I am having an issue regarding sending email through smtp_sendgrid in oracle plsql. I have an email stored procedure. When I use a normal username and password, it sends the email properly but when I use the API key, it causes the error '421 service not available'. This is critical because sendgrid is about to discard normal username and password and will use API key only. This API key is working fine in other applications but causing an error in plsql only.
Related
I have a REST server over SSL.
Initially, the client logs in with the credentials.
To avoid sending the username/password for each request, I have created a custom token which is returned to the user in the login procedure.
This token contains some information about the client (IP and user-agent) as well as an expiration time; and of course the token is sent encrypted.
Further calls include the token in a custom header field; which are verified in IDispatchMessageInspector
The approach works fine, but I am pretty sure it's not a good approach.
Is there any benefit in using custom authentication than the message inspection?
Message inspection is the checking, changing, and replacing of messages after they are received and before they are sent.
Custom authentication requires the authentication of a username and password, which is more suitable for login or other situations where a username and password are required.
Both types of verification have their own applications.As you said to avoid sending the username and password every time you can choose message inspection. Personal words also tend to be message inspection.
I created a password manager in flutter, which stores password encrypted passwords in an db. I access this db via the backend, which is written in python. As a user in the app, you are able to set a master password, which after each login is passed to the backend, to encrypt the data. I now want to add sign in with google functionality (firebase authentication), so that you don't need to type in your master password every time. Is it possible to receive something like a key or a token from firebase after each successful google-login which you can use instead of the master password?
I noticed already that there is this uid in the firebase user class (which i receive from FirebaseAuth.instance.signInWithCredencial(google_sign_in_credencial) in the google registration progress) which is unique for every user, but i dont think that this is secure enough to replace this sensitive master password. I also heard from JWT Authorization, but i am not sure, if it's the right thing for that.
We are using a mobile xmpp client to chat with ejabberd server. During the registration, we want the following fields: JID, Password, appID to be sent to the xmpp server.
Which module should I look into to incorporate this change? I also want to store the appID in ejaberd's users table in the database. Further in our current installation we can see the password. Which module of ejabberd should I invoke to encrypt store the passwords. Also can we verify the user using the encrypted password? Any suggestion and pointers to the right direction will be of great help.
We are using a mobile xmpp client to chat with ejabberd server. During
the registration, we want the following fields: JID, Password and the
appID to be sent to the xmpp server ( ejabberd here). Which module
should I look into to incorporate this change? I also want to store
the appID in ejaberd's users table in the database.
mod_register only takes username and password during registration. If you want to store other details during registration, you would have to modify the source code of that module. Or you can store the appid and any other information in the account vcard, once the account is created and the client logins to it.
Further in our current installation we can see the password . which
module of ejabberd should I invoke to encrypt the password and store
the encrypted passwords. Also can we verify the user using the
encrypted password? Any suggestion and pointers to the right direction
will be of great help.
If you enable SCRAM in ejabberd configuration file, the passwords will be stored scrammed (that is, encrypted).
As an admin, I need to set user passwords through SOAP API but I could not find a service addresses my need. The closest service to mine is SetPassword that enables setting passwords through ZimbraID. Are there any ways to set passwords through usernames? Or how can I retrieve ZimbraIDs for existing accounts?
That's the only method available. However, you can get the zimbra id using GetAccount and using username.
I am developing a web service and I need to send a username and password to the service in a GET method. Is it OK to send this information in the uri as long as it's going over a secure channel like ssl? In other words, can I have a uri that looks like /users/{username}/{cleartext_password}?
Edit: Sorry, I think I was unclear. The web service is essentially just a database of usernames and hashed passwords. Imagine a desktop application that keeps usernames and passwords in a remote database. The end user types their username and password into the application and the application accesses the web service to authenticate the user.
So, the application will need to send an end user's username and plaintext password to the service. The service will take the username and password and check that the username and the hash of the password match the username and hashed password in the database. The application itself will have to authenticate before it can access the service, but I am just wondering what is the best way to send the end user's username and password to the service for authenticating the end user. I don't to use a POST method because I am simply authenticating and therefore not changing the state of the server. Sorry for the confusion.
Do this.
Send a "key" and a "digest".
The "key" is equivalent to a username.
The "digest" is a SHA1 (or MD5) hash of the key, the URI and a "shared secret" or password.
When the server gets this, it computes it's own version of the digest, based on key, URI being requested and the "shared secret" or password. Failure to match digests is a 401 error response.
If it's going over a secure channel, there's no problem sending the username and password as cleartext. I'd just recommend against ever sending them as cleartext through an insecure channel and against sending them repeatedly for each request.
What you could do is first authenticate to the web service (send the username and password via ssl as cleartext) and get a token from the server that it will recognize. Then send that token with each subsequent request.
Generally speaking this is not a good idea... This data will be present in a number of log files, consequently the data could be visible to people who should not see it. At the very least you should hash or encrypt it before sending it if you can.
Here is a related discussion for a little more detail... Is an HTTPS query string secure?
SSL does encrypt the URI, but definitely take a look at some alternatives.
HTTP Basic Auth is nice and simple, and well supported by browsers, webservers, etc
It also won't end up in log files to the same degree as URIs
NB: It's just some plain-text HTTP Headers, so definitiely NOT recommended for non-SSL apps.
http://en.wikipedia.org/wiki/Basic_access_authentication