I would like to know if I can hook in a custom authorization support in apache2 webserver. What I want to do is, based on the user logged in, I want to disable few HTML pages being served to UI. The logic to check permissions to static resources (html, css, js etc) for a given user is little complex so I cant use the already available authorization and access control support of apache2. I would want all the requests for static resources in my webapp should first go through my custom module (authorization) which then decides if this request can be served or redirected to some error page.
What is the best way to achieve this?
This article talks about mod_python to implement custom Apache/Subversion Authentication/Authorization, but is quite generic.
Combined with the standard <Location> Directive this can be a solution for your problem.
Related
I have some content in AEM and I am planning to export those content into mobile app(react) in headless way. I am using AEM content as service, sling content exporter(Jackson) to export the content.
For example, http://localhost:4502/content/we-retail/language-masters/en/course.model.json will export some content to frontend application(react mobile app). I want to protect this API call and I should return the json response only to my frontend application(react mobile app)
Basically I want to validate who is calling AEM. In this case I want to allow only mobile(react) to call AEM and want reject all others. How do I protect my AEM content ?
The one way I am thinking is to use Apache sling referrer filter in AEM. Referrer filter will reject the request if we are not allowing the mobile app (react ) in "Allow Host". Is this correct way to handle? if there any other best way to handle this? how about using Adobe granite OAuth 2.0 server ?
Please suggest me what are the available option to protect the content in headless.
As you give the App away (and it is based on JavaScript), you cannot get full security. Attackers could use a jailbroken phone and debug or de-compile your app. But you can easily secure your API in a way, that nobody can “accidently” find the entrance. Nor the average hacker can gain access.
The simple approach = SSL + Basic Auth
Make sure, that your site is only accessible via https (= SSL). Then just add a Basic Auth password, which is hard to guess. This is simple to implement (on Dispatcher and in the App), and developers/operators could still test the API. Only make sure, that the password is obfuscated in your App. So, don’t store it as plain text. A simple XOR encryption is probably enough.
The advanced approach = SSL with client-certificates
Instead of a Basic Auth password, you could use an SSL client certificate (implement that also on the Dispatcher, and NOT in AEM). This is probably a little bit over-engineered, and it can still get lost. But now the attacker must de-compile your App to extract the certificate. The Basic Auth password could theoretically be “found” in other ways – or it could be attacked with brute force.
PS: In both cases you need to monitor your API with some intrusion detection. And you must be able to distribute new passwords or client certificates to legitimate clients.
PPS: Mobile Security is a huge topic. This could not be handled in a StackOverflow question. But to stop script-kiddies from crawling your API, the simple approach is probably good enough.
I'm trying to create a multi-tenanted blazor application using ABP Framework and i'm struggling to figure out how to implement as the documentation is very limited.
My application needs to resolve the tenant based on the url. A tenant can have multiple urls, so therefore need to create a custom tenant resolver which looks up a url table for the tenant and returns the correct id. I have tried this in the HttpApi.Host project and its working fine but the issue is that it doesnt know anything about the URL that the blazor application was loaded on.
I'm now thinking about adding an http header to the api requests with the url, so that the tenant resolver can pull it. Before i head down this path, i'm concerned there is much easier and better way to accomplish this problem i'm tackling?
the documentation is very limited.
The documentation is rich, and the code is open source.
https://docs.abp.io/en/abp/latest/Multi-Tenancy#tenant-resolvers
https://github.com/abpframework/abp/tree/dev/framework/src/Volo.Abp.AspNetCore.MultiTenancy/Volo/Abp/AspNetCore/MultiTenancy
I read an article about social sharing issues in AngularJS and how to combat by using Apache as a proxy.
The solution is usable for small websites. But if a web app has 20+ different pages, I have to url-write and create static files for all of them. Moreover, a different stack is added to the app by using PHP and Apache.
Can we use NodeJS as the proxy and re-write the url, and what's the approach?
Is there a way to minimize static files creation?
Is there a way to remove proxy, url-rewrite, and static files all together? For example, inside our NodeJS app to check the user agent, if it is facebook bot or twitter and the like, we use request module to download our page and return the raw html code for them, is it a plausible solution?
Normally when someone shares a url in a social network, that social network request that page to generate a preview/thumbnail (aka "scrape").
Most likely those scrapers won't run javascript, so they need a static html version of that page.
Same applies for search engines (even though Google and others are starting to support javascript sites).
Here's a good approach for an SPA to still support scrapers:
use history.pushState in angular to get virtual urls when navigating thru your app (ie. urls without a #)
server-side (node.js or any), detect if a request comes from a user or a bot (eg. check the User-Agent using this lib https://www.npmjs.com/package/is-bot )
if the request url has a file extension, it's probably a static resource request (images, .css, .js), proxy to get the static file
if the request url is a page, for real users, if the url is a page (ie. not a static resource) always serve your index.html that loads your angular app (pro tip: keep this file cached in memory)
if the request url is a page, serve a pre-rendered version of the requested url (they won't run javascript), this is the hard part (side note: ReactJS makes this problem much simpler), you can use a service like https://prerender.io/ they'd take care of loading your angular app, and saving each page as html (if you're curious, they use a headless/virtual browser in memory called PhantomJS to do that, simulating what a real user would do clicking "Save As..."), then you can request and proxy those prerendered pages to bot requests (like social network scrappers). If you want, it's possible to run a prerender instance on your own servers.
All this server-side process I described is implemented in this express.js middleware by prerender:
https://github.com/prerender/prerender-node/blob/master/index.js
(even if you don't like prerender, you can use that code as implementation guide)
Alternatively, here's an implementation example using only nginx:
https://gist.github.com/thoop/8165802
I'm building a project using Node.js and AngularJS.
Some of the views and operations in my project require authorization.
In ASP.NET I used to simply save the user-id or user object in the Session when the user's credentials are correct, then in every Page and operation I would check if the user has permissions, and if not I would use Response.Redirect. So simple!
Now I use Node.js and AngularJS which are maybe the most popular combination for building websites nowadays and I would expect to have a very simple and quick way (even of a third party) to implement authorization, just like in ASP.NET.
Unfortunately I've only found a bunch of implementation examples that contain a myriad of code lines and turn me into an information security expert who knows about things like token and etc. Here are some of the articles I've found:
Best practices for authentication and authorization in Angular without breaking RESTful principles?
http://frederiknakstad.com/2013/01/21/authentication-in-single-page-applications-with-angular-js/
https://www.theodo.fr/blog/2015/08/handling-basic-route-authorization-in-angularjs/
http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543
http://www.kdelemme.com/2014/03/09/authentication-with-angularjs-and-a-node-js-rest-api/
Is there any simple way to implement authentication+authorization+routing to unauthorized page without writing so many lines of code?
Any help will be profoundly appreciated!
MeteorJS is a node based framework with a drop-in authentication system. It also has first class support for AngularJS on the front-end.
You would first add the relevant accounts and UI packages on the command line.
meteor add accounts-password
meteor add dotansimha:accounts-ui-angular
You could also add OAuth provider packages such as accounts-facebook or accounts-google.
Then in your template you add a the login-buttons directive.
<login-buttons></login-buttons>
It then handles account creation, login, forgot passwords etc. It also provides hooks so you can add fields and values on account creation.
Here is a link to the authentication section of the Meteor/Angular ToDo tutorial.
nodejs modules and jsonwebtoken, passport, passport-local
passport local for local strategy and passport for authenticate and jsonwebtoken for create authentication token
I have Web application with angular as frontend and Django REST as backend.
My web application does the request like
/api/options/user?filter={}
Now is it possible that if those requests are made from application then they go through but they type that in broswer directly and edit some filters then they don't work
Although the data is not sensitive and they can still see it via console but i just don't want them to play with it or at least make it hard
You can't rely on the URL to distinguish between the two cases. You could have your application provide information in the headers of the request, which a browser would not know, but someone writing their own application could mimic your technique.