I'm using TurboGears with PyAMF behind a Flex client, and everything works well.
What I want to do is expose just a AMF login method to the world, and only allow access to other AMF functions once the user has logged in.
Also, once the user is known, I'd like the protected AMF methods to get the username from the auth information, so not every function has to start with the user_id.
Is there support for this sort of integration out there anywhere?
I have not done it, but I happened to have this bookmarked the other day via del.icio.us.
Hope it helps.
Using PyAMF With TurboGears 2
I ended up spending over a day hitting the /login url with html posts until it all worked. I couldn't use the repoze.who mechanism from within the Amf controller.
I don't think I'll choose Turbogears for my next project though... there have been problems with setup every time I've set it up, and having to do work-arounds like this is just because it's not a well thought out architecture.
Related
Literally, I do not know what module is to get values from http, https.
I'm trying to bring tracking numbers from kind of BANC, UPS, FedEx...
My purpose is this reference specific values from other site and bring back to Netsuite.
1 What modules do I use for that?
2 If there is a login session, is it possible to access using suitescript?
your answer will be great help to me.
Accessing that information is usually done via API with credentials rather than a login session. For that you normally use N/https.
I am a relatively inexperienced programmer.
I have managed to build a web api which uses basic authentication as per the following:
https://weblog.west-wind.com/posts/2013/Apr/18/A-WebAPI-Basic-Authentication-Authorization-Filter which is working very nicely (forced over ssl obviously). Inside the OnAuthorizeUser i check the un/pw against an mssql database, via a call to an internal class called "DB" where all my database interaction occurs.
So all Controller methods are filtered by the Basic Authentication ("decorated" at the Controller level) however, access to certain Controller Methods also needs to be limited depending on the user - so there is a need to understand the user permissions. Based on my limited former ASP.NET experience I think I would have stored the relevant user details in a Session (or possibly cache) however I have so far steered clear of this based on wanting to stick to the concept of having a RESTful application etc
Rightly or wrongly, in playing around I realised I could use a private static (instance?) of my User class inside my internal DB class and populate it at the time of initial authorisation. I also added a public method (public User getThisUser()) to return the private User. From within my Controller methods I create an instance of DB and am able to check the values etc.
I was very worried that I would have issues with the "scope" of this "static" User, so to test, I created a Controller method to simply return the User information from DB.getThisUser(). In doing so I have found that I can log in as multiple different users (using different browsers concurrently for example) and each one consistently returns the correct user information (as logged in).
I'm still not entirely convinced this is "safe" however reading through the details of implementing something like ASP.NET Identity as a possible alternative makes my head spin and really seems like massive overkill in this case - I'm not using Entity Framework and after much searching I could not find a single example of NOT using an ORM (I need a solution to work with an existing DB).
Is this destined to fail? Do I go back to considering session or cache? Something else? I would really appreciate any feedback / advice on this from all of you who are more experienced than me. Thanks in advance for any help.
i think you're getting a bit confused.
an API is supposed to be stateless, meaning no session. Yes, you have a controller which translates into an endpoint.
You can hit an endpoint with all the information required to satisfy the request and this is it. Don't think of an API as an actual application where all requests are linked somehow. Instead, think of it at an application where each request is separate and can come from anywhere and any user.
How does the application know which user sent a request? Well, it doesn't unless you pass that information in.
You don't fire a request saying GetMeUserDetails. The api has no idea what you want. Instead you would say GetMeUserDetails for userId 12345. Now, since your request contains all the information required to satisfy the request, the API can now give you what you expect.
If some calls require authentication, you might use some sort of tokens to identify the user, but again, the information is passed in via the token.
You probably realize what static means and how it works. you are not going to see problems until you try to send two or more requests at the same time and then you'll realize that the first call now contains the details of the second request because well, static ...
I have been working with CodeIgniter for couple of days and I love it. For a beginner it`s a great framework for creating web applications.
I`m using Tank auth to set up login system and so far I have managed to get same thing done.
But there is one thing that I can not understand. I`ve been studying Tank auth code and googled but still can not ger around this very simple problem - how do I protect my websites content from unregistered users? What is the method used in CodeIgniter for that?
Lets say for example I have a controller Products with method show. By typing www.mywebsite.com/index.php/products/show I get to see them all in my website. Now how do I forbid unregistered users to access(see) my products?
I do understand that this most likely is silly question but I just can not move on without decent understanding about this. While it is fundamental google does not have the answer... (or I dont know how to ask precisely)
Assuming you have tank auth installed and configured correctly, you can simply redirect someone to the login screen if they aren't already logged in for any particular controller function.
if (!$this->tank_auth->is_logged_in()) redirect('auth/login');
If you use that at the start of any function it ensures only logged in users can load it, because any other user will be redirected away. Likewise, if you want to lock an entire controller off, just place that in the constructor.
The Welcome Controller that comes bundled with Tank Auth shows a good example of it, because only logged in users can see the "you are logged in now" page.
I'm trying to build an internal admin system to get to grips with creating a Laravel app from scratch. Currently everything is public so I'm looking at implementing a very simple login system.
There will be no DB connection needed as we want a single user. We'll store the relevant username and password in the .env file most likely.
I feel like I've looked everywhere and haven't been able to find any tutorials covering this requirement! From everything I've read it seems I have to use a 'custom authentication driver' or possibly build my own user provider class but I have no idea how to go about this task.
The idea is that if the app is expanded in future we'd like to be able to just go back to using Laravel's built in db auth functionality. For this reason it would be nice to retain all the common methods relating to checking the current user, using auth middleware on my routes and managing login tokens etc.
Thanks in advance for any help offered.
Recently I was asked to add an XML API to one of the Symfony modules in my project. I did it, and it works well. For authentication, we use sfGuardPlugin. Symfony version is 1.3.11. Using Propel, not Doctrine.
The most recent request to me is this:
We will embed a Flash game into the website.
The Flash will do requests to the XML API.
The guy who is coding the Flash application says that it doesn't share cookies with the browser.
We want the Flash to be able to reuse the session of the currently logged in user (we won't allow to be even shown if no user is logged in).
I did try this would-be solution: (taken from other SO articles and various Google search results)
I was told that the Symfony session resides in the symfony cookie.
I was told that if I copy this value in another client (in my case, wget) and do session_id("stolen_session_id") I will be able to duplicate the session, have the same user logged in, etc.
This turned out to be wrong. Say my cookie symfony had the "blabla" value. I did this: wget --post-data='session_id=blabla' X.X.X.X:NN/api/bla.xml -O-. My server PHP code parses this POST parameter and feeds it to session_id function. It then reported in the logs that the session_id('blabla') was returning 1. However, calling $this->getUser()->getGuardUser() returns null.
I need a way to map a passed session_id to a valid sfGuardUser. Or find an alternative way of reusing a session which already exists.
Suppose I have full access to the cookies. I want to know which one of them (or all of them?) to duplicate in order to achieve this.
BTW, I am seeing in my Chrome dev tools that the symfony cookie is of a session type. So it's no wonder at all as to why my method doesn't work, but I am little lost as to how do I do this in Symfony, while using the sfGuardPlugin.
I do realize this is not one of the most informed questions, but ditto, I just need help.
Thanks for your time.
(Dimitar P.)
Oops, forgot to mention which cookies I see on my domain:
symfony
sfRemember
__utma
__utmb
__utmc
__utmz
I am guessing the last four are for Google Analytics, though.
I didn't want to do this, but I was unable to find other alternatives:
$ wget --header='Cookie: symfony=blabla' X.X.X.X:NN/api/bla.xml -O-
I wanted my XML API to be REST, but evidently, Symfony doesn't allow authenticated requests other way than using cookies (and to enable the session ID to be always included in the URL is not an option at all).
Still, if somebody shows up with a fully REST alternative, I will upvote his/her answer.
You will need some way of specifying which user is executing the (wget) request. And PHP sessions use a session ID by default.
A common way to do this is token-based authentication. The most common way to achieve this is OAuth, which has a lot of default libraries (both for Symfony and for your API consumers).
If you're the only one using this API, you can also create a custom token (random sha1 string) per user per session (you can store this somewhere in your database). Now you would create something like ` wget X.X.X.X:NN/api/bla.xml?token=asdfhdsfhf