Search Results

Search found 2054 results on 83 pages for 'ion auth'.

Page 56/83 | < Previous Page | 52 53 54 55 56 57 58 59 60 61 62 63  | Next Page >

• Replay attacks for HTTPS requests

  - by MatthewMartin

  Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials-- on replay of the entire request (including session and auth cookies) the security tester is able to succesfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability. What would a malicious user have to do to intercept the HTTPS request and replay it? It this a task for script kiddies, well funded military hacking teams or time-traveling-alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire? No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading a image with a malicious URL isn't an issue.

  Read the article

• Authenticating wcf service

  - by Muhammad Jamal Shaikh

  hi , i want to implement a web service which is both in java and .net.but i will first create a wcf service and later convert the code to java . for securing the webservice , i have this in my mind. i shall be implementing asp.net form authentication type of stuff . i intent to sent a token to the client on providing valid userID and password to the login method. in return i would send a token. on all other service operations i shall check the token . Now i have a wcf client and a wcf service . what should be the shortest way forward ?should i use soap auth header to send the user ID and password and how should the token be transported ( in which field ? http or soap's ?) . P.S: of course i shall enable ssl later.

  Read the article

• Custom login in Django

  - by alpgs

  Django newbie here. I wrote simplified login form which takes email and password. It works great if both email and password are supplied, but if either is missing i get KeyError exception. According to django documentation this should never happen: By default, each Field class assumes the value is required, so if you pass an empty value -- either None or the empty string ("") -- then clean() will raise a ValidationError exception I tried to write my own validators for fields (clean_email and clean_password), but it doesn't work (ie I get KeyError exception). What am I doing wrong? class LoginForm(forms.Form): email = forms.EmailField(label=_(u'Your email')) password = forms.CharField(widget=forms.PasswordInput, label=_(u'Password')) def clean_email(self): data = self.cleaned_data['email'] if not data: raise forms.ValidationError(_("Please enter email")) return data def clean_password(self): data = self.cleaned_data['password'] if not data: raise forms.ValidationError(_("Please enter your password")) return data def clean(self): try: username = User.objects.get(email__iexact=self.cleaned_data['email']).username except User.DoesNotExist: raise forms.ValidationError(_("No such email registered")) password = self.cleaned_data['password'] self.user = auth.authenticate(username=username, password=password) if self.user is None or not self.user.is_active: raise forms.ValidationError(_("Email or password is incorrect")) return self.cleaned_data

  Read the article

• Mongodb using db.help() on a particular db command

  - by user1325696

  When I type db.help() It returns DB methods: db.addUser(username, password[, readOnly=false]) db.auth(username, password) ... ... db.printShardingStatus() ... ... db.fsyncLock() flush data to disk and lock server for backups db.fsyncUnock() unlocks server following a db.fsyncLock() I'd like to find out how to get more detailed help for the particular command. The problem was with the printShardingStatus as it returned "too many chunks to print, use verbose if you want to print" mongos> db.printShardingStatus() --- Sharding Status --- sharding version: { "_id" : 1, "version" : 3 } shards: { "_id" : "shard0000", "host" : "localhost:10001" } { "_id" : "shard0001", "host" : "localhost:10002" } databases: { "_id" : "admin", "partitioned" : false, "primary" : "config" } { "_id" : "dbTest", "partitioned" : true, "primary" : "shard0000" } dbTest.things chunks: shard0001 12 shard0000 19 too many chunks to print, use verbose if you want to for ce print I found that for that particular command I can specify boolean parameter db.printShardingStatus(true) which wasn't shown using db.help().

  Read the article

• 3-legged-oauth and Google ContactsClient problem

  - by PanosJee

  Hi I am using 3-legged-oauth to import a users' Google contacts in my app. I did not find the ContactsClient library but i was using only the ContacsService and i was fetching the ContactsFeed but that resulted to not having a lot of data. After the user allows my apps i store the auth_token key and secret so i can run a cron task to fetch contacts' updates I am using this code atm: google = gdata.contacts.service.ContactsService(source=GOOGLE_OAUTH_SETTINGS['APP_NAME']) google.SetOAuthInputParameters(GOOGLE_OAUTH_SETTINGS['SIG_METHOD'], GOOGLE_OAUTH_SETTINGS['CONSUMER_KEY'], consumer_secret=GOOGLE_OAUTH_SETTINGS['CONSUMER_SECRET']) access_token = gdata.auth.OAuthToken(user_oauth_token, user_oauth_secret) access_token.oauth_input_params = google.GetOAuthInputParameters() google.SetOAuthToken(access_token) feed = google.GetContactsFeed() When i try to use the contacts client contacts_client = gdata.contacts.client.ContactsClient( source=GOOGLE_OAUTH_SETTINGS['APP_NAME']) feed2 = contacts_client.GetContacts(auth_token = access_token) I get the following error (please note that the access_token is the same as above and I user 3-legged-oauth HMAC) Actual results: File "/Library/Python/2.5/site-packages/atom/client.py", line 108, in request auth_token.modify_request(http_request)

  Read the article

• Double hop SQL delegation not working

  - by eKoz

  I've been trying to diagnose this for some time, and unfortunately Im still getting the dreaded anonymous logon issue when trying to connect to a sql db as a domain user. Steps taken: App Pool created with delegation service acct Site / Virtual dir running with Integrated Windows auth only Made sure site itself can use kerberos KB 215383 Service acct added to IIS_WPG group Service acct added to "act as part of operating system" under Local Security settings Service acct added to Log on as service under Local Security Settings HTTP SPN set for web address + service account (and FQDN) MSSQLSvc SPN set for sql box and domain acct sql is running as Trust for delegation turned on service acct, specified services, and sql service acct After all this, Im still getting the exact same error from when I started. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. This has advanced my balding by at least 5 years so far. I would greatly appreciate any additional tips on diagnosing or setting up.

  Read the article

• Single SingOn - Best practice

  - by halfdan

  Hi Guys, I need to build a scalable single sign-on mechanism for multiple sites. Scenario: Central web application to register/manage account (Server in Europe) Several web applications that need to authenticate against my user database (Servers in US/Europe/Pacific region) I am using MySQL as database backend. The options I came up with are either replicating the user database across all servers (data security?) or allowing the servers to directly connect to my MySQL instance by explicitly allowing connections from their IPs in my.cnf (high load? single point of failure?). What would be the best way to provide a scalable and low-latency single sign-on for all web applications? In terms of data security would it be a good idea to replicate the user database across all web applications? Note: All web applications provide an API which users can use to embed widgets into their own websites. These widgets work through a token auth mechanism which will again need to authenticate against my user database.

  Read the article

• Single SignOn - Best practice

  - by halfdan

  Hi Guys, I need to build a scalable single sign-on mechanism for multiple sites. Scenario: Central web application to register/manage account (Server in Europe) Several web applications that need to authenticate against my user database (Servers in US/Europe/Pacific region) I am using MySQL as database backend. The options I came up with are either replicating the user database across all servers (data security?) or allowing the servers to directly connect to my MySQL instance by explicitly allowing connections from their IPs in my.cnf (high load? single point of failure?). What would be the best way to provide a scalable and low-latency single sign-on for all web applications? In terms of data security would it be a good idea to replicate the user database across all web applications? Note: All web applications provide an API which users can use to embed widgets into their own websites. These widgets work through a token auth mechanism which will again need to authenticate against my user database.

  Read the article

• How can I login in a website with Pyhon?

  - by Shady

  How can I do it? I was trying to enter some specified link (with urllib), but to do it, I need to log. I have this source from the site <form id="login-form" action="auth/login" method="post"> <div> <!--label for="rememberme">Remember me</label><input type="checkbox" class="remember" checked="checked" name="remember me" /--> <label for="email" id="email-label" class="no-js">Email</label> <input id="email-email" type="text" name="handle" value="" autocomplete="off" /> <label for="combination" id="combo-label" class="no-js">Combination</label> <input id="password-clear" type="text" value="Combination" autocomplete="off" /> <input id="password-password" type="password" name="password" value="" autocomplete="off" /> <input id="sumbitLogin" class="signin" type="submit" value="Sign In" /> It's possible?

  Read the article

• Sharepoint 2010 - AAM - SPSite(SPContext.Current.Site.ID) RootWeb.Url is from wrong zone

  - by user2026343

  I have a sharepoint 2010 web application with 2 different zones, default zone with windows login (for search crawl), internet with Claims (FBA) for users to login. I have custom webparts that uses using (SPSite mySite = new SPSite(SPContext.Current.Site.ID)) using (SPWeb web = mySite.RootWeb) { string url = web.Url I use this url to include to emails etc... Problem is: when user connects to FBA (extended zone), and goes to the webpart,string url in my code returns the url of the default zone(windows auth) where user should not be touching. I have different host headers for these zones, any help would be very appreciated. Update: fixed it with using (SPSite newsite =new SPSite(SPContext.Current.Site.ID,SPContext.Current.Site.Zone)) using (SPWeb web = newsite.RootWeb) { //do your implementation here }

  Read the article

• Using gmail as SMTP server in Java web app is slow

  - by Annie

  Hi, I was wondering if anyone might be able to explain to me why it's taking nearly 30 seconds each time my Java web app sends an email using Gmail's SMTP server? See the following timestamps: 13/04/2010-22:24:27:281 DEBUG test.service.impl.SynchronousEmailService - Before sending mail. 13/04/2010-22:24:52:625 DEBUG test.service.impl.SynchronousEmailService - After sending mail. I'm using spring's JavaMailSender class with the following settings: email.host=smtp.gmail.com [email protected] email.password=mypassword email.port=465 mail.smtp.auth.required=true Note that the mail is getting sent and I'm receiving it fine, there's just this delay which is resulting in a slow experience for the application user. If you know how I can diagnose the problem myself that would be good too :)

  Read the article

• In Django, why is user.is_authenticated a method and not a member variable like is_staff

  - by luc

  Hello all, I've lost some time with a bug in my app due to user authentication. I think that it's a bit confusing but maybe someone can explain the reason and it will appear to me very logical. The user.is_staff is a member variable while user.is_authenticated is a method. However is_authenticated only returns True or False depending if the class is User or AnonymousUser (see http://docs.djangoproject.com/en/dev/topics/auth/) Is there a reason for that? Why user.is_authenticated is a method? Thanks in advance

  Read the article

• Ajax Post Request Returns JSON but Deferred Fails

  - by imrane

  I have a cross-domain POST request to http://api.local/user/auth - my API endpoint. I allow Cross Domain requests in my api with CORS. Using Chrome if that makes a difference. I get a valid server JSON response with 200 Status Code but I am using deferreds from a backbone model like so: @model.save() .fail(-> console.log 'sync fail') .success -> console.log 'sync OK' And I consistently get a 'sync fail' instead of the expected 'sync OK' Thoughts?

  Read the article

• Extracting Mail from Microsoft Exchange server 2007 through IMAPS in java

  - by abhishekgem84

  props.put("mail.debug", "true"); props.setProperty("mail.store.protocol","imaps"); props.setProperty("mail.imaps.auth.plain.disable","false"); props.setProperty("mail.imaps.host","Mail3.connect.com"); props.setProperty("mail.imaps.port","135"); props.setProperty("mail.imaps.user","test"); props.setProperty("mail.imaps.pwd","123"); props.setProperty("mail.imaps.ssl.protocols","SSL"); props.setProperty("mail.imaps.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); props.setProperty("mail.imaps.socketFactory.fallback", "false"); props.setProperty("mail.imaps.socketFactory.port", "135"); i have done all this but it still says javax.mail.AuthenticationFailedException: failed to connect, no password specified? kindly help me out thanks

  Read the article

• Code igniter authentication code in controller security question

  - by Prime Studios

  I have a main controller to handle the very front-end of my authentication system, it handles login, logout, update user info, etc. functions that I anticipate calling by POST'ing from views/forms. What about something like a "delete_user" function though? My thoughts are a button in someones admin panel would say "Delete Account" and it would post to "/auth/delete", and the function would delete the user based on their session username or id. This seems a bit open ended, you could send out a link to someone and when they opened it while in that application it would delete their account.. Whats the best way to handle this?

  Read the article

• Have the default security settings changed in Windows 7 that would affect IPrincipal.IsInRole?

  - by adrianbanks

  We use NTLM auth in our application to determine whether a user can perform certain operations. We use the IPrincipal of their current Windows login (in WinForms applications), calling IsInRole to check for specific group memberships. To check that a user is a local administrator on the machine, we use: AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); ... bool allowed = Thread.CurrentPrincipal.IsInRole(@"Builtin\Administrators") This works if the current user is the Administrator user, or is another user that is a member of the Builtin\Administrators group. In our testing on Windows 7, we have found that this no longer works as expected. The Administrator user still works fine, but any other user that is a member of the Builtin\Administrators group returns false for the IsInRole call. What could be causing this difference? I have a gut feeling that a default setting has changed somewhere (possible in gpedit), but cannot find anything that looks like the culprit.

  Read the article

• getRequestProperty("Authorization") always returns null

  - by Thilo

  I am trying to read the authorization header for an HTTP request (because I need to add something to it), but I always get null for the header value. Other headers work fine. public void testAuth() throws MalformedURLException, IOException{ URLConnection request = new URL("http://google.com").openConnection(); request.setRequestProperty("Authorization", "MyHeader"); request.setRequestProperty("Stackoverflow", "anotherHeader"); // works fine assertEquals("anotherHeader", request.getRequestProperty("Stackoverflow")); // Auth header returns null assertEquals("MyHeader", request.getRequestProperty("Authorization")); } Am I doing something wrong? Is this a "security" feature? Is there a way to make this work with URLConnection, or do I need to use another HTTP client library?

  Read the article

• .NEt on WIN to Mono on Ubuntu

  - by Srikanth

  I am looking at a possibility to change my ASP.NET 2.0 app to Mono framework. I have used the mono analyzer tool and it does detect some p/invoke and interop dependencies. For ex. 1) We use excel interops and on linux we are looking to use staroffice/Openoffice instead. Is there an easy way of substituting excel with staroffice? (I know it sounds bizarre, but just don't want to miss out in case anyone has done it already.) 2) LDAP auth: What could be the best alternative in Ubuntu (or an other flavour of Linux) ? 3) Is there an ajax framework for mono? Preferably with similar controls as Atlas?? I hope I am not too ambitious here.. thanks.

  Read the article

• htpasswd, secure specific files in zend framework

  - by AKFourSeven

  Hi I have been bashing my head against the wall with this riddle and cannot find the way to solve this. I would like to secure couple of files to restrict access to certain pages but my attempts so far are unsuccessful. I do not want to use Zend Auth as it is a very small web site doing simple stuff. Here is a sample of what I have done: AuthUserFile /path/to/my/.htpasswd AuthName "Admin Restriction" AuthType Basic <Files file.phtml> require valid-user </Files> Is there any way to achieve this ?

  Read the article

• s3cmd setacl to grant 'Authenticated Users'

  - by rynop

  I'm using jgit to create a remote in s3. Problem I'm having is when I do a jgit push s3 master it creates the files in s3 as owned by me. I want to keep the files private, and be read/write by 'Authenticated users'. I'd like to be able to either set acl: authenticated-read in the ~/.jgit file OR be able to modify the acl after the push: s3cmd --add-header=x-amz-acl:authenticated-read setacl --acl-private s3://my.bucket/repo/* Neither of these work. How do i use jgit and push to s3 and keep it private, and let anyone with auth read/write?

  Read the article

• Call REST service while impersonating a user that is already authorized to the glasfish server

  - by user1894489

  There are two web-applications deployed on a glassfish server. Both web applications provide a REST web service. the access to both web-services is secured via glassfish security constraints (at the moment BASIC Auth and file-realm). Let's say a user is accessing the service of web application A. After he is authorized, service A wants to call service B via REST client. Is there a way for a service to impersonate a user that is already authorized to the glasfish server? Maybe something like forwarding the security context or editing the headers? Is there another Filter? @Context private SecurityContext securityContext; username = securityContext.getUserPrincipal().getName(); password = ??? client.addFilter(new com.sun.jersey.api.client.filter.HTTPBasicAuthFilter(username, password)); Thanks!

  Read the article

• How to send news letters in zend

  - by Sherif

  i am trying to send something like news letter Via Zend_Mail but after 12 mail i got this message Fatal error: Maximum execution time of 30 seconds exceeded in C:\Program Files\Zend\Apache2\htdocs\forga\library\Zend\Mail\Protocol\Abstract.php on line 321 my Code is like: $smtpHost = 'smtp.gmail.com'; $smtpConf = array( 'auth' = 'login', 'ssl' = 'tls', 'port' = '587', 'username' ='[email protected]', 'password' = 'xxxxxxxx' ); $transport = new Zend_Mail_Transport_Smtp($smtpHost, $smtpConf); foreach($users as $user) { $mail = new Zend_Mail(); $mail-setFrom("[email protected]", 'Forga'); $mail-setSubject($subject); if($html=='on') $mail-setBodyHtml($message); else $mail-setBodyText($message); $mail-addto($user); $transport-send($mail); }

  Read the article

• best way to add route under resource in Laravel 4

  - by passingby

  I would like know if there is a better way to add additional route aside from the default of resource in Laravel 4. I have this code below which is no problem with regard to the functionality, it's just that it seems to be long: <?php Route::group(array('before' => 'auth'), function() { # API Route::group(array('prefix' => 'api'), function() { Route::resource('projects', 'ProjectsController'); Route::resource('projects.groups', 'GroupsController'); Route::post('/projects/{projects}/groups/{groups}/reorder', 'GroupsController@reorder'); }); }); If in Rails Rails.application.routes.draw do # API namespace :api, defaults: { format: 'json' } do scope module: :v1 do resources :projects do resources :groups do member do post :reorder end end end end end end

  Read the article

• http authenitcation in xcode

  - by user313100

  I am trying to make twitter work in my app and everything works fine except the code does not seem to recognize an error from twitter. If the username/password are not valid, I get an error message through this function: - (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data { NSString* strData = [[[NSString alloc] initWithBytes:[data bytes] length:[data length] encoding:NSASCIIStringEncoding] autorelease]; NSLog(@"Received data: %@", strData ) ; return ; } It prints: Received data: Could not authenticate you. . However, the app continues to the post a tweet view I have and ignores the error. Obviously, I do not have something setup right to detect such an error from twitter so my question is how do I get xcode to recognize an error like this? This uses basic http auth btw and don't mention anything about OAuth...just trying to get this to work for now.

  Read the article

• Sinatra: How do I provide access to a login form while preventing access to the rest of my Sinatra a

  - by Brandon Toone

  I recently created a Sinatra app with a login form (no basic auth). To prevent access to the app unless the user logged in I put a before block in place before do unless request.path_info == '/login' authenticated? end end I quickly realized that this prevented me from accessing resources in the public directory like my style sheet and logo unless authenticated first as well. To get around that I changed my filter to the following: before do unless request.path_info == '/login' || request.path_info == "/stylesheets/master.css" || request.path_info == "/images/logo.png" authenticated? end end If there were lots of resources I needed to provide exceptions to this way of making them would quickly become overwhelming. What is a better way to code this so I can make exceptions for the public directory or even its specific sub-directories and files like /stylesheets, /images, /images/bg.png but not /secret or /secret/eyes-only.pdf? Or ... Is there a completely different best-practice to handle this situation of locking down everything except the stuff related to logging in (handlers, views, resources)?

  Read the article

< Previous Page | 52 53 54 55 56 57 58 59 60 61 62 63  | Next Page >