Search Results

Search found 11365 results on 455 pages for 'authorization basic'.

Page 18/455 | < Previous Page | 14 15 16 17 18 19 20 21 22 23 24 25 | Next Page >

Why isn't Apache Basic authentication working?

- by Brad

I just upgraded Apache from it's 2003 build, to a squeaky-clean, brand-new 2.4.1 build. All seems pretty good except for one glaring thing: In my httpd.conf file I have the following: <Directory /> AllowOverride none Options FollowSymLinks AuthType Basic AuthName "Enter Password" AuthUserFile /var/www/.htpasswd Require valid-user </Directory> This should allow only users in the specified auth file to access the server - just as it had under the older version of Apache. (Right?) However, it's not working. Requests are granted with no authentication provided. When I switch logging to LogLevel Debug, for the accesses, it says: [Sat Mar 24 21:32:00.585139 2012] [authz_core:debug] [pid 10733:tid 32771] mod_authz_core.c(783): [client 192.168.1.181:57677] AH01626: authorization result of Require all granted: granted [Sat Mar 24 21:32:00.585446 2012] [authz_core:debug] [pid 10733:tid 32771] mod_authz_core.c(783): [client 192.168.1.181:57677] AH01626: authorization result of <RequireAny>: granted I really don't know what this means - and I (to the best of my knowledge) don't have any "Require all granted" or "" statements in any of my files. Any ideas why this isn't working, or where to debug??

Read the article
Outlook Anywhere inconsistencies with authentication methods

- by gravyface

So I've read this question and attempted just about every other workaround I've found online. Problem seems completely illogical to me, anyways: SBS 2011, vanilla install; haven't touched anything in IIS or Exchange outside of what's been done through the checklist (brand new domain, completely new customer) except to import an existing wildcard certificate for *.example.com (which is valid, Remote Web Workplace and Outlook Web Access work fine). On the two test machines and one production machine running a mixture of Windows XP Pro, Windows 7 and Outlook 2003 through to 2010, I've had no problem saving the password after configuring Outlook Anywhere using the wrong authentication method. I repeat, I have had no issues using the wrong authentication method on these test machines; password saves the first time, no problem, can verify it exists in the credentials manager (Start Run control userpasswords2), close Outlook, reboot, go make a sammie, come back, credentials are still saved. When I say wrong, it's because I was choosing NTLM and Exchange (under Exchange Console Server Configuration Client Access) was set by default to use Basic. On two completely different machines setup by a co-worker, they had (under my guidance) used NTLM as well... except that frustratingly, Outlook would always ask for a password. One machine was Windows XP with Outlook 2010, the other was Windows 7 with Outlook 2003. When these two machines were set to use Basic -- the correct settings -- the option to save was there and now works without issue. Puzzled by how my machines could possibly work with the wrong authentication, I then went into one of them and changed the authentication method to Basic. Now here's where it gets a little crazy: if I go under Outlook and change the authentication to use the correct setting (Basic) it fails to save the password and Outlook prompts every time (without a "remember me" checkbox). I have not had a chance to change it to Basic on the other two machines to see if this is just a fluke or not, but something just isn't right here. My two hunches are either a missing/installed KB Update or perhaps a local security policy. I should add that none of the 5 test machines in the equation here have ever been joined to the domain.

Read the article
Join ActiveDirectory (Win 2k8R2) to OpenDirectory(Snow Leopard)

- by Tom O'Connor

The vast majority of questions and so on regarding the interoperability of Active and Open directories involves getting Mac clients to see an AD and auth against it. What we'd like to do is get a Windows 7 workstation to auth completely against Open Directory. We tried setting it up as an NT4 type PDC, and that doesn't work satisfactorily. We tried using pGina and the LDAP backend, which allows Authentication, but has no support for Authorization, and as a result, if we mount an NFS Share, the user has the rights to do anything they damn well please. Not ideal for security (Totally bloody unacceptable, actually). We tried using a Samba server (newer version than on the Open Directory Server) as an intermediate, so that it knows about the LDAP server on the OD Server, but uses Samba 4 instead of v3. That didn't work either. We could login, but couldn't mount, and if we did, we had the same rights as with pGina. If we right-click the mounted drive in Windows, and have a look at NFS UID, it returns -2, not the correct (mapped) UID. So the final plan I've got is to use an Active Directory, inside a Windows 2008R2 Virtual Machine. What I want to achieve is to have the Active Directory sync it's user data from OpenDirectory (read-only would be fine). That way, we'd have the ability to connect Windows 7 clients to a "virtual domain" which would actually just grab information from OD's LDAP. All the information I've found is about how to go the other way. Does anyone know how we can do this?

Read the article
Active Directory problems while trying to perfom compare operation

- by Alex

I have CentOs 5.5 with Apache 2.2 and SVN installed. Also I have Windows 2003 R2 with Active Directory. I'm trying to authorize users via AD so each user have access to repo if he is a member of corespondent group in AD. Here is my apache config: LoadModule dav_svn_module modules/mod_dav_svn.so LoadModule authz_svn_module modules/mod_authz_svn.so LDAPVerifyServerCert off ServerName svn.mydomain.com DocumentRoot /var/www/svn.mydomain.com/htdocs RewriteEngine On [Location /] AuthType basic AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPURL ldaps://comp1.mydomain.com:636/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*) AuthLDAPBindDN [email protected] AuthLDAPBindPassword binduserpassword [/Location] [Location /repos/test] DAV svn SVNPath /var/svn/repos/test AuthName "SVN repository for test" Require ldap-group CN=test,CN=ProjectGroups,DC=mydomain,DC=com [/Location] When I'm using "Require valid-user" everything goes fine, "Require ldap-user" also works. But as soon as I use "Require ldap-group" authorization fails. Trere are no errors in apache logs, but Active Directory shows folowing error: Event Type: Information Event Source: NTDS LDAP Event Category: LDAP Interface Event ID: 1138 Date: 10/9/2010 Time: 1:28:52 PM User: MYDOMAIN\binduser Computer: COMP1 Description: Internal event: Function ldap_compare entered. Event Type: Error Event Source: NTDS General Event Category: Internal Processing Event ID: 1481 Date: 10/9/2010 Time: 1:28:52 PM User: MYDOMAIN\binduser Computer: COMP1 Description: Internal error: The operation on the object failed. Additional Data Error value: 2 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=mydomain,DC=com' I'm confused by this problem. What I'm doing wrong?

Read the article
Ruby on rails: Image downloads with Authentication/Authorization/Time outs

- by ak1dnar

Hi Guys, I'm having few doubts on implementing file downloads. I'm creating an app where I use attachment_fu with Amazon s3 to upload files. Things are working pretty well so far on uploading side. Now its the time to start the file downloads. Here is what I need, a logged in user search and browse for Images and they should able to add the files in to a download basket (Let's say its a Download Shopping Cart). Finally the user should be able to download these file(s) from S3 probably as a zipped file. Is there any plugin/gem where I can use for this?

Read the article
Twitter oauth authorization in a pop-up instead of in main browser window

- by niyogi

I feel incredibly stupid for even asking this since the answer might already be under my nose but here it goes: TweetMeme has a Re-tweet twitter widget that publishers can place on their blogs. When a user clicks on the widget, it pops open a window which allows the user to authenticate themselves with twitter and then re-tweet. This seems to use some special Twitter oauth popup form factor - unless there is something fancier happening under the surface to authenticate the user. The pop-up window looks like this: http://twitpic.com/1kepcr I'd rather handle an authentication via a pop-up rather than send the user to a brand new page (for the app I'm working on) and they seem to have the most graceful solution. Thoughts on how they did this?

Read the article
Facebook Graph API - authorization types?

- by Alex Cook

I'm struggling with the new Facebook Graph API, perhaps someone here can help. Here is what I want to do: provide a ‘login w/ FB’ button, throw to /authorize, get a code, throw to /access_token, get an access_token, and be able to hit https://graph.facebook.com/me for info about the user. When I try to use type=client_cred in the /authorize call, I get an access_token that lets me hit URLs with userIDs or names, but not /me. I receive an error stating I need a valid token. If I can't hit /me, how do I figure out who the current user is? What exactly should I use in the type param if I want a website to access a users data? I've seen posts with type=web_server, etc, but I can't seem to find a sure fire way to do, what I think, is pretty simple... Thanks ahead of time for any help thats provided...

Read the article
NSURLConnection and Basic HTTP Authentication

- by Justin Galzic

I need to invoke an initial GET HTTP request with Basic Authentication. This would be the first time the request is sent to the server and I already have the username & password so there's no need for a challenge from the server for authorization. First question: 1) Does NSUrlConnection have to be set as synchronous to do Basic Auth? According to the answer on this post, it seems that you can't do Basic Auth if you opt for the async route. 2) Anyone know of any some sample code that illustrates Basic Auth on a GET request without the need for a challenge response? Apple's documentation shows an example but only after the server has issued the challenge request to the client. I'm kind of new the networking portion of the SDK and I'm not sure which of the other classes I should use to get this working. (I see the NSURLCredential class but it seems that it is used only with NSURLAuthenticationChallenge after the client has requested for an authorized resource from the server).

Read the article
Cannot install Office 2003 Professional on a machine which formerly had 2003 Basic

- by Paul

Hi to all, I have a problem with one of our PCs. I've inherited this PC and it's always had MS Office basic on it; the time has come to install our Access application on it, so I'm trying to install Office Professional 2003, the problem I have is the installer says the license key is invalid; I can only assume this is down to the fact that the PC used to have Office Basic installed. I've deleted the registration keys for the OFFICE11 section of the registry, but am still getting the problem... Any suggestions as to how to kill any trace of the old install would be appreciated - its' no longer showing up in the add/remove programs window.

Read the article
Install Office 2003 professional over Office 2003 Basic?

- by Paul

I have a problem with one of our PCs. I've inherited this PC and it's always had MS Office Basic on it. The time has come to install our Access application on it, so I'm trying to install Office Professional 2003. The problem I have is the installer says the license key is invalid. I can only assume this is down to the fact that the PC used to have Office Basic installed. I've deleted the registration keys for the OFFICE11 section of the registry, but am still getting the problem. Any suggestions as to how to kill any trace of the old install would be appreciated - it's no longer showing up in the add/remove programs window.

Read the article
Setting up sendgrid for rails..returning Authorization error

- by Trip

The emails now send from my local, but do not send from my box. I am returned this error. Anyone know what this might be? Net::SMTPAuthenticationError (535 5.7.8 Error: authentication failed: authentication failure ): My environments/production.rb ActionMailer::Base.delivery_method = :smtp ActionMailer::Base.smtp_settings = { :address => "smtp.sendgrid.net", :port => '25', :domain => "mydomain.com", :authentication => :plain, :user_name => "[email protected]", :password => "password1234" } /etc/ssmtp/ssmtp.conf : root=postmaster mailhub=smtp.sendgrid.net [email protected] AuthPass=password1234 AuthMethod=LOGIN rewriteDomain=mydomain.com FromLineOverride=YES UseSTARTTLS=NO

Read the article
Facebook Developer Toolkit doesn't redirect after authorization

- by Mika Kolari

I have a small facebook test app (iframe) based on sample http://blogs.claritycon.com/blogs/kevin_marshall/archive/2009/10/06/facebook-developer-toolkit-3-0-asp-net-mvc-sample.aspx public class HomeController : Controller { public ActionResult Index() { var api = this.GetApi(); var userId = api.Session.UserId; return View(); } // redirects to Index // which doesn't redirect back here [FacebookAuthorization(IsFbml = false)] public ActionResult About() { var api = this.GetApi(); // goes here without FacebookAuthorization // but userId = 0 var userId = api.Session.UserId; return View(); } } When I try to go to 'About' page, FacebookAuthorizationAttribute redirects to 'Index' for authentication. The problem is, it never redirects back to 'About'. What am I doing wrong here?

Read the article
Securing Files over Web: Fine Grained Authorization Based File Access

- by Nishant

I have a system where employees can upload files. There are three ways Upload to my account in public, private or protected mode Upload to department account in public, private or protected mode Upload to organization account in public, private or protected mode where public is visible to anyone, private to the group or person only and protected to anyone in the organization. All the files for an organization are stored in a directory say, /files/<organizationId>/, on file server like files +-- 234809 | +img1.jpg | +doc1.pdf +-- 808234 | +doc2.pdf I am storing file-path and privacy level in DB. So, I can control whether to show link to a file URL to an user -- on a given page. The problem is, I do not have any control over file's URL... so, if some one types the URL to img1.jpg in his browser's address bar, there is no way to know whether a logged in user is eligible to see img1.jpg. Any suggestion? Thanks Nishant

Read the article
NAnt authorization access issue

- by Luís Custódio

I'm having a problem trying to move a file through my network, I want to transfer the release from my continuos integration virtual machine to the host of this VM. but i get this: System.UnauthorizedAccessException: Access to the path '\\192.168.0.36\E$\WebApps\MyProgram' is denied. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, DirectorySecurity dirSecurity) at System.IO.Directory.CreateDirectory(String path, DirectorySecurity directorySecurity) at NAnt.Core.Tasks.MoveTask.DoFileOperations() at NAnt.Core.Tasks.CopyTask.ExecuteTask() at NAnt.Core.Task.Execute() at NAnt.Core.Target.Execute() at NAnt.Core.Project.Execute(String targetName, Boolean forceDependencies) at NAnt.Core.Project.Execute() at NAnt.Core.Project.Run() I'm trying to transfer from a Windows Server 2003 R2 to a Windows Server 2008 R2.

Read the article
Rails user authorization

- by Zachary

I am currently building a Rails app, and trying to figure out the best way to authenticate that a user owns whatever data object they are trying to edit. I already have an authentication system in place (restful-authentication), and I'm using a simple before_filter to make sure a user is logged in before they can reach certain areas of the website. However, I'm not sure the best way to handle a user trying to edit a specific piece of data - for example lets say users on my site can own Books, and they can edit the properties of the book (title, author, pages, etc), but they should only be able to do this for Books that -they- own. In my 'edit' method on the books controller I would have a find that only retrieved books owned by the current_user. However, if another user knew the id of the book, they could type in http://website.com/book/7/edit , and the controller would verify that they are logged in, then show the edit page for that book (seems to bypass the controller). What is the best way to handle this? Is it more of a Rails convention routing issue that I don't understand (being able to go straight to the edit page), or should I be adding in a before_find, before_save, before_update, etc callbacks to my model?

Read the article
rpcbind authorization problems

- by Milan

Hy, I am using rpcbind (SunRPC) on Arch linux and python rpc.py (wich use standard python socket module) interface for comunication with it, but every time I try to send request for registration or unregistration to rpcbind I get message that I am rejected for security reasons. Only situation when everything works is that when I call rpcbind in insecure mode (rpcbind -i) but I realy want to make everything works in secure mode.I found information from rpcbind datasheet that i can make request in secure mode only from loopback address, but I have tried every aproach i had knew to make such socket and everything fall down. Please help me. Thank you

Read the article
How to secure authorization of methods

- by Kurresmack

I am building a web site in C# using MVC.Net How can I secure that no unauthorized persons can access my methods? What I mean is that I want to make sure that only admins can create articles on my page. If I put this logic in the method actually adding this to the database, wouldn't I have business logic in my data layer? Is it a good practise to have a seperate security layer that is always in between of the data layer and the business layer to make? The problem is that if I protect at a higher level I will have to have checks on many places and it is more likely that I miss one place and users can bypass security. Thanks!

Read the article
Authorization and Jquery dialog problem.

- by bbrepols

Hi, I have a little problem with a Jquery dialog for an action that requires a role. In my example, the user can click on a delete button and must confirm the action. In my controller, the Delete action requires a role, if the user is in the required role, the object is deleted. The problem: How to alert the user if * the element was deleted (redirect to the Index view) * there was an error (alert with the message) * he doesn't have the rights to delete (alert with the message) Before using the authorize filter, the delete action returned a JSON with a Boolean that indicates if there was an error, an URL to redirect on success and a message to alert on error. As I can't return a JSON from my filter, I created an other method with the authorize filter that returns a partial view with the confirm content. If the user doesn't have the rights, the filter returns a partial view with an unauthorized exception content. The problem: How to distinct which partial view was returned. When I create the dialog, I need to know for the buttons function. Thanks!

Read the article
google oauth doesn't redirect to callback after authorization

- by dstywho

I can't seem to get google to redirect to the callback url after obtaining the auth token. By redirecting the user to the following url, the user can click grant or deny access. After that the user clicks on one of the choices, the user is not redirected back to the callback url. https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=4%2F5ETLZ84rGmRxE_yx0b-_IFDReUxe&oauth_callback=http://blahblahblah.com/user_sessions/create&oauth_version=1.0&hd=default I'm wondering if anyone knows what the problem might be. Also does google require I use something like openssl.

Read the article
Good way to make Authentication and Authorization information available between application layers

- by DutrowLLC

I have a web application running on Google App Engine (GAE) for JAVA. I'm authenticating the client at the Servlet layer but would like to make the client information available to my business and data layers without having to pass the client object through the arguments of every single function. I'm considering setting up a "session" type object using ThreadLocal. That way any function can just say something like: CurrentUser.getRoles(); Is this a good way to do this or is there something else that is a more accepted solution? Thanks!

Read the article
apache redirect to https for basic auth

- by shreddd

I have a tricky variation on an old problem. I have an apache based site that should generally be accessed via http/port 80. However for certain areas protected areas that require authentication (designated by .htaccess), I want to be able to redirect the user the https/port 443. The key here is that I want this to always happen - i.e. I don't want to have to rewrite each htaccess file with a redirect. I only want to enforce this for basic authentication and the protected areas are scattered all over the site. Is it possible to somehow redirect all basic authentication requests to the SSL host?

Read the article
Allow from referer for HTTP-basic protected SSL apache site

- by user64204

I have an apache site protected by HTTP basic authentication. The authentication is working fine. Now I would like to bypass authentication for users that are coming from a particular website by relying on the HTTP Referer header. Here is the configuration: SetEnvIf Referer "^http://.*.example\.org" coming_from_example_org <Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None Deny from all Allow from env=coming_from_example_org AuthName "login required" AuthUserFile /opt/http_basic_usernames_and_passwords AuthType Basic Require valid-user Satisfy Any </Directory> This is working fine for HTTP, but failing for HTTPS. My understanding is that in order to inspect the HTTP headers, the SSL handshake must be completed, but apache wants to inspect the <Directory> directives before doing the SSL handshake, even if I place them at the bottom of the configuration file. Q: How could I workaround this issue? PS: I'm not obsessed with the HTTP referer header, I could use other options that would allow users from a known website to bypass authantication.

Read the article
Dynamic Disk: Revert back to basic or...?

- by someguy

When I was trying to create a new partition (via Disk Management) it warned me that the disk would be dynamic, but I thought it meant the partition and went ahead. Now, my hard disk, which has the main C partition, is dynamic. I haven't shut down the computer, and I'm not sure what the consequences are. Should I revert back to basic or...? What ever happens, I don't want to lose my data. Edit: I think I should mention that I don't know how to revert back to basic...

Read the article
Rails - Seeking a Dry authorization method compatible with various nested resources

- by adam

Consensus is you shouldn't nest resources deeper than 1 level. So if I have 3 models like this (below is just a hypothetical situation) User has_many Houses has_many Tenants and to abide by the above i do map.resources :users, :has_many => :houses map.resorces :houses, :has_many => :tenants Now I want the user to be able edit both their houses and their tenants details but I want to prevent them from trying to edit another users houses and tenants by forging the user_id part of the urls. So I create a before_filter like this def prevent_user_acting_as_other_user if User.find_by_id(params[:user_id]) != current_user() @current_user_session.destroy flash[:error] = "Stop screwing around wiseguy" redirect_to login_url() return end end for houses that's easy because the user_id is passed via edit_user_house_path(@user, @house) but in the tenents case tenant house_tenent_path(@house) no user id is passed. But I can get the user id by doing @house.user.id but then id have to change the code above to this. def prevent_user_acting_as_other_user if params[:user_id] @user = User.find(params[:user_id] elsif params[:house_id] @user = House.find(params[:house_id]).user end if @user != current_user() #kick em out end end It does the job, but I'm wondering if there is a more elegant way. Every time I add a new resource that needs protecting from user forgery Ill have to keep adding conditionals. I don't think there will be many cases but would like to know a better approach if one exists.

Read the article
Authentication and authorization for RESTfull API (java jersery)

- by abovesun

Hi, implementing service something similar with tinyurl or bit.ly, I'm would like to expose service as API, I'm using java and jersey as RESTfull service implementation. I'm looking for simplest way for authentification of users who use API, OAuth is first thing coming in mind, but the problem is I don't need this 3 iteration calls with request token query, than access token query with callback url passing. I just need to give user ability to invoke api with no additional security calls to my server.

Read the article

< Previous Page | 14 15 16 17 18 19 20 21 22 23 24 25 | Next Page >