's not working: Authorization: Basic id:api_key or Authorization: Basic {id}:{api_key} I get the response "authentication parameter in the request are missing or invalid" but I have used proper id and api_key which is

How is OAuth 2 different from OAuth 1?

随声附和 submitted on 2019-11-26 01:55:11
Question: In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1? Is OAuth 1 obsolete now? Should we be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2 is ready to use. Is it? Answer 1: Eran Hammer-Lahav has done an excellent job in explaining the majority of the differences in his article Introducing OAuth 2.0. To summarize, here are the key differences: More OAuth Flows to allow better support for

How to handle authentication/authorization with users in a database?

落花浮王杯 submitted on 2019-11-26 01:39:50
Question: Currently, I am working on a web project using JSF 2.0, Tomcat 7 and MongoDB. I have a big question of how to handle the session management and authentication/authorization with users in a database. The structure I want is as follows: only logged in users can create events and everyone can see the created events. create.xhtml --> only for logged in users. events.xhtml --> public for everyone. The basic structure I'm planning is: Check if the page requires logged in user (e.g. create.xhtml)

Authentication versus Authorization

三世轮回 submitted on 2019-11-26 00:56:24
Question: What's the difference in context of web applications? I see the abbreviation "auth" a lot. Does it stand for auth-entication or auth-orization? Or is it both? Answer 1: Authentication is the process of ascertaining that somebody really is who they claim to be. Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorised to read. The two concepts are completely orthogonal and independent, but

ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)

杀马特。学长 韩版系。学妹 submitted on 2019-11-26 00:50:02
Question: I need to control the access to views based on users' privilege levels (there are no roles, only privilege levels for CRUD operation levels assigned to users) in my MVC 4 application. As an example, below the AuthorizeUser will be my custom attribute and I need to use it like this: [AuthorizeUser(AccessLevels="Read Invoice, Update Invoice")] public ActionResult UpdateInvoice(int invoiceId) { // some code... return View(); } [AuthorizeUser(AccessLevels="Create Invoice")] public ActionResult

Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same

半世苍凉 submitted on 2019-11-26 00:38:19
Question: I am using JSF2. I have implemented a custom faces servlet like so: public class MyFacesServletWrapper extends MyFacesServlet { // ... } wherein I'm doing some authorization checks and sending a redirect when the user is not logged in: public void service(ServletRequest request, ServletResponse response) { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; if (...) { String loginURL = req.getContextPath() + "/LoginPage.faces";

How implement a login filter in JSF?

隐身守侯 submitted on 2019-11-25 23:34:27
Question: I would like to block the access of some page even if the user knows the url of some pages. For example, /localhost:8080/user/home.xhtml (need to do the login first) if not logged then redirect to /index.xhtml. How do that in JSF? I read in the Google that's needed a filter, but I don't know how to do that. Answer 1: You need to implement the javax.servlet.Filter class, do the desired job in doFilter() method and map it on an URL pattern covering the restricted pages, /user/* maybe? Inside the

Best Practices for securing a REST API / web service [closed]

时间秒杀一切 submitted on 2019-11-25 22:48:50
Question: When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management)? When building a SOAP API you have WS-Security as a guide and much literature exists on the topic. I have found less information about securing REST endpoints. While I understand REST intentionally does not have specifications analogous to WS-* I am hoping best practices or recommended patterns have emerged. Any discussion or links to

How do you create a custom AuthorizeAttribute in ASP.NET Core?

大憨熊 submitted on 2019-11-25 22:24:57
Question: I'm trying to make a custom authorization attribute in ASP.NET Core. In previous versions it was possible to override bool AuthorizeCore(HttpContextBase httpContext). But this no longer exists in AuthorizeAttribute. What is the current approach to make a custom AuthorizeAttribute? What I am trying to accomplish: I am receiving a session ID in the Header Authorization. From that ID I'll know whether a particular action is valid. Answer 1: The approach recommended by the ASP.Net Core team is to