I am able to call a web service that doesn't require server credentials. But I need to call a web service which require server credentials(username and password) for authentication. How to call this type of web services by supplying appropriate credentials using Ajax.Request or any other method in Palm WebOS.
Any help would be highly appreciated.
Thanks,
If you are using Basic Authentication you could try this: Using Authentication with Ajax.Request
Related
I want to invoke REST API from SOA with Basic Authentication.
I did all configurations but it does not work.
How and where to set basic authentication username and password for the REST API?
You need to configure and attach this policy for the endpoint you are calling:
https://docs.oracle.com/middleware/1212/owsm/OWSMS/owsm-predefined-policies.htm#OWSMS5467
Also see:
http://www.ateam-oracle.com/working-with-owsm-policies-part-1-of-some/
So we have an authentication server where the UI application gets the access token and then it communicate with API server, it's all good. Now we are building a third application which needs SSO to authenticate the same user and that is fine too.
However, there are scenarios where this third application needs to use some resources on the API server which, from my understanding, we need to get a token from auth server using client-id/secret and then send the request with the access token. This seems ok too, however I am not sure how API server is going to authorise that token (a hint on this would be great).
But the main problem is we want this request to be sent on behalf of the user. This is because API server needs to audit all user's activities. How can we achieve this using Spring Boot/OAuth2 and JWT Token?
I went through documentation and I know about #EnableOauth2Sso #EnableAuthorisationServer etc. but this scenario is not clear and I'm not even sure it's been implemented in Spring or not.
If there is no implementation for this scenario, what do you recommend? Any experience you have had on this, can you please share?
Your API server plays the role of a Resource Server. There is an annotation designed for that purpose: #EnableResourceServer. Your client app then will consume this resource using the handy OAuth2RestTemplate.
There are two approaches to properly configure the Resource Server and get this working:
Have the public key directly in your resource server app: this way when the client app try to use a token provided by the authorization server to get a resource from the Resource Server, this will verify if the token is valid by itself.
Configure the resource server to ask the authorization server if a given access token is valid and depending of the response it will allow or decline to get the resource.
I have posted a sample app on github using the first approach. There you can see the interaction between the Authorization Server, the Client and the Resource Server, as well as all the configurations you need for this implementation. Hope it helps you.
I have a need to authenticate against Azure Active Directory from a .net Web API. I read Vittorio Bertucci's article: Using ADAL .NET to Authenticate Users via Username/Password, and was wondering if there's any way of getting around the limitation of not being able to do this from a website/confidential client. He describes this as an AAD setting. Is it one that can be turned off?
Any assistance with this would be much appreciated!
This is not common scenario to use the Resource Owner Password Credentials in a web app. The recommend way is that using the Client Credential flow as Shawn Tabrizi suggested.
If you do want to use the Resource Owner Password Credentials flow, you can construct the request yourself as below:
POST: https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
resource={resource}&client_id={clientId}&grant_type=password&username={userName}&password={password}&scope=openid&client_secret={clientSecret}
The Client Credential Flow (App Only Flow) should enable your confidential client to be able to authenticate to a downstream resource without a logged in user. This type of authentication is pure Service to Service Authentication, and will require only a secret for the client app to be presented either in the form of an App Key (symmetric key) or a Certificate Credential (asymmetric key).
However, all forms of access to an AAD Resource will require some form of initial interactive login. In the case of App Only Flows, you will need an Admin to perform an interactive login experience with the Client application, which will then allow subsequent user-less flows.
Check out these sample and let me know if it addresses your question!
https://github.com/azure-samples?utf8=%E2%9C%93&query=daemon
I hope this helps!
I am writing an android application for an University that uses Shibboleth for authenticating the students.
Since I am making a android native app (not a webview), I would like to programmatically pass the username and password and get back the user credentials of the user. Does Shibboleth have a restful api that I can use.
for ex. CAS has https://wiki.jasig.org/display/CASUM/RESTful+API which would allow me to programmatically send a username and password and get back the ticket credentials. Is there something similar for shibboleth?
Shibboleth does not provide a REST interface, but they do have a non-browser-oriented authentication profile called ECP.
https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP
Shibboleth doesn't have any restful support. However you can still use JAAS + Java plugin + Rest client to do authentication by calling your Restful based authentication system. I had similar implementation
I have a WCF service which needs to be called from client side(ajax call).
I want to use ScriptManager on ASPX page to add a ServiceReference to the WCF service (or) JQuery ajax call to the WCF service. I want to deny anonymous users accessing the WCF service. Is there any way to do user authentication before calling a service method from JavaScript? how to secure my WCF service calls from client side?
There are a number of things you can do to secure your WCF services. Probably the easiest way is if your services are already part of the existing overall ASP.NET application is to enable ASP.NET Compatibility Mode for your services. If your ASP.NET app uses authentication to validate users (e.g. forms authentication) and you are enabling that via a session cookie, then ASP.NET Compatibility Mode does most of that work for you.
By default, this is disabled, but you can enable it with an addition to your web.config:
<system.serviceModel>
...
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
...
</system.serviceModel>
This will enable compatibility mode for all your services in your application. You can also enable this on a service by service basis by setting the web.config value and also using the AspNetCompatibilityRequirements attribute on your service class not the interface):
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class FooService: IFooService {
}
When you enable this setting, you have access to HttpContext.Current (like an ASP.NET page) and it will also enforce that a user must be authenticated before accessing the .svc file (just like you have to be authenticated before accessing any .aspx file). If you try to access a .svc file without being authenticated, and you're using forms authentication, the caller will be redirected to the default login page and, after successful authentication, will be redirected to the .svc file.
This suggestion makes a few assumptions:
your services are in an ASP.NET application;
you're using some type of ASP.NET authentication (like forms authentication) to validate users' credentials and persist a validation ticket in a cookie;
This suggestion, while maybe not the most secure or robust, is probably the simplest to at least get up and running and secure your site to a reasonable degree.
Here's a good MSDN library intro article on ASP.NET compatibility mode.
If this works, perhaps the next step is to look into something like HMAC authentication (which involves a bit more work and the coordination of secret keys - but it's definitely more secure IMHO). Here's a nice walk-through of implementing it - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication-on-a-restful-wcf-service.aspx
I hope this helps. Good luck!!
I'm not sure if this will help but I placed a layer between my WCF and webapp. I'd make an AJAX servicereference call to a local asmx. This came under the protection of the forms authentication ticket. The asmx would then do any further security checks (if that specific user making the call was allowed to request that data or shape the data based on the user) and then forward the call on to my WCF service.
This way my service layer did not need to know about the users for each app accessing it and only had a concern for delivery of requested data.
The asmx webservice took the responsibility of security.
Then I made the WCF hosted in IIS using WAS and only allowed Windows Auth access for the identity that the webapp app pool was running as.
So:
ASPX -> ASMX WebService -> WCF
I think that would give you the control/separation and security you are asking for?
for WCF web http service The only way to secure a Web endpoint is to expose it through HTTPS, using transport security. When using message-based security, security information is usually placed in SOAP headers and because the messages sent to non-SOAP endpoints contain no SOAP envelope, there is nowhere to place the security information and you must rely on transport security.