Questions tagged [authorization]
Authorization is the process of determining whether a user, program or device is allowed to access a protected resource in a particular way. Authorization is a key theme in computer security practices.
10,546 questions
839 votes, 18 answers, 318k views
Best Practices for securing a REST API / web service [closed]
When designing a REST API or service, are there any established best practices for dealing with security (Authentication, Authorization, Identity Management)?
When building a SOAP API you have WS-...
710 votes, 17 answers, 259k views
Authentication versus Authorization
What's the difference in web applications? In short, please.
I see the abbreviation "auth" a lot. Does it stand for auth-entication or auth-orization? Or both?
661 votes, 18 answers, 561k views
How do you create a custom AuthorizeAttribute in ASP.NET Core?
I'm trying to make a custom authorization attribute in ASP.NET Core. In previous versions it was possible to override bool AuthorizeCore(HttpContextBase httpContext). But this no longer exists in ...
405 votes, 4 answers, 718k views
How to define the basic HTTP authentication using cURL correctly?
I'm learning Apigility (Apigility docu -> REST Service Tutorial) and trying to send a POST request with basic authentication via cURL:
$ curl -X POST -i -H "Content-Type: application/hal+json" -H "...
334 votes, 4 answers, 333k views
How to get http headers in flask?
Using Flask, how can I read HTTP headers? I want to check the authorization header which is sent by the client.
272 votes, 7 answers, 103k views
Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?
In ASP.NET MVC, you can mark up a controller method with AuthorizeAttribute, like this:
[Authorize(Roles = "CanDeleteTags")]
public void Delete(string tagName)
{
// ...
}
This means that, if the ...
164 votes, 10 answers, 260k views
ASP.NET Web API : Correct way to return a 401/unauthorised response
I have an MVC webapi site that uses OAuth/token authentication to authenticate requests. All the relevant controllers have the right attributes, and authentication is working ok.
The problem is that ...
160 votes, 9 answers, 424k views
Python requests library how to pass Authorization header with single token
I have a request URI and a token. If I use:
curl -s "<MY_URI>" -H "Authorization: TOK:<MY_TOKEN>"
etc., I get a 200 and view the corresponding JSON data.
So, I installed requests and ...
157 votes, 16 answers, 329k views
How to send custom headers with requests in Swagger UI?
I have some endpoints in the API - /user/login, /products.
In Swagger UI I post email and password to /user/login and as a response I receive a token string.
Then, I can copy the token from the ...
153 votes, 26 answers, 182k views
Can't connect Nexus 4 to adb: unauthorized
I have a Nexus 4 with Android 4.3 and I am trying to connect the device to a computer with Windows 7 64bit.
I installed the latest drivers and the latest adb version. I think I tried almost ...
153 votes, 1 answer, 7k views
How can a JACC provider use the Principal-to-role mapping facilities of the server it's deployed on?
I am writing a JACC provider.
Along the way, this means implementing a PolicyConfiguration.
The PolicyConfiguration is responsible for accepting configuration information from the application server,...
129 votes, 4 answers, 156k views
Custom HTTP Authorization Header
I was wondering if it's acceptable to put custom data in an HTTP authorization header. We're designing a RESTful API and we may need a way to specify a custom method of authorization. As an example, ...
127 votes, 4 answers, 160k views
ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)
I need to control the access to views based on users' privilege levels (there are no roles, only privilege levels for CRUD operation levels assigned to users) in my MVC 4 application.
As an example; ...
124 votes, 3 answers, 78k views
Custom Authorization in Asp.net WebApi - what a mess?
I'm reading from several resources (books and SO answers) about authorization in WebApi.
Suppose I want to add Custom Attribute which allows access only for Certain Users:
Case #1
I've seen ...
117 votes, 5 answers, 111k views
Authorize Attribute with Multiple Roles
I would like to add Authorization to a controller, for multiple Roles at once.
Normally that would look like this:
[Authorize(Roles = "RoleA,RoleB,RoleC")]
public async Task<ActionResult> ...
106 votes, 13 answers, 116k views
Authorization header missing in PHP POST request
I'm currently trying to read the authorization header in a PHP script that I'm calling with a POST request. The Authorization header is populated with a token. It seems the Authorization header is ...
98 votes, 1 answer, 25k views
HttpClient single instance with different authentication headers
Given that the .NET HttpClient has been designed with reuse in mind and is intended to be long-lived, and memory leaks have been reported in short-lived instances, what guidelines are there where you ...
96 votes, 3 answers, 78k views
.NET exceptions I can throw for Not Authorized or Not Authenticated
I have parts of code where I want to throw an Exception whenever a user is not authenticated/not authorized.
So instead of writing my own NotAuthenticatedException and NotAuthorizedException, I was ...
94 votes, 12 answers, 164k views
How to generate access token using refresh token through google drive API?
I have completed steps of authorization and obtained access token and refresh token.
What should I do next to generate an access token using the refresh token that I have stored, through the Google Drive API?
I ...
94 votes, 8 answers, 78k views
Multiple HTTP Authorization headers?
Is it possible to include multiple Authorization Headers in an HTTP message? Specifically, I would like to include one of Bearer token type (passing an OAuth access token) and one of Basic type (...
92 votes, 8 answers, 220k views
MongoDB "root" user
Is there a super UNIX like "root" user for MongoDB? I've been looking at http://docs.mongodb.org/manual/reference/user-privileges/ and have tried many combinations, but they all seem to lack in an ...
91 votes, 6 answers, 213k views
Basic authorization command for curl
How do I set up the Basic authorization using Base64 encoded credentials?
I tried the two commands below, but to no avail. Please suggest the correct variant.
curl -i -H 'Accept:application/json' ...
89 votes, 2 answers, 15k views
OAuth v2 communication between authentication and resource server
I'm having some troubles understanding how OAUTH-v2 works.
The OAuth version 2 spec reads:
Accessing Protected Resources
The client accesses protected
resources by presenting the access
token to the ...
88 votes, 7 answers, 256k views
How do I set up access control in SVN?
I have set up a repository using SVN and uploaded projects. There are multiple users working on these projects. But, not everyone requires access to all projects. I want to set up user permissions for ...
87 votes, 6 answers, 93k views
ASP.NET 5 Authorize against two or more policies (OR-combined policy)
Is it possible to apply authorization against two or more policies? I am using ASP.NET 5, rc1.
[Authorize(Policy = "Limited,Full")]
public class FooBarController : Controller
{
// This code doesn'...
86 votes, 9 answers, 103k views
htaccess exclude one url from Basic Auth
I need to exclude one Url (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank or /callbacks/.*
Do you have any hints how to do it?
What I'm not ...
84 votes, 4 answers, 47k views
Authorization approaches and design patterns for Node.js applications [closed]
I am building a multiple page admin interface for an internal enterprise software platform. Think lots of glue logic tying together various APIs, db queries, and shell scripts.
We will be using node....
84 votes, 5 answers, 113k views
Customize the Authorization HTTP header
I need to authenticate a client when he sends a request to an API. The client has an API-token and I was thinking about using the standard Authorization header for sending the token to the server.
...
81 votes, 1 answer, 79k views
How to implement custom authentication in ASP.NET MVC 5
I'm developing an ASP.NET MVC 5 application. I have an existing DB, from which I created my ADO.NET Entity Data Model.
I have a table in that DB which contains "username" and "password" columns, and I ...
81 votes, 6 answers, 76k views
How to prevent CSRF in a RESTful application?
Cross Site Request Forgery (CSRF) is typically prevented with one of the following methods:
Check referer - RESTful but unreliable
insert token into form and store the token in the server session - not ...
80 votes, 4 answers, 143k views
Why is <deny users="?" /> included in the following example?
The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:
<authorization>
<...
79 votes, 5 answers, 108k views
How to Get All Endpoints List After Startup, Spring Boot
I have a REST service written with Spring Boot. I want to get all endpoints after startup. How can I achieve that?
The purpose of this: I want to save all endpoints to a DB after startup (if they are ...
77 votes, 8 answers, 116k views
Redirecting unauthorized controller in ASP.NET MVC
I have a controller in ASP.NET MVC that I've restricted to the admin role:
[Authorize(Roles = "Admin")]
public class TestController : Controller
{
...
If a user who is not in the Admin role ...
75 votes, 6 answers, 77k views
Authentication, Authorization and Session Management in Traditional Web Apps and APIs
Correct me if I am wrong: In a traditional web application, the browser automatically appends session information into a request to the server, so the server can know who the request comes from. What ...
75 votes, 1 answer, 60k views
REST API Authorization & Authentication (web + mobile)
I've read about oAuth, Amazon REST API, HTTP Basic/Digest and so on but can't get it all into "single piece". This is probably the closest situation - Creating an API for mobile applications - ...
75 votes, 4 answers, 31k views
Is it more efficient to store the permissions of the user in an JWT claim or to check it on the server at every request?
JWT is a great way to make sure the data sent to the user and back is not tampered with, but that makes for some tough choices. At the moment I am in the dilemma of choosing between storing the ...
74 votes, 5 answers, 180k views
Get Header Authorization key in laravel controller?
I'm trying to get the header authorization key in a controller for making an API. The request is being made from Fiddler.
$headers = apache_request_headers();
And the $header contains an array.
Array
(
[User-...
74 votes, 3 answers, 46k views
Difference between Passport and JWT?
I'm pretty new to Express/Node - I'm trying to figure out what the difference between Passport and JWT is but can't find a definitive answer? I know you can use one or the other for auth purposes in ...
73 votes, 5 answers, 71k views
Restrict access to a specific controller by IP address in ASP.NET MVC Beta
I have an ASP.NET MVC project containing an AdminController class and giving me URLs like these:
http://example.com/admin/AddCustomer
http://examle.com/Admin/ListCustomers
I want to configure the ...
69 votes, 5 answers, 58k views
Token Based Authentication in ASP.NET Core (refreshed)
I'm working with an ASP.NET Core application. I'm trying to implement Token Based Authentication but cannot figure out how to use the new Security System.
My scenario:
A client requests a token. My server ...
68 votes, 4 answers, 28k views
Authorization header missing in django rest_framework, is apache to blame?
I've managed to extend TokenAuthentication and I have a working model when using the request session to store my tokens, however when I attempt to pass Authorization as a header parameter as described ...
66 votes, 3 answers, 46k views
React Router Authorization
What are the best practices for authorization checking prior to a component mounting?
I use react-router 1.x
Here are my routes
React.render((
<Router history={History.createHistory()}>
...
65 votes, 8 answers, 44k views
How can we set authorization for a whole area in ASP.NET MVC?
I've an Admin area and I want only Admins to enter the area. I considered adding the Authorized attribute to every controller in the Admin area. Isn't there an elegant solution or is this feature not ...
64 votes, 1 answer, 3k views
How can I delegate JAAS authorization checks to Shiro?
I'm developing a server-side application that needs authentication and authorization based on objects. I like Shiro's simplicity, but for being compatible with JAAS, I wrote a LoginModule that uses ...
62 votes, 4 answers, 194k views
How to use basic authorization in PHP curl
I am having a problem with a PHP curl request with basic authorization.
Here is the command line curl:
curl -H "Accept: application/product+xml" "https://{id}:{api_key}@api.domain.com/products?limit=1&...
61 votes, 4 answers, 16k views
Android: What is transport and jsonFactory in GoogleIdTokenVerifier.Builder?
In the code below, what are transport and jsonFactory? (I do not understand.)
https://developers.google.com/identity/sign-in/android/backend-auth#using-a-google-api-client-library
import com.google....
61 votes, 13 answers, 12k views
Should unauthorized actions in the UI be hidden, disabled, or result in an error? [closed]
This is a perennial question for me that I've never really resolved so I'd like your input. If I have actions that I know a user will not be able to perform due to insufficient privileges or object ...
61 votes, 6 answers, 52k views
Set default header for every fetch() request
Is it possible, using the fetch API, to set default headers for every single request?
What I want to do is set an Authorization header whenever there is a json web token in the localStorage. My ...
59 votes, 5 answers, 72k views
Accessing post or get parameters in custom authorization MVC4 Web Api
Is it possible to access post or get parameters via the HttpActionContext object?
I have a set of sensors that logs data to a web server that provides a REST API. I would like to introduce some ...
59 votes, 6 answers, 34k views
User authentication and authorisation in ASP.NET MVC [closed]
What is the best method for user authorisation/authentication in ASP.NET MVC?
I see there are really two approaches:
Use the built-in ASP.NET authorisation system.
Use a custom system with my own ...