i have a web application with Windows Authentication enabled. In my web.config I restrict the access with the following code:
<authorization>
<allow users="rba\eigg"/>
<deny users="*"/>
</authorization>
When I call the application in a browser, the IE's standard login dialog pops up. If I close it by 'Cancel' I get the HTTP 401 (Access is denied) error page as expected.
Is there a way to suppress the login dialog so that the user gets the 401 error page directly?
Thanks!
Rocko
At risk of sounding terse, let me just say: No. ;-)
It is an intrisic function of any browser when presented with a challenge/response type of auth.
Fiddling with this in any way would be a security risk and is not possible.
Just the way it is.
Cheers.
Related
I am using ZendFramework2 with zfc-user and ZfcRbac for authorization and access control. I have setup everything to work with database managed role. Now when a user navigate to an un-authorized page, I am getting the error page You are not authorized to access this resource which is thrown by ZfcRbac
Actually I have configured in my zfc-rbac.global.php to redirect to the 403 page. my settings are below.
ZfcRbac\Exception\UnauthorizedException
--
'unauthorized_strategy' => [
'template' => 'error/403'
],
How do I send the user to 403 page?
EDIT
The right answer is to attach the UnauthorizedStrategy in the onBootstrap
$t = $e->getTarget();
$t->getEventManager()->attach(
$t->getServiceManager()->get('\ZfcRbac\View\Strategy\UnauthorizedStrategy')
);
ZfcRbac per default doesn't do anything but throw the exception. The power of ZfcRbac then lies within it's many, many customizable features. The one you should be looking at is found under the Documentation-Section "Strategies".
In short
register the redirection strategy on your Modules onBootstrap
if required, change the redirection strategies configuration
I am the author of a Chrome extension that allows to translate status updates and comments right on Facebook: https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin
For some days now, my users and me are getting an error in the error console that sais:
Refused to connect to 'https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to=en&contentType=text%2Fhtml' because it violates the following Content Security Policy directive: "connect-src https://.facebook.com http://.facebook.com https://.fbcdn.net http://.fbcdn.net *.facebook.net .spotilocal.com: https://.akamaihd.net ws://.facebook.com:* http://*.akamaihd.net".
In my chrome extension I did set the content security policy as follow:
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"
The URIs in the error console, however, are FB URIs only so that's why I'm thinking Facebook did update their site to restrict access to remote URIs. I'm not certain if it could be a Chrome issue, so sorry if I started the topic on the wrong stackoverflow network. :)
Can anyone confirm (and maybe point me to a possible solution for) this issue? Thanks everyone!
Extensions should bypass a page's Content Security Policy when executing XMLHTTPRequest from a content script. They currently aren't, which is a bug. I've filed https://bugs.webkit.org/show_bug.cgi?id=104480 to take a look at fixing it.
Are you executing XHR from your extension's content script, or are you executing it in the background page? The latter should work right now.
The error message says your are trying to connect to 'https://api.microsofttranslator.com/ domain which is not specified in connect-src of CSP Directive
It seems you have listed
"connect-src
https://.facebook.com
http://.facebook.com
https://.fbcdn.net
http://.fbcdn.net *.facebook.net .spotilocal.com:
https://.akamaihd.net ws://.facebook.com:*
http://*.akamaihd.net".
the above domains for connect-src policy, add the new domain microsofttranslator.com if it is valid.
Let me know if you need more information.
i had this problem out of the blue
paused ad-blocker on the domain, and now it works
I tried pretty much everything, but no matter what I try I always get the wrong login dialog.
I tried this sample snippet.
http://www.facebook.com/dialog/oauth/?
scope=email,user_birthday&
client_id=123050457758183&
redirect_uri=http://www.example.com/response&
response_type=token
When I input my client_id (app id?) and my redirect_uri (should be https://apps.facebook.com/appnamespace ?) I get a dialog that says "Logging in will not add this app's activity to Facebook."
instead of the first dialog on this documentation.
http://developers.facebook.com/docs/reference/dialogs/oauth
What am I doing wrong?
In your application's advanced settings, change "Enhanced Auth Dialog" to "Disabled" and try again. Otherwise, you need to configure the Auth Dialog, per the instructions here: https://developers.facebook.com/docs/beta/authentication/
Also, pay attention to the specific redirect_uri you provide. If your Canvas Page has a trailing backslash, make sure you include it. Otherwise you get the dreaded, "An error occurred. Please try again later."
I love it when something is working in other browsers and then ya fire up IE and it all goes poof.
I'm getting the following error:
SEC7111: HTTPS security is compromised by http://www.example.com/myappname/?rctp=[an FB user id]
Here's the workflow:
User goes to canvas app on Facebook. Makes choices on form, form submission goes to app's URL on my domain where quick database work is done and redirects back to the app with user id added as a GET variable, which is used to trigger a user-generated request in Request 2.0 fashion.
Works fine in Firefox. In IE9, I get the "only secure content" error message. IE9 F12 debugger console shows the above "SEC7111: HTTPS security is compromised by http..." message.
Not sure why it's showing "http://www.example.com/myappname" as the url it's redirecting from is "https://www.example.com/myappname"
Again... works fine in Firefox. As per some of the other Q's I've seen here, I tried adding FB._https = (window.location.protocol == "https:"); and FB._https = true to the JavaScript but to no avail.
UPDATE: Ok, removing the GET variable clears up the problem. But I NEED to pass that variable. Is there another way to do it?
I'm getting this error... What is puzzling me is the fact that i do not have any type of security enabled for the page i'm invoking...
WebClient myWebClient = new WebClient();
myWebClient.UploadData(myUrl,"POST", myByteArray);
When i access directly to the page ( on ie ) it works fine, with the WebClient it's not working.
Anyone has a clue on what can be wrong?
IE supports integrated security, which will use your current login credentials as the username and password, so you don't have to manually enter it.
If you are using IE, use Firefox and see if you are prompted for a username and password. Or, in IE, you can go to Tools, Options, Advanced, and uncheck Integrated Windows Authentication.
Most likely, you'll have to configure the web application to support anonymous access, or you'll have to implement security in your WebClient.
If you are struggling to get to the bottom of it Fiddler might shed some light. You will have to manually edit your code to go through the Fiddler proxy, but once that's done you can compare the IE result to the code one.