authorization

I started off using the default project's AccountController , but I've extended/changed it beyond recognition. However, in common with the original I have a LogOn and LogOff action. Clearly, the LogOn action must be accessible to everyone. However, since I've added lots of other actions to this controller (to create & edit users), I want 99% of the actions to require administrator role membership. I could decorate all my actions with [Authorize Roles="Administrators"] but there's a risk I'll forget one. I'd rather make it secure by default, by decorating the controller class itself with that

Since I want to add custom claims into my application, I checked the sourcecode of ClaimTypes (decompiled with JetBrains decompiler). Here is a piece of it: namespace System.Security.Claims { /// <summary>Defines constants for the well-known claim types that can be assigned to a subject. This class cannot be inherited.</summary> [ComVisible(false)] public static class ClaimTypes { internal const string ClaimTypeNamespace = "http://schemas.microsoft.com/ws/2008/06/identity/claims"; /// <summary>The URI for a claim that specifies the instant at which an entity was authenticated; http://schemas

I'm writing a Java Spring MVC 4 REST app that'll sit between front-end devices (websites, mobile apps, etc) and a database. I have code below that will create a new session for each request (since REST is stateless), look at the Authorization header of the request, and will confirm the token is valid and request authenticated. When a user is requesting a secure method without a valid token, I'm looking to redirect unauthorized requests from a 500 Access Is Denied message to a 401 Unauthorized message. This is what I have so far. AccessDeniedHandler: public class

I am writing an example file storage system (example just for stackoverflow). My current domain models look as such: public class User { public int ID { get; set; } public string LoginIdentifier { get; set; } public string Password { get; set; } } public class File { public int ID { get; set; } public int UserID { get; set; } public string FileName { get; set; } public byte[] Data { get; set; } } The code I am writing to create the IPrincipal: private static IPrincipal CreatePrincipal(User user) { Debug.Assert(user != null); var identity = new GenericIdentity(user.LoginIdentifier, "Basic"); //

I'm writing a web application with some ACL requirements: a user can make changes to some items, some items may be editable by several users, administrator can edit anything and a manager can edit everything within her organization etc. I'm using the Play! framework, and by the looks of the Secure module, it seems that the place to put authorization concerns is in the Controllers. However, it seems to me that the authorization issues are part of the business logic, and therefore should be in the model. Furthermore, I'm starting to see duplicated logic in the controllers that I need to refactor

We currently use the following authorize url: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com We want to also use the Graph API, so I added the following: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com%2F%26https%3A%2F%2Fgraph.microsoft.com I've tried different delimiters between the two resources, but couldn't get it to work. Each one resource works separately. I hope that more than 1 resource at a time is supported? I think what you're trying to do here by passing multiple values to

I've been using the two awesome gems, state_machine and cancan recently in my rails application but I'm curious as to the best way to integrate them cleanly. Currently I've placed state transitions on buttons that go on actions authorized by the controller. This works perfectly, I can restrict who can perform that action. I would like to give the user the ability to change the objects state in the edit form as well. I've noticed that state_machine will pick up on the state_event key in the hash, with the value of the action to perform (so it will go through all of state_machines callbacks).