Search Results

Search found 1104 results on 45 pages for 'authorization'.

Page 1/45 | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • Webcast Q&A: Demystifying External Authorization

    - by B Shashikumar
    Thanks to everyone who joined us on our webcast with SANS Institute on "Demystifying External Authorization". Also a special thanks to Tanya Baccam from SANS for sharing her experiences reviewing Oracle Entitlements Server. If you missed the webcast, you can catch a replay of the webcast here.  Here is a compilation of the slides that were used on today's webcast.  SANS Institute Product Review: Oracle Entitlements Server We have captured the Q&A from the webcast for those who couldn't attend. Q: Is Oracle ADF integrated with Oracle Entitlements Server (OES) ? A:  In Oracle Fusion Middleware 11g and later, Oracle ADF, Oracle WebCenter, Oracle SOA Suite and other middleware products are all built on Oracle Platform Security Services (OPSS). OPSS privodes many security functions like authentication, audit, credential stores, token validaiton, etc. OES is the authorization solution underlying OPSS. And OES 11g unifies different authorization mechanisms including Java2/ABAC/RBAC.  Q: Which portal frameworks support the use of OES policies for portal entitlement decisions? A:  Many portals including Oracle WebCenter 11g  run natively on top of OES. The authorization engine in WebCenter is OES. Besides, OES offers out of the box integration with Microsoft SharePoint. So SharePoint sites, sub sites, web parts, navigation items, document access control can all be secured with OES. Several other portals have also been secured with OES ex: IBM websphere portal Q:  How do we enforce Seperation of Duties (SoD) rules using OES (also how does that integrate with a product like OIA) ? A:  A product like OIM or OIA can be used to set up and govern SoD policies. OES enforces these policies at run time. Role mapping policies in OES can assign roles dynamically to users under certain conditions. So this makes it simple to enforce SoD policies inside an application at runtime. Q:  Our web application has objects like buttons, text fields, drop down lists etc. is there any ”autodiscovery” capability that allows me to use/see those web page objects so you can start building policies over those objects? or how does it work? A:  There ae few different options with OES. When you build an app, and make authorization calls with the app in the test environment, you can put OES in discovery mode and have OES register those authorization calls and decisions. Instead of doing  this after the fact, an application like Oracle iFlex has built-in UI controls where when the app is running, a script can intercept authorization calls and migrate those over to OES. And in Oracle ADF, a lot of resources are protected so pages, task flows and other resources be registered without OES knowing about them. Q: Does current Oracle Fusion application use OES ? The documentation does not seem to indicate it. A:  The current version of Fusion Apps is using a preview version of OES. Soon it will be repalced with OES 11g.  Q: Can OES secure mobile apps? A: Absolutely. Nowadays users are bringing their own devices such as a a smartphone or tablet to work. With the Oracle IDM platform, we can tie identity context into the access management stack. With OES we can make use of context to enforce authorization for users accessing apps from mobile devices. For example: we can take into account different elements like authentication scheme, location, device type etc and tie all that information into an authorization decision.  Q:  Does Oracle Entitlements Server (OES) have an ESAPI implementation? A:  OES is an authorization solution. ESAPI/OWASP is something we include in our platform security solution for all oracle products, not specifically in OES Q:  ESAPI has an authorization API. Can I use that API to access OES? A:  If the API supports an interface / sspi model that can be configured to invoke an external authz system through some mechanism then yes

    Read the article

  • Examples of permission-based authorization systems in .Net?

    - by Rachel
    I'm trying to figure out how to do roles/permissions in our application, and I am wondering if anyone knows of a good place to get a list of different permission-based authorization systems (preferably with code samples) and perhaps a list of pros/cons for each method. I've seen examples using simple dictionaries, custom attributes, claims-based authorization, and custom frameworks, but I can't find a simple explanation of when to use one over another and what the pros/cons are to using each method. (I'm sure there's other ways than the ones I've listed....) I have never done anything complex with permissions/authorization before, so all of this seems a little overwhelming to me and I'm having trouble figuring out what what is useful information that I can use and what isn't. What I DO know is that this is for a Windows environment using C#/WPF and WCF services. Some permission checks are done on the WCF service and some on the client. Some are business rules, some are authorization checks, and others are UI-related (such as what forms a user can see). They can be very generic like boolean or numeric values, or they can be more complex such as a range of values or a list of database items to be checked/unchecked. Permissions can be set on the group-level, user-level, branch-level, or a custom level, so I do not want to use role-based authorization. Users can be in multiple groups, and users with the appropriate authorization are in charge of creating/maintaining these groups. It is not uncommon for new groups to be created, so they can't be hard-coded.

    Read the article

  • Silverlight/.Net RIA Services - Authorization Working Sample!??!

    - by Goober
    Hello! I have followed numerous tutorials and walkthroughs/blogs about the capabilities that Ria Services brings to the table when using Silverlight with ASP.Net. Essentially I am looking for a live working example of the authorization functionality that Ria Services can apparently take hold of from ASP.Net. (Even better if it works with ASP.NET MVC too) Example of failed to work Ria Services authorization implementation Navigate to the live demo link on this page....fails This one may work however I couldn't get it to work on my office computer(strange setup that seems to break code for no reason)

    Read the article

  • Declarative authorization and the if_attribute not working...

    - by ro
    I've been having almost the same issues as Victor Martin (you can see the questions asked here). I've got declarative authorization working for just about everything that doesn't involve using conditionals. E.g. has_permission_on :users, :to => [:edit, :update, :destroy] do if_attribute :user => is { current_user } end Are there any common pitfalls with Declarative Authorization? I'm using authlogic and I'm suspicious the 'current_user' method in the application controller might be the source of the problem.

    Read the article

  • What I don’t like about WIF’s Claims-based Authorization

    - by Your DisplayName here!
    In my last post I wrote about what I like about WIF’s proposed approach to authorization – I also said that I definitely would build upon that infrastructure for my own systems. But implementing such a system is a little harder as it could be. Here’s why (and that’s purely my perspective): First of all WIF’s authorization comes in two “modes” Per-request authorization. When an ASP.NET/WCF request comes in, the registered authorization manager gets called. For SOAP the SOAP action gets passed in. For HTTP requests (ASP.NET, WCF REST) the URL and verb. Imperative authorization This happens when you explicitly call the claims authorization API from within your code. There you have full control over the values for action and resource. In ASP.NET per-request authorization is optional (depends on if you have added the ClaimsAuthorizationHttpModule). In WCF you always get the per-request checks as soon as you register the authorization manager in configuration. I personally prefer the imperative authorization because first of all I don’t believe in URL based authorization. Especially in the times of MVC and routing tables, URLs can be easily changed – but then you also have to adjust your authorization logic every time. Also – you typically need more knowledge than a simple “if user x is allowed to invoke operation x”. One problem I have is, both the per-request calls as well as the standard WIF imperative authorization APIs wrap actions and resources in the same claim type. This makes it hard to distinguish between the two authorization modes in your authorization manager. But you typically need that feature to structure your authorization policy evaluation in a clean way. The second problem (which is somehow related to the first one) is the standard API for interacting with the claims authorization manager. The API comes as an attribute (ClaimsPrincipalPermissionAttribute) as well as a class to use programmatically (ClaimsPrincipalPermission). Both only allow to pass in simple strings (which results in the wrapping with standard claim types mentioned earlier). Both throw a SecurityException when the check fails. The attribute is a code access permission attribute (like PrincipalPermission). That means it will always be invoked regardless how you call the code. This may be exactly what you want, or not. In a unit testing situation (like an MVC controller) you typically want to test the logic in the function – not the security check. The good news is, the WIF API is flexible enough that you can build your own infrastructure around their core. For my own projects I implemented the following extensions: A way to invoke the registered claims authorization manager with more overloads, e.g. with different claim types or a complete AuthorizationContext. A new CAS attribute (with the same calling semantics as the built-in one) with custom claim types. A MVC authorization attribute with custom claim types. A way to use branching – as opposed to catching a SecurityException. I will post the code for these various extensions here – so stay tuned.

    Read the article

  • Authorization design-pattern / practice?

    - by Lawtonfogle
    On one end, you have users. On the other end, you have activities. I was wondering if there is a best practice to relate the two. The simplest way I can think of is to have every activity have a role, and assign every user every role they need. The problem is that this gets really messy in practice as soon as you go beyond a trivial system. A way I recently designed was to have users who have roles, and roles have privileges, and activities require some combinations of privileges. For the trivial case, this is more complex, but I think it will scale better. But after I implemented it, I felt like it was overkill for the system I had. Another option would be to have users, who have roles, and activities require you to have a certain role to perform with many activities sharing roles. A more complex variant of this would given activities many possible roles, which you only needed one of. And an even more complex variant would be to allow logical statements of role ownership to use an activity (i.e. Must have A and (B exclusive or C) and must not have D). I could continue to list more, but I think this already gives a picture. And many of these have trade offs. But in software design, there are oftentimes solutions, while perhaps not perfect in every possible case, are clearly top of the pack to an extent it isn't even considered opinion based (i.e. how to store passwords, plain text is worse, hashing better, hashing and salt even better, despite the increased complexity of each level) (i.e. 2, Smart UI designs for applications are bad, even if it is subjective as to what the best design is). So, is there a best practice for authorization design that is not purely opinion based/subjective?

    Read the article

  • Permission based Authorization vs. Role based Authorization - Best Practices - 11g

    - by Prakash Yamuna
    In previous blog posts here and here I have alluded to the support in OWSM for Permission based authorization and Role based authorization support. Recently I was having a conversation with an internal team in Oracle looking to use OWSM for their Web Services security needs and one of the topics was around - When to use permission based authorization vs. role based authorization? As in most scenarios the answer is it depends! There are trade-offs involved in using the two approaches and you need to understand the trade-offs and you need to understand which trade-offs are better for your scenario. Role based Authorization: Simple to use. Just create a new custom OWSM policy and specify the role in the policy (using EM Fusion Middleware Control). Inconsistent if you have multiple type of resources in an application (ex: EJBs, Web Apps, Web Services) - ex: the model for securing EJBs with roles or the model for securing Web App roles - is inconsistent. Since the model is inconsistent, tooling is also fairly inconsistent. Achieving this use-case using JDeveloper is slightly complex - since JDeveloper does not directly support creating OWSM custom policies. Permission based Authorization: More complex. You need to attach both an OWSM policy and create OPSS Permission authorization policies. (Note: OWSM leverages OPSS Permission based Authorization support). More appropriate if you have multiple type of resources in an application (ex: EJBs, Web Apps, Web Services) and want a consistent authorization model. Consistent Tooling for managing authorization across different resources (ex: EM Fusion Middleware Control). Better Lifecycle support in terms of T2P, etc. Achieving this use-case using JDeveloper is slightly complex - since JDeveloper does not directly support creating/editing OPSS Permission based authorization policies.

    Read the article

  • Requiring Multiple Roles in Web.config Authorization

    - by Derek Morrison
    Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory: <authorization> <allow roles="Global, Region" /> <deny users="*" /> </authorization> I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this: <authorization> <allow roles="GlobalManager, RegionManager, SiteManager && FooSite" /> <deny users="*" /> </authorization> Any ideas? I realize I probably should have a new role for this scenario, but I'd like to avoid that. Thanks!

    Read the article

  • SVNParentPath directory authorization

    - by James
    The question is a bit stupid but I can't get it sorted. I have a server with SVN that uses the SVNPath directive in httpd.conf and all works fine with path authorizations. Now I'm installing a second serer where I'm going to use SVNParentPath directive and I've got it all running except I can't get the authorization part quite right. From what I understand it's the same as when you use SVNPath but you need to specificy the repo name before the folder name.. My SVNParentPath is /srv/svn/ and I created a directory /srv/svn/testproj and then ran svnadmin create /srv/svn/testproj Now i'm configuring my authorization file: [/] * = svnadmin = rw adusgi = rw [testproj:/svn/testproj] demada = rw degari = rw scarja = rw Now if I try to commit /svn/testproj using user svnadmin or adusgi all is fine. If I try for example demada it doesn't work... (I've run the htpasswd2 commands for the user obviously. The directory is correct or atleast thats how I use the directory with the SVNPath server thats already running, the part I think I'm getting wrong is the repo name, I just used the directory name but what am I really supposed to put there?? Thank you, James

    Read the article

  • What are people's opinions vis-a-vis my choice of authorization plugins?

    - by brad
    I'm slowly but surely putting together my first rails app (first web-app of any kind in fact - I'm not really a programmer) and it's time to set up a user registration/login system. The nature of my app is such that each user will be completely separated from each other user (except for admin roles). When users log in they will have their own unique index page looking at only their data which they and no-one else can ever see or edit. However, I may later want to add a role for a user to be able to view and edit several other user's data (e.g. a group of users may want to allow their secretary to access and edit their data but their secretary would not need any data of their own). My plan is to use authlogic to create the login system and declarative authorization to control permissions but before I embark on this fairly major and crucial task I thought I would canvas a few opinions as to whether this combo was appropriate for the tasks I envisage or whether there would be a better/simpler/faster/cheaper/awesomer option.

    Read the article

  • MVVM/ViewModels and handling Authorization

    - by vdh_ant
    Hey guys Just wondering how how people handle Authorization when using MVVM and/or View Models. If I wasn't using VM's I would be passing back the Model and it would have a property which I could check if a user can edit a given object/property but when using MVVM I am disconnecting myself from the business object... and thus doen't know what the security should be any more. Is this a case where the mapper should be aware of the Authorization that is in place and don't copy across the data if the Authorization check fails. If this was the case I am guessing that the mapper would have to see some properties on the VM to let the interface know which fields are missing data because of the Authorization failure. If this does occur within the mapper, how does this fit in with things like AutoMapper, etc. Cheers Anthony

    Read the article

  • Fetching custom Authorization header from incoming PHP request

    - by jpatokal
    So I'm trying to parse an incoming request in PHP which has the following header set: Authorization: Custom Username Simple question: how on earth do I get my hands on it? If it was Authorization: Basic, I could get the username from $_SERVER["PHP_AUTH_USER"]. If it was X-Custom-Authorization: Username, I could get the username from $_SERVER["HTTP_X_CUSTOM_AUTHORIZATION"]. But neither of these are set by a custom Authorization, var_dump($_SERVER) reveals no mention of the header (in particular, AUTH_TYPE is missing), and PHP5 functions like get_headers() only work on responses to outgoing requests. I'm running PHP 5 on Apache with an out-of-the box Ubuntu install.

    Read the article

  • openldap proxied authorization

    - by bemace
    I'm having some trouble doing updates with proxied authorization (searches seem to work fine). I'm using UnboundID's LDAP SDK to connect to OpenLDAP, and sending a ProxiedAuthorizationV2RequestControl for dn: uid=me,dc=People,dc=example,dc=com with the update. I've tested and verified that the target user has permission to perform the operation, but I get insufficient access rights when I try to do it via proxy auth. I've configured olcAuthzPolicy=both in cn=config and authzTo={0}ldap:///dc=people,dc=example,dc=com??subordinate?(objectClass=inetOrgPerson) on the original user. The authzTo seems to be working; when I change it I get not authorized to assume identity when I try the update (also for searches). Can anyone suggest what else I should look at or how I could get more detailed errors from OpenLDAP? Anything else I can test to narrow down the source of the problem?

    Read the article

  • Wicket Authorization Using MetaDataKey

    - by JGirl
    I am trying to implement a simple authorization strategy for my Wicket application. I am implemented my own AuthorizationStrategy (extending IAuthorizationStrategy). http://old.nabble.com/Authorization-strategy-help-td18948597.html After reading the above link, I figured it makes more sense to use metadata-driven authorization than one using Annotations. So I have a simple RoleCheck class public class RoleCheck { private String privilege; public RoleCheck(String priv) { this.privilege = priv; } public void setPrivilege(String privilege) { this.privilege = privilege; } public String getPrivilege() { return privilege; } } I add it a component public static MetaDataKey priv = new MetaDataKey() {}; editLink.setMetaData(priv, new RoleCheck("Update")); And in my Authorization Strategy class, I try to get the metadata associated with the component public boolean isActionAuthorized(Component component, Action action) { if (action.equals(Component.RENDER)) { RoleCheck privCheck = (RoleCheck) component.getMetaData(EditControlToolBar.priv); if (privCheck != null) { ... } } However the getMetaData gives an error "Bound mismatch: The generic method getMetaData(MetaDataKey) of type Component is not applicable for the arguments (MetaDataKey). The inferred type RoleCheck is not a valid substitute for the bounded parameter " Any help would be appreciated. Thank you

    Read the article

  • Java basic authorization with URLConnection

    - by zigomir
    Hello! I'm opening a connection to WebService with an URLConnection class. I also set request property for basic authorization like this: c.setRequestProperty("Authorization", "Basic " + usernameAndPasswordEncoded); Where c is an object of type URLConnection. So this is client side of WebService call. Now on server side I need to get username from session: User user = (User) request.getSession().getAttribute("user"); But this won't get an username. Also if I look through debug mode, I see an anonymous userName in HttpSession object. What to do to solve this problem, so that username is sent through client to WebService server for authorization? Thanks everyone!

    Read the article

  • Authorization in a more purely OOP style...

    - by noblethrasher
    I've never seen this done but I had an idea of doing authorization in a more purely OO way. For each method that requires authorization we associate a delegate. During initialization of the class we wire up the delegates so that they point to the appropriate method (based on the user's rights). For example: class User { private deleteMemberDelegate deleteMember; public StatusMessage DeleteMember(Member member) { if(deleteMember != null) { deleteMember(member); } } //other methods defined similarly... User(string name, string password) //cstor. { //wire up delegates based on user's rights. //Thus we handle authentication and authorization in the same method. } } This way the client code never has to explictly check whether or not a user is in a role, it just calls the method. Of course each method should return a status message so that we know if and why it failed. Thoughts?

    Read the article

  • getRequestProperty("Authorization") always returns null

    - by Thilo
    I am trying to read the authorization header for an HTTP request (because I need to add something to it), but I always get null for the header value. Other headers work fine. public void testAuth() throws MalformedURLException, IOException{ URLConnection request = new URL("http://google.com").openConnection(); request.setRequestProperty("Authorization", "MyHeader"); request.setRequestProperty("Stackoverflow", "anotherHeader"); // works fine assertEquals("anotherHeader", request.getRequestProperty("Stackoverflow")); // Auth header returns null assertEquals("MyHeader", request.getRequestProperty("Authorization")); } Am I doing something wrong? Is this a "security" feature? Is there a way to make this work with URLConnection, or do I need to use another HTTP client library?

    Read the article

  • Ask StackOverFlow : Canny a LightWeight Authorization library in Java

    - by eltados
    In the course of my work i need to develop an authorization engine ( i'm already authenticated and i check access of a user to an action ) in order to store all the authorization logic inside a same place and be able to reuse it and i have created the mini library. http://github.com/eltados/canny (updated) what do you think about it? What are the limits of my approch ? Do you understand the benefit or it? Is there any lightweight Authorization engine library i could have a look at? I had a look at spring security and it does not really answer my requirement. The main idea is that i want to be able to reuse the same code to controll access in the controllers and the views.

    Read the article

  • Multiple CAS servers with Microsoft Exchange and selective authorization

    - by John Wilcox
    I have a Microsoft Exchange 2010 organization within one Microsoft Windows domain and I have users accessing it through OWA. For simplicity lets say I currently have one CAS server (CAS 1) which is accessible only through a VPN connection. Lets call the users connecting to the first CAS group a. For some users though, I need to install another CAS server (CAS 2) so that they can connect without using a VPN connection. Lets call those users group b. What I need to achieve is that group a can only log in to CAS 1 and group b can only log in to CAS 2. Now I know that one can disable/enable OWA per user but in my case that is not enough because OWA must be enabled for both groups.

    Read the article

  • "Half" ssh authorization to a server with git repository

    - by hsz
    Hello ! Currently I have purchased web hosting with ssh access. I have created a git repository on it and if I set my public key in ~/.ssh/authorized_keys file, I have access to that repo, I can push/pull data, etc. This solution allows access for every user that has his public key in authorized_keys file. But there is one thing that I want to avoid. Every user can login to the server too and has access to whole ssh account. Is it possible to create a blacklist of users' keys that will not have an access to ssh ? I see it that way: user logs in to a git - ok, allow for every one user logs in to ssh account ~/.profile file is hooked and called a custom script: check user's public key if public key is in ~/.ssh/blacklist_keys call bash exit/logout Is it possible in any way ?

    Read the article

  • Authorization error when testing FTP to UNC

    - by user64204
    We have a Windows Server 2008 R2 with Active Directory (hereafter called DC) running as a domain controller on which we have IIS and an FTP site installed. We have a second Server 2008 (hereafter called SHARE) which is joined to that domain and has a disk shared as a network share (\\share\Office). That network share is used as the ftp's physical path on DC. We've tested the FTP from the IIS FTP configuration panel, by clicking on Basic Settings... then Test Settings.... When setting Administrator as a username with the Connect as... option, everything is fine: When no user is provided we can the below error: Q1: Could someone explain in more understandable terms what is written in the Details text area?

    Read the article

  • How to decouple trac from or align trac with apache authorization

    - by Laizer
    I've had a trac server running for about a year now - chugging along just as expected. Today, I implemented basic authorization on the apache server that trac runs under. Trac now picks up the user as authenticated by Apache, and doesn't allow either logout or a login. I tried to create an apache user with the same name and password as a trac user, but the behavior remained - I can't access trac. How do I align trac with Apache authorization?

    Read the article

  • Flex URLRequest and .NET authorization

    - by user252160
    can I make role based authorization when sending requests to an ASP.NET MVC backend system. I am calling action methods and expecting JSON results, however, some action methods are decorated with the [Authorize] attribute, others require some role privileges to be present. I certainly hope that passing authorization data with every request is possible

    Read the article

  • Twitter authentication without authorization

    - by user325377
    I wish to get the tweeter usename of a visitor to my site. I do not wish to post statuses or access any other information. I'd be happy to use OAuth, possibly with a 'Sign in with Twitter' button, but this then takes the user to a page which requests authorization for the application, that I wish to avoid. Is there a way to get the username without authorization? Thanks, Daniel

    Read the article

  • Is there a recommended approach for using SQL Server as an Authorization store and extending AD properties using .Net? [closed]

    - by Jim
    We are going to be using SQL Server as an authorization store for our .Net windows services and WCF services as well as storing additional metadata about users and groups to extend the AD properties. Doing this will make this self service and not require IT to change anything for our department (for users or groups). What if any are the existing recommended stategies or technologies that do this function?

    Read the article

1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >