I'm currently working on a Spring-MVC web application in which the users can upload files to the server. Those files are saved in the server-side file system and served as static content: my application is deployed on a Tomcat instance and I've added a context in the server.xml file to make them accessible.
Now, I want to secure the access to those files. Basically, a user should only be allowed to access the files he/she uploaded.
What would be the best way to implement this authorization check?
Related
I am using spring with ext js for my web application. Un- authorized users able to access app.js file. Please suggest how to protect it.
I have web api that uses windows authentication. I've created my own Active Directory Server and a separate IIS Server. I have registered the IIS server to the domain but for some reason I'm getting a 401 issue when I use the API URL in my Javascript.
But works when using it directly from web browser
Please note that this is the same code (javascript, SQL Server, and ASP.NET Web Api) I'm developing at work. The only difference are the url for LDAP and domain. I have tried everything from changing Windows Authentication Providers. I'm just curious if I need to add my machine as a trusted to the Active Directory which I'm not sure how. I have added the Active Directory User to the IIS with Full Control but still no luck.
I'm doing some research about authentication via Active Directory for internal application.
Application is divided in two parts - front-end in Angular 2, and back-end in Spring. I would like to add windows authentication to it to avoid providing credentials when you are already logged in, but i can't fully understand how possibly server knows the credentials of which user to compare with those stored in Active Directory. For example let's assume that I've logged into windows, my data are sent to Active Directory. Now I'm heading to website, which i would like to automatically authenticate me with http request sent to rest api. Rest server invokes some logic connected with authentication with Active Directory, and after success rest api sends token back to Angular. But the thing I'm missing is how server knows which credentials compare to know if user exists in AD. Should i somehow use angular to gain acces of user credentials stored in windows through browser? Or I'm missing something important here.
We have created a custom application and deployed it as separate WAR in IBM WebSphere Application Server 8.5.
In the custom application we have created a class file to check whether Ltpatoken2 is set . If it’s not set the user will redirect to custom login page otherwise they will get access to the application .
We have enabled single sign on for Process Portal Url and the custom application as well . Once the single sign on is successful and if the user is redirecting back to Process Portal its generating the LtpaToken2 . If the user is redirecting back to custom application , then it’s not generating LtpaToken2 though the single sign on was Successful. To set Ltpatoke2 in this case ,user has to access ProcessPortal URL again or they have to login to the application using normal login page from the application once again.
Process Portal URL : https:// dev.mydomain.com:31067/ProcessPortal/
Custom Application URL : https:// dev.mydomain.com:31067/MyApp/
Single Sign On : https://wsso. mydomain.com/ SignOn.htm
Fire Bug Details
Process Portal
Custom Application
basically it looks like you have not protected your entry path using J2EE roles. By default WebSphere does not enforce authentication. If you add to the J2EE application (web.xml) WebSphere could be told to go to a custom authentication page automatically.
Using this case you would enable your application to be able to use more of the WebSphere Security Features
I would like to allow third-party/crossdomain access to my Heroku api. Currently I have an xml file with crossdomain properties in my other websites... how do I open up access on Heroku to other sites?
Maybe the placement of the xml file is the issue... but I have it all redirected in routes so /crossdomain.xml will point to the correct file.. it just is not allowing access currently.