Search Results

Search found 92246 results on 3690 pages for 'user authentication'.

Page 169/3690 | < Previous Page | 165 166 167 168 169 170 171 172 173 174 175 176  | Next Page >

• need some concrete examples on user stories, tasks and how they relate to functional and technical specifications

  - by gideon

  Little heads up, Im the only lonely dev building/planning/mocking my project as I go. Ive come up with a preview release that does only the core aspects of the system, with good business value and I've coded most of the UI as dirty throw-able mockups over nicely abstracted and very minimal base code. In the end I know quite well what my clients want on the whole. I can't take agile-ish cowboying anymore because Im completely dis-organized and have no paper plan and since my clients are happy, things are getting more complex with more features and ideas. So I started using and learning Agile & Scrum Here are my problems: I know what a functional spec is.(sample): Do all user stories and/or scenarios become part of the functional spec? I know what user stories and tasks are. Are these kinda user stories? I dont see any Business Value reason added to them. I made a mind map using freemind, I had problems like this: Actor : Finance Manager Can Add a Financial Plan into the system because well thats the point of it? What Business Value reason do I add for things like this? Example : A user needs to be able to add a blog article (in the blogger app) because..?? Its the point of a blogger app, it centers around that feature? How do I go into the finer details and system definitions: Actor: Finance Manager Action: Adds a finance plan. This adding is a complicated process with lots of steps. What User Story will describe what a finance plan in the system is ?? I can add it into the functional spec under definitions explaining what a finance plan is and how one needs to add it into the system, but how do I get to the backlog planning from there? Example: A Blog Article is mostly a textual document that can be written in rich text in the system. To add a blog article one must...... But how do you create backlog list/features out of this? Where are the user stories for what a blog article is and how one adds/removes it? Finally, I'm a little confused about the relations between functional specs and user stories. Will my spec contain user stories in them with UI mockups? Now will these user stories then branch out tasks which will make up something like a technical specification? Example : EditorUser Can add a blog article. Use XML to store blog article. Add a form to add blog. Add Windows Live Writer Support. That would be agile tasks but would that also be part of/or form the technical specs? Some concrete examples/answers of my questions would be nice!!

  Read the article

• Scrum - how to carry over a partially complete User Story to the next Sprint without skewing the backlog

  - by Nick

  We're using Scrum and occasionally find that we can't quite finish a User Story in the sprint in which it was planned. In true Scrum style, we ship the software anyway and consider including the User Story in the next sprint during the next Sprint Planning session. Given that the User Story we are carrying over is partially complete, how do we estimate for it correctly in the next Sprint Planning session? We have considered: a) Adjusting the number of Story Points down to reflect just the work which remains to complete the User Story. Unfortunately this will mess up reporting the Product Backlog. b) Close the partially-completed User Story and raise a new one to implement the remainder of that feature, which will have fewer Story Points. This will affect our ability to retrospectively see what we didn't complete in that sprint and seems a bit time consuming. c) Not bother with either a or b and continue to guess during Sprint Planning saying things like "Well that User Story may be X story points, but I know it's 95% finished so I'm sure we can fit it in."

  Read the article

• To track or not to track user created images for display in a dynamic website?

  - by Question Overflow

  I have a website that allows user to upload and display images. Currently, I am not using a database to track these user images. A folder having the user id as the folder name is created for each user and under each folder, the image files are labelled numerically with filenames ranging from 01.jpg to 20.jpg. Up to 20 such images can be displayed on each user page. I am using javascript to hide these images in case of any of them is absent. I have seen many websites having user images with unique random filenames and possibly tracking these files with a database Since obscurity is not something that I need for these web accessible images, is there any reason why I should track them with a DB? I am not sure if a reduction of 404 errors is a good enough reason to justify the added complexity of maintaining a database or can anyone enlighten me?

  Read the article

• How to do URL authentication in struts2

  - by Enrique Malhotra

  Hi, I am using struts2.1.6 + Spring 2.5 I have four modules in my application. Registration Module Admin Module Quote Module Location Module. In registration module the customer can register himself and only after registering he is supposed to have access of the remaining three modules. I want to implement something like if the action being called belongs to the registration module it will work as normal but if the action being called belongs to the rest of those three modules it first should check if the user is logged-in and session has not timed-out. if yes it should proceed normally otherwise it should redirect to the login page. Through research I have found out that interceptors could be used for this purpose but before proceeding I thought its better to get some feedback on it from experts. Please suggest how it should be done and If possible put some code suggestions. Here is my struts.xml file(The struts.xml contains four different config files belonging to each module): <struts> <include file="struts-default.xml" /> <constant name="struts.i18n.reload" value="false" /> <constant name="struts.objectFactory" value="spring" /> <constant name="struts.devMode" value="false" /> <constant name="struts.serve.static.browserCache" value="false" /> <constant name="struts.enable.DynamicMethodInvocation" value="true" /> <constant name="struts.multipart.maxSize" value="10000000" /> <constant name="struts.multipart.saveDir" value="C:/Temporary_image_location" /> <include file="/com/action/mappingFiles/registration_config.xml" /> <include file="/com/action/mappingFiles/admin_config.xml" /> <include file="/com/action/mappingFiles/quote.xml" /> <include file="/com/action/mappingFiles/location_config.xml" /> </struts> The sample registration_config.xml file is: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN" "http://struts.apache.org/dtds/struts-2.0.dtd"> <struts> <package name="registration" extends="struts-default" namespace="/my_company"> <action name="LoginView" class="registration" method="showLoginView"> <result>....</result> <result name="input">...</result> </action> </package> </struts> The sample admin_config.xml file is: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN" "http://struts.apache.org/dtds/struts-2.0.dtd"> <struts> <package name="admin" extends="struts-default" namespace="/my_company"> <action name="viewAdmin" class="admin" method="showAdminView"> <result>....</result> <result name="input">...</result> </action> </package> </struts> Same code is there in the rest of two struts2 xml config files. I have used the same namespace in all the four config files with the different package names(As you can see)

  Read the article

• JavaScript - get detailed information about the browser

  - by iconiK

  Basically I'm looking for something to give me easy access to information like useragentstring.com, but in JS, without me parsing the user agent and looking for each possible bit of text. The object could be something like this: browser = UserAgent.Browser; // Chrome browserVer = UserAgent.BrowserVersion; // 5.0.342.9 os = UserAgent.OperatingSystem; // Windows NT osVer = UserAgent.OperatingSystemVersion; // 6.1 layoutEng = UserAgent.LayoutEngine; // WebKit layoutEngVer = UserAgent.LayoutEngineVersion; // 533.2 Does something similar to that exist or do I have to write one myself? Writing yet another user agent parser doesn't seem that easy with all those impersonations going back to the dark ages of the web. Specifically I'm looking for something that doesn't just split the user agent into parts and give them to me, because that's as useless as the user agent itself; instead it should parse the user agent and recognize the engine, browser, OS, etc. and return the concrete parts only, as in the example.

  Read the article

• How can I generate a client proxy for a WCF service with an HTTPS endpoint?

  - by ng5000

  Might be the same issue as this previuos question: WCF Proxy but not sure... I have an HTTPS service connfigured to use transport security and, I hope, Windows credentials. The service is only accessed internally (i.e. within the intranet). The configuration is as follows: <configuration> <system.serviceModel> <services> <service name="WCFTest.CalculatorService" behaviorConfiguration="WCFTest.CalculatorBehavior"> <host> <baseAddresses> <add baseAddress = "https://localhost:8000/WCFTest/CalculatorService/" /> </baseAddresses> </host> <endpoint address ="basicHttpEP" binding="basicHttpBinding" contract="WCFTest.ICalculatorService" bindingConfiguration="basicHttpBindingConfig"/> <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/> </service> </services> <bindings> <basicHttpBinding> <binding name="basicHttpBindingConfig"> <security mode="Transport"> <transport clientCredentialType = "Windows"/> </security> </binding> </basicHttpBinding> </bindings> <behaviors> <serviceBehaviors> <behavior name="WCFTest.CalculatorBehavior"> <serviceAuthorization impersonateCallerForAllOperations="false" principalPermissionMode="UseWindowsGroups" /> <serviceCredentials > <windowsAuthentication allowAnonymousLogons="false" includeWindowsGroups="true" /> </serviceCredentials> <serviceMetadata httpsGetEnabled="True"/> <serviceDebug includeExceptionDetailInFaults="False" /> </behavior> </serviceBehaviors> </behaviors> </system.serviceModel> </configuration> When I run the service I can't see the service in IE. I get a "this page can not be displayed" error. If I try and create a client in VS2008 via the "add service reference" wizard I get this error: There was an error downloading 'https://localhost:8000/WCFTest/CalculatorService/'. There was an error downloading 'https://localhost:8000/WCFTest/CalculatorService/'. The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream. Metadata contains a reference that cannot be resolved: 'https://localhost:8000/WCFTest/CalculatorService/'. An error occurred while making the HTTP request to https://localhost:8000/WCFTest/CalculatorService/. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream. If the service is defined in the current solution, try building the solution and adding the service reference again. I think I'm missing some fundamental basics here. Do I need to set up some certificates? Or should it all just work as it seems to do when I use NetTcpBinding? Thanks

  Read the article

• Django auth without "auth_*" tables

  - by Travis Jensen

  We would like to use our own tables for user management instead of the Django "auth" tables. We already have database tables that include all of the relevant information our application needs but it isn't in the Django format. We would prefer not to have the information duplicated in two tables. We would like to utilize the auth package, though, as there is some very nice functionality that we don't want to replicate. I realize we could build our own auth backend, but that doesn't, as far as I can tell, remove the need for two sets of tables in this case. Am I correct in assuming that we cannot do this? I have found no docs that discuss how to modify the underlying model that the auth package is using. The backend simply pre-populates the user object that would eventually be saved in the auth tables. Thanks!

  Read the article

• RIA Services: custom autorization

  - by Budda

  Here is a good example how to create custom autorization for RIA services: http://stackoverflow.com/questions/1195326/ria-services-how-can-i-create-custom-authentication In my case a silverlight-pages will be displayed as a part of HTML-content and user authorisation is already implemented on the server-side (ASP.NET Membership is not used). It is required to show on the silverlight pages different information for authorised and non-authorised users. Is there any possibility to track on the Silverlight side if user is already authorized on the server side (on the usual ASP.NET web-site)? Please adivse how to do this. Thank you in advance.

  Read the article

• How can I use htaccess to protect a subdirectory of codeigniter installation?

  - by Art Peterson

  I have codeigniter installed at the root directory, and would like to have a subdirectory called "test" password protected using htaccess. I keep getting a "404 page not found" no matter what I try. The directory structure is: /public_html /css /images /system (codeigniter directory) /test .htaccess .htaccess .htpasswd index.php The root .htaccess file looks like: RewriteEngine On RewriteBase / Options -Indexes # Removes trailing slashes RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.+)/$ $1 [L,R=301] # Enforce www RewriteCond %{HTTP_HOST} !^(www) [NC] RewriteRule ^(.*)$ http://www.mydomain.com/$1 [L,R=301] #Checks to see if the user is attempting to access a valid file, #such as an image or css document, if this isn't true it sends the #request to index.php RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} !^(.*)test(.*) RewriteRule ^(.*)$ index.php?/$1 [L] The /test/.htaccess file: AuthUserFile /home/dir/.htpasswd AuthName "Protected Area" AuthType Basic <limit GET POST PUT> require user adminuser </limit> I'm not even getting the authentication prompt, just the codeigniter 404 page when I navigate to the url "http://www.mydomain.com/test/". Please advise!

  Read the article

• Public ASPXAUTH cookie and security

  - by Bara

  Due to a bug in Flash, I have to use the ASPXAuth cookie to log a user in on a page that a flash upload script calls after upload. See this page for more information: http://geekswithblogs.net/apopovsky/archive/2009/05/06/working-around-flash-cookie-bug-in-asp.net-mvc.aspx I have to make the ASPXAUTH string "public" in the sense that it will be in the HTML of the page. My question is, how secure is this? I understand that anyone that can get to the string in the HTML can probably get to it from the cookie just as easily, but let's say someone does have this ASPXAUTH string. Is it possible that they can login as another user using this cookie? Would they be able to decrypt it? Bara

  Read the article

• Django-allauth redirected to connections

  - by camara90100

  I'm using django-allauth to signup users with Facebook, and I'm setting the ACCOUNT_EMAIL_REQUIRED to True so when a user doesn't have email saved on his account I get redirected to the allauth/templates/socialaccount/Signup.html and when I use a test user to enter a valid email, I get redirect to "connections.html" which then asks me to choose one of the social accounts and remove it. and the form action method is set to 'connections url' so it becomes an infinite loop. anyone knows what's wrong? here's my settings SOCIALACCOUNT_PROVIDERS = \ { 'facebook': { 'SCOPE': ['email', 'publish_stream'], # 'AUTH_PARAMS': { 'auth_type': 'reauthenticate' }, 'METHOD': 'js_sdk' , 'LOCALE_FUNC': lambda request: 'en_US'}} ACCOUNT_EMAIL_REQUIRED =True ACCOUNT_ADAPTER = 'profiles.adapter.MyAccountAdapter' SOCIALACCOUNT_ADAPTER ='profiles.adapter.MySocialAccountAdapter'

  Read the article

• How to handle security constraints using GWT 2.1's RequestFactory?

  - by Marc

  I am currently developing a GWT 2.1 application that is to be deployed on Google App Engine. I would like to realise the server communication using the new RequestFactory. Now my question is how to handle fine-grained security issues in this context? Some server actions (of those declared in the RequestContext stubs) shall be restricted to certain users (possibly depending on the parameters of the remote call). If a call is unauthorised, I would like the client to show a login page (so that one may log in as a different user, for example). From the Expenses example, I know how to implement an automatic redirection to a login page, but in this example, the security model is quite simple: A client is allowed to access the servlet if and only if a user is logged in. Shall I raise a custom UnAuthorizedException in my server-side service? Where should I intercept this exception? (Can I do this in a servlet filter like the GaeAuthFilter of the Expenses example?)

  Read the article

• What could be the reason for continuous Full GC's during application startup.

  - by Kumar225

  What could be the reason for continuous Full GC's during application (webapplication deployed on tomcat) startup? JDK 1.6 Memory settings -Xms1024M -Xmx1024M -XX:PermSize=200M -XX:MaxPermSize=512M -XX:+UseParallelOldGC jmap output is below Heap Configuration: MinHeapFreeRatio = 40 MaxHeapFreeRatio = 70 MaxHeapSize = 1073741824 (1024.0MB) NewSize = 2686976 (2.5625MB) MaxNewSize = 17592186044415 MB OldSize = 5439488 (5.1875MB) NewRatio = 2 SurvivorRatio = 8 PermSize = 209715200 (200.0MB) MaxPermSize = 536870912 (512.0MB) 0.194: [GC [PSYoungGen: 10489K->720K(305856K)] 10489K->720K(1004928K), 0.0061190 secs] [Times: user=0.01 sys=0.00, real=0.00 secs] 0.200: [Full GC (System) [PSYoungGen: 720K->0K(305856K)] [ParOldGen: 0K->594K(699072K)] 720K->594K(1004928K) [PSPermGen: 6645K->6641K(204800K)], 0.0516540 secs] [Times: user=0.10 sys=0.00, real=0.06 secs] 6.184: [GC [PSYoungGen: 262208K->14797K(305856K)] 262802K->15392K(1004928K), 0.0354510 secs] [Times: user=0.18 sys=0.04, real=0.03 secs] 9.549: [GC [PSYoungGen: 277005K->43625K(305856K)] 277600K->60736K(1004928K), 0.0781960 secs] [Times: user=0.56 sys=0.07, real=0.08 secs] 11.768: [GC [PSYoungGen: 305833K->43645K(305856K)] 322944K->67436K(1004928K), 0.0584750 secs] [Times: user=0.40 sys=0.05, real=0.06 secs] 15.037: [GC [PSYoungGen: 305853K->43619K(305856K)] 329644K->72932K(1004928K), 0.0688340 secs] [Times: user=0.42 sys=0.01, real=0.07 secs] 19.372: [GC [PSYoungGen: 273171K->43621K(305856K)] 302483K->76957K(1004928K), 0.0573890 secs] [Times: user=0.41 sys=0.01, real=0.06 secs] 19.430: [Full GC (System) [PSYoungGen: 43621K->0K(305856K)] [ParOldGen: 33336K->54668K(699072K)] 76957K->54668K(1004928K) [PSPermGen: 36356K->36296K(204800K)], 0.4569500 secs] [Times: user=1.77 sys=0.02, real=0.46 secs] 19.924: [GC [PSYoungGen: 4280K->128K(305856K)] 58949K->54796K(1004928K), 0.0041070 secs] [Times: user=0.01 sys=0.00, real=0.01 secs] 19.928: [Full GC (System) [PSYoungGen: 128K->0K(305856K)] [ParOldGen: 54668K->54532K(699072K)] 54796K->54532K(1004928K) [PSPermGen: 36300K->36300K(204800K)], 0.3531480 secs] [Times: user=1.19 sys=0.10, real=0.35 secs] 20.284: [GC [PSYoungGen: 4280K->64K(305856K)] 58813K->54596K(1004928K), 0.0040580 secs] [Times: user=0.01 sys=0.00, real=0.01 secs] 20.288: [Full GC (System) [PSYoungGen: 64K->0K(305856K)] [ParOldGen: 54532K->54532K(699072K)] 54596K->54532K(1004928K) [PSPermGen: 36300K->36300K(204800K)], 0.2360580 secs] [Times: user=1.01 sys=0.01, real=0.24 secs] 20.525: [GC [PSYoungGen: 4280K->96K(305856K)] 58813K->54628K(1004928K), 0.0030960 secs] [Times: user=0.00 sys=0.00, real=0.00 secs] 20.528: [Full GC (System) [PSYoungGen: 96K->0K(305856K)] [ParOldGen: 54532K->54533K(699072K)] 54628K->54533K(1004928K) [PSPermGen: 36300K->36300K(204800K)], 0.2311320 secs] [Times: user=0.88 sys=0.00, real=0.23 secs] 20.760: [GC [PSYoungGen: 4280K->96K(305856K)] 58814K->54629K(1004928K), 0.0034940 secs] [Times: user=0.00 sys=0.00, real=0.00 secs] 20.764: [Full GC (System) [PSYoungGen: 96K->0K(305856K)] [ParOldGen: 54533K->54533K(699072K)] 54629K->54533K(1004928K) [PSPermGen: 36300K->36300K(204800K)], 0.2381600 secs] [Times: user=0.85 sys=0.01, real=0.24 secs] 21.201: [GC [PSYoungGen: 5160K->354K(305856K)] 59694K->54888K(1004928K), 0.0019950 secs] [Times: user=0.00 sys=0.00, real=0.00 secs] 21.204: [Full GC (System) [PSYoungGen: 354K->0K(305856K)] [ParOldGen: 54533K->54792K(699072K)] 54888K->54792K(1004928K) [PSPermGen: 36300K->36300K(204800K)], 0.2358570 secs] [Times: user=0.98 sys=0.01, real=0.24 secs] 21.442: [GC [PSYoungGen: 4280K->64K(305856K)] 59073K->54856K(1004928K), 0.0022190 secs] [Times: user=0.01 sys=0.00, real=0.01 secs] 21.444: [Full GC (System) [PSYoungGen: 64K->0K(305856K)] [ParOldGen: 54792K->54792K(699072K)] 54856K->54792K(1004928K) [PSPermGen: 36300K->36300K(204800K)], 0.2475970 secs] [Times: user=0.95 sys=0.00, real=0.24 secs] 21.773: [GC [PSYoungGen: 11200K->741K(305856K)] 65993K->55534K(1004928K), 0.0030230 secs] [Times: user=0.01 sys=0.00, real=0.01 secs] 21.776: [Full GC (System) [PSYoungGen: 741K->0K(305856K)] [ParOldGen: 54792K->54376K(699072K)] 55534K->54376K(1004928K) [PSPermGen: 36538K->36537K(204800K)], 0.2550630 secs] [Times: user=1.05 sys=0.00, real=0.25 secs] 22.033: [GC [PSYoungGen: 4280K->96K(305856K)] 58657K->54472K(1004928K), 0.0032130 secs] [Times: user=0.00 sys=0.00, real=0.01 secs] 22.036: [Full GC (System) [PSYoungGen: 96K->0K(305856K)] [ParOldGen: 54376K->54376K(699072K)] 54472K->54376K(1004928K) [PSPermGen: 36537K->36537K(204800K)], 0.2507170 secs] [Times: user=1.01 sys=0.01, real=0.25 secs] 22.289: [GC [PSYoungGen: 4280K->96K(305856K)] 58657K->54472K(1004928K), 0.0038060 secs] [Times: user=0.00 sys=0.00, real=0.00 secs] 22.293: [Full GC (System) [PSYoungGen: 96K->0K(305856K)] [ParOldGen: 54376K->54376K(699072K)] 54472K->54376K(1004928K) [PSPermGen: 36537K->36537K(204800K)], 0.2640250 secs] [Times: user=1.07 sys=0.02, real=0.27 secs] 22.560: [GC [PSYoungGen: 4280K->128K(305856K)] 58657K->54504K(1004928K), 0.0036890 secs] [Times: user=0.01 sys=0.00, real=0.01 secs] 22.564: [Full GC (System) [PSYoungGen: 128K->0K(305856K)] [ParOldGen: 54376K->54377K(699072K)] 54504K->54377K(1004928K) [PSPermGen: 36537K->36536K(204800K)], 0.2585560 secs] [Times: user=1.08 sys=0.01, real=0.25 secs] 22.823: [GC [PSYoungGen: 4533K->96K(305856K)] 58910K->54473K(1004928K), 0.0020840 secs] [Times: user=0.00 sys=0.00, real=0.01 secs] 22.825: [Full GC (System) [PSYoungGen: 96K->0K(305856K)] [ParOldGen: 54377K->54377K(699072K)] 54473K->54377K(1004928K) [PSPermGen: 36536K->36536K(204800K)], 0.2505380 secs] [Times: user=0.99 sys=0.01, real=0.25 secs] 23.077: [GC [PSYoungGen: 4530K->32K(305856K)] 58908K->54409K(1004928K), 0.0016220 secs] [Times: user=0.00 sys=0.00, real=0.00 secs] 23.079: [Full GC (System) [PSYoungGen: 32K->0K(305856K)] [ParOldGen: 54377K->54378K(699072K)] 54409K->54378K(1004928K) [PSPermGen: 36536K->36536K(204800K)], 0.2320970 secs] [Times: user=0.95 sys=0.00, real=0.23 secs] 24.424: [GC [PSYoungGen: 87133K->800K(305856K)] 141512K->55179K(1004928K), 0.0038230 secs] [Times: user=0.01 sys=0.01, real=0.01 secs] 24.428: [Full GC (System) [PSYoungGen: 800K->0K(305856K)] [ParOldGen: 54378K->54950K(699072K)] 55179K->54950K(1004928K) [PSPermGen: 37714K->37712K(204800K)], 0.4105190 secs] [Times: user=1.25 sys=0.17, real=0.41 secs] 24.866: [GC [PSYoungGen: 4280K->256K(305856K)] 59231K->55206K(1004928K), 0.0041370 secs] [Times: user=0.01 sys=0.00, real=0.00 secs] 24.870: [Full GC (System) [PSYoungGen: 256K->0K(305856K)] [ParOldGen: 54950K->54789K(699072K)] 55206K->54789K(1004928K) [PSPermGen: 37720K->37719K(204800K)], 0.4160520 secs] [Times: user=1.12 sys=0.19, real=0.42 secs] 29.041: [GC [PSYoungGen: 262208K->12901K(275136K)] 316997K->67691K(974208K), 0.0170890 secs] [Times: user=0.11 sys=0.00, real=0.02 secs]

  Read the article

• Does CAS Support Application Level Impersonation?

  - by Rob Wilkerson

  I have a PHP application that is successfully authenticating against a CAS server. One of the features supported by the application is impersonation; a user with the appropriate privileges can impersonate another of the application. Generally, this isn't a problem because the app itself can keep track of who the user is impersonating and manage privileges (which are based on username). A new requirement has come up, though, that requires the original app to include, via an iframe, content from a second PHP app that is also CAS-enabled. Somehow, I need for the second app to know whether impersonation is happening in the first. I don't want to pass usernames around for security reasons, so I'm wondering whether I can offload the responsibility for handling impersonation to the CAS server which is shared by both apps. Thanks.

  Read the article

• ASP.NET Login Page Redirection Problem

  - by Daniel

  Hello everyone! I'm building a silverlight application hosted on ASP.NET Web App. / IIS7 / SSL-enabled website. For security, I put my silverlight page inside a Members folder in the ASP.NET Web Application, and restricted access from anonymous users.(see web.config below) when users try to access pages under Members folder, they get redirected to https://www.ssldemo.com/authenticationtest/login.aspx. (see web.config below) (I've mapped www.ssldemo.com to 127.0.0.1). for security, I'm switching to HTTPS in login.aspx, and back to HTTP after validation. below is the code for login.aspx.cs. protected void Page_Load(object sender, EventArgs e) { LoginControl.LoggedIn += new EventHandler(LoginControl_LoggedIn); } void LoginControl_LoggedIn(object sender, EventArgs e) { //for going to ReturnURL & switching back to HTTP string serverName = HttpUtility.UrlEncode(Request.ServerVariables["SERVER_NAME"]); string returnURL = Request["ReturnURL"]; Response.Redirect(ResolveClientUrl("http://" + serverName + returnURL)); } The problem is, when I deploy another application to http://www.ssldemo.com/authenticationtest/members/AnotherApplication/ and open http://www.ssldemo.com/authenticationtest/members/AnotherApplication/default.aspx, Users get redirected to https://www.ssldemo.com/authenticationtest/login.aspx?ReturnUrl=%2fauthenticationtest%2fmembers%2fanotherapplication%2fdefault.aspx. but even when I enter the correct credentials at login page, I get redirected to the same login page again, not to the ReturnUrl. when I looked into fiddler, it said '302 object moved to here.' Thank you for reading! Any input will be much appreciated. <configuration> <connectionStrings> <add name="CompanyDatabase" connectionString="Data Source=192.168.0.2;Initial Catalog=SomeTable;User ID=Username;Password=P@ssword" /> </connectionStrings> <system.web> <compilation debug="true" targetFramework="4.0" /> <authentication mode="Forms"> <forms slidingExpiration="true" timeout="15" loginUrl="https://www.ssldemo.com/authenticationtest/login.aspx" defaultUrl="~/Members/Default.aspx" > </forms> </authentication> <!--Custom Membership Provider--> <membership defaultProvider="MyMembershipProvider" userIsOnlineTimeWindow="15"> <providers> <clear /> <add name="MyMembershipProvider" type="AuthenticationTest.Web.MyMembershipProvider" connectionStringName="CompanyDatabase" applicationName="AuthenticationTest.Web"/> </providers> </membership> </system.web> <!--securing folders--> <location path="Members"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> </configuration>

  Read the article

• last_login_at not working (null) w/ Authlogic Magic Columns...

  - by bgadoci

  I am using the Authlogicgem for authentication and most of it seems to be working great. Authlogic provides several columns that you can add to your Users table (for example) that it knows to fill in if they are present. i.e. login_count, current_login_ip, last_request_at and last_login_at. All seem to be working fine with the exception of the last_login_at field which is null for each user. Is there anything specific that could be causing this perhaps having to do with the user sessions, etc? I can post code if needed but wasn't sure what would relate to this.

  Read the article

• Mac Safari randomly recreating cookie when I refresh my login screen. Very bizarre

  - by mcintyre321

  We have found an issue in our app where Safari on the Mac randomly recreates a login cookie from a logged off session. I have a fiddler archive with this behaviour here. Note that some stuff has been removed from this to make it easier to get, but nothing which sets a cookie or anything has been taken out - only repetitions of requests 3-8. I'll talk you through the running order Request 1: user logs out via call to /logout.aspx - Set-Cookie returned setting cookie expiry date to 1999 Requests 2-8: user refreshes login page sending calls to root or /res/en-US/s.js - no cookie is sent to server or received back, and access is denied. I have cut out a lot of requests of this nature from the log as they are boring Request 9: request for /res/en-US/s.js - Hv3 authentication cookie has mysteriously reappeared! Wat. There was NO set-cookie! WTFF! Request 10+ : now the cookie has reappeared, the site logs the user in AGAIN The cookie, when examined in Safari looks like <dict> <key>Created</key> <real>259603523.26834899</real> <key>Domain</key> <string>.mysite.dev</string> <key>Expires</key> <date>2010-03-24T16:05:22Z</date> <key>HttpOnly</key> <string>TRUE</string> <key>Name</key> <string>.Hv3</string> <key>Path</key> <string>/</string> </dict> One thing to note is that in Safari, the cookie domain is .mysite.dev not mysite.dev (which is the cookie domain specified in web.config) - however, given that access is denied in requests 2-8, it looks like the cookie has expired OK. If you look in the list of cookies in the browser during 2-8, the .Hv3 cookie is not there. Is this our bug or Safari's? What can I do to stop it happening?

  Read the article

• Why is it a bad idea to use ClientLogin for web apps in the Google API?

  - by Onema

  I just picked up the Google API today to allow some users of our site to upload videos to our own organization YouTube account. I Don't want our users to know our user name and password, but rather give them the option if they want to upload videos to youtube or not. If they choose to do it, they check on a check box and hit the submit button. I keep seeing over, and over in the Developers guide that ClientLogin, which to me looks like the best option to implement what I want to do, is not a good idea for user authentication in web applicaitons. The "AuthSub for web applications" doesn't seem to be the best mechanism for what I want to implement! Any ideas on what to do? Thank you

  Read the article

• Login or Register (Ruby on rails)

  - by DanielZ

  Hello stackoverflow, I'm working on an Ruby on Rails application (2.3.x) and i want to make a form that lets the user login or register. I want to do this in the same form. I have a JS function that replaces the form elements like this: Login form: <% form_for @user do |f| %> <div id="form"> <%= f.label :email, "E-mail" %> <%= f.text_field :email %> <%= f.label :password, "Password" %> <%= f.password_field :password %> <%= link_to "I don't have an account, "#", :id => "changeForm"%> <%= f.submit "Login" %> </div> <% end %> The id "changeForm" triggers a JS function that changes the form elements. So if you press the url the html looks like this: <% form_for @user do |f| %> <div id="form"> <%= f.label :name, "Name" %> <%= f.text_field :name %> <%= f.label :email, "E-mail" %> <%= f.text_field :email %> <%= f.label :password, "Password" %> <%= f.password_field :password %> <%= f.label :password_confirmation, "Password confirmation" %> <%= f.password_field :password_confirmation %> <%= link_to "I do have an account, "#", :id => "changeForm"%> <%= f.submit "Register" %> </div> <% end %> I added the neccesary validations to my user model: class User < ActiveRecord::Base attr_reader :password validates_presence_of :name, :email, :password validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i validates_confirmation_of :password But what happens when you fill in the email / password you get the errors that the name is missing and that the password fields aren't confirmed. So i could do some nasty programming in my user model like this: #if password_conf or the name are present the user has tried to register... if params[:user][:password_confirmation].present? || params[:user][:name].present? #so we'll try to save the user if @user.save #if the user is saved authenticate the user current_session.user = User.authenticate(params[:user]) #if the user is logged in? if current_session.user.present? flash[:notice] = "succesvully logged redirect_to some_routes_path else #not logged in... flash[:notice] = "Not logged in" render :action => "new" end else #user not saved render :action => "new" end else #So if the params[:user][:password_confirmation] or [:user][:name] weren't present we geuss the user wants to login... current_session.user = User.authenticate(params[:user]) #are we logged_in? if current_session.user.present? flash[:notice] = "Succesvully logged in" redirect_to some_routes_path else #errors toevoegen @user.errors.add(:email, "The combination of email/password isn't valid") @user.errors.add(:password," ") render :action => "new" end end end Without validations this (imho dirty code and should not be in the controller) works. But i want to use the validates_presence_of methods and i don't want to slap the "conventions over configurations" in the face. So another thing i have tried is adding a hidden field to the form: #login form <%= f.hidden_field :login, :value => true %> # and ofcourse set it to false if we want to register. And then i wanted to use the method: before_validation before_validation_on_create do |user| if params[:user].login == true #throws an error i know... validates_presence_of :email, :password validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i else validates_presence_of :name, :email, :password validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i validates_confirmation_of :password end end But this doesn't work because i can't access the params. And login isn't a attribute for the user object. But i thought that in this way i could validate the email and password params if the user wants to login. And all the other attrs if the user want to register. So all i could think of doesn't work how i want it to work. So my main goal is this: 1 form for login/register with the use of the validation methods in the user model. So if we want to login but don't fill in any information = give validation errors. And if the user wants to login but the email/password combination doens't match give the "@user.errors.add(:email, "the combination wasn't found in the db...")". And the same goes for user register... Thanks in advance!

  Read the article

• REST client website login

  - by Jordan

  I have written a REST service that uses WSSE as an authentication method but i want to be able to use this rest service through a browser by creating a website around the service. I want the user to be able to log in on the website then when they view, for example the "view users" page an ajax request is made to test.com/users and back comes the list. The part i'm trying to get my head around is the logging in/out on the website and keeping the user logged in across pages. Since in a true REST implementation there's no state held on the server, i can't use $_SESSION and now i don't know where to start! What is the best way to go about this? Do i still need to store session information on the server then possibly use cURL to make the request? Thanks Jay

  Read the article

• mobile browsers' can't login to my site

  - by imin

  i've tested my site on 2 phone models using the 'generic' browser that came with the phone, but sadly, everytime I tried to login, it will return me back to my index page. here's my login code <form name='login' method='POST' action='authentication.php'> <table border=0 cellpadding=2> <tr><td>Login:</td><td></td></tr> <tr><td>E-mail: </td><td><input type=text name='email' id='email' size=20 maxlength="200"></td></tr> <tr><td>Password: </td><td><input type=password name='password' id='password' size=20 maxlength="100"></td></tr> <tr><td></td><td><input type=submit value='Login'></td></tr> </table></form> and here's the authentication.php (snippet) $currentUserEmail = $_POST["email"]; $currentUserPwd = md5($_POST["password"]); $stmt = $dbi->prepare("select status from users where email=? and pwd=?"); $stmt->bind_param('ss', $currentUserEmail,$currentUserPwd); mysqli_stmt_execute($stmt); mysqli_stmt_store_result($stmt); $isUserAvailable = mysqli_stmt_num_rows($stmt); $stmt->bind_result($getUserStatus); $stmt->execute() or die (mysqli_error()); $stmt->store_result(); $stmt->fetch(); $stmt->close(); if($isUserAvailable > 0){ if ($getUserStatus == "PENDING") { $userIsLoggedIn = "NO"; $registeredUser = "NO"; unset($userIsLoggedIn); setcookie("currentMobileUserName", "", time()-3600); setcookie("currentMobileUserEmail", "", time()-3600); setcookie("currentMobileSessionID", "", time()-3600); setcookie("currentMobileUID", "", time()-3600); header('Location: '.$config['MOBILE_URL'].'/index.php?error=2&email='.$currentUserEmail); }elseif (($getUserStatus == "ACTIVE") || ($getUserStatus == "active")){ //means successfully logged in //set the cookie setcookie("currentMobileUserName", $currentUserName, $expire); setcookie("currentMobileUserEmail", $currentUserEmail, $expire); setcookie("currentMobileSessionID", $getGeneratedMobileUSID, $expire); setcookie("currentMobileUID", $currentUID, $expire); $userIsLoggedIn = "YES"; $registeredUser = "YES"; $result = $stmt->execute() or die (mysqli_error($dbi)); if ($caller == "indexLoginForm"){ header('Location: '.$config['MOBILE_URL'].'/home.php'); }else{ header('Location: '.$config['MOBILE_URL'].'/home.php'); } } }else{ $userIsLoggedIn = "NO"; $registeredUser = "NO"; unset($userIsLoggedIn); setcookie("currentMobileUserName", "", time()-3600); setcookie("currentMobileUserEmail", "", time()-3600); setcookie("currentMobileSessionID", "", time()-3600); setcookie("currentMobileUID", "", time()-3600); header('Location: '.$config['MOBILE_URL'].'/index.php?error=1'); } The only way I can access my mobile site is by using opera mini. Just FYI, both the 'generic browsers' i tested my site with supports cookie (at least this is what the browser settings said). thanks

  Read the article

• How to set the ReturnUrl for the Login link in MVC 3 app?

  - by user762196

  using System; using Microsoft.Practices.Unity; namespace <MyNameSpace> { public class UrlFactory { public static UrlFactory Current { get { return HttpApplicationUnityContext.Current.Resolve<UrlFactory>(); } } public string GetLoginUrl() { return String.Format("{0}/login?ReturnUrl={1}", MyConfig.BaseHttpUrl, <GET_PAGE_URL>); } } The user can be on any page on the site and click the Login link. But the ReturnUrl must always point to the exact page where he clicked it. I must take the user back to the page he clicked the login link. In my code above, how do I get the page url in <GET_PAGE_URL>? Thanks

  Read the article

• CakePHP Auth how to allow specific controller and actions

  - by nolandark

  I have a "Posts" and a "Users" controller. I use the Auth Component and I want that all users can visit "Post.index" but only logged in users can visit "User.index". In my app_controller.php I have this $this->Auth->allow('signup', 'confirm', 'index'); but with that all users can visit post.index and user.index. How can I specify a Controller in the allow-method? This didn't work for me: $this->Auth->allow('signup', 'confirm', 'Post.index');

  Read the article

• Regarding Authlogic and page redirection.

  - by Paddy

  I am using authlogic for authentication in my Rails app. Have named routes for the frequent actions, viz: map.login "login", :controller = "user_sessions", :action = "new" map.logout "logout", :controller = "user_sessions", :action = "destroy" map.register "register", :controller = "users", :action = "new" map.edit 'user/edit/:id', :controller = "users", :action = "edit" But also in my routes.rb i have these automatically created REST routes too: map.resources :user_sessions map.resources :users The problem now is that a user can login from two different routes. Ex: From, http://localhost/login and also from http ://localhost/user_sessions/new. How do i restrict access only from the named route i have defined and not allow from user_sessions/new?

  Read the article

• Logging out of Facebook invalidates offline_access token

  - by Mike Pateras

  I'm getting an offline access token like this: https://graph.facebook.com/oauth/access_token?scope=offline_access&client_id=MYCLIENTID&redirect_uri=MYREDIRECTURI&client_secret=MYSECRET&code=MYCODE obviously the MYCLIENTID and stuff have been changed for the sake of this post. Anyway, as soon as the user logs out of facebook, the key seems to no longer be valid. Am I not requesting offline_access properly (there's still an "expires" value on it, should there be if it is actually getting offline access), or is that just how it works? If it's the latter, how can I get a key that will persist, regardless of if the user logs out of facebook? I'm sure this is possible, because Tweetdeck can still write to Facebook, even though I'm currently logged out.

  Read the article

< Previous Page | 165 166 167 168 169 170 171 172 173 174 175 176  | Next Page >