authorization

Can user authorization be set on a per-controller basis in web.config? (cannot use AuthorizeAttribute)

情到浓时终转凉″ submitted on 2019-12-02 02:02:29
I have a Web API 2 app using Windows auth. I have multiple controllers and this in my web.config for authorization:

    <system.web>
      <compilation debug="true" targetFramework="4.5" />
      <httpRuntime targetFramework="4.5" />
      <authentication mode="Windows" />
      <authorization>
        <allow users="AllowedUsersAndGroups" />
        <deny users="?" />
      </authorization>
      <sessionState mode="Off" />
    </system.web>

This "blanket" authorization works great, but I have 2 specific controllers that I need to lock down differently: I want to specify different users that are authorized to hit these 2 controllers. The obvious

Control access on future content

筅森魡賤 submitted on 2019-12-02 01:41:17
This is mostly about public content timed in the future, but not only. In a standard Plone site, if you create top-level content, it is not shown in the navigation (it is still private); then you make it public (via workflow) and it shows up in the navigation, but later you time it in the future and again it disappears from the navigation. Still, at that point, if an anonymous/logged-in user knows the URL they will be able to see the content. In our case, a newspaper, we not only have that (content timed to the future) but we also have different roles of users which need or don't have to see that

ASP core login through external (custom) service

折月煮酒 submitted on 2019-12-02 01:39:48
Question: I am looking for the proper way to implement authentication and authorization. If I understand it well, this should be realized through "Identity"; it offers both of the things I need. My problem is that I can't use a database. I have to use a service (WCF service where our internal DDLs are connected to our system) which is only able to log in (I give it user name and password), and after login I can get a list of permissions. I already saw articles on how to have a custom UserStore, RoleStore,

Can't get digest auth to work with node.js

回眸只為那壹抹淺笑 submitted on 2019-12-02 00:49:12
I'm trying to get a simple (!) digest authentication working with Node.js using an API from gathercontent.com. Everything seems to be working except I still get a "Wrong credentials" response that looks like this:

    { success: false, error: 'Wrong Credentials!' }

The code looks like this:

    var https = require('https'),
        qs = require('querystring');
    apikey = "[my api key goes in here]",
    pwd = "[my password goes in here]",
    crypto = require('crypto');

    module.exports.apiCall = function () {
        var options = {
            host:'abcdefg.gathercontent.com',
            port:443,
            path:'/api/0.1/get_pages_by_project/get_me',

ASP core login through external (custom) service

自作多情 submitted on 2019-12-02 00:24:05
I am looking for the proper way to implement authentication and authorization. If I understand it well, this should be realized through "Identity"; it offers both of the things I need. My problem is that I can't use a database. I have to use a service (WCF service where our internal DDLs are connected to our system) which is only able to log in (I give it user name and password), and after login I can get a list of permissions. I already saw articles on how to have a custom UserStore, RoleStore, UserManager and SignInManager, but I am still confused and I don't know how to do it. Is this even

Google Maps Android v2 Authorization failure

左心房为你撑大大i submitted on 2019-12-01 23:59:54
Question: I am testing the sample Google code on an actual device having 2.3.6. I thought it might be a problem with the key, so I created a different key on a different account through Google's API Console. Still the same problem: "Google Maps Android API-Authorization Failure". Here is the log:

    12-07 10:31:30.476: D/dalvikvm(17791): DexOpt: couldn't find field Landroid/content/res/Configuration;.smallestScreenWidthDp
    12-07 10:31:30.484: W/dalvikvm(17791): VFY: unable to resolve instance field 24
    12-07

Why would .NET suddenly try to serialize my object in my ASP.NET application?

假装没事ソ submitted on 2019-12-01 23:56:37
Question: I run an Azure web role in Full IIS mode. Requests are authorized with custom basic authentication. I have a MyAssembly.CustomIdentity class that inherits from System.Security.Principal.GenericIdentity. When the HttpApplication.AuthenticateRequest handler (OnEnter() code from the link above) is invoked, it performs checks, then creates an instance of MyIdentity.CustomIdentity and assigns it to HttpContext.Current.User. Then an actual ASP.NET request handler obtains that object and can use it to

.NET WebAPI centralized Authorization

北战南征 submitted on 2019-12-01 22:52:00
In .NET WebAPI, I've created a way to have all of the authorization rules in a central location, rather than scattered throughout controllers. I'm curious why this centralization isn't done more often; are there repercussions/security concerns? My current approach is to create a Dictionary during App_Start that contains all of my Authorization data then using a DelegatingHandler to apply the restrictions (code below). The dictionary key is a Tuple of the Controller and Action, and the value is the authorized roles. The DelegatingHandler ties into WebAPI's routing config to get which controller

Limitations of using a PhaseListener instead of a Servlet Filter for authorization

蹲街弑〆低调 submitted on 2019-12-01 22:08:07
Question: I'm currently using a PhaseListener as below to perform user authorization.

    private PhaseId phaseId = PhaseId.RESTORE_VIEW;

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext fc = event.getFacesContext();
        boolean isOnAllowedPage = false;
        String[] allowedPages = choseRightPages(); // chose pages for role
        for (String s : allowedPages) {
            if (fc.getViewRoot().getViewId().lastIndexOf(s) > -1) {
                isOnAllowedPage = true;
                break;
            }
        }
        if (!isOnAllowedPage) {
            NavigationHandler nh = fc

Limitations of using a PhaseListener instead of a Servlet Filter for authorization

落花浮王杯 submitted on 2019-12-01 21:47:25
I'm currently using a PhaseListener as below to perform user authorization.

    private PhaseId phaseId = PhaseId.RESTORE_VIEW;

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext fc = event.getFacesContext();
        boolean isOnAllowedPage = false;
        String[] allowedPages = choseRightPages(); // chose pages for role
        for (String s : allowedPages) {
            if (fc.getViewRoot().getViewId().lastIndexOf(s) > -1) {
                isOnAllowedPage = true;
                break;
            }
        }
        if (!isOnAllowedPage) {
            NavigationHandler nh = fc.getApplication().getNavigationHandler();
            nh.handleNavigation(fc, null, "prohibited");
        }
    }

It does what I