How to enable location service from my application on WP7 - windows-phone-7

I'm writing an application for some Geolocalization.
How can I programmatically enable / disable location service from my application? Like a settings page in my personal application?

In your application you should try to use the Location service (GeoCoordinateWatcher) and then check the Permission property. If this is set to Denied, it means that the user has, externally to your application, disabled location services on their phone, so this is all you need to be concerned with. You can display a friendly message telling the user that certain features within your application will not be available, but you leave the decision to enable location services up to the user.
The following article details the watcher_StatusChanged event handler, which includes the above check:
http://msdn.microsoft.com/en-us/library/ff431782%28v=vs.92%29.aspx
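The check described in the answer above, combined with an in-app opt-in switch, as an added example that is not part of the original answer or of the linked MSDN article. The class name `LocationGate`, the settings key `UseLocation` and the `Unavailable` event are hypothetical names chosen for illustration.

```csharp
using System;
using System.Device.Location;
using System.IO.IsolatedStorage;
public class LocationGate
{
    private const string ConsentKey = "UseLocation"; // hypothetical settings key
    private GeoCoordinateWatcher watcher;
    public event Action<string> Unavailable; // hypothetical hook for the UI message

    // The in-app switch: the only location setting the app itself controls.
    public bool UserConsented
    {
        get
        {
            bool on;
            return IsolatedStorageSettings.ApplicationSettings.TryGetValue<bool>(ConsentKey, out on) && on;
        }
        set
        {
            IsolatedStorageSettings.ApplicationSettings[ConsentKey] = value;
            IsolatedStorageSettings.ApplicationSettings.Save();
            if (value) Start(); else Stop();
        }
    }
    public void Start()
    {
        if (!UserConsented || watcher != null) return; // stays off until the user opts in
        watcher = new GeoCoordinateWatcher(GeoPositionAccuracy.Default);
        watcher.StatusChanged += OnStatusChanged;
        watcher.Start();
    }

    public void Stop()
    {
        if (watcher == null) return;
        watcher.StatusChanged -= OnStatusChanged;
        watcher.Stop();
        watcher.Dispose();
        watcher = null;
    }

    private void OnStatusChanged(object sender, GeoPositionStatusChangedEventArgs e)
    {
        if (e.Status != GeoPositionStatus.Disabled) return;
        // Denied means the phone-wide setting is off; the app can only report it.
        bool denied = ((GeoCoordinateWatcher)sender).Permission == GeoPositionPermission.Denied;
        if (Unavailable != null)
            Unavailable(denied ? "Location is turned off in the phone settings."
                               : "Location is not available on this device.");
    }
}
```

A settings page binds its toggle to `UserConsented`; the phone-wide switch stays under the user's control and is only reported through `Unavailable`.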

Related

How can we access and add applications under Full Disk access pane programmatically

With the new security and permission-related checks included in Mojave and Catalina, in my Swift application I am trying to create a copy of a file using the function below:
"open func copyItem(at srcURL: URL, to dstURL: URL) throws"
As I call this function, my application entry is created under the Full Disk Access panel of Security & Privacy in System Preferences. Unless I enable this, I can't create a copy of my file using the function I mentioned above.
My issue: this entry is added to Full Disk Access silently; I don't see any security alert asking me to allow or not allow. We don't even have any API to get this information, so that we can ask the user to add it manually.
Where can I get appropriate documentation about the Full Disk Access feature which will help to understand which locations are restricted to access, and how can I enable it programmatically without user interference?

Save User Info protected

If I use Xam.Plugins.Settings to save, for example, a token or anything else, what level of security does this give me? Can I expect a greater level of security if I create my own Settings service in each platform project, which simply uses the default API?
How and where do you store data such as a token and userName? Do you use encryption or some paid plug-ins? I've heard a little about them in Unity, but I'd like to know more.
The Settings Plugin saves specific properties directly to each platform's native settings APIs (NSUserDefaults, SharedPreferences).
For example, in Android, the SharedPreferences are a file that is stored on the device filesystem, within the app's data directory, set with permissions that only the specific application can read/write. However, like everything, it can be "hacked": if you have root privileges and try to access the filesystem, you can always see what's in the file.
What you can do is encrypt the data you save in the Properties, so you add an extra layer of security.

Google Marketplace domain application data access/revoke

I am not sure how to correctly handle Google domain application access/revoke. Situation is quite standard:
domain admin installs an application through marketplace workflow (scopes, setup url, ...)
application is then listed in admin console for domain (https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=MARKETPLACE)
everything works fine, users can access app
at some moment, for some reason admin revokes application data access through the admin console for whatever reason (application is not deleted, only "disabled")
since then, as there is no privilege granted for app in domain, every user who accesses the application is redirected to error page
And here comes the question - how to properly detect and handle this. As some Google docs say, app should re-request required privileges through consent screen (approval force param).
But as my tests show - when user (admin or non-admin) accepts scopes needed on consent screen, application on admin console is still displayed with no data access.
But the same application is instead listed in the user's connected apps (https://security.google.com/settings/security/permissions), even though it is a domain-installable app!
So how do I programmatically handle this situation? Is there a way, or should I just redirect the (admin) user to the admin console to manually turn data access for that application on?
BTW, after marketplace installation, "sometimes" another consent screen pops up the first time the app URL is visited - which obviously requests the same scopes as the marketplace listing - why is that?
In that case, the application is dually listed like in the previous case - in the domain and in the user's connected apps.

Do I need to tell user that the application uses location services for Ads?

Microsoft's policy says:
The following requirements apply to applications that receive the
location of a user's mobile device:
2.7.3 Your application must provide in-application settings that allow the user to enable and disable your application's access to and use of
location from the Location Service API.
I included ID_CAP_LOCATION in my manifest for an AdMob (google mobile advertising) control only - Do I need to add that in-app settings disabling location and tell user that the application uses location services on the first launch for successfully passing the certification?
In Google's own documentation, they say:
Google asks that you only specify location data if that information is already used by your app
The suggested interpretation of Microsoft's certification guidelines would be that to be accepted on the store, if you're going to use the location of the user (even if only to pass to an advertising control) you should be up front about that and allow your customer to disable that option.
So, to summarize, I would suggest not using the location unless your app has another reason to do so (to keep Google happy), and if you choose to use locations, I would recommend being up front with (one-off) message on first launch, and the ability for your customer to disable it (to keep Microsoft happy).

ASP.NET MVC 3 Intranet site on IIS7.5 w Windows Authentication gives 401.3 and File authorization failed for the request when trying to log in

I have made an ASP.NET MVC 3 Intranet site with Windows Authentication enabled:
in the Visual Studio project file properties
in the web.config, i.e. <authentication mode="Windows"/>
on the site properties in the IIS 7.5. server
Anonymous access is disabled for all three of the above; the web.config says <deny users="?"/>. Impersonation is disabled in the web.config by <identity impersonate="false"/> and on the site properties in the IIS 7.5 server. And finally, the NETWORK SERVICE is set to run the app pool and also has Read on the site folder (not sure if it's needed though, you tell me, but it sure ain't enough to solve my problem below).
Now, when logging in through the standard Windows Authentication dialog box, domain users are presented with a 401.3 error after three valid login attempts. This seems to be before even reaching my MVC site's code, i.e. it seems completely IIS related. The event log gives the following kind of entry (it's an Information entry, not an Error, and I've obfuscated it a bit to protect my client) for all the users that have tried to log in:
Event code: 4008
Event message: File authorization failed for the request.
Event time: 2012-02-20 18:45:41
Event time (UTC): 2012-02-20 17:45:41
Event ID: 6dd3b4bf99784ba1a0fe06694dd89691
Event sequence: 3
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT-1-129742335229554599
Trust level: Full
Application Virtual Path: /
Application Path: D:\Public\BlahblahManager\
Machine name: HUB01-XYZ123
Process information:
Process ID: 2920
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: http://blahblahmanager.user.ad.blah.com/
Request path: /
User host address: 134.XXX.XXX.XXX
User: USER-AD\teh-user
Is authenticated: True
Authentication Type: Negotiate
Thread account name: NT AUTHORITY\NETWORK SERVICE
Custom event details:
It is only when I specifically grant USER-AD\teh-user or USER-AD\Domain users the Read permission on the site's root folder (D:\Public\BlahblahManager) that the user can log in and actually see the site.
Why is this? There must be some kind of configuration that I'm missing. Shouldn't it be enough that the NETWORK SERVICE has Read on the site's root folder? I've Googled this for a while, and impersonation is mentioned here and there, but the jury is still out it seems. Some sites claim that you should go with impersonation and they provide examples on how to do it, but when I try out the examples it still doesn't work. Other sites say that impersonation is NOT the way to go and that you NEED to grant the folder permissions in these cases. But that seems such an odd thing to do. Users have no business on the actual server, they should be working through the website only.
Any suggestions? What is usually the minimum amount of configuration needed to get this to work? Any tips on how to troubleshoot this kind of problem and get to the root cause?
I refer you to this post, which declares all of the MVC authentication methods, but make sure you have enabled the minimum required authentication on your MVC application. Notice that Anonymous Authentication works with your group policies. You can configure that on your browser by following: Internet Options -> Security Tab -> Local Intranet -> Custom Level.
1- Another thing that may cause the problem is that IIS may be configured not to authorize the related users. Some of them are:
iisservice
IUSR
IIS_IUSRS
Network Service
2- Also check the allowed verbs in IIS.
3- On the root folder of your application Give read access to IIS AppPool\YourAppPool.
4- Another cause could be hierarchical access rules in your application depends on what application services you are using, like web site panel access rules.
5- Setting the clientaccesspolicy.xml file.
6- Check InitializeService() Method, do you set entity access rules properly? For example:
config.SetEntitySetAccessRule("*", EntitySetRights.All);
7- Check FileAuthentication module at the web site level.
Double check Anonymous authentication is enabled on IIS.
Also, have a look at this post.
We were also fighting with this issue, and started setting up security groups so we could give our users file level permissions. Then one of our server admins stumbled across a couple of new properties that allow the app to authenticate to the file system under set credentials, and resolved the need for the users to have access. Here is what he came up with…
There are two IIS settings that control this:
Physical Path Credentials
Physical Path Credentials Logon type
By default, Physical Path Credentials is set to Application User
(Pass-through authentication). This means that IIS doesn’t do any
impersonation when handling Windows Authentication requests. This can,
however, be set to a specific user (though not, unfortunately, the
application pool identity, which would be ideal). Physical Path
Credentials Logon Type is set by default to Clear-Text. For my testing
I set this to Interactive (though this may not be the correct value).
Possible values are Clear-Text, Batch, Interactive, and Network.
To set this up I did the following:
Created a local account (IIS-AccessUser)
Granted IIS-AccessUser read and execute access to the /home directory of the site.
Added IIS-AccessUser to IIS_IUSRS group (necessary for accessing .NET temporary files)
Set IIS-AccessUser as the Physical Path Credentials
Set Physical Path Credentials Logon Type to Interactive
Doing the above allowed me to log in to the application directly,
without having to allow Authenticated Users, or me having to be a
member of any of the groups in the /home folder. It also still
preserved .NET Authorization roles, so I still could not access parts
of the site that I was not allowed to.
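The last three steps of the setup described above, scripted against IIS's Microsoft.Web.Administration API as an added example that is not part of the original answer. It assumes the local account already exists and is a member of IIS_IUSRS, and that the content to protect is the site's root physical path; `SetPathCredentials` is a hypothetical name. After applying the settings it lists broad allow entries still on the folder, since the point of the setup is that users and groups need no access to the disk.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Web.Administration; // IIS 7+ management API

public static class SetPathCredentials
{
    // Usage (elevated prompt): SetPathCredentials.exe <siteName> <account>
    public static void Main(string[] args)
    {
        string siteName = args[0], account = args[1];
        Console.Write("Password for {0}: ", account);
        string password = Console.ReadLine(); // kept off the command line
        using (var iis = new ServerManager())
        {
            Site site = iis.Sites[siteName];
            if (site == null) throw new ArgumentException("No such site: " + siteName);
            VirtualDirectory root = site.Applications["/"].VirtualDirectories["/"];

            // Read and execute for the access account only, inherited by the content below.
            var dir = new DirectoryInfo(Environment.ExpandEnvironmentVariables(root.PhysicalPath));
            DirectorySecurity acl = dir.GetAccessControl();
            acl.AddAccessRule(new FileSystemAccessRule(new NTAccount(account),
                FileSystemRights.ReadAndExecute,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None, AccessControlType.Allow));
            dir.SetAccessControl(acl);

            // "Physical Path Credentials" and "Physical Path Credentials Logon Type".
            root.UserName = account;
            root.Password = password;
            root.LogonMethod = AuthenticationLogonMethod.Interactive;
            iis.CommitChanges();

            // Report allow entries for broad groups that the folder should no longer need.
            var broad = new[] { WellKnownSidType.AuthenticatedUserSid,
                                WellKnownSidType.BuiltinUsersSid, WellKnownSidType.WorldSid }
                .Select(t => new SecurityIdentifier(t, null)).ToList();
            foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
                if (rule.AccessControlType == AccessControlType.Allow
                    && broad.Contains((SecurityIdentifier)rule.IdentityReference))
                    Console.WriteLine("Review allow entry: {0} ({1})",
                        rule.IdentityReference.Translate(typeof(NTAccount)), rule.FileSystemRights);
        }
    }
}
```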
I also faced this same issue on IIS7 with Windows Authentication, but with MVC4.
Finally found this post. Hope this might help someone in the future.
You are not required to grant file access permissions when using Windows Authentication in IIS 7.0 and IIS 7.5.
There's a better way, which we were only able to discover because our server admin smelled the security and management issues that arise from taking the route of granting file level access to users and groups.
For anyone dealing with this issue, or if you are setting up a new IIS7/IIS7.5 server and/or moving from IIS 6, here is an article that gives you all of the Windows Authentication options and configurations that need to be modified to avoid granting file level access to individuals or groups.
Please read the two comments at the end of the post for some valid critiques of the methods used in this article.
http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk
In addition to the information in the article, please be aware that IIS 7.5 is not using the web configuration tags for system.web (at least not in my MVC 4 application).
It is looking in the system.webServer tags for authorization configuration (where you will need to list the Windows domain\groups a user needs to be in to access your application).
-- DSB

Resources