authorization

Read Authorization header from response

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-05 19:59:25
I am working on a side project in which I want to reuse an existing API. The API has an /auth endpoint which handles POST requests and expects the email and password in the request body. If the email and password are verified, then the server returns a response which contains an Authorization header which holds the value for the token which should be sent in all the subsequent requests. I have a problem retrieving this header from the response. It is visible in both Postman and Chrome Dev Tools (Network section). Chrome Dev tools: console.log of the response headers I have tried multiple

Custom WebApi Authorization Database Call

丶灬走出姿态 submitted on 2019-12-05 19:33:48
I'm trying to decide if the custom Authorization attribute I wrote is really a good idea. Scenario: Say we have a collection of stores, each Store has an owner. Only the owner of the store can do CRUD operations on the store, EXCEPT for users with a Claim that basically overrides the ownership requirement and says they can do CRUD operations on ANY store. Sidenote: I'm using Thinktecture and ADFS. So I made a StoreOwnerAuthorize attribute whose parameters ("Manage", "Stores") are used to check if the user has the appropriate claim to "override" not being an owner but still able to pass the

Accessing authorization information in web.config

允我心安 submitted on 2019-12-05 19:07:12
I'm writing a custom role provider and I need programmatic access to the authorization information stored in the web.config. Certain sections of the site are only accessible by certain roles. I would like to find out which roles can access a page and/or which pages a certain role can access. I can't seem to figure this one out. You can access any information stored such as ConnectionStrings, AppSettings and other defined values in web.config by the WebConfigurationManager class in the System.Web.Security namespace. Let's say you have defined an authorization section as: <system.web> <authorization> <allow

Is it possible to compare attributes in a XACML policy?

ε祈祈猫儿з submitted on 2019-12-05 18:41:49
The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets": <Rule Effect="Permit" RuleId="PermitRule"> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue> <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema

Omniauth, Devise, Open ID, CanCan - What's what and when do I use which solution for a Rails API app

亡梦爱人 submitted on 2019-12-05 18:31:05
So I'm developing a Rails app that primarily serves an API, which I want to lock down behind a nice authorization system. I've created Rails apps which render HTML, and for those I used Devise and CanCan. This time I want to serve JSON to my clients. I basically have the following requirements: Need an authorization system that's robust. A user should be able to log in with existing apps such as Facebook, Twitter, LinkedIn and Google. There should be full-stack authorization available. Now this is my 1st app that I'm writing that serves up an API, so I started researching and so far I've found the following

Rails 4 authorization gem [closed]

▼魔方 西西 submitted on 2019-12-05 18:10:32
Question (closed 3 years ago as off-topic). I am looking for an authorization gem for Rails 4. Before I used cancan, but it looks outdated nowadays... I found the_role here https://github.com/the-teacher/the_role It is nearly what I want, but has a few annoying issues. Maybe similar gems exist? I need roles, store roles in database and association actions

MVC Authorize attribute deny

北战南征 submitted on 2019-12-05 15:48:31
I'm using the Authorize() attribute to secure my controllers/actions and want to only display the Login action to unauthenticated users - or to put it another way, deny access to authenticated users. I haven't been able to find anything on the web dealing with either denying permission or allowing negative permissions (i.e. !LoggedIn). Can someone please point me in the right direction? MVC2, .NET 4. EDIT: To clarify, I want something like this: Public Class PublicController Inherits ControllerBase <Authorize()> 'Only logged-in users can logout Public Function Logout() as ActionResult Return View(

Implementing custom login for ASP.NET MVC

我怕爱的太早我们不能终老 submitted on 2019-12-05 14:26:21
I'm new to ASP.NET MVC and need a bit of advice on how to implement the following. The site is a heavily used site with roughly 200 users internally (intranet). We use forms authentication hitting a SQL Server DB (not Windows integrated). Some actions are protected, some are viewable by anyone and some are viewable by both - so if there's a logged-in user they see their stuff from the DB, otherwise they see a temporary profile - much like StackOverflow. How would I go about implementing a security model for this scenario? Can I reuse the existing framework in ASP.NET MVC and use the

Magento REST api authentication

送分小仙女□ submitted on 2019-12-05 13:49:36
Is there a way to pass login credentials from code instead of entering credentials every time in the popup for login authorization? You don't require login credentials every time for authorization; you'll get an access token and access secret upon successful authorization by OAuth, and use the latter for further calls to the API. The OAuth protocol works this way. I guess Magento is using OAuth 1.0/1.0a, so every time you authorize a user you get: oauth_token - the Access Token that provides access to protected resources. oauth_token_secret - the secret that is associated with the Access Token. You will

Should API gateway be responsible for authorisation?

自古美人都是妖i submitted on 2019-12-05 13:32:42
Currently I have a monolith application in Java/Spring Boot with the following endpoints: /login /logout /some-resource To access /some-resource, the flow is as follows: The user makes a POST request to the /login endpoint. If the credentials are correct, a JWT token is returned in a header, otherwise a 401. The user sends the JWT token along with the request to /some-resource. If the token is valid, the resource is returned, otherwise 403. Now I want to split the monolith into 2 services: "AuthServer" and "SomeResourceServer". There will be an API gateway on top. I am thinking about 2 possible