At the moment I am trying to implement the Jasig CAS HttpModule in Orchard CMS.
The CMS is setup using multi-tenancy which means any changes to the web.config file should be minimal and not client specific.
The problem is that the default module provided for CAS is a HTTPModule which will override any kind of Authentication within Orchard CMS for all clients.
Do you see any issues with reimplementing the CAS HTTP Module using MVC Action Filters?
Has anyone attempted this?
So there were not many pain points in implementing this so here it is... https://github.com/Jetski5822/NGM.CasClient
Related
I am new to Django and API creation. I am trying to figure out if it is better to use djangorestframework or just use JsonResponse. I got the suggestion of djangorestframework from Digital Ocean's tutorial but also found out about JsonResponse, which seems simpler given that I don't have to install another package.
Goal: I would like to be able to provide user information for both web and mobile applications.
I see that there are some reasons provided on this post for djangorestframework, which I pasted below for posteriority.
The common cases for using DRF are:
1)You're creating a public-facing external API for third-party
developers to access the data in your site, and you want to output
JSON they can use in their apps rather than HTML.
2)You're doing mobile development and you want your mobile app to make
GET/PUT/POST requests to a Django backend, and then have your backend
output data (usually as JSON) to the mobile app. Since you don't want
to pass back HTML to the mobile app, you use DRF to effectively create
a REST API that your mobile app can call.
3)You're creating a web app, but you don't want to use the Django
templating language. Instead you want to use the Django ORM but output
everything as JSON and have your frontend created by a JavaScript MVC
framework such as React, Backbone, AngularJS, etc. In those cases, you
can use DRF to output JSON that the JavaScript framework can process.
DRF basically provides you many features to make APIs that you don't have in raw django.
for example:
Serializers: a declarative way(django style like declaring models) of making serializers, when you use JsonResponse you have to tell everywhere what to serialize, with the serializer you have to import it and just use it, also this serializers can be able to save/update objects too. Also support ORM source to connect yours models(think how difficult would be serialize a model with nested relations with JsonResponse).
The Web browsable API, you can see all the availables endpoints.
Third party packages to install and use: https://www.django-rest-framework.org/community/third-party-packages/#existing-third-party-packages.
Im migrating my code to a core application.
So far so good. i got it all running, but there is one problem.
I had a ui (with razor) and using the CatchAllHandlers. And for the api i used HandlerFactoryPath to prefix the urls.
Now i have 2 problems:
It seems CatchAllHandlers isn't used?
Route is only processed if route starts with HandlerFactoryPath?
The second issue is fixable but how would i go around the first one?
Do i make my own middle-ware or does servicestack support other ways of doing this?
CatchAllHandlers are executed in .NET Core, it's also what ServiceStack's new MVC RazorFormat uses to process Content Pages.
Specifying a HandlerFactoryPath, e.g:
SetConfig(new HostConfig {
HandlerFactoryPath = "api"
});
Tells ServiceStack that you only want to listen to requests from the /api path info. All other requests are passed through ServiceStack who calls the next module in .NET Core pipeline as per .NET Core's convention when it's not configured to handle a route.
Not sure if it's relevant to your solution but in ServiceStack .NET Core you can register a ServiceStack Handler in .NET Core module pipeline so you could for instance return a /default.cshtml Content Razor Page for each request that's not handled by ServiceStack, by registering it after ServiceStack:
app.UseServiceStack(new AppHost());
app.Use(new RazorHandler("/default"));
i'm building a stateless authentication system for a Dart frontend and have discovered that it's quite tricky to build a stateless authentication system that's actually secure.
The stack is as follow: Dart application that does JSON POSTs to a Spring MVC backend using Jackson to convert back and forth between JSON and Java objects. Everything will be behind SSL when it goes into production.
Scenario 1: User logs in, I keep a session on the Java side - this is not stateless and will cause problems when load balancing the backend.
Scenario 2: Upon hitting the login button, a POST is done by Dart to the Authentication controller which verifies the credentials and passes back a token (which could be a bunch of UUIDs concatenated together). The token comes back to the frontend - This token combined with the username will then have to be passed along with each request. The dart application now needs to store this token somewhere, since a Dart application compiles to JavaScript, cookies seems to be not an option (JavaScript can't access cookies ?). HTML5 localstorage comes to mind, but from what I've read, it's pretty easy to hijack that token if any form of XSS vulnerability is available (and I'm guessing browser plugins and toolbars that inject JavaScript into the page can also access this token).
Scenario 3: Just like in scenario 2, I get passed back a token from the Spring MVC backend, but instead of storing it in HTML5 localstorage, I keep in a JavaScript variable and pass it on if a new window is opened.
The same problem applies here, since it's inside a javascript variable, any kind of XSS vulnerability or browser plugin can nab that token and hijack the session.
So it seems for a stateless "session", HTML5 localstorage is the most convenient, but it's not secure. Is there a way to secure it or is there an alternative way that will allow me stateless authentication in the browser?
I got a fairly decent answer on Information Security which suggests using cookies with HttpOnly and Secure flags being set on them:
https://security.stackexchange.com/questions/84860/how-to-build-a-secure-stateless-authentication-system-for-a-client-side-javascri/84861#84861
I had to switch to servlet3 to allow setting HttpOnly flag:
Set http-only on cookies created in Spring MVC Controller
On the Dart side, I had to switch from BrowserClient as it doesn't allow cross-domain cookies:
Dart BrowserClient POST not including my cookies
I think about the question, i would save only the token in the session/local storage. All other data could be in a kind of user background controller, which can load needed data by the token(like the user profil).
The hijacking think is bad without ssl. You could try something like a hash comprising (Browser / OS / Plug in data...) as kind of controll but that would be pseudo. I think you need ssl.
I have developed an app that use a RESTful API using JSON:
- Server side: PHP
- Mobile side: JavaScript or AS3 - XHTTPRequest (AJAX)
Each time I request data to server from mobile I send "{user, password, info request}", and I have developed my own algorithm to encrypt these data before sending them.
Probably I can use HTTPS to send data in a safer way, and I can use SESSION info to avoid the need of sending user/password in each request.
This is not the problem, the problem is that I have the sense of being reinventig the wheel because this issue must be solved already in a million ways (almost every app needs info exchange with a server through HTTP/HTTPS).
I have found lots of link in stackoverflow talking about using JSON/REST but no one talking about an specific standard protocol.
I have found other places with info:
http://openmobilealliance.org/
https://core.telegram.org/mtproto
wikipedia: Wireless Application Protocol
But I am not sure about the better way for doing it.
Any sugestion?, any tutorial, specification, example or case of use link?
Thanks a lot.
J. Pablo.
Firebase is one that I've heard of and haven't used yet. https://firebase.google.com/
I am currently building one using JWT and Laravel, and have been pretty happy with it. Using this link as a guide: https://scotch.io/tutorials/role-based-authentication-in-laravel-with-jwt
I have a working project that uses the FOSUserBundle to handle all things user related, including logging into the system. Now, I'm building an API, and would like users to be able to log into the system by sending their credentials via JSON over HTTPS. I'd also like to be able to use the _remember_me cookie.
So, I need to be able to send either those JSON-decoded credentials or the _remember_me cookie to the FOSUserBundle login mechanism, but I'm not quite sure how to do it. Any suggestions or nudges in the right direction would be greatly appreciated.
You need to create a custom authentication provider and a security factory. This is quite an advanced task, but there's a tutorial here that can help you. http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html
When you create your factory class (implementing the SecurityFactoryInterface) make sure you assign getPosition() to http. The several authentication factories will be called in a strict order depending on their position, so bear in mind that the remember_me position - that takes care of the remember me functionality (provided it is enabled in your security.yml file) - will kick in earlier than the http authentication you are about to implement.
Besides the tutorial above, you can take a look at and study the following built-in authentication factory that can provide useful information:vendor/symfony/symfony/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpDigestFactory.php