I am developing a REST API layer for my application using Zend_Rest_Controller. I have an authenticate method where the clients will pass the apikey and after the key is authorized I have to create a session (for which I'm using new Zend_Session_Namespace(<32 bit unique session key which I'm generating>)) which need to be retrieved in subsequent API calls where the client will pass the same session key which I generated in the previous step.
It looks like Zend uses PHPSESSID variable to retrieve the session object and since my clients use, curl there is no guarantee that the same request object will be used in subsequent calls.
In a nutshell - I want to generate a 32 bit unique string and then use that as a key to store the session object and then use that key to restore my session object in the next call. And in the process I don't want Zend to use the PHPSESSID variable.
Any help will be greatly appreciated!
Cheers
The Zend_Session API documentation lists a setId method:
setId() - set an id to a user specified id
throws: Zend_Session_Exception
access: public static void setId (string $id)
string $id
Related
Im looking at the new Keycloak Beta 4 API. When i get the users account information, what is referred to as 'id' in the web ui comes back as 'sub' in the account object.
{ sub: '25a37fd0-d10e-40ca-af6c-821f20e01be8',
name: 'Barrack Obama',
preferred_username: 'obama#whitehouse.gov',
given_name: 'Barrack',
family_name: 'Obama',
email: 'obama#whitehouse.gov' }
What is 'sub' and is this a safe uuid to map database objects to?
As per the keycloak documentation
Anatomy of Action Token
Action token is a standard Json Web Token signed with active realm key where the payload contains several fields:
typ - Identification of the action (e.g. verify-email)
iat and exp - Times of token validity
sub - ID of the user
azp - Client name
iss - Issuer - URL of the issuing realm
aud - Audience - list containing URL of the issuing realm
asid - ID of the authentication session (optional)
nonce - Random nonce to guarantee uniqueness of use if the operation can only be executed once (optional)
Please refer the following link https://www.keycloak.org/docs/latest/server_development/index.html#_action_token_anatomy
Reason may be they want to retain the uniqueness in the name.
In addition to the previous answer, inside JWT tokens, sub refers to subject. The reason is that those tokens can be used in various cases, including authorization. That means that id sometimes might not be "the unique identifier" but might be anything, including repeatable destinations. Basically, a naming convention JWT follows, regardless of Keycloak.
Is it possible to flash whole session or some key in it inside filter?
I want store some token in session which will bind user from DB to session and create filter which will check if token id Db equal to token in session. If not - it should invalidate the session. Can it be done or may be I need to do it differently? I have access to requestHeader object in filter. I thought of a way to make a copy of it with modified session in a filter. Or should I move this logic to Controller?
Check out Reading a Session value and Discarding the whole session.
I'm using the parse REST API.
I need to setup so that for any requests made:
1) only logged in/authenticated users can Read or Write.
2) users can only access/modify records they own.
My current implementation:
1) using the Application key + REST API key.
2) sending request to user login endpoint, on success returning the user data including the session token
for 2), I'm not doing anything with the session token yet.
I understand that parse has:
1) class based permissions
2) object-level permissions (ACL's)
With Read and Write access on the class level, and by simply using the Application Key + REST API Keys,
anyone with these two keys can access that class (ofcourse, the Master Key has even more "power").
I want to simply say that they can Read and Write on the class level, if they're logged in/authenticated.
And when they Read, Update or Delete, they can only do so if they're owner of the object.
I assume that session token will play a role in the logged in part, and ownership is defined by object-level ACL
Is this correct and how to roughly set this scenario up in parse?
It's not clear to me in the REST API how to handle this (what I think is a common) type of scenario.
Thanks for any feedback
{"ACL":{"$CURRENT_USER":{"read":true,"write":true}}}
above in acl column will mean at the security level, only the creator has RW permissions. No other user can see these records with this ACL attr value regardless of their access on the CLASS level.
OR
you control the accessor predicates in your app. So you can add a column = 'createdBY' of type pointer_to_class_User.
Any queries just contain predicate ..
'where={"createdBy":{"__type":"Pointer","className":"User","objectId":"$CURRENT_USER"}}'
which enforces ( outside row security level ) idea of only getting result sets containing rows for the current-user.
all depends on how you want to use the security layer.
I would do it using the predicates and resort to the ACL only where you may have stuff like SSN's or Salary where as a policy you dont what general read permissions.
I I have been searching a lot for answer to this question. However after reading a lot of resources including Spring Security documentation as well I am still away from completely
understanding as to how to authenticate a user for REST API using Spring Security .
Here is what I want to do:
1) I want to implement authentication like Amazon S3 service using public-private key
2) For that I will be sending an HMAC token with every request and public key in authorization header or my own custom header.
3) I want to use spring security to achieve server side handling of the token as follows:
1) fetch the public key from the header.
2) get the private key stored in database using my cutsom UserDetailService class
3) calculate the HMAC token on server side using request and private key just like I do it on client
4) compare two tokens to verify user
5) if successful,store authentication object in SecurityContextHolder.
From above I am not sure how to do this in Spring Security. What I have understood is as follows:
1) Use a <http> element along with custom filter. I have done this as follows
<http use-expressions="true" create-session="stateless"
authentication-manager-ref="restAuthenticationManager"
entry-point-ref="jkwebRestAuthenticationEntryPoint">
<intercept-url pattern="/api/**" access="isAuthenticated()">
</intercept-url>
<custom-filter ref="jkWebSecurityHmacAuthenticationFilter"
position="FORM_LOGIN_FILTER"/>
</http>
2) Now I can get access the header in this filter and access public key from it.
However, I am not sure how to retrieve the private key from database using this public key. Do I need to use custom AuthenticationManager or AuthenticationProvider? and how to do this.OR can I directly inject my UserDetailService Bean into filter bean as it is?
3) If I do not need to use custom AuthenticationManager or AuthenticationProvider and I can inject UserDetailService directly into filter bean,then do I need custom AuthenticationEntryPoint?
4) Assuming I am able to retrieve and do authentication in the filter do I need to just call chain.doFilter and request will be forwarded to the appropriate controller?
5) in case if authentication fails in the filter how I should 401 resonse to client or custom authentication entry point need to be used? if yes how?
6) also I need to put Authioities in UserDetails which I construct in UserDetailsService implementation and set it in UserDetails object. Just by setting the authentication object in security context will do the job and authorization will be carried our once authentication is successful?
I can post more code for clarity if needed.
After using the original MVC for sometime I am getting familiar with MVC 2, but I would like to know whether there is away of passing values from a form, like a user name and password, which is not sent as part of URL when moving on to the next page?
I have a basic form that takes in a few values binding to an entity and then the next thing I do is call my model level for the database. After that I return RedirectToAction.
Can anyone advise me, please?
When you redirect you are loosing all POSTed values that were present in the form. A redirect means a new GET request and a GET request means that if you want to be able to retrieve those values on the target action you have a couple of choices:
Save them in the database and pass only the id as query string parameter that will allow the target action to retrieve them
Pass all values as query string parameters
Use TempData or Session (not recommended)