I need to support both authentication methods in an application - WS Federation (wsfed) and Home realm discovery (hrd). I am having installed and customized Thinktecture identity server, but I am stack with achieving the above scenario. I am not sure what should be the configuration in <system.identityModel.services> <federationConfiguration> section.
Can I have two <wsFederation...> elements there and how the system would know which protocol to use?
Also is it possible to combine to method in a single page on the identity server side?
Any ideas will be much appreciated!
Thanks!
If you need both, then configure the server for hrd and then as a RP you can configure IdentityServer as a RP to its own hrd endpoint. There's an issue in the github issue tracker with more info (you'll have to search there).
Related
I have the gist of how to connect to a MySQL server, however my dilemma is using passwords. Here are some of the things I am looking at.
Architecture will be 1 core service which as of right now will be set up as a digest authentication service. Note: In the future I will also have it set up for kerberos authentication.
The service will have a schema it will need to be able to access in MySQL. Also the micro services will have their own schemas that they will also need to be able to access.
The database will be localhost initially but will eventually be moved (in production) to a separate server altogether.
Given the requirements above, I cannot give the services users that are restricted to localhost and have no password associated with them (nor would I want that in the event the server was hacked). So how can I have access to the database without using any plain text passwords (I don't want it stored in the code)?
Maybe I am just not understanding something here that could make my life so much easier so again I look towards the wisdom of the many here. Thanks in advance!
Some things that I should maybe mention: I plan on using go-martini as my http router, I'd like to be able to set up OAuth Provider, I will need to manage user sessions and authentication (right now not as important as I'm trying to get the core part of the service setup)
Edit: To clarify some information;
I do not have an AD, kerberos, or any other LDAP service to use and would be hard pressed to set them up at this time in a VM I use for development.
The service should not be dependent on any of those items as SSO is a much later requirement in this project.
Strictly speaking it will be deployed in environments where there are none of those available and this is non-negotiable.
I also am specifically developing the services in Go and the clients in React.
Note: I do not need someone to correct MY question. I would appreciate it if you do not change the context of my question to suite the answer you wish to give me. That is not what StackOverflow is about, it is also quite rude to do that. Thank you.
I am newbie with CAS Server, I found it is a single sign on server between different application in terms of technology like php, .net & java. I explore it but even though there are some questions yet not clear. Before ask my doubt, I tell what am I trying to achieve?
I am using a gwt based application, Now for some of the features, development is in a php technology. It should get some session data from existing java application. another approach to customize CAS like integrate a web service layer for authorization, instead of using its existing like query to db.
The doubts are:
1) Can I share a session data between Java & php application using CAS?
2) is there any security issue while passing a data using CAS server?
Thanks in Advance.
Sharing session data accross application can be addressed by mechanisms not linked to CAS. Though, when authentication occurs in CAS server, user data are retrieved from various data sources and these user data can be pushed to client CAS applications through SAML validation and the appropriate configuration.
I have two applications one is a business process management (BPM) & the other is a document management system (DMS) , both systems exposes web services to enable integration with other systems. Both system provide a master login username and password to provide JSON API Authentication. for example to start a process ("process1") inside the BPM ; the DMS can send the following API call
/jw/web/json/workflow/process/start/process1?master_username=BPMadmin&master_password=982716171717&loginAS=currentusername
and same apply for calling DMS web services.
The limitation in this security approach is that i am unable to call any of the DMS or the BPM web services using JavaScript and consume the returned JSON using javaScript, since if i follow the javaScript approach i will be exposing the master_username & master_password to the end users and they can manually modify the LoginAs parameter to other usernames and perform actions they are not authorized to do.
so my questions are:-
Can i make the web service calls secure using JavaScript?
second question what other security approaches i can follow to make the web services calls secure using javaScript? baring in mind that i can modify the webs service security to other approaches rather than using master login username and password, but this might require more time and effort from my side?
Thanks in advance for any help
Best Regards
First of all JS is client side and does not include any special security/magic/irreversible functions, like browser aided crypto engine, high grate SPRNG for key generation and so forth. So long story short anything you do with js is not secure it can be obfuscated but it will be NOT SECURE. That is the point you already made. Another more approach is to use your server as 'proxy'. So lets say You are designing an JS aided gui and show some documents ro so, then you make an AJAX request to your app server (not BPM nor DMS) and it acts as proxy that will do the authentication against DMS and call WS and then return the result back to your JS :) So your setup would look like JS (session)-> App (ws auth)-> DMS -> App (sesion)-> JS (I assume you have authenticated user and we'll use users session as JS <-> server secure channel, if not you will have to incorporate some other js auth mechanism maybe one time pass or something but it will be easy because it is your system). And voila. Only security consideration is to not allow anyone to call your servers proxy site :)
C# 2008
I have developed an application that need to connect to a web server in order to work. If the web server goes offline. The the app will have to be notified so that the user using the app can know what happened.
This application will be downloaded from the internet from our clients web site. So hundreds or thousands of users could have it.
I was thinking about pinging the web server maybe every 5 seconds. However, with 100's or 1000's apps would overload the web server.
Someone has told me about ESB would be right for this problem. The way I am thinking to use this, and I am not totally sure. Is to have every app to subscribe to the ESB. If the web server goes offline it will send a message to all the apps.
However, I understand that ESB is very big and complex and maybe this is overkill for my problem.
Am I understanding correctly.
If ESB is not the correct choice is there another design pattern I could use?
Many thanks
It sounds inappropriately out of scope to spec an ESB for this simple purpose. Why not just have the client machines figure it out as they periodically need to access the website? Instead of pinging the web server over and over, in the course of their normal activities they will need to access the web server for any normal reason, if they get an error response they can branch down the "web server is down" code path.
An ESB sounds like the wrong solution.
Two possibilities come to mind:
(1) If the user doesn't need to know they're offline in real-time, defer detection to usual error handling when you try and access the server.
(2) If you must know real time, use a small proxy at each client site so that only the proxies need to ping your server, not every desktop.
Hi I have a question regarding security, and web services.
I need a web service to provide an interface for the underlying mySQL database. I am trying to get a Blackberry Application to store data on the web servers mySQL database through a web service.
My question is, how can I ensure that the bb-application is the only thing that is using the web service? The web service will essential insert data into a table. I want to ensure that only the bb-application is allowed to use this service and not someone who figures out the service and starts spamming my table.
Any pointers, best practices or links are greatly appreciated.
Also what sort of web service is best in this scenario?
Take a look at basic authentication over SSL. Configuring the application to include the username/password in the header should be fairly straightforward and the SSL connection will ensure they're not being transmitted in cleartext.
Use net.rim.device.api.crypto.HMAC to implement HMAC authentication and validation. Establishing end to end SSL connections on a Blackberry can be problematic and dependent on wireless provider support unless your users are activated on a corporate BES (which I srongly recommend as part of the solution if you want robust security).
I am going to assume that the BlackBerry application is made by yourself as well. How you can then do this is by creating a sequence or hash that only your application can create, that the web service can verify. For instance, in the beginning of the process, or better, for each step the web service sends down a key sequence, which maps to an internal dictionary within your application on the method to make the unique hash.
The flow would then be as follows:
Perform data task in BB application
Ready to transmit data to web service
Create unique hash from data + your own information from the mapped dictionary
Transmit the data with the key
Web Service verifies the key. If validation fails, it discards the data completely, if succeeds, it will then do what it needs to do.
Continue.
HTH
Disclaimer: Assuming this is an open ended WS.
Also see my answer here.
I would go with a REST web service over HTTPS it would take your problems away. I dunno anything about blackberry apps so I can't give u any pointers on how to use HTTPS in that platform.
If you are creating a SOAP web service then you want to read about ws-security.
Others have indicated using SSL to secure the site. However, that is only one part of the puzzle. Kyle was close with the second, but didn't quite cut it.
The answer is that every single transaction which is posted to your web service must contain some type of authorization key. That key can be pre-shared and baked into the application OR it can be acquired through some other means and set up as part of the application install / configuration process.
Nearly all companies which provide web services online following this method. The idea is that regardless of the underlying protocol (ssl for example) you have to validate that the request is indeed coming from an authorized device / program. Some vendors have the users create a unique key for each user, some for each device, and others just 1 key for the entire organization. Regardless of how deep you take it there is in fact a key.
The key usually isn't that large. It might be anywhere from 15 to 40 alphanumeric characters.