I have a website set on a specific domain which is completely separated from my couchdb url through rewrites and virtual hosts, and I got to a point where I need to add some user authentication using _sessions API but I'm afraid I can't do it with rewrites:
{
"from": "auth",
"to": "../../../_session"
}
gives me:
{"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
which is acceptable, but now I'm wondering how would I get the session authentication to work from my domain without exposing couchdb url, and also, the session seems to be related to the domain so if I login through couchdb.example.com it won't work when using mywebsite.com as the public interface?
Thanks
PS. I've just found this post where there's an alternative by disabling secure_rewrites on the httpd config file, which seems to work, although, I was wondering that perhaps might be not a good approach and if is there something else which is ideal for this kind of problem.
I recommend to set secure_rewrites=false and don't worry about it.
We had a great discussion about CouchDB rewrites and security in the Iris Couch forum. Also see my post later about using Audit CouchDB. These are the highlights:
The secure_rewrites option is not the ultimate source of security for your data. At best, it is one layer in a multi-layer solution
The ultimate source of security is the _security object in the database. So that is where you should focus your attention
The Audit CouchDB tool scans every detail about your couch and it will tell you if any red-flags are present. It is implemented in Javascript so if you have NodeJS, you can run it; or simply reading the source code gives you an idea of what it is looking for.
If you are using vhost, than /_session handler is available at the vhost root without any rewrite rules (by default).
See the section [httpd] of default.ini:
vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
Related
I've searched and searched and can't seem to find a pattern for this. I'd consider myself an intermediate Vue dev, however, the backend is my strong suit. I'm working on an app that will be white-labeled by resellers. While it's possible to have multiple builds, avoiding that would be ideal. The setup is a stand-alone vue-cli SPA connecting to a Laravel api backend and using the Sanctum auth package. So I need calls to the same domain. The issue: resellers will be on their own domain. The ask: Is there a pattern/solution for dynamically loading configs (mainly baseURL) for different domains (other items would by theme/stylesheet). Currently I have a few typical entries:
i.e. axios.defaults.baseURL = process.env.VUE_APP_API_BASE_URL
Basically, based on the domain the site is being served on, I'd like a dynamic/runtime config. I feel like this has been solved, but I can't seem to use the right search terms for some direction, so anything is helpful. I've tried a few things:
1) Parsing in js, but can't seem to get it to run early enough in the process to take effect? It seems to work, but I can't get it to "click"
2) Hit a public API endpoint with the current domain and get the config. Again, can implement, but can't seem to get it to inject into the Vue side correctly?
Any resources, pattern references or general guidance would be much appreciative to avoid maintaining multiple builds merely for a few variables. That said, I don't think there's much overhead in any of this, but also open to telling my I'm wrong and need multiple builds.
End Result
url visited is https://mydomaincom
then baseURL = https://api.mydomiancom
url visited https://resellerdomaincom
then baseURL=https://api.resellerdomaincom
I don't think there is a common pattern to solve your problem - I haven't found anything on the net.
The best software design solution could be the following:
have a single back-end
distribute only the client to your customers/resellers
Obviously the back end could see the domain of the application from which the request comes and manage the logic accordingly.
Good luck with your project.
Honestly how the question is put it's not really clear to me. Although my usual pattern is to:
Create an axios instance like so:
export const axiosInstance = axios.create({
// ...configs
baseURL: process.env.VUE_APP_URL_YOU_WOULD_LIKE_TO_HIT
})
and then whenever I make a request to some api, I would use this instance.
EDIT: According to your edit, you can either release the client to each customer, and have a .env file for each and every of them, or you can have a gateway system, where the client axios end point is always the same, hitting always the same server, and then from there the server decides what to ping, based on your own logic
In our MVC website log I can see lot of errors with message "A public action method was not found". Requests are coming with junk action method name.
For example if I have action name "GetProducts" then requests are coming with actiona name as "GetProducts AND 1=1" , "GetProducts;id'" , "GetProductswhscheck".
is this because of internet bots are trying to access my website with junk values?
It may be bots, it may be script kiddies, or it may be crackers. Either way - somebody is trying to find vulnerabilities on your site.
Let's look at the first one:
GetProducts AND 1=1"
This looks like an attempt at SQL Injection. There was probably a longer query after the "1=1", trying to get information out of your database - like usernames, e-mail addresses, and so on.
To defend yourself, make sure your queries are parameterized. You may also want to add some form of rate-limiting on your system; if possible, see if you can add captchas.
You may also want to look at this answer on Information Security Stack Exchange, and the OWASP top 10 security vulnerabilities.
Do this as soon as possible, because somebody's trying to break in to your system.
I'm working on a project using spring, MVC, and implementing webapp-runner. The project used to have a hierarchy like /test/home/index.jsp but using webapp-runner it changed to /home/index.jsp. So, What I need is to support and redirect the old url's with "/test/home/index.jsp" to "/home/index.jsp" so the page doesn't brake in case an old url is used.
I will be thankful if anyone can give me a hand.
return "redirect:/home/index.jsp";
in your controller that returns viewname, or create a second controller with the required mapping .
I would solve this by having an Apache2 in the web app server redirecting the old traffic to the new URL structure.
Installing it in the server is as simple as running
apt-get install apache2
Whether I'd use rewrite or redirect would depend wether you want to maintain the old URLs or not.
See here for more information: http://httpd.apache.org/docs/2.4/rewrite/remapping.html
We have an application with ASP and ASP.NET. We use StateStitch for the session sharing and stateserver setup for persisting (caching) sessions.
Now we want to implement High Availability and distributed caching, using AppFabric.
Only problem is: AppFabric requires <sessionState mode="custom"> and StateStitch requires <...mode="StateServer"> (tag in web.config)
Do any of you have any idea on how to go forward from here? Can't seem to implement AppFabric as //typeof(StateServer) and can't seem to make StateStitch accept custom setup.
Any thoughts, preferably utilizing one/both of the above mentioned techs...
Looking for the free solution :-)
Fixed it.
A hardcoded declaration in StateStitch, validated on StateServer and failed on Custom.
Solution: Added 'Custom' to the
If (Mode.StateServer || Mode.Custom) { Validated = true; }
I'm working on a Web Service project to provide data to a partner. Our app is really light weight and has only a handful of APIs. Because of time constraint and in-house pre-existing knowledge we went the Spring MVC / Spring Security path to serve those restful APIs.
At any rate this is a B2B project where we are expecting only that partner to hit our servers. So it seems a little over kill to modify are very small db schemas to add tables that would contain only 1 user access record for that partner...
Heard someone say though that it's possible to use an encrypted file, or at least a file where the password information is encrypted, instead of the database to hold the Spring Security user access information... Is that true? If it is can anyone point me to some references? I couldn't find anything relevant on Google at first glance... :(
Thanks.
http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/
See the '' under the authentication-provider; this allows you to use encrypted passwords (use sha). If you only have a single user and you wanted the information in an external file, then you could use a property file configuration placeholder to simply specify
${user.1.id} ${user.1.passwordenc},etc... kinda hacky, but it would work.
It's VERY possible. In fact, you can do it without coding; it's pretty simple to include the credentials directly in the XML defining the Spring Security stuff. You usually see this in examples, followed by warnings to "DON'T DO IT LIKE THIS!"
If in-house security is no big deal and you're not worried that your developers can see your password (as if they needed it, heh!) and no one else is likely to access your configuration files, then this is a quick and easy yet workable solution.
I'm going to post this, but I'm off to go dig in the Spring Security documentation for the example I was talking about I'll be back!
Update
Trever Schick was a bit faster with the example. I had a different example in mind but his code shows exactly what I was talking about. You define your security provider in the XML and provide user ID/password right there. There are a number of utilities available on the 'net for you to MD5 or SHA encode your password for you so you can cut and paste it into the file.
You need to implement a new org.springframework.security.core.userdetails.UserDetailsService that reads the user's information (username, password, enabled flag, and authorities) from a file. I don't know if someone already implemented it.