I am building an application where I need to generate PDF and save it on disk. However the file can only be access on authorization i.e. only loggedin user let's say with user role Admin can access the file and no one else can access those file.
Please guide me how can I achieve this.
I recommend using Spring-Security..
I'm no expert in Spring-Security, but what I would do initially is have an endpoint with #PathVariable, so the variable would be the key id for the search for the file on disk, but each user can only access their own key, and such validation rule has to be done in the backend.
for example:
/doc/215425245354
spring-security will validate the access to /doc/** and the key you implement the validation if it matches the user's file or not, in order to not let him access a file of another user.
I hope I was able to give you some direction. :)
Related
Is it possible to disable requests sent to Parse without a master key? I'd like to only access Parse through my custom backend and not give users direct access. Does public 'read' set on the User class mean that anyone can read the records in that class? If so, why is this a default - wouldn't that be against good security practices?
Thanks,
Daniel
Public read means that anyone with your api key can read the user collection from your parse server. Api key is not the best approach to protect your app because anybody can know it by putting "sniffing" your network requests.
In order to protect and provide access you can protect your objects with ACL's which allows you to create access for specific user (who is logged in) or to specific role. So you have couple of options:
Create a master user - each user must have username and password and when you create your parse objects make sure that only this specific user create/read/delete and update them. You must only to make sure that when you create an object you create ACL for this user so only this user will be able to modify and read the object. You can read more about parse-server security and ACL's in here: http://docs.parseplatform.org/rest/guide/#security
Using parse cloud code - In cloud code there is a nice feature of useMasterKey which provide full access to any object of parse-server so for each operation that you run (via JS SDK) you can also set the useMasterKey to true and then parse-server will ignore all the ACL's and will execute the query for you. The useMasterKey feature work only in cloud code context so it's safe. If you want to provide additional level of security you can run the cloud code function with your master user (from section 1) and check inside the cloud code for the user session so if the session is empty then you can return an error.
You can read more about cloud code in here: http://docs.parseplatform.org/cloudcode/guide/
This is the code which validate the user session:
if (!request.user || !request.user.get("sessionToken")) {
response.error("only logged in users are allowed to use this service");
return;
}
Above image is the springsecurity.xml file.
Above image is the folder wise I written.
I hope what you are trying to achieve is restricting access based on user role. You can intercept each incoming request and check if the user who is trying to access the url has required role to perform this operation. Please read this link and develop your logic.
I am fairly new at using Parse Server (hosted in back4app) and would like to get some clarification on the pre-created 'users' table.
I am currently trying to develop a Web Application (Javascript) using Parse and I am using REST API calls to signup and login users. One thing I have noticed is that anyone can get a hold of my REST API key (through html source), but most importantly anyone can make a GET 'users' request to get all the users in the DB. These results include the username, email, and ObjectID. As a result of this anyone can make another REST call to the 'sessions' table with the ObjectID and retrieve the sessionToken (which I was planning to use as an authorization token for protected REST API calls)
I am not quite sure how this can be safely accomplish. I have search online but without much success. Any help or articles will be greatly appreciated.
Thank you
The security access is made throuh the
CLP (Class-Level-Permission) and/or ACL (on each each row).
you should have a look here :
https://parseplatform.github.io/docs/js/guide/#security
Note that : "Session objects can only be accessed by the user specified in the user field. All Session objects have an ACL that is read and write by that user only. You cannot change this ACL. This means querying for sessions will only return objects that match the current logged-in user."
REM : for a web application you should use the Parse "Javascript Key" which can be "public". Try to keep the REST API key more "private" by using it for i.e. only on "third party custom and private server" that could make REST request on your database.
I want to supply my users a Dropbox access token trough my Parse server.
For the one who don't know, Dropbox access token is a string that supplies direct access to a dropbox account files, it should be secret, because if anyone finds it he can delete all the files.
My server should store many access tokens and it should supply the user the correct token, but the problem is that because the anonymous log in i'm afraid that if someone will know the parse server key, he could get all the secret dropbox access tokens.
In first place i supply the access tokens in server for security reasons and not put it hard coded to protect it.
But what's the difference if i put the parse key hard coded?
Is there a way to handle this?
thanks.
Yes you are correct. If somebody knows your ApiKey he can query your parse server without any problem unless you use ACL
ACL is access control list which allows you to decide (on the application level) which users/roles can read or write to one or more parse objects or parse users. In runtime Parse will check if the logged in user has an access to read or write the object and only if it will have an access it will return the results to the client.
So i suggest you to protect your users/tokens with ACL's if you like to protect only the access tokens then i suggest you to create a separate class that will store the user access token and in this class you need to create an ACL for the relevant user only.
You can read more about ACL's in here:
iOS SDK
Android SDK
JavaScript SDK
I am using Google Admin SDK Directory API to create users and using Service account I am able to perform CRUD operations on them.
I have a requirement whereby I have to check the credentials of users created using SDK.
When you fetch the users the password is not returned, hence comparison cannot be done.
I'll really appreciate if someone lets me know what would be effective way of approaching the checkCredentials function.
Thanks.
Google does not ever return the value of the password. That would be a monumental security risk.
See their documentation in regards to the user resource used in the directory API. It specifically states that the password field is never returned. It can only be used for setting the password.
If your requirement is too check creds on a newly created user, you should look into trying to login as the user with the password you just sent, using the google auth Apis
At the moment, the only solution I've found is to simulate the user login flow with a fake browser (Apache's httpcomponents-client for Java for example) pointing to Google Account ServiceLogin.