Search Results

Search found 1208 results on 49 pages for 'proxied authorization'.

Page 11/49 | < Previous Page | 7 8 9 10 11 12 13 14 15 16 17 18  | Next Page >

  • Membership provider

    - by Adonis L
    What would be the best way to store additional information outside of active directory? I will be utilizing AD authentication as well as WIndowsTokenRoleProvider but I will also need to store some additional information about a user that will be used for authorizations purposes. This is a ASP.net application with a SQL backend, I am looking for suggestions or perhaps some articles that can provide direction.

    Read the article

  • How to project an ASP Classic Page?

    - by SH
    How to project an ASP Classic page with either HTTP AUTH (you must provide a username and password to OrderGroove) or a randomly generated access key that will be included as one of the parameters of the HTTP POST using the variable name access_key. Can anybody provide asp classic code in this regard? Quick help will be appreciated...

    Read the article

  • Rails subscription limitations

    - by David Lyod
    I have an application with set limits on subscription attributes i/e a user can have five projects for subscription A but have ten for subscription B At present I run a check on there current usage when linking to the create action and if they are over there limit I do not display the link to create a new project. On the view (for the new project ) I again run the check (in a helper) to see if they can create a new project and if they are not I display a message stating so and a little upgrade link. Is this a secure method of stopping a user bypassing there subscription attribute limitations ? What about direct PUT requests etc ?

    Read the article

  • How do I stop IIS from sending minutely GET requests to my proxied mongrel server?

    - by brad
    I have a rails application running on Windows Server 2008 running IIS7.5. I am using Application Request Routing to send requests to the Mongrel server via IIS (I didn't want to set it up like this but this was the environment I have been forced to use). IIS seems to send a GET request to the Mongrel server once every minute. This is not a huge deal but it does cause a lot of pollution in my logs and also creates a large amount of unwanted session data. I would really like to stop it from doing this. Is there a way?

    Read the article

  • Do HTTP reverse proxies typically enable HTTP Keep-Alive on the client side of the proxied connection and not on the server side?

    - by LostInComputer
    HAProxy has the ability to enable HTTP keep-alive on the client side (client <- HAProxy) but disable it on the server side (HAProxy <- server). Some of our clients connect to our web service via satellite so the latency is ~600ms and I think that by enabling keep-alive, it will speed things up a bit. Am I right? Is this supported by Nginx? Is this a widely implemented feature in other software and hardware load balancers? What else besides HAProxy?

    Read the article

  • .NET Winform AJAX Login Services

    - by AdamSane
    I am working on a Windows Form that connects to a ASP.NET membership database and I am trying to use the AJAX Login Service. No matter what I do I keep on getting 404 errors on the Authentication_JSON_AppService.axd call. Web Config Below <?xml version="1.0"?> <!-- Note: As an alternative to hand editing this file you can use the web admin tool to configure settings for your application. Use the Website->Asp.Net Configuration option in Visual Studio. A full list of settings and comments can be found in machine.config.comments usually located in \Windows\Microsoft.Net\Framework\v2.x\Config --> <configuration> <configSections> <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/> <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> </sectionGroup> </sectionGroup> </sectionGroup> </configSections> <connectionStrings <!-- Removed --> /> <appSettings/> <system.web> <!-- Set compilation debug="true" to insert debugging symbols into the compiled page. Because this affects performance, set this value to true only during development. --> <compilation debug="true"> <assemblies> <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Data.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> </assemblies> </compilation> <membership defaultProvider="dbSqlMembershipProvider"> <providers> <add name="dbSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="Fire.Common.Properties.Settings.dbFireConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/> </providers> </membership> <roleManager enabled="true" defaultProvider="dbSqlRoleProvider"> <providers> <add connectionStringName="Fire.Common.Properties.Settings.dbFireConnectionString" applicationName="/" name="dbSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/> </providers> </roleManager> <authentication mode="Forms"> <forms loginUrl="Login.aspx" cookieless="UseCookies" protection="All" timeout="30" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" enableCrossAppRedirects="false"/> </authentication> <authorization> <allow users="*"/> <allow users="?"/> </authorization> <customErrors mode="Off"> </customErrors> <pages> <controls> <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </controls> </pages> <httpHandlers> <remove verb="*" path="*.asmx"/> <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add verb="GET,HEAD" path="ScriptResource.axd" validate="false" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </httpHandlers> <httpModules> <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </httpModules> </system.web> <location path="~/Admin"> <system.web> <authorization> <allow roles="Admin"/> <allow roles="System"/> <deny users="*"/> </authorization> </system.web> </location> <location path="~/Admin/System"> <system.web> <authorization> <allow roles="System"/> <deny users="*"/> </authorization> </system.web> </location> <location path="~/Export"> <system.web> <authorization> <allow roles="Export"/> <deny users="*"/> </authorization> </system.web> </location> <location path="~/Field"> <system.web> <authorization> <allow roles="Field"/> <deny users="*"/> </authorization> </system.web> </location> <location path="~/Default.aspx"> <system.web> <authorization> <allow roles="Admin"/> <allow roles="System"/> <allow roles="Export"/> <allow roles="Field"/> <deny users="?"/> </authorization> </system.web> </location> <location path="~/Login.aspx"> <system.web> <authorization> <allow users="*"/> <allow users="?"/> </authorization> </system.web> </location> <location path="~/App_Themes"> <system.web> <authorization> <allow users="*"/> <allow users="?"/> </authorization> </system.web> </location> <location path="~/Includes"> <system.web> <authorization> <allow users="*"/> <allow users="?"/> </authorization> </system.web> </location> <location path="~/WebServices"> <system.web> <authorization> <allow users="*"/> <allow users="?"/> </authorization> </system.web> </location> <location path="~/Authentication_JSON_AppService.axd"> <system.web> <authorization> <allow users="*"/> <allow users="?"/> </authorization> </system.web> </location> <system.codedom> <compilers> <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CSharp.CSharpCodeProvider,System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4"> <providerOption name="CompilerVersion" value="v3.5"/> <providerOption name="WarnAsError" value="false"/> </compiler> <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4"> <providerOption name="CompilerVersion" value="v3.5"/> <providerOption name="OptionInfer" value="true"/> <providerOption name="WarnAsError" value="false"/> </compiler> </compilers> </system.codedom> <!-- The system.webServer section is required for running ASP.NET AJAX under Internet Information Services 7.0. It is not necessary for previous version of IIS. --> <system.webServer> <validation validateIntegratedModeConfiguration="false"/> <modules> <remove name="ScriptModule"/> <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </modules> <handlers> <remove name="WebServiceHandlerFactory-Integrated"/> <remove name="ScriptHandlerFactory"/> <remove name="ScriptHandlerFactoryAppServices"/> <remove name="ScriptResource"/> <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add name="ScriptResource" verb="GET,HEAD" path="ScriptResource.axd" preCondition="integratedMode" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </handlers> </system.webServer> <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> <dependentAssembly> <assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/> <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/> <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/> </dependentAssembly> </assemblyBinding> </runtime> </configuration>

    Read the article

  • any clue in these logs why keyboard audio and internet are messed up

    - by mmj
    Jun 7 00:01:18 Isis lightdm: pam_unix(lightdm-autologin:session): session opened for user mimi by (uid=0) Jun 7 00:01:18 Isis lightdm: pam_ck_connector(lightdm-autologin:session): nox11 mode, ignoring PAM_TTY :0 Jun 7 00:01:26 Isis polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.36 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) Jun 7 00:01:29 Isis dbus[610]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.44" (uid=1000 pid=1763 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.15" (uid=0 pid=1219 comm="/usr/sbin/console-kit-daemon --no-daemon ") Jun 7 00:07:55 Isis sudo: pam_unix(sudo:auth): authentication failure; logname=mimi uid=1000 euid=0 tty=/dev/pts/1 ruser=mimi rhost= user=mimi Jun 7 00:08:11 Isis sudo: mimi : TTY=pts/1 ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/add-apt-repository ppa:colingille/freshlight Jun 7 00:08:11 Isis sudo: pam_unix(sudo:session): session opened for user root by mimi(uid=1000) Jun 7 00:08:32 Isis sudo: pam_unix(sudo:session): session closed for user root Jun 7 00:11:20 Isis sudo: mimi : TTY=pts/1 ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/apt-get install gparted Jun 7 00:11:20 Isis sudo: pam_unix(sudo:session): session opened for user root by mimi(uid=1000) Jun 7 00:11:59 Isis sudo: pam_unix(sudo:session): session closed for user root Jun 7 00:17:02 Isis CRON[2651]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 00:17:02 Isis CRON[2651]: pam_unix(cron:session): session closed for user root Jun 7 00:17:32 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:mimi to gain ONE-SHOT authorization for action com.ubuntu.pkexec.gparted for unix-process:2655:96838 [/bin/sh /usr/bin/gparted-pkexec] (owned by unix-user:mimi) Jun 7 00:17:32 Isis pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000) Jun 7 00:17:32 Isis pkexec: pam_ck_connector(polkit-1:session): cannot determine display-device Jun 7 00:17:32 Isis pkexec[2657]: mimi: Executing command [USER=root] [TTY=unknown] [CWD=/home/mimi] [COMMAND=/usr/sbin/gparted] Jun 7 00:48:15 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:mimi to gain ONE-SHOT authorization for action com.ubuntu.pkexec.gparted for unix-process:3813:281120 [/bin/sh /usr/bin/gparted-pkexec] (owned by unix-user:mimi) Jun 7 00:48:15 Isis pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000) Jun 7 00:48:15 Isis pkexec: pam_ck_connector(polkit-1:session): cannot determine display-device Jun 7 00:48:15 Isis pkexec[3815]: mimi: Executing command [USER=root] [TTY=unknown] [CWD=/home/mimi] [COMMAND=/usr/sbin/gparted] Jun 7 01:17:01 Isis CRON[3960]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 01:17:01 Isis CRON[3960]: pam_unix(cron:session): session closed for user root Jun 7 02:08:52 Isis gnome-screensaver-dialog: gkr-pam: unlocked login keyring Jun 7 02:17:01 Isis CRON[4246]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 02:17:01 Isis CRON[4246]: pam_unix(cron:session): session closed for user root Jun 7 02:17:05 Isis sudo: mimi : TTY=pts/1 ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/apt-get install unetbootin Jun 7 02:17:05 Isis sudo: pam_unix(sudo:session): session opened for user root by mimi(uid=1000) Jun 7 02:17:57 Isis sudo: pam_unix(sudo:session): session closed for user root Jun 7 02:18:59 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:18:59 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:18:59 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:18:59 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:18:59 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:18:59 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:18:59 Isis sudo: mimi : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/unetbootin 'rootcheck=no' Jun 7 02:18:59 Isis sudo: unable to execute /usr/sbin/sendmail: No such file or directory Jun 7 02:19:26 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:19:26 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:19:26 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:19:26 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:19:26 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:19:26 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:19:26 Isis sudo: mimi : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/unetbootin 'rootcheck=no' Jun 7 02:19:26 Isis sudo: unable to execute /usr/sbin/sendmail: No such file or directory Jun 7 02:33:21 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:33:21 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:33:21 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:33:21 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:33:21 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 02:33:21 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 02:33:21 Isis sudo: mimi : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/unetbootin 'rootcheck=no' Jun 7 02:33:21 Isis sudo: unable to execute /usr/sbin/sendmail: No such file or directory Jun 7 02:40:04 Isis sudo: mimi : TTY=pts/1 ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/unetbootin rootcheck=no Jun 7 02:40:04 Isis sudo: pam_unix(sudo:session): session opened for user root by mimi(uid=1000) Jun 7 03:17:01 Isis CRON[5506]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 03:17:01 Isis CRON[5506]: pam_unix(cron:session): session closed for user root Jun 7 03:33:24 Isis sudo: pam_unix(sudo:session): session closed for user root Jun 7 03:33:43 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 03:33:43 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 03:33:43 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 03:33:43 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 03:33:43 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 03:33:43 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 03:33:43 Isis sudo: mimi : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/unetbootin showall=yes 'rootcheck=no' Jun 7 03:33:43 Isis sudo: unable to execute /usr/sbin/sendmail: No such file or directory Jun 7 04:17:01 Isis CRON[6119]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 04:17:01 Isis CRON[6119]: pam_unix(cron:session): session closed for user root Jun 7 04:18:35 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:mimi to gain TEMPORARY authorization for action org.debian.apt.install-or-remove-packages for system-bus-name::1.79 [/usr/bin/python /usr/bin/landscape-client-ui-install] (owned by unix-user:mimi) Jun 7 04:19:11 Isis groupadd[6702]: group added to /etc/group: name=landscape, GID=127 Jun 7 04:19:11 Isis groupadd[6702]: group added to /etc/gshadow: name=landscape Jun 7 04:19:11 Isis groupadd[6702]: new group: name=landscape, GID=127 Jun 7 04:19:11 Isis useradd[6706]: new user: name=landscape, UID=115, GID=127, home=/var/lib/landscape, shell=/bin/false Jun 7 04:19:12 Isis usermod[6711]: change user 'landscape' password Jun 7 04:19:12 Isis chage[6716]: changed password expiry for landscape Jun 7 04:19:37 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action com.canonical.LandscapeClientSettings.configure for unix-process:6146:1543697 [/usr/bin/python /usr/bin/landscape-client-settings-ui] (owned by unix-user:mimi) Jun 7 04:20:20 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action com.canonical.LandscapeClientSettings.configure for unix-process:6832:1555313 [/usr/bin/python /usr/bin/landscape-client-settings-ui] (owned by unix-user:mimi) Jun 7 04:21:04 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action com.ubuntu.languageselector.setsystemdefaultlanguage for unix-process:6827:1555123 [/usr/bin/python /usr/bin/gnome-language-selector] (owned by unix-user:mimi) Jun 7 04:21:08 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action com.ubuntu.languageselector.setsystemdefaultlanguage for unix-process:6827:1555123 [/usr/bin/python /usr/bin/gnome-language-selector] (owned by unix-user:mimi) Jun 7 04:21:44 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action org.debian.apt.install-or-remove-packages for system-bus-name::1.87 [/usr/bin/python /usr/bin/gnome-language-selector] (owned by unix-user:mimi) Jun 7 04:22:27 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:mimi to gain TEMPORARY authorization for action com.canonical.LandscapeClientSettings.configure for unix-process:7830:1567424 [/usr/bin/python /usr/bin/landscape-client-settings-ui] (owned by unix-user:mimi) Jun 7 04:25:50 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action com.ubuntu.languageselector.setsystemdefaultlanguage for unix-process:7876:1584865 [/usr/bin/python /usr/bin/gnome-language-selector] (owned by unix-user:mimi) Jun 7 04:25:52 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action com.ubuntu.languageselector.setsystemdefaultlanguage for unix-process:7876:1584865 [/usr/bin/python /usr/bin/gnome-language-selector] (owned by unix-user:mimi) Jun 7 05:11:57 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:mimi to gain TEMPORARY authorization for action org.debian.apt.install-or-remove-packages for system-bus-name::1.95 [/usr/bin/python /usr/bin/gnome-language-selector] (owned by unix-user:mimi) Jun 7 05:17:02 Isis CRON[8708]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 05:17:02 Isis CRON[8708]: pam_unix(cron:session): session closed for user root Jun 7 05:28:03 Isis lightdm: pam_unix(lightdm-autologin:session): session opened for user mimi by (uid=0) Jun 7 05:28:03 Isis lightdm: pam_ck_connector(lightdm-autologin:session): nox11 mode, ignoring PAM_TTY :0 Jun 7 05:28:17 Isis polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.32 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) Jun 7 05:28:32 Isis dbus[660]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.44" (uid=1000 pid=1736 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.17" (uid=0 pid=1333 comm="/usr/sbin/console-kit-daemon --no-daemon ") Jun 7 06:17:01 Isis CRON[2391]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 06:17:02 Isis CRON[2391]: pam_unix(cron:session): session closed for user root Jun 7 06:25:02 Isis CRON[2492]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 06:25:02 Isis CRON[2492]: pam_unix(cron:session): session closed for user root Jun 7 07:17:01 Isis CRON[3174]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 07:17:01 Isis CRON[3174]: pam_unix(cron:session): session closed for user root Jun 7 07:30:01 Isis CRON[3397]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 07:30:01 Isis CRON[3397]: pam_unix(cron:session): session closed for user root Jun 7 08:09:01 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:09:01 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:09:01 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:09:01 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:09:01 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:09:01 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:09:01 Isis sudo: mimi : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/share/checkbox/backend --path=/usr/share/checkbox/scripts:/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games /tmp/checkboxQbuE6V/input /tmp/checkboxQbuE6V/output Jun 7 08:09:01 Isis sudo: unable to execute /usr/sbin/sendmail: No such file or directory Jun 7 08:09:59 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:09:59 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:09:59 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:09:59 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:09:59 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:09:59 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:09:59 Isis sudo: mimi : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/share/checkbox/backend --path=/usr/share/checkbox/scripts:/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games /tmp/checkboxQbuE6V/input /tmp/checkboxQbuE6V/output Jun 7 08:09:59 Isis sudo: unable to execute /usr/sbin/sendmail: No such file or directory Jun 7 08:10:55 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:10:55 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:10:55 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:10:55 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:10:55 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 08:10:55 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 08:10:55 Isis sudo: mimi : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/share/checkbox/backend --path=/usr/share/checkbox/scripts:/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games /tmp/checkboxQbuE6V/input /tmp/checkboxQbuE6V/output Jun 7 08:10:55 Isis sudo: unable to execute /usr/sbin/sendmail: No such file or directory Jun 7 08:17:01 Isis CRON[4215]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 08:17:01 Isis CRON[4215]: pam_unix(cron:session): session closed for user root Jun 7 09:17:02 Isis CRON[4766]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 09:17:02 Isis CRON[4766]: pam_unix(cron:session): session closed for user root Jun 7 10:17:02 Isis CRON[5046]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 10:17:02 Isis CRON[5046]: pam_unix(cron:session): session closed for user root Jun 7 11:17:02 Isis CRON[5325]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 11:17:02 Isis CRON[5325]: pam_unix(cron:session): session closed for user root Jun 7 12:17:01 Isis CRON[5617]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 12:17:01 Isis CRON[5617]: pam_unix(cron:session): session closed for user root Jun 7 13:07:51 Isis gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=mimi Jun 7 13:07:51 Isis gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000388) Jun 7 13:07:51 Isis gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password Jun 7 13:07:51 Isis gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user Jun 7 13:08:03 Isis gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): conversation failed Jun 7 13:08:03 Isis gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): auth could not identify password for [mimi] Jun 7 13:08:03 Isis gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000388) Jun 7 13:08:08 Isis lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0) Jun 7 13:08:08 Isis lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :1 Jun 7 13:08:13 Isis lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "mimi" Jun 7 13:08:16 Isis dbus[660]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.91" (uid=104 pid=5961 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.17" (uid=0 pid=1333 comm="/usr/sbin/console-kit-daemon --no-daemon ") Jun 7 13:08:18 Isis dbus[660]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.98" (uid=104 pid=5999 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.17" (uid=0 pid=1333 comm="/usr/sbin/console-kit-daemon --no-daemon ") Jun 7 13:10:15 Isis lightdm: pam_unix(lightdm:session): session closed for user lightdm Jun 7 13:17:02 Isis CRON[6181]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 13:17:02 Isis CRON[6181]: pam_unix(cron:session): session closed for user root Jun 7 13:55:14 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 13:55:14 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 13:55:14 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 13:55:14 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 13:55:14 Isis sudo: pam_unix(sudo:auth): conversation failed Jun 7 13:55:14 Isis sudo: pam_unix(sudo:auth): auth could not identify password for [mimi] Jun 7 13:55:14 Isis sudo: mimi : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/mimi ; USER=root ; COMMAND=/usr/bin/unetbootin 'rootcheck=no' Jun 7 13:55:14 Isis sudo: unable to execute /usr/sbin/sendmail: No such file or directory Jun 7 14:02:33 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action com.canonical.LandscapeClientSettings.configure for unix-process:6736:3087856 [/usr/bin/python /usr/bin/landscape-client-settings-ui] (owned by unix-user:mimi) Jun 7 14:02:51 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action com.canonical.LandscapeClientSettings.configure for unix-process:6752:3089992 [/usr/bin/python /usr/bin/landscape-client-settings-ui] (owned by unix-user:mimi) Jun 7 14:03:14 Isis polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:mimi to gain TEMPORARY authorization for action com.canonical.LandscapeClientSettings.configure for unix-process:6763:3092515 [/usr/bin/python /usr/bin/landscape-client-settings-ui] (owned by unix-user:mimi) Jun 7 14:17:01 Isis CRON[6933]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 14:17:01 Isis CRON[6933]: pam_unix(cron:session): session closed for user root Jun 7 15:17:02 Isis CRON[7611]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 7 15:17:02 Isis CRON[7611]: pam_unix(cron:session): session closed for user root

    Read the article

  • How to use ASP.NET Authorization Yet Permit Access to .css Files?

    - by Chaitanya
    <authentication mode="Forms"> <forms loginUrl="Login.aspx"/> </authentication> <authorization> <deny users="?"/> </authorization> I am using forms authentication, and when i place the arguments cited above, the css formatting I have done for the whole document is not being implemented, it's vanishing. what should i be doing so that the CSS remains intact.

    Read the article

  • How do I force .htaccess authorization to occur over ssl?

    - by kenja
    I'm trying to force a particular directory to require only allowed IPs and a valid username/password through basic authorization. To ensure that the username/password are sent in encrypted form, I want the directory to also force SSL use. Here is what I have in my .htaccess file: # Force HTTPS-Connection RewriteEngine On RewriteCond %{SERVER_PORT} !^443$ RewriteRule (.*) https://www.mywebsite.com%{REQUEST_URI} [R,L] ## password begin ## AuthName "Restricted Access" AuthUserFile /var/www/admin/.htpasswd AuthType Basic Require valid-user Order deny,allow Deny from all Allow from 79.1.231.151 62.123.134.83 Satisfy All Unfortunately, when I access that directory using http protocol, it is asking for the password before it redirects the page to the secure version. This means the password is sent unencrypted. What am I doing wrong? Is there a way to do this?

    Read the article

  • Windows 2008 DHCP service fails - "...failed to see a directory server for authorization."

    - by ewwhite
    I have a small environment running Windows 2008 R2 where the DHCP service on the domain controller fails every two weeks. The most-visible error is Event ID 1059 and the Event Viewer message is: "The DHCP service failed to see a directory server for authorization." The setup features two domain controller and the usual services and roles (file, print, Exchange). Restarting the service fails for a variety of reasons. I've had the following messages at different times: "Not enough storage is available to complete this operation". "Unable to determine the DHCP Server version for the Server 192.168.x.x" "The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service." A reboot of the domain controller resolves the issue for ~2 weeks. The systems are virtualized and there are no network connectivity issues. Any ideas what's happening here?

    Read the article

  • How do I force .htaccess authorization to occur over ssl?

    - by kenja
    I'm trying to force a particular directory to require only allowed IPs and a valid username/password through basic authorization. To ensure that the username/password are sent in encrypted form, I want the directory to also force SSL use. Here is what I have in my .htaccess file: # Force HTTPS-Connection RewriteEngine On RewriteCond %{SERVER_PORT} !^443$ RewriteRule (.*) https://www.mywebsite.com%{REQUEST_URI} [R,L] ## password begin ## AuthName "Restricted Access" AuthUserFile /var/www/admin/.htpasswd AuthType Basic Require valid-user Order deny,allow Deny from all Allow from 79.1.231.151 62.123.134.83 Satisfy All Unfortunately, when I access that directory using http protocol, it is asking for the password before it redirects the page to the secure version. This means the password is sent unencrypted. What am I doing wrong? Is there a way to do this?

    Read the article

  • ASP.NET C# Session Variable

    - by SAMIR BHOGAYTA
    You can make changes in the web.config. You can give the location path i.e the pages to whom u want to apply the security. Ex. 1) In first case the page can be accessed by everyone. // Allow ALL users to visit the CreatingUserAccounts.aspx // location path="CreatingUserAccounts.aspx" system.web authorization allow users="*" / /authorization /system.web /location 2) in this case only admin can access the page // Allow ADMIN users to visit the hello.aspx location path="hello.aspx" system.web authorization allow roles="ADMIN' / deny users="*" / /authorization /system.web /location OR On the every page you need to check the authorization according to the page logic ex: On every page call this if (session[loggeduser] !=null) { DataSet dsUser=(DataSet)session[loggeduser]; if (dsUser !=null && dsUser.Tables.Count0 && dsUser.Tables[0] !=null && dsUser.Tables[0].Rows.Count0) { if (dsUser.Table[0].Rows[0]["UserType"]=="SuperAdmin") { //your page logic here } if (dsUser.Table[0].Rows[0]["UserType"]=="Admin") { //your page logic here } } }

    Read the article

  • Apache NameVirtualHost on port 443 ignores ServerAlias

    - by Ryan
    I've got a name-based virtual host setup on port 443 such that requests on host 'apple.fruitdomain' are proxied to the apple-app and requests on host 'orange.fruitdomain' are proxied to orange-app. This is working, but I'd like to add a ServerAlias for each such that requests on host 'apple' are proxied to apple-app and requests on host 'orange' are proxied to the orange-app. If I simply add a ServerAlias directive to the virtual host it doesn't work. ssl.conf below: Listen 443 NameVirtualHost *:443 <VirtualHost *:443> ServerName apple.fruitdomain ServerAlias apple SSLProxyEngine on ProxyPass /apple-app https://localhost:8181/apple-app ProxyPassReverse /apple-app https://localhost:8181/apple-app ... </VirtualHost> <VirtualHost *:443> ServerName orange.fruitdomain ServerAlias orange SSLProxyEngine on ProxyPass /orange-app https://localhost:8181/orange-app ProxyPassReverse /orange-app https://localhost:8181/orange-app ... </VirtualHost> Interestingly if I do a similar setup but with port 80 then the ServerAlias works...

    Read the article

  • Unit testing authorization in a Pylons app fails; cookies aren't been correctly set or recorded

    - by Ian Stevens
    I'm having an issue running unit tests for authorization in a Pylons app. It appears as though certain cookies set in the test case may not be correctly written or parsed. Cookies work fine when hitting the app with a browser. Here is my test case inside a paste-generated TestController: def test_good_login(self): r = self.app.post('/dologin', params={'login': self.user['username'], 'password': self.password}) r = r.follow() # Should only be one redirect to root assert 'http://localhost/' == r.request.url assert 'Dashboard' in r This is supposed to test that a login of an existing account forwards the user to the dashboard page. Instead, what happens is that the user is redirected back to the login. The first POST works, sets the user in the session and returns cookies. Although those cookies are sent in the follow request, they don't seem to be correctly parsed. I start by setting a breakpoint at the beginning of the above method and see what the login response returns: > nosetests --pdb --pdb-failure -s foo.tests.functional.test_account:TestMainController.test_good_login Running setup_config() from foo.websetup > /Users/istevens/dev/foo/foo/tests/functional/test_account.py(33)test_good_login() -> r = self.app.post('/dologin', params={'login': self.user['username'], 'password': self.password}) (Pdb) n > /Users/istevens/dev/foo/foo/tests/functional/test_account.py(34)test_good_login() -> r = r.follow() # Should only be one redirect to root (Pdb) p r.cookies_set {'auth_tkt': '"4c898eb72f7ad38551eb11e1936303374bd871934bd871833d19ad8a79000000!"'} (Pdb) p r.request.environ['REMOTE_USER'] '4bd871833d19ad8a79000000' (Pdb) p r.headers['Location'] 'http://localhost/?__logins=0' A session appears to be created and a cookie sent back. The browser is redirected to the root, not the login, which also indicates a successful login. If I step past the follow(), I get: > /Users/istevens/dev/foo/foo/tests/functional/test_account.py(35)test_good_login() -> assert 'http://localhost/' == r.request.url (Pdb) p r.request.headers {'Host': 'localhost:80', 'Cookie': 'auth_tkt=""\\"4c898eb72f7ad38551eb11e1936303374bd871934bd871833d19ad8a79000000!\\"""; '} (Pdb) p r.request.environ['REMOTE_USER'] *** KeyError: KeyError('REMOTE_USER',) (Pdb) p r.request.environ['HTTP_COOKIE'] 'auth_tkt=""\\"4c898eb72f7ad38551eb11e1936303374bd871934bd871833d19ad8a79000000!\\"""; ' (Pdb) p r.request.cookies {'auth_tkt': ''} (Pdb) p r <302 Found text/html location: http://localhost/login?__logins=1&came_from=http%3A%2F%2Flocalhost%2F body='302 Found...y. '/149> This indicates to me that the cookie was passed in on the request, although with dubious escaping. The environ appears to be without the session created on the prior request. The cookie has been copied to the environ from the headers, but the cookies in the request seems incorrectly set. Lastly, the user is redirected to the login page, indicating that the user isn't logged in. Authorization in the app is done via repoze.who and repoze.who.plugins.ldap with repoze.who_friendlyform performing the challenge. I'm using the stock tests.TestController created by paste: class TestController(TestCase): def __init__(self, *args, **kwargs): if pylons.test.pylonsapp: wsgiapp = pylons.test.pylonsapp else: wsgiapp = loadapp('config:%s' % config['__file__']) self.app = TestApp(wsgiapp) url._push_object(URLGenerator(config['routes.map'], environ)) TestCase.__init__(self, *args, **kwargs) That's a webtest.TestApp, by the way. The encoding of the cookie is done in webtest.TestApp using Cookie: >>> from Cookie import _quote >>> _quote('"84533cf9f661f97239208fb844a09a6d4bd8552d4bd8550c3d19ad8339000000!"') '"\\"84533cf9f661f97239208fb844a09a6d4bd8552d4bd8550c3d19ad8339000000!\\""' I trust that that's correct. My guess is that something on the response side is incorrectly parsing the cookie data into cookies in the server-side request. But what? Any ideas?

    Read the article

  • How do I handle user authorization the safest way?

    - by Irro
    I'm developing a small website where I'm going to allow user to create accounts but I'm quite clueless when it comes to safety around authorizations. I have built my project in PHP with codeigniter and found a library (Tank Auth) that could handle authorization for me. It stores password in a safe way but I'm still worried about the part when the user sends their password to my server. One easy way to do it would be to send the password in a post-request but I would guess that it's quite easy to sniff such a password. Should I do something with the password on the client side before sending it to my server? And is there any good javascript libraries for this?

    Read the article

  • Would OpenID or OAuth work for authorization/authentication on a distributed web service?

    - by David Eyk
    We're in the early stages of designing a RESTful/resource-oriented web service API for a computational lingustics application. Because many of the resources we plan to serve are rights-encumbered, a key design decision has been to specify the platform so that each resource provider can expose their own web service that complies with the API spec. This way, the rights owner maintains control over their content (and thus the ability to throttle or deny access at will) and a direct relationship with the consumer, while still being able to participate in in the collaborative network. At the same time, to simplify the job of writing a client for this service, we want to allow a client access to the distributed service through one end-point, with the server handling content negotiation and retrieval from the appropriate providers. Right now, we're at an impasse on authentication/authorization schemes. One of our number has argued for the (technical) simplicity of a central authentication registry, but others are concerned about the organizational complexity of such a scheme. It seems to me, based on an albeit limited understanding of the technologies, that a combination of OpenID and OAuth would do the trick, with a client authenticating with the end-point via OpenID, and the server taking action on the user's behalf with the various content providers using OAuth. I've only ever seen implementations (e.g. stackoverflow, twitter, etc.) where a human was present to intervene, and I still need to do more research on these technologies. Would a scheme like this work for an automated web service, or would it make the client too difficult to implement and operate?

    Read the article

  • New Big Data Appliance Security Features

    - by mgubar
    The Oracle Big Data Appliance (BDA) is an engineered system for big data processing.  It greatly simplifies the deployment of an optimized Hadoop Cluster – whether that cluster is used for batch or real-time processing.  The vast majority of BDA customers are integrating the appliance with their Oracle Databases and they have certain expectations – especially around security.  Oracle Database customers have benefited from a rich set of security features:  encryption, redaction, data masking, database firewall, label based access control – and much, much more.  They want similar capabilities with their Hadoop cluster.    Unfortunately, Hadoop wasn’t developed with security in mind.  By default, a Hadoop cluster is insecure – the antithesis of an Oracle Database.  Some critical security features have been implemented – but even those capabilities are arduous to setup and configure.  Oracle believes that a key element of an optimized appliance is that its data should be secure.  Therefore, by default the BDA delivers the “AAA of security”: authentication, authorization and auditing. Security Starts at Authentication A successful security strategy is predicated on strong authentication – for both users and software services.  Consider the default configuration for a newly installed Oracle Database; it’s been a long time since you had a legitimate chance at accessing the database using the credentials “system/manager” or “scott/tiger”.  The default Oracle Database policy is to lock accounts thereby restricting access; administrators must consciously grant access to users. Default Authentication in Hadoop By default, a Hadoop cluster fails the authentication test. For example, it is easy for a malicious user to masquerade as any other user on the system.  Consider the following scenario that illustrates how a user can access any data on a Hadoop cluster by masquerading as a more privileged user.  In our scenario, the Hadoop cluster contains sensitive salary information in the file /user/hrdata/salaries.txt.  When logged in as the hr user, you can see the following files.  Notice, we’re using the Hadoop command line utilities for accessing the data: $ hadoop fs -ls /user/hrdataFound 1 items-rw-r--r--   1 oracle supergroup         70 2013-10-31 10:38 /user/hrdata/salaries.txt$ hadoop fs -cat /user/hrdata/salaries.txtTom Brady,11000000Tom Hanks,5000000Bob Smith,250000Oprah,300000000 User DrEvil has access to the cluster – and can see that there is an interesting folder called “hrdata”.  $ hadoop fs -ls /user Found 1 items drwx------   - hr supergroup          0 2013-10-31 10:38 /user/hrdata However, DrEvil cannot view the contents of the folder due to lack of access privileges: $ hadoop fs -ls /user/hrdata ls: Permission denied: user=drevil, access=READ_EXECUTE, inode="/user/hrdata":oracle:supergroup:drwx------ Accessing this data will not be a problem for DrEvil. He knows that the hr user owns the data by looking at the folder’s ACLs. To overcome this challenge, he will simply masquerade as the hr user. On his local machine, he adds the hr user, assigns that user a password, and then accesses the data on the Hadoop cluster: $ sudo useradd hr $ sudo passwd $ su hr $ hadoop fs -cat /user/hrdata/salaries.txt Tom Brady,11000000 Tom Hanks,5000000 Bob Smith,250000 Oprah,300000000 Hadoop has not authenticated the user; it trusts that the identity that has been presented is indeed the hr user. Therefore, sensitive data has been easily compromised. Clearly, the default security policy is inappropriate and dangerous to many organizations storing critical data in HDFS. Big Data Appliance Provides Secure Authentication The BDA provides secure authentication to the Hadoop cluster by default – preventing the type of masquerading described above. It accomplishes this thru Kerberos integration. Figure 1: Kerberos Integration The Key Distribution Center (KDC) is a server that has two components: an authentication server and a ticket granting service. The authentication server validates the identity of the user and service. Once authenticated, a client must request a ticket from the ticket granting service – allowing it to access the BDA’s NameNode, JobTracker, etc. At installation, you simply point the BDA to an external KDC or automatically install a highly available KDC on the BDA itself. Kerberos will then provide strong authentication for not just the end user – but also for important Hadoop services running on the appliance. You can now guarantee that users are who they claim to be – and rogue services (like fake data nodes) are not added to the system. It is common for organizations to want to leverage existing LDAP servers for common user and group management. Kerberos integrates with LDAP servers – allowing the principals and encryption keys to be stored in the common repository. This simplifies the deployment and administration of the secure environment. Authorize Access to Sensitive Data Kerberos-based authentication ensures secure access to the system and the establishment of a trusted identity – a prerequisite for any authorization scheme. Once this identity is established, you need to authorize access to the data. HDFS will authorize access to files using ACLs with the authorization specification applied using classic Linux-style commands like chmod and chown (e.g. hadoop fs -chown oracle:oracle /user/hrdata changes the ownership of the /user/hrdata folder to oracle). Authorization is applied at the user or group level – utilizing group membership found in the Linux environment (i.e. /etc/group) or in the LDAP server. For SQL-based data stores – like Hive and Impala – finer grained access control is required. Access to databases, tables, columns, etc. must be controlled. And, you want to leverage roles to facilitate administration. Apache Sentry is a new project that delivers fine grained access control; both Cloudera and Oracle are the project’s founding members. Sentry satisfies the following three authorization requirements: Secure Authorization:  the ability to control access to data and/or privileges on data for authenticated users. Fine-Grained Authorization:  the ability to give users access to a subset of the data (e.g. column) in a database Role-Based Authorization:  the ability to create/apply template-based privileges based on functional roles. With Sentry, “all”, “select” or “insert” privileges are granted to an object. The descendants of that object automatically inherit that privilege. A collection of privileges across many objects may be aggregated into a role – and users/groups are then assigned that role. This leads to simplified administration of security across the system. Figure 2: Object Hierarchy – granting a privilege on the database object will be inherited by its tables and views. Sentry is currently used by both Hive and Impala – but it is a framework that other data sources can leverage when offering fine-grained authorization. For example, one can expect Sentry to deliver authorization capabilities to Cloudera Search in the near future. Audit Hadoop Cluster Activity Auditing is a critical component to a secure system and is oftentimes required for SOX, PCI and other regulations. The BDA integrates with Oracle Audit Vault and Database Firewall – tracking different types of activity taking place on the cluster: Figure 3: Monitored Hadoop services. At the lowest level, every operation that accesses data in HDFS is captured. The HDFS audit log identifies the user who accessed the file, the time that file was accessed, the type of access (read, write, delete, list, etc.) and whether or not that file access was successful. The other auditing features include: MapReduce:  correlate the MapReduce job that accessed the file Oozie:  describes who ran what as part of a workflow Hive:  captures changes were made to the Hive metadata The audit data is captured in the Audit Vault Server – which integrates audit activity from a variety of sources, adding databases (Oracle, DB2, SQL Server) and operating systems to activity from the BDA. Figure 4: Consolidated audit data across the enterprise.  Once the data is in the Audit Vault server, you can leverage a rich set of prebuilt and custom reports to monitor all the activity in the enterprise. In addition, alerts may be defined to trigger violations of audit policies. Conclusion Security cannot be considered an afterthought in big data deployments. Across most organizations, Hadoop is managing sensitive data that must be protected; it is not simply crunching publicly available information used for search applications. The BDA provides a strong security foundation – ensuring users are only allowed to view authorized data and that data access is audited in a consolidated framework.

    Read the article

  • Securing an ADF Application using OES11g: Part 2

    - by user12587121
    To validate the integration with OES we need a sample ADF Application that is rich enough to allow us to test securing the various ADF elements.  To achieve this we can add some items including bounded task flows to the application developed in this tutorial. A sample JDeveloper 11.1.1.6 project is available here. It depends on the Fusion Order Demo (FOD) database schema which is easily created using the FOD build scripts.In the deployment we have chosen to enable only ADF Authentication as we will delegate Authorization, mostly, to OES.The welcome page of the application with all the links exposed looks as follows: The Welcome, Browse Products, Browse Stock and System Administration links go to pages while the Supplier Registration and Update Stock are bounded task flows.  The Login link goes to a basic login page and once logged in a link is presented that goes to a logout page.  Only the Browse Products and Browse Stock pages are really connected to the database--the other pages and task flows do not really perform any operations on the database. Required Security Policies We make use of a set of test users and roles as decscribed on the welcome page of the application.  In order to exercise the different authorization possibilities we would like to enforce the following sample policies: Anonymous users can see the Login, Welcome and Supplier Registration links. They can also see the Welcome page, the Login page and follow the Supplier Registration task flow.  They can see the icon adjacent to the Login link indicating whether they have logged in or not. Authenticated users can see the Browse Product page. Only staff granted the right can see the Browse Product page cost price value returned from the database and then only if the value is below a configurable limit. Suppliers and staff can see the Browse Stock links and pages.  Customers cannot. Suppliers can see the Update Stock link but only those with the update permission are allowed to follow the task flow that it launches.  We could hide the link but leave it exposed here so we can easily demonstrate the method call activity protecting the task flow. Only staff granted the right can see the System Administration link and the System Administration page it accesses. Implementing the required policies In order to secure the application we will make use of the following techniques: EL Expressions and Java backing beans: JSF has the notion of EL expressions to reference data from backing Java classes.  We use these to control the presentation of links on the navigation page which respect the security contraints.  So a user will not see links that he is not allowed to click on into. These Java backing beans can call on to OES for an authorization decision.  Important Note: naturally we would configure the WLS domain where our ADF application is running as an OES WLS SM, which would allow us to efficiently query OES over the PEP API.  However versioning conflicts between OES 11.1.1.5 and ADF 11.1.1.6 mean that this is not possible.  Nevertheless, we can make use of the OES RESTful gateway technique from this posting in order to call into OES. You can easily create and manage backing beans in Jdeveloper as follows: Custom ADF Phase Listener: ADF extends the JSF page lifecycle flow and allows one to hook into the flow to intercept page rendering.  We use this to put a check prior to rendering any protected pages, again calling on to OES via the backing bean.  Phase listeners are configured in the adf-settings.xml file.  See the MyPageListener.java class in the project.  Here, for example,  is the code we use in the listener to check for allowed access to the sysadmin page, navigating back to the welcome page if authorization is not granted:                         if (page != null && (page.equals("/system.jspx") || page.equals("/system"))){                             System.out.println("MyPageListener: Checking Authorization for /system");                             if (getValue("#{oesBackingBean.UIAccessSysAdmin}").toString().equals("false") ){                                   System.out.println("MyPageListener: Forcing navigation away from system" +                                       "to welcome");                                 NavigationHandler nh = fc.getApplication().getNavigationHandler();                                   nh.handleNavigation(fc, null, "welcome");                               } else {                                 System.out.println("MyPageListener: access allowed");                              }                         } Method call activity: our app makes use of bounded task flows to implement the sequence of pages that update the stock or allow suppliers to self register.  ADF takes care of ensuring that a bounded task flow can be entered by only one page.  So a way to protect all those pages is to make a call to OES in the first activity and then either exit the task flow or continue depending on the authorization decision.  The method call returns a String which contains the name of the transition to effect. This is where we configure the method call activity in JDeveloper: We implement each of the policies using the above techniques as follows: Policies 1 and 2: as these policies concern the coarse grained notions of controlling access to anonymous and authenticated users we can make use of the container’s security constraints which can be defined in the web.xml file.  The allPages constraint is added automatically when we configure Authentication for the ADF application.  We have added the “anonymousss” constraint to allow access to the the required pages, task flows and icons: <security-constraint>    <web-resource-collection>      <web-resource-name>anonymousss</web-resource-name>      <url-pattern>/faces/welcome</url-pattern>      <url-pattern>/afr/*</url-pattern>      <url-pattern>/adf/*</url-pattern>      <url-pattern>/key.png</url-pattern>      <url-pattern>/faces/supplier-reg-btf/*</url-pattern>      <url-pattern>/faces/supplier_register_complete</url-pattern>    </web-resource-collection>  </security-constraint> Policy 3: we can place an EL expression on the element representing the cost price on the products.jspx page: #{oesBackingBean.dataAccessCostPrice}. This EL Expression references a method in a Java backing bean that will call on to OES for an authorization decision.  In OES we model the authorization requirement by requiring the view permission on the resource /MyADFApp/data/costprice and granting it only to the staff application role.  We recover any obligations to determine the limit.  Policy 4: is implemented by putting an EL expression on the Browse Stock link #{oesBackingBean.UIAccessBrowseStock} which checks for the view permission on the /MyADFApp/ui/stock resource. The stock.jspx page is protected by checking for the same permission in a custom phase listener—if the required permission is not satisfied then we force navigation back to the welcome page. Policy 5: the Update Stock link is protected with the same EL expression as the Browse Link: #{oesBackingBean.UIAccessBrowseStock}.  However the Update Stock link launches a bounded task flow and to protect it the first activity in the flow is a method call activity which will execute an EL expression #{oesBackingBean.isUIAccessSupplierUpdateTransition}  to check for the update permission on the /MyADFApp/ui/stock resource and either transition to the next step in the flow or terminate the flow with an authorization error. Policy 6: the System Administration link is protected with an EL Expression #{oesBackingBean.UIAccessSysAdmin} that checks for view access on the /MyADF/ui/sysadmin resource.  The system page is protected in the same way at the stock page—the custom phase listener checks for the same permission that protects the link and if not satisfied we navigate back to the welcome page. Testing the Application To test the application: deploy the OES11g Admin to a WLS domain deploy the OES gateway in a another domain configured to be a WLS SM. You must ensure that the jps-config.xml file therein is configured to allow access to the identity store, otherwise the gateway will not b eable to resolve the principals for the requested users.  To do this ensure that the following elements appear in the jps-config.xml file: <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">             <description>LDAP-based IdentityStore Provider</description>  </serviceProvider> <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">             <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>             <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/></serviceInstance> <serviceInstanceRef ref="idstore.ldap"/> download the sample application and change the URL to the gateway in the MyADFApp OESBackingBean code to point to the OES Gateway and deploy the application to an 11.1.1.6 WLS domain that has been extended with the ADF JRF files. You will need to configure the FOD database connection to point your database which contains the FOD schema. populate the OES Admin and OES Gateway WLS LDAP stores with the sample set of users and groups.  If  you have configured the WLS domains to point to the same LDAP then it would only have to be done once.  To help with this there is a directory called ldap_scripts in the sample project with ldif files for the test users and groups. start the OES Admin console and configure the required OES authorization policies for the MyADFApp application and push them to the WLS SM containing the OES Gateway. Login to the MyADFApp as each of the users described on the login page to test that the security policy is correct. You will see informative logging from the OES Gateway and the ADF application to their respective WLS consoles. Congratulations, you may now login to the OES Admin console and change policies that will control the behaviour of your ADF application--change the limit value in the obligation for the cost price for example, or define Role Mapping policies to determine staff access to the system administration page based on user profile attributes. ADF Development Notes Some notes on ADF development which are probably typical gotchas: May need this on WLS startup in order to allow us to overwrite credentials for the database, the signal here is that there is an error trying to access the data base: -Djps.app.credential.overwrite.allowed=true Best to call Bounded Task flows via a CommandLink (as opposed to a go link) as you cannot seem to start them again from a go link, even having completed the task flow correctly with a return activity. Once a bounded task flow (BTF) is initated it must complete correctly  via a return activity—attempting to click on any other link whilst in the context of a  BTF has no effect.  See here for example: When using the ADF Authentication only security approach it seems to be awkward to allow anonymous access to the welcome and registration pages.  We can achieve anonymous access using the web.xml security constraint shown above (where no auth-constraint is specified) however it is not clear what needs to be listed in there….for example the /afr/* and /adf/* are in there by trial and error as sometimes the welcome page will not render if we omit those items.  I was not able to use the default allPages constraint with for example the anonymous-role or the everyone WLS group in order to be able to allow anonymous access to pages. The ADF security best practice advises placing all pages under the public_html/WEB-INF folder as then ADF will not allow any direct access to the .jspx pages but will only allow acces via a link of the form /faces/welcome rather than /faces/welcome.jspx.  This seems like a very good practice to follow as having multiple entry points to data is a source of confusion in a web application (particulary from a security point of view). In Authentication+Authorization mode only pages with a Page definition file are protected.  In order to add an emty one right click on the page and choose Go to Page Definition.  This will create an empty page definition and now the page will require explicit permission to be seen. It is advisable to give a unique context root via the weblogic.xml for the application, as otherwise the application will clash with any other application with the same context root and it will not deploy

    Read the article

  • BizTalk and SQL: Alternatives to the SQL receive adapter. Using Msmq to receive SQL data

    - by Leonid Ganeline
    If we have to get data from the SQL database, the standard way is to use a receive port with SQL adapter. SQL receive adapter is a solicit-response adapter. It periodically polls the SQL database with queries. That’s only way it can work. Sometimes it is undesirable. With new WCF-SQL adapter we can use the lightweight approach but still with the same principle, the WCF-SQL adapter periodically solicits the database with queries to check for the new records. Imagine the situation when the new records can appear in very broad time limits, some - in a second interval, others - in the several minutes interval. Our requirement is to process the new records ASAP. That means the polling interval should be near the shortest interval between the new records, a second interval. As a result the most of the poll queries would return nothing and would load the database without good reason. If the database is working under heavy payload, it is very undesirable. Do we have other choices? Sure. We can change the polling to the “eventing”. The good news is the SQL server could issue the event in case of new records with triggers. Got a new record –the trigger event is fired. No new records – no the trigger events – no excessive load to the database. The bad news is the SQL Server doesn’t have intrinsic methods to send the event data outside. For example, we would rather use the adapters that do listen for the data and do not solicit. There are several such adapters-listeners as File, Ftp, SOAP, WCF, and Msmq. But the SQL Server doesn’t have methods to create and save files, to consume the Web-services, to create and send messages in the queue, does it? Can we use the File, FTP, Msmq, WCF adapters to get data from SQL code? Yes, we can. The SQL Server 2005 and 2008 have the possibility to use .NET code inside SQL code. See the SQL Integration. How it works for the Msmq, for example: ·         New record is created, trigger is fired ·         Trigger calls the CLR stored procedure and passes the message parameters to it ·         The CLR stored procedure creates message and sends it to the outgoing queue in the SQL Server computer. ·         Msmq service transfers message to the queue in the BizTalk Server computer. ·         WCF-NetMsmq adapter receives the message from this queue. For the File adapter the idea is the same, the CLR stored procedure creates and stores the file with message, and then the File adapter picks up this file. Using WCF-NetMsmq adapter to get data from SQL I am describing the full set of the deployment and development steps for the case with the WCF-NetMsmq adapter. Development: 1.       Create the .NET code: project, class and method to create and send the message to the MSMQ queue. 2.       Create the SQL code in triggers to call the .NET code. Installation and Deployment: 1.       SQL Server: a.       Register the CLR assembly with .NET (CLR) code b.      Install the MSMQ Services 2.       BizTalk Server: a.       Install the MSMQ Services b.      Create the MSMQ queue c.       Create the WCF-NetMsmq receive port. The detailed description is below. Code .NET code … using System.Xml; using System.Xml.Linq; using System.Xml.Serialization;   //namespace MyCompany.MySolution.MyProject – doesn’t work. The assembly name is MyCompany.MySolution.MyProject // I gave up with the compound namespace. Seems the CLR Integration cannot work with it L. Maybe I’m wrong.     public class Event     {         static public XElement CreateMsg(int par1, int par2, int par3)         {             XNamespace ns = "http://schemas.microsoft.com/Sql/2008/05/TypedPolling/my_storedProc";             XElement xdoc =                 new XElement(ns + "TypedPolling",                     new XElement(ns + "TypedPollingResultSet0",                         new XElement(ns + "TypedPollingResultSet0",                             new XElement(ns + "par1", par1),                             new XElement(ns + "par2", par2),                             new XElement(ns + "par3", par3),                         )                     )                 );             return xdoc;         }     }   //////////////////////////////////////////////////////////////////////// … using System.ServiceModel; using System.ServiceModel.Channels; using System.Transactions; using System.Data; using System.Data.Sql; using System.Data.SqlTypes;   public class MsmqHelper {     [Microsoft.SqlServer.Server.SqlProcedure]     // msmqAddress as "net.msmq://localhost/private/myapp.myqueue";     public static void SendMsg(string msmqAddress, string action, int par1, int par2, int par3)     {         using (TransactionScope scope = new TransactionScope(TransactionScopeOption.Suppress))         {             NetMsmqBinding binding = new NetMsmqBinding(NetMsmqSecurityMode.None);             binding.ExactlyOnce = true;             EndpointAddress address = new EndpointAddress(msmqAddress);               using (ChannelFactory<IOutputChannel> factory = new ChannelFactory<IOutputChannel>(binding, address))             {                 IOutputChannel channel = factory.CreateChannel();                 try                 {                     XElement xe = Event.CreateMsg(par1, par2, par3);                     XmlReader xr = xe.CreateReader();                     Message msg = Message.CreateMessage(MessageVersion.Default, action, xr);                     channel.Send(msg);                     //SqlContext.Pipe.Send(…); // to test                 }                 catch (Exception ex)                 { …                 }             }             scope.Complete();         }     }   SQL code in triggers   -- sp_SendMsg was registered as a name of the MsmqHelper.SendMsg() EXEC sp_SendMsg'net.msmq://biztalk_server_name/private/myapp.myqueue', 'Create', @par1, @par2, @par3   Installation and Deployment On the SQL Server Registering the CLR assembly 1.       Prerequisites: .NET 3.5 SP1 Framework. It could be the issue for the production SQL Server! 2.       For more information, please, see the link http://nielsb.wordpress.com/sqlclrwcf/ 3.       Copy files: >copy “\Windows\Microsoft.net\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.dll” “\Program Files\Reference Assemblies\Microsoft\Framework\v3.0 \Microsoft.Transactions.Bridge.dll” If your machine is a 64-bit, run two commands: >copy “\Windows\Microsoft.net\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.dll” “\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0 \Microsoft.Transactions.Bridge.dll” >copy “\Windows\Microsoft.net\Framework64\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.dll” “\Program Files\Reference Assemblies\Microsoft\Framework\v3.0 \Microsoft.Transactions.Bridge.dll” 4.       Execute the SQL code to register the .NET assemblies: -- For x64 OS: CREATE ASSEMBLY SMdiagnostics AUTHORIZATION dbo FROM 'C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll' WITH permission_set = unsafe CREATE ASSEMBLY [System.Web] AUTHORIZATION dbo FROM 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Web.dll' WITH permission_set = unsafe CREATE ASSEMBLY [System.Messaging] AUTHORIZATION dbo FROM 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll' WITH permission_set = unsafe CREATE ASSEMBLY [System.ServiceModel] AUTHORIZATION dbo FROM 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll' WITH permission_set = unsafe CREATE ASSEMBLY [System.Xml.Linq] AUTHORIZATION dbo FROM 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll' WITH permission_set = unsafe   -- For x32 OS: --CREATE ASSEMBLY SMdiagnostics AUTHORIZATION dbo FROM 'C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll' WITH permission_set = unsafe --CREATE ASSEMBLY [System.Web] AUTHORIZATION dbo FROM 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll' WITH permission_set = unsafe --CREATE ASSEMBLY [System.Messaging] AUTHORIZATION dbo FROM 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll' WITH permission_set = unsafe --CREATE ASSEMBLY [System.ServiceModel] AUTHORIZATION dbo FROM 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll' WITH permission_set = unsafe 5.       Register the assembly with the external stored procedure: CREATE ASSEMBLY [HelperClass] AUTHORIZATION dbo FROM ’<FilePath>MyCompany.MySolution.MyProject.dll' WITH permission_set = unsafe where the <FilePath> - the path of the file on this machine! 6. Create the external stored procedure CREATE PROCEDURE sp_SendMsg (        @msmqAddress nvarchar(100),        @Action NVARCHAR(50),        @par1 int,        @par2 int,        @par3 int ) AS EXTERNAL NAME HelperClear.MsmqHelper.SendMsg   Installing the MSMQ Services 1.       Check if the MSMQ service is NOT installed. To check:  Start / Administrative Tools / Computer Management, on the left pane open the “Services and Applications”, search to the “Message Queuing”. If you cannot see it, follow next steps. 2.       Start / Control Panel / Programs and Features 3.       Click “Turn Windows Features on or off” 4.       Click Features, click “Add Features” 5.       Scroll down the feature list; open the “Message Queuing” / “Message Queuing Services”; and check the “Message Queuing Server” option  6.       Click Next; Click Install; wait to the successful finish of the installation Creating the MSMQ queue We don’t need to create the queue on the “sender” side. On the BizTalk Server Installing the MSMQ Services The same is as for the SQL Server. Creating the MSMQ queue 1.       Start / Administrative Tools / Computer Management, on the left pane open the “Services and Applications”, open the “Message Queuing”, and open the “Private Queues”. 2.       Right-click the “Private Queues”; choose New; choose “Private Queue”. 3.       Type the Queue name as ’myapp.myqueue'; check the “Transactional” option. Creating the WCF-NetMsmq receive port I will not go through this step in all details. It is straightforward. URI for this receive location should be 'net.msmq://localhost/private/myapp.myqueue'. Notes ·         The biggest problem is usually on the step the “Registering the CLR assembly”. It is hard to predict where are the assemblies from the assembly list, what version should be used, x86 or x64. It is pity of such “rude” integration of the SQL with .NET. ·         In couple cases the new WCF-NetMsmq port was not able to work with the queue. Try to replace the WCF- NetMsmq port with the WCF-Custom port with netMsmqBinding. It was working fine for me. ·         To test how messages go through the queue you can turn on the Journal /Enabled option for the queue. I used the QueueExplorer utility to look to the messages in Journal. The Computer Management can also show the messages but it shows only small part of the message body and in the weird format. The QueueExplorer can do the better job; it shows the whole body and Xml messages are in good color format.

    Read the article

  • How do you unit test web page authorization using ASP.NET MVC?

    - by Kevin Pang
    Let's say you have a profile page that can only be accessed by the owner of that profile. This profile page is located at: User/Profile/{userID} Now, I imagine in order to prevent access to this page by other users, you could structure your UserController class's Profile function to check the current session's identity: HttpContext.Current.User.Identity.Name If the id matches the one in the url, then you proceed. Otherwise you redirect to some sort of error page. My question is how do you unit test something like this? I'm guessing that you need to use some sort of dependency injection instead of the HttpContext in the controller to do the check on, but I am unclear what the best way to do that is. Any advice would be helpful.

    Read the article

  • What are the best authentication and authorization examples for your favorite web framework?

    - by Nathan Feger
    I have been looking through java web frameworks lately (though this question need not be limited to java), and I noticed that most examples on web framework websites leave out auth & auth examples in their stock documentation. one ruby example: acts_as_authenticated (link?) grails has: http://www.grails.org/Authentication+Plugin Anyway, please throw up some links to your framework of choice, and a link to a nice walkthrough to implementing an auth&auth solution.

    Read the article

  • Should I skip authorization, with CanCan, of an action that instantiates a resource?

    - by irkenInvader
    I am writing a web app to pick random lists of cards from larger, complete sets of cards. I have a Card model and a CardSet model. Both models have a full RESTful set of 7 actions (:index, :new, :show, etc). The CardSetsController has an extra action for creating random sets: :random. # app/models/card_set.rb class CardSet < ActiveRecord::Base belongs_to :creator, :class_name => "User" has_many :memberships has_many :cards, :through => :memberships # app/models/card.rb class Card < ActiveRecord::Base belongs_to :creator, :class_name => "User" has_many :memberships has_many :card_sets, :through => :memberships I have added Devise for authentication and CanCan for authorizations. I have users with an 'editor' role. Editors are allowed to create new CardSets. Guest users (Users who have not logged in) can only use the :index and :show actions. These authorizations are working as designed. Editors can currently use both the :random and the :new actions without any problems. Guest users, as expected, cannot. # app/controllers/card_sets_controller.rb class CardSetsController < ApplicationController before_filter :authenticate_user!, :except => [:show, :index] load_and_authorize_resource I want to allow guest users to use the :random action, but not the :new action. In other words, they can see new random sets, but not save them. The "Save" button on the :random action's view is hidden (as designed) from the guest users. The problem is, the first thing the :random action does is build a new instance of the CardSet model to fill out the view. When cancan tries to load_and_authorize_resource a new CardSet, it throws a CanCan::AccessDenied exception. Therefore, the view never loads and the guest user is served a "You need to sign in or sign up before continuing" message. # app/controllers/card_sets_controllers.rb def random @card_set = CardSet.new( :name => "New Set of 10", :set_type => "Set of 10" ) I realize that I can tell load_and_authorize_resource to skip the :random action by passing :except => :random to the call, but that just feels "wrong" for some reason. What's the "right" way to do this? Should I create the new random set without instantiating a new CardSet? Should I go ahead and add the exception?

    Read the article

  • Combine Related Resources With TastyPie

    - by Aaron Ng
    How can I combine multiple Resources in TastyPie? I have 3 models I'd like to combine: users, profiles and posts. Ideally I'd like profiles nested within user. I'm not sure where to go from here. class UserResource(ModelResource): class Meta: queryset = User.objects.all() resource_name = 'user' fields = ['username','id','date_joined'] #Improper Auth authorization = Authorization() class UserProfileResource(ModelResource): class Meta: queryset = UserProfile.objects.all() resource_name = 'profile' class UserPostResource(ModelResource): user = fields.ForeignKey(UserResource,'user', full=True) class Meta: queryset = UserPost.objects.all() resource_name = 'userpost' #Improper Auth authorization = Authorization()

    Read the article

  • Users being forced to re-login randomly, before session and auth ticket timeout values are reached

    - by Don
    I'm having reports and complaints from my user that they will be using a screen and get kicked back to the login screen immediately on their next request. It doesn't happen all the time but randomly. After looking at the Web server the error that shows up in the application event log is: Event code: 4005 Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired. Everything that I read starts out with people asking about web gardens or load balancing. We are not using either of those. We're a single Windows 2003 (32-bit OS, 64-bit hardware) Server with IIS6. This is the only website on this server too. This behavior does not generate any application exceptions or visible issues to the user. They just get booted back to the login screen and are forced to login. As you can imagine this is extremely annoying and counter-productive for our users. Here's what I have set in my web.config for the application in the root: <authentication mode="Forms"> <forms name=".TcaNet" protection="All" timeout="40" loginUrl="~/Login.aspx" defaultUrl="~/MyHome.aspx" path="/" slidingExpiration="true" requireSSL="false" /> </authentication> I have also read that if you have some locations setup that no longer exist or are bogus you could have issues. My path attributes are all valid directories so that shouldn't be the problem: <location path="js"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="images"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="anon"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="App_Themes"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="NonSSL"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> The only thing I'm not clear on is if my timeout value in the forms property for the auth ticket has to be the same as my session timeout value (defined in the app's configuration in IIS). I've read some things that say you should have the authentication timeout shorter (40) than the session timeout (45) to avoid possible complications. Either way we have users that get kicked to the login screen a minute or two after their last action. So the session definitely should not be expiring. Update 2/23/09: I've since set the session timeout and authentication ticket timeout values to both be 45 and the problem still seems to be happening. The only other web.config in the application is in 1 virtual directory that hosts Community Server. That web.config's authentication settings are as follows: <authentication mode="Forms"> <forms name=".TcaNet" protection="All" timeout="40" loginUrl="~/Login.aspx" defaultUrl="~/MyHome.aspx" path="/" slidingExpiration="true" requireSSL="true" /> </authentication> And while I don't believe it applies unless you're in a web garden, I have both of the machine key values set in both web.config files to be the same (removed for convenience): <machineKey validationKey="<MYVALIDATIONKEYHERE>" decryptionKey="<MYDECRYPTIONKEYHERE>" validation="SHA1" /> <machineKey validationKey="<MYVALIDATIONKEYHERE>" decryptionKey="<MYDECRYPTIONKEYHERE>" validation="SHA1"/> Any help with this would be greatly appreciated. This seems to be one of those problems that yields a ton of Google results, none of which seem to be fitting into my situation so far.

    Read the article

< Previous Page | 7 8 9 10 11 12 13 14 15 16 17 18  | Next Page >