I am developing a web application - the client is angularJS and the server is aps.net web api2 and adfs to authenticate.
I deploy my app on multiple servers (every server contain the whole app) and there is a network load balancer,
so the user (and the angularJS) contact the network load balancer.
When user enter the app, at first the server redirect him to authenticate and then the user can talk to the server.
My problem begin after the authentication, when the network load balancer redirect the user to other web api, then the "new" server doesnt know him and he cant get any data.
Is there any way to share the saml token between all my servers?
how does resetful application can authenticate in cloud (like Amazon) , when the developer doesnt know how many server does he have or to what server the user contact?
thanks for helpers :)
Related
I have a Spring Application, That authenticates the user name and password, And uses the JWT token for the SSO, I have deployed it in the Web Sphere Application Server, (**I have used the WAS 9 )I need the application to generate the LTPA token so that it can be used to authenticate the other application which is deployed in another web sphere application server, in the IBM Documentation, However the issues is. I am not aware where it needs to be added in the project. Or do I need to do anything needful. I have enabled the LTPA from the Security>> Global Security and enabled the SSO as well. I am aware that the generation is automated, But as the application needs to create the LTPA token for specific user. And it needs to be redirected to the URL of the other application, Which has the same domain name as well, The issue remains, What are the modification that I need to do in order for the application to generate the LTPA token and send it to the application that is deployed in other WAS server. And can I use the restapi for it. OR can be added in the URL, or use cookies.
Thank you in advance.
I have developed an AngularJs website, Android & IOS mobile apps. I am using https protocol to make my web service calls more secured. I am using OAuth flow for user authentication process. Once authentication process completed, OAuth token will be sent as a response to client apps.
Anyone can get access to server resources (upload/download user files) using this OAuth token from API response. So the system is not fully secured because it is difficult to check whether the request coming from my app or outside of the app.
If someone found the OAuth access key returned from my service, they can use them to upload/download resources from outside of the app. Server resource should be more secure as it contains more sensitive user records. Please check the below image to understand the workflow. Other programs section refers to custom batch scripts, other client apps, 3rd party tools etc..
How can I restrict my REST web service to send failure response if anyone tries to access it from outside of my app?
Please provide me the way to secure my web service and server resources by resolving these security issues.
I'm securing a web app with identity server 4. My app is split into 2 oidc clients an ASP.Net Core MVC client and a javascript(angularjs) client which uses the oidc-client javascript library.
When a user first visits the web app we redirect for log in to identity server, which logs in the mvc client. I want to the javascript client is then logged in using the silent login feature from the oidc-library.
Is it possible?
Is it an acceptable solution?
any points will be appreciated.
We are designing a web site for selling financial products online.
The following is a high level description of the components:
Our frontend will be a SPA built with AngularJs.
The frontend will communicate with an API hosted in Heroku.
The API will expose web resources which allows the execution of the
business process.
The API hosted in Heroku serve as a passthrough between the frontend
and the real services which actually do the tasks.
The purchase process is designen to not ask for user/password or
account creation at any point.
We have some queries we execute thru the API which returns confidential information -confidential according to the local law-
We want the frontend to authenticate to the API to retrieve this information still NOT asking for credentials to the user.
We thought about a local persistence of the credentials and obfuscating the request but that would be easy to break with a proxy so the request can be read clearly.
What would be an option for this need of authenticating the frontend without asking for credentials to our clients?
Discovered a problem with connecting all together - Facebook, GWT and App Engine.
I need to authenticate user on my web site hosted on App Engine (Java) that uses GWT. After authentication, some information should be passed to server from facebook - like profile information, user list, etc.
Currently am trying to use facebook4gwt and authentication works fine, and I can obtain all needed information on client side, but can not transfer facebook session to server, particularly, obtain Facebook cookies for session verification.
Could anyone suggest any good solution for this? Probably, it would make sense to get rid of facebook4gwt and do everything on server side.
I have been using the gwt-facebook library for one year to authenticate users of my application on App Engine. When a user is already logged into Facebook, and has already authorized my application, I can automatically get the access_token in GWT and send it to the server which can then do the hard work (data syncing) with facebook-java-api library.