authorization

Situation I have a Silverlight application that uses a WCF backend. Going forward we have moved to JS clients with WebAPI. I have a couple of WebAPI controllers that I would like to use from the Silverlight client and so have them loaded within the ASP.Net application that hosts the WCF services. This works fine from a "all services are available" point of view, however Authorization is being invoked multiple times for WCF calls; from OWIN and through WCF ServiceAuthorizationManager On the WCF side, my ServiceAuthorizationManager implementation validates the token in the AuthHeader and then

I have a pyramid project using the formalchemy admin interface. I added the basic ACL authentication and the pyramid_formalchemy plugin always denys even though I am authenticated. Any thoughts on how only allow authenticated users to use the pyramid_formalchemy admin interface? The authorization policy was add like this: authn_policy = AuthTktAuthenticationPolicy('MYhiddenSECRET', callback=groupfinder) authz_policy = ACLAuthorizationPolicy() config = Configurator( settings=settings, root_factory='package.auth.RootFactory', authentication_policy=authn_policy, authorization_policy=authz_policy

The JDBC realm specifies a table structure for authentication which contains the columns defined by the attributes userNameCol and userCredCol. These correspond to user and password which makes sense for FORM or BASIC auth-methods. They are interactive and require these two pieces from the client's user. What comes back from the certificate? What would an example of the data stored in userNameCol and userCredCol look like? Is there an alternative table structure for the realm in this case? PS - I'm using tomcat 5.5.x. JDBCRealm Supports CLIENT-CERT Yes, it can. However, there are few quirks to

I want to know if its possible to set roles based on a selected category. In our app there are categories which contain articles. Now we have a role hierarchy like this: ROLE_ADMIN > ROLE_EDITOR > ROLE_USER . The problem is that a user might have different roles based on the currently selected category: user1 - cat1 - ROLE_USER user1 - cat2 - ROLE_EDITOR The categories are not static. New ones can be added and older deleted. Is it possible to achieve this using Spring Security? From your description, it sounds like the RBAC model that Spring Security gives you is not enough. You have 2 options

I'm following security guidelines found on Pyramid docs along with wiki tutorial Adding Authorization Now I need to add restrictions based un single user rather than groups. Let's say for example that, if any blog editor can have permission to review all comments, only post author can edit the post itself . For the first task I will have in my Root ACL like this: __acl__ = [ (Allow, Everyone, 'view'), (Allow, Authenticated, 'view_profile'), (Allow, 'groups:editor', 'edit_comment') ] but whay about for edit_post ? I've read this answer but seems overkill to me for my needs since I don't need to

I using java to implement oauth for obtaining an unauthorized request token. How do I pass the parameters in the authorization header? I need to pass : GET /request_token HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm="http://photos.example.net/request_token", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_nonce="kllo9940pd9333jh", oauth_timestamp="1191242096", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D" How do I go about that? For those looking for an example of how to pass the OAuth2 authorization (access