I'm migrating a backend Basic Auth to Digest Auth.
Until now, we have an first tier apache2 server making the authentication via header overwrite to avoid users knowing the backend credentials:
<Location />
ProxyPassReverse "http://192.168.110.111/"
ProxyPass "http://192.168.110.111/"
RequestHeader set Authorization "Basic dXNlcjp1c2Vy"
</Location>
However, Digest authentication requires some extra work to manage nonce variable fields and such stuff.
Does anybody know if there is any way to make the Digest login to the backend automatically from the Apache server against the proxyed backend?
Thanks!!
Related
i managed to secure my spring boot backend (localhost:8081) with keycloak as an authorization server (with an access token needed), but i want my frontend (react with port localhost:3000) to access the data which is secured. Thus meaning that localhost:3000/products should fetch data from localhost:8081/products after a successful login.
Could anyone guide me on this problem?
You choose an OIDC client lib for react. It should handle
redirection to authorization server for login
redirection back from authorization server with authorization code
exchange of authorization code for access, refresh and ID tokens
automatic access token refreshing
(maybe) automatically insert authorization header with bearer access token for configured routes
The requests your React app will issue to Spring resource server will then have required JWT access token.
PS
Make sure your Spring back-end is configured as resource-server (and not as client).
Also make sure that you do not use the deprecated Keycloak adapters for spring.
I have a https frontend which is making requests to the backend. After adding ssl certificate my requests are getting blocked. I cannot make my backend api https. What should i do?
FYI:
The frontend server is react, the backend is express and i am running nginx.
In order to make https requests to the backend server, i just set it as a subdomain and it all worked.
I have an App Engine server hosting an AngularJS application that makes CORS requests to some Cloud Endpoints APIs on another App Engine server. As per the $http service documentation I have enabled it to send credentials in cross-domain requests by settinga default header:
$httpProvider.defaults.withCredentials = true;
The front-end server has an associated custom domain with SSL support, and makes requests via HTTPS (so that both the ends are basically HTTPS).
My goal is sending an authentication cookie to the backend in order to manage resource access authorization, but for some reason this cookie never gets sent.
I do see the cookie in the request when the two servers are running locally (frontend: http://localhost:8081, backend: http://localhost:8080), but not when they're deployed.
What am I missing there?
angular http Documetation i follwed
Try adding this header to your HTTP calls {'Content-Type': 'application/x-www-form-urlencoded'}
If I understand correctly, you want to send an authorization cookie over CORS to a different (sub)domain?
To do this, you need to permit CORS requests on the initial page load, use 'withCredentials' as you have detailed as well as have a cookie for the targeted cross domain call. If it's cross domain, you'll have to write the cookie in js code, if it's a sibling subdomain make sure the cookie domain starts with a dot .domain.com, and the cookie will then be shared across all subdomains of the domain.
Localhost can play havoc with this kind of testing because the domain relationships are different (i.e. Not sibling subdomains) - you can try using a local proxy to set up a scenario which maps subdomains to a loop back address.
I have an architecture where I'm using sailsJS (custom node.js implementation) as my api server and an angular front end server. Each app is being served from different domains.
How can I maintain an authenticated session in the sailsJS api app between requests?
Sails has an integrated req.session object for maintaining sessions but it doesn't seem to be working out of the box when the client is being served from another domain.
You need to check two things when doing cross-origin requests from your front-end app to your Sails app:
Make sure your Sails app has CORS enabled; this will ensure that the browser doesn't block the requests for security reasons
Make sure the withCredentials flag is set in your AJAX request; this will ensure that your cookie is sent to Sails and your session is maintained.
With Restangular, you can set withCredentials to be used on all requests by default using setDefaultHttpFields; see this answer for details.
How can I protect my website during development with htaccess in Cakephp? While I have only ftp username and password
I used
.htaccess
AuthType Basic
AuthName "MyProjName"
AuthUserFile "/projectname/app/webroot/p.htpasswd"
require valid-user
Server error occure
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.
This is not an CakePHP question, this is a Apache HTTP question.
If you need to control HTTP Auth with users data stored in MySQL database that is managed by some cakephp app, you may need to search for "htaccess mysql user", and check the properly hashing passwords to support that feature.