Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 4 years ago.
Improve this question
I need to test SAML federation for a web application that is protected by an in-house SSO solution that can federate in SAML.
For testing purposes, I generally provision a Windows Server 2012 R2 server and configure ADDS and ADFS on it and then create a relying party trust to our web application's SSO solution (our SSO solution has a ACS URL which I use here)
Now, is there a SaaS based IDP that allows me to quickly configure a user store and SAML federation with my application. I just need to test the simple use case of user authenticating with his IDP credentials and the SAML assertion being posted to my ACS url.
I know there are many SaaS IDP solutions but need to know which one provides the simplest and least resistant path for my use case.
Any suggestions are appreciated.
There are a number and you want one that is quick to use, good documentation and (hopefully) free.
I have used Azure AD, Auth0 and Okta for this kind of thing.
Sadly, SAML configuration is never easy!
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
Improve this question
Is CSRF protection really expected to be present in a REST based application?
I know it is required for web applications where JSPs are served from the server end. But I am developing a Spring Boot enabled REST service that will be consumed by Angular/Bootstrap front ends. The authentication mechanism is JWT based.
Can anybody explain what kind of CSRF attacks I can expect since I haven't use Spring's CSRF protection mechanism in backend REST services?
Since a REST application is supposed to be stateless, you can't implement traditional CSRF protection (which involves storing a token on the client and the server and then matching them).
However, you can still be vulnerable to CSRF attacks if you use a mechanism to pass credentials that is automatically persisted by the browser (such as cookies or HTTP Basic Auth).
You should avoid using such methods for authentication when writing a REST service and use something else (e.g. a custom HTTP request header).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I have an html5 webapp that fetches data using jquery from rest java api. I have two questions:
How can I encrypt data on server and decrypt it locally with different key for each user. Where can I store this key in client side? Does it needed, or it is just enough to secure the rest service call with some authentication method?
Is there any standard way to prevent other rest clients (except browsers) to hit this rest api?
use HTTPS
Use authentication so you know who is hitting it - oauth, client certificates, session token - but there's nothing you can really do to prevent anything other than a browser accessing it. You could make it harder by rapidly recycling the authentication token using javascript (but this will break in horrible ways if the user opens more than one window).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I am creating a spring boot web app using jhipster and mongodb as primary database. Need to implement Oauth2 for authentication along with JWT token mechanism so that every request does not hit the database for authentication. How can I implement this mechanism?
MongoDB (or any database) is not particularly relevant to the JWT authentication since the JWT itself can be validated locally by the resource server using the public key of the authorization server without going to the database (as you say).
The key is using a JwtTokenStore
I found this github sample helpful: https://github.com/dsyer/spring-security-angular/tree/master/oauth2
I also created a basic jwt implementation with jhipster for you to look at. Here are the changes from what jhipster generated for me: https://github.com/sdoxsee/jwt-jhipster/commit/40090fcf4fab1b556ae28532c4ba8a33e70460c9
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
What are the best practices for creating a user authentication system for an ios application? Any good tutorials or insights on the process are helpful (newbie).
Stormpath is an authentication and user management backend service aimed at developers. You manage your own collection of users, verify their logins, and assign users to groups (roles). Your app makes calls to their server.
Parse provides a Parse Social service that lets your app do user authentication through Facebook or Twitter. Parse is being acquired by Facebook (as of 2013-04), so I don't know what that means for their future.
Okta is another.
Mozilla Persona is quite promising, but may not yet be ready for the real world. There is an open-source kit for iOS named persona-ios. Read a discussion on How to use Persona in a native iOS app?.
User authentication and identity as as service seems to be a new but burgeoning field.
If you are using a third party backend the stackmob, parse etc all handle authentication. If you are rolling your own then this project looks a reasonable way to go: http://quickblox.com/developers/SimpleSample-users-ios.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 months ago.
Improve this question
I have implemented REST API using PHP. This API access to MySQL Database.
I was looking for hosting services but I'm not sure where to start, majority of this type of services is referring to Web Hosting, which as I understand is not what I need.
Can anyone suggest any free or cheap service that will support my requirements?
I also need the possibility to schedule service which will periodically access REST API. This one is not implemented yet, because I'm not sure what kind of languages/frameworks are usually supported by the hosting service.
Any help is truly appreciated.
I think that a regular web hosting account would actually work just fine for what you need. If you think about it, the only difference between your RESTful API and any other website is that your API does not return HTML, but rather returns data that is encoded to be consumed by another program instead of a human user directly. From a hosting perspective, though... there really is no difference. There are lots of companies that provide PHP/MySQL hosting out there - for example, Dreamhost. Lots and lots of options.
Do you need the database itself hosted or just the PHP? If the latter, most any web host with PHP will do what you desire. If the former, you'll need a database host as well as a web host.
As long as the hosting provider supports HTTP requests like DELETE,PUT,etc and you are using them in your REST application/service then you are good to go. So just ask for a confirmation about this.
If you need php + MySQL hosting then go for web hosting
And for shedule service you can use cron jobs
In cron job u can select an php script and interval of running it automatically
It will automatically execute after given interval of time